Authenticating with the Kit API for apps and personal use
We support two authentication mechanisms in the V4 API:
We support the Authorization Code Grant and, depending on the type of app you're building, two ways of issuing access tokens:
We’ve found these two resources to be helpful for learning more about how OAuth 2.0 works:
For apps and full API V4 support, you will need to authenticate via OAuth 2.0. In order to set this up in your Kit account, first you have to create an app and turn on API access.
Once you have turned on API authentication for your app you will be offered 3 settings to configure:
Authorization URL
Redirect URIs
Secure application
The Authorization URL should be a URL on your system that we will link to during app installation so you can initiate OAuth and store the returned access tokens. We will link the user to this URL with a redirect query param, e.g. ?redirect=https://app.kit.com/apps. When the authorization flow is complete, you need to redirect the user back to that provided redirect URL so they can continue their session within the Kit app.
Once a user has logged in or signed up with your service, you will redirect them back to the Kit OAuth server for the creator to grant access to the Kit API for your service. On this request you will specify the callback URI that Kit will reach out to with a temporary authorization code, which you will be able to exchange for an access and refresh token once consent is given by the user.
For security, the value in the redirect_uri property sent to the Kit OAuth server must match one of the Redirect URIs you have set up in the above app configuration screen.
If your app will be used in an insecure location where the client secret can't be kept confidential, such as mobile or single page apps, you will have to turn this setting off. When unchecked, this enforces use of the Proof Key for Code Exchange (PKCE) flow described above.
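The client side of the flow described above, as an added example that is not Kit's own code: generating an S256 PKCE pair for a public app, building the authorization request, checking redirect_uri against the registered Redirect URIs before sending it, and only honouring the ?redirect= parameter when it points back to Kit. The authorization endpoint URL, the registered redirect URI and the client id are placeholders; the page does not give them.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# Placeholder: the Kit OAuth server's authorization endpoint is not given on this page.
KIT_AUTHORIZE_URL = "https://KIT_OAUTH_SERVER/oauth/authorize"
# Constructed example; must equal the "Redirect URIs" registered in the app settings.
REGISTERED_REDIRECT_URIS = {"https://myapp.example/oauth/callback"}
# Hosts the post-install ?redirect= value may send the user back to (the page's example).
ALLOWED_RETURN_HOSTS = {"app.kit.com"}


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method from RFC 7636."""
    if verifier is None:
        verifier = secrets.token_urlsafe(32)  # 43 unreserved characters
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def is_registered_redirect_uri(uri):
    """Exact match only, mirroring the check the Kit OAuth server applies."""
    return uri in REGISTERED_REDIRECT_URIS


def is_safe_return_url(url):
    """Follow the ?redirect= value only if it is an https URL on an allowed Kit host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_RETURN_HOSTS


def build_authorization_url(client_id, redirect_uri, state, code_challenge=None):
    """Authorization Code Grant request; code_challenge is set for public (PKCE) apps."""
    if not is_registered_redirect_uri(redirect_uri):
        raise ValueError("redirect_uri is not one of the registered Redirect URIs")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,  # bind the callback to this browser session
    }
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return KIT_AUTHORIZE_URL + "?" + urlencode(params)
```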
Your app may also include the option to alternatively send creators to your app, or an externally hosted onboarding flow, post signup. This can be configured using the Redirect URL after install field in your app details setting page. An example of this flow can be seen below.
Example redirect flow
Redirect flow settings
API key authentication is the simplest way to access V4 of the API, tailored for programmatic access to your own Kit account for simple account automation, or for pulling account data for deeper external analysis. We do not offer any official support for apps or public integrations that rely upon API keys for authentication; for apps, please follow the OAuth guide below.
We also offer some restrictions when using API keys:
To use API Key authentication, you must first create a V4 API Key. To do this, visit the “Developer” tab in your account settings.
Here:
Click on Add a new key
Give it an internal name
Copy and save the API key for future use
If you have misplaced your API key, you will not be able to retrieve it again and will instead have to reset it from within your “Developer” settings. To reset your key, first click on the “Edit” button on the key you want to update:
Then click on the “Reset” button to re-roll the key to a new value.
Click “Reset” once more to confirm your action.
Your V4 key is now reset. At this point, any script or process that was relying on the previous iteration of the key will fail to authenticate, so you will need to replace it with the new value provided here.
If you no longer need an API Key, you can also delete it by editing the API Key and clicking on “Delete API Key”.
To use V4 API key authentication, pass the key in an X-Kit-Api-Key header when making requests.
For example, the following request will return your account information: