Prerequisites

Retrieving and Using an App Access Token

While many API endpoints require a user access token to perform actions on behalf of a user, some (like unenrolling a user from a promotion) require an App Access Token.

1. Get your Client ID and Client Secret

You can find your Client ID and Client Secret in the Zapier Developer Platform under Embed > Settings > Credentials.
Your application’s Client ID and Client Secret are only available after you’ve published your app as a public integration in Zapier’s App Directory.
Regenerating your client secret will invalidate any previous secret.

2. Determine which OAuth scopes are required for your use case

The various endpoints of the Zapier Workflow API require different OAuth scopes. Information on specific scopes required is included within the API reference for each endpoint.

3. Retrieve the App Access Token

The final step is to exchange the client credentials for an access token that can be used to make authorized requests to the Zapier Workflow API. You make the exchange with a POST request to Zapier’s token endpoint, https://zapier.com/oauth/token/. Below is an example of a request that can be used to do the exchange.
curl -v -u {CLIENT_ID}:{CLIENT_SECRET} \
-H "Content-Type: multipart/form-data" \
-F grant_type=client_credentials \
-F scope="{SCOPE}" \
https://zapier.com/oauth/token/
Parameter: Meaning
CLIENT_ID: This will be the same client ID that you retrieved in step #1.
CLIENT_SECRET: This is a secret known only to your application and the authorization server. It will be the client secret that you retrieved in step #1.
SCOPE: This is the one or more scope(s) needed from step #2, separated by spaces.
Note that, in addition to client ID and secret being passed as a Basic Authentication header as above, they can be passed as part of the body, using the keys client_id and client_secret. You’ll receive a response that looks like this:
HTTP/1.1 200 OK
Content-Type: multipart/form-data
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "jk8s9dGJK39JKD93jkd03JD",
  "expires_in": 36000,
  "token_type": "Bearer",
  "scope": "promotions:read promotions:write"
}
This response contains the access_token that you’ll use to make API requests on your app’s behalf.
The access token MUST be stored securely on your server, to protect your app’s security and your users’ privacy. It MAY NOT be used in browser (frontend) requests.

4. Using the access token

The access token should be passed with requests as an Authorization header. For example:
Authorization: Bearer jk8s9dGJK39JKD93jkd03JD
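
A server-side example of steps 3 and 4, added here and not taken from Zapier's documentation: it performs the client-credentials exchange against the token endpoint above, keeps the token in memory only, and requests a new one shortly before expires_in elapses. The names AppTokenCache and build_token_request, the environment variables ZAPIER_CLIENT_ID and ZAPIER_CLIENT_SECRET, and the 60-second refresh margin are assumptions.

```python
import base64, json, os, time, urllib.request, uuid

TOKEN_URL = "https://zapier.com/oauth/token/"  # token endpoint given on this page

def build_token_request(client_id, client_secret, scope):
    """Return (headers, body) for the exchange, sent as multipart/form-data like the curl call."""
    boundary = uuid.uuid4().hex
    fields = {"grant_type": "client_credentials", "scope": scope}
    parts = "".join(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
        for k, v in fields.items())
    body = (parts + f"--{boundary}--\r\n").encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": f"multipart/form-data; boundary={boundary}"}
    return headers, body

def _post(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class AppTokenCache:
    """Holds the app access token in server memory and refreshes it before expiry."""
    def __init__(self, client_id, client_secret, scope,
                 post=_post, clock=time.monotonic, skew=60):
        self._creds = (client_id, client_secret, scope)
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def __repr__(self):  # keep the secret and token out of logs and tracebacks
        return "<AppTokenCache (credentials redacted)>"

    def auth_header(self):
        """Return the Authorization header for an API call, exchanging credentials if needed."""
        if self._token is None or self._clock() >= self._expires_at:
            headers, body = build_token_request(*self._creds)
            data = self._post(TOKEN_URL, headers, body)
            if str(data.get("token_type", "")).lower() != "bearer" or not data.get("access_token"):
                raise ValueError("unexpected token response")
            self._token = data["access_token"]
            self._expires_at = self._clock() + max(0, int(data["expires_in"]) - self._skew)
        return {"Authorization": f"Bearer {self._token}"}

if __name__ == "__main__":
    # Assumed variable names; the scopes are the ones in the sample response above.
    cache = AppTokenCache(os.environ["ZAPIER_CLIENT_ID"], os.environ["ZAPIER_CLIENT_SECRET"],
                          "promotions:read promotions:write")
    print(sorted(cache.auth_header()))  # prints the header name only, never the token
```
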