Everything an AI agent can do with the Keap API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints33

API versionv2

Last updated23 June 2026

Orientation

How the Keap API works.

The Keap API is how an app or AI agent works with a Keap account: reading and creating contacts, applying tags that drive automation, tracking sales opportunities through a pipeline, and creating orders, products, and recurring subscriptions. Access is granted through an OAuth access token, and that token carries a single broad scope named full, so it can read and write every area the connected user can reach, with no narrower per-endpoint permission to request. Keap can also push events to a subscribed receiver when a record changes, so an app learns of activity without polling.

33Endpoints

9Capability groups

12Read

21Write

0Permissions

Authentication

Keap uses OAuth 2.0, and it is required for any marketplace integration. A user authorizes the app, which receives an access token sent as 'Authorization: Bearer ', plus a refresh token used to obtain a new access token once the old one expires. A service account key, or Personal Access Token, is an alternative long-lived Bearer token for single-account scripts, and it replaces the older Legacy API keys that Keap is retiring.

Permissions

Keap OAuth grants exactly one scope, named 'full'. There is no narrower, per-endpoint or per-resource permission to request: a token can read and write every area the connected user can reach, from contacts and tags to orders and payments. Because the API itself offers no scoping, all of the boundary has to come from outside it, from whatever sits between the agent and Keap.

Versioning

Keap runs two REST generations side by side. The v1 surface is the original REST API, and the v2 surface is newer and still gaining endpoints as Keap migrates features off its legacy XML-RPC API, which is scheduled to be retired at the end of 2026. Both REST versions share the same OAuth token, and an integration should prefer v2 for new work while using v1 for the few areas v2 does not yet cover, such as REST Hook management.

Data model

The API is resource-oriented JSON over HTTPS under https://api.infusionsoft.com/crm/rest, with the version segment v1 or v2 next in the path. Contacts are the central record, with tags applied to them to drive segmentation and automation, while companies, opportunities, orders, products, subscriptions, notes, and tasks each have their own endpoints. REST Hooks push events like a contact being added so an app learns of changes without polling.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Keap determines what it can reach. The main route is the REST API, and Keap can also push events to a registered receiver, with each route governed by the access token behind it.

Ways to connect

REST API v2

The newer REST surface answers under https://api.infusionsoft.com/crm/rest/v2. It is the recommended target for new work and is still gaining endpoints as Keap moves features off the older XML-RPC API.

Best forConnecting an app or AI agent to Keap.

Governed byThe OAuth access token, which carries the single 'full' scope.

Docs ↗

REST API v1

The original REST surface answers under https://api.infusionsoft.com/crm/rest/v1. It still hosts a few areas v2 does not, including REST Hook subscription management, and shares the same OAuth token as v2.

Best forConnecting an app or AI agent to Keap.

Governed byThe OAuth access token, which carries the single 'full' scope.

Docs ↗

REST Hooks

REST Hooks deliver events to a receiver URL that has subscribed to a named event, like contact.add or contactGroup.applied. A subscription starts inactive and must be verified before Keap posts events to it.

Best forConnecting an app or AI agent to Keap.

Governed byThe OAuth access token, which carries the single 'full' scope.

Docs ↗

Authentication

OAuth 2.0

OAuth 2.0 is the standard and required way to connect to Keap. A user authorizes the app, which receives an access token, sent as 'Authorization: Bearer ', and a refresh token that returns a new access token after the old one expires. Keap grants only one scope, named 'full', so a token reaches every resource the user can, with no narrower per-endpoint option.

TokenOAuth access token (Bearer)

Best forAll app and AI agent access to Keap

Docs ↗

Service account key (Personal Access Token)

A service account key, also called a Personal Access Token, is a long-lived token tied to one Keap user and sent the same way as a Bearer token. It suits a single-account internal script rather than a marketplace integration, and carries lower rate limits than an OAuth token. Keap's older Legacy API keys are being retired in its favour.

TokenPersonal Access Token (Bearer)

Best forSingle-account internal scripts

Docs ↗

Capability map

What an AI agent can do in Keap.

The Keap API is split into areas an agent can act on, like contacts, tags, sales pipelines, and ecommerce orders. Each area has its own methods, and writes in the ecommerce area create real orders and charge real payments.

Contacts

5 endpoints

List, retrieve, create, update, and delete contacts, the people and records at the centre of a Keap account.

Writes here change real contact data, including deleting people from the account.

View endpoints →

Companies

3 endpoints

List, retrieve, create, and update company records, and read which companies carry a given tag.

Writes here change real company data.

View endpoints →

Opportunities & pipeline

4 endpoints

List, retrieve, create, update, and delete sales opportunities, and read or change the stages of the sales pipeline.

Writes here change real pipeline and forecast data.

View endpoints →

Orders, products & payments

5 endpoints

List and create orders and products, add line items, and record payments against an order.

Writes here create real orders and charge real payments.

View endpoints →

Subscriptions

3 endpoints

List, retrieve, create, and cancel recurring subscriptions tied to a contact and a subscription plan.

Writes here start, change, or stop recurring billing.

View endpoints →

Campaigns & automation

3 endpoints

List campaigns, read their sequences, and add or remove contacts from a campaign sequence, plus achieve an automation goal.

Adding a contact to a sequence can immediately begin sending automated messages.

View endpoints →

Emails, notes & tasks

4 endpoints

Send and record emails, list and create notes, and create or update tasks against a contact.

Sending an email delivers a real message to a real recipient.

View endpoints →

REST Hooks

2 endpoints

List, create, verify, and delete REST Hook subscriptions so an app is notified when records change.

Writes here change which events are pushed to a receiver URL.

View endpoints →

Endpoint reference

Every Keap API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Contacts List, retrieve, create, update, and delete contacts, the people and records at the centre of a Keap account.5
GET	`/v2/contacts`	List contacts, with filtering and field selection.	read	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. The base path is https://api.infusionsoft.com/crm/rest. Acts oncontact Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/contacts/{contact_id}`	Retrieve a single contact by id.	read	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts oncontact Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/contacts`	Create a contact.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. v1 also offers PUT /v1/contacts to create or update by a duplicate-matching rule. Acts oncontact Permission (capability)None required VersionAvailable since the API’s base version Webhook event`contact-add` Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/v2/contacts/{contact_id}`	Update a contact's fields.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts oncontact Permission (capability)None required VersionAvailable since the API’s base version Webhook event`contact-edit` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/contacts/{contact_id}`	Delete a contact.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Deletion removes the person and their history from the account. Acts oncontact Permission (capability)None required VersionAvailable since the API’s base version Webhook event`contact-delete` Rate limitStandard limits apply SourceOfficial documentation ↗
Tags List and create tags, and apply or remove a tag from one or many contacts, which is how Keap segments people and triggers automation.4
GET	`/v2/tags`	List tags defined in the account.	read	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts ontag Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/tags`	Create a tag.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts ontag Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/tags/{tag_id}/contacts:applyTags`	Apply a tag to one or more contacts.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Applying a tag is the usual way to start a Keap automation, so it can have side effects beyond labelling. The v1 equivalent is POST /v1/contacts/{contactId}/tags. Acts ontag Permission (capability)None required VersionAvailable since the API’s base version Webhook event`contactGroup-applied` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/tags/{tag_id}/contacts:removeTags`	Remove a tag from one or more contacts.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. The v1 equivalent is DELETE /v1/contacts/{contactId}/tags/{tagId}. Acts ontag Permission (capability)None required VersionAvailable since the API’s base version Webhook event`contactGroup-removed` Rate limitStandard limits apply SourceOfficial documentation ↗
Companies List, retrieve, create, and update company records, and read which companies carry a given tag.3
GET	`/v2/companies`	List companies.	read	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts oncompany Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/companies`	Create a company.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts oncompany Permission (capability)None required VersionAvailable since the API’s base version Webhook event`company-add` Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/v2/companies/{company_id}`	Update a company.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts oncompany Permission (capability)None required VersionAvailable since the API’s base version Webhook event`company-edit` Rate limitStandard limits apply SourceOfficial documentation ↗
Opportunities & pipeline List, retrieve, create, update, and delete sales opportunities, and read or change the stages of the sales pipeline.4
GET	`/v2/opportunities`	List sales opportunities.	read	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts onopportunity Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/opportunities`	Create an opportunity.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts onopportunity Permission (capability)None required VersionAvailable since the API’s base version Webhook event`opportunity-add` Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/v2/opportunities/{opportunity_id}`	Update an opportunity, including moving it to another pipeline stage.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts onopportunity Permission (capability)None required VersionAvailable since the API’s base version Webhook event`opportunity-edit` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/opportunities/stages`	List the stages of the opportunity pipeline.	read	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts onopportunity stage Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Orders, products & payments List and create orders and products, add line items, and record payments against an order.5
GET	`/v2/orders`	List ecommerce orders.	read	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts onorder Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/orders`	Create an order.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Creating an order can generate an invoice and, with a payment, charge a real card. Acts onorder Permission (capability)None required VersionAvailable since the API’s base version Webhook event`order-add` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/orders/{order_id}/payments`	Record or take a payment against an order.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. This can charge a real payment method. Acts onpayment Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/products`	List products.	read	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts onproduct Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/products`	Create a product.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts onproduct Permission (capability)None required VersionAvailable since the API’s base version Webhook event`product-add` Rate limitStandard limits apply SourceOfficial documentation ↗
Subscriptions List, retrieve, create, and cancel recurring subscriptions tied to a contact and a subscription plan.3
GET	`/v2/subscriptions`	List recurring subscriptions.	read	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts onsubscription Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/subscriptions`	Create a recurring subscription for a contact.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. This starts recurring billing. Acts onsubscription Permission (capability)None required VersionAvailable since the API’s base version Webhook event`subscription-add` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/subscriptions/{subscription_id}:deactivate`	Cancel an active subscription.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. This stops future recurring charges. Acts onsubscription Permission (capability)None required VersionAvailable since the API’s base version Webhook event`subscription-edit` Rate limitStandard limits apply SourceOfficial documentation ↗
Campaigns & automation List campaigns, read their sequences, and add or remove contacts from a campaign sequence, plus achieve an automation goal.3
GET	`/v2/campaigns`	List campaigns.	read	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts oncampaign Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/campaigns/{campaign_id}/sequences/{sequence_id}:addContacts`	Add one or more contacts to a campaign sequence.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Adding a contact to a sequence can immediately begin automated emails and other steps. The v1 equivalent is POST /v1/campaigns/{campaignId}/sequences/{sequenceId}/contacts. Acts oncampaign sequence Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/campaigns/{campaign_id}/sequences/{sequence_id}:removeContacts`	Remove one or more contacts from a campaign sequence.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts oncampaign sequence Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Emails, notes & tasks Send and record emails, list and create notes, and create or update tasks against a contact.4
POST	`/v2/emails:send`	Send an email to a contact and record it.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. This delivers a real message to a real recipient. The v1 equivalent is POST /v1/emails/queue. Acts onemail Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/emails`	List recorded emails.	read	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts onemail Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/contacts/{contact_id}/notes`	Create a note on a contact.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts onnote Permission (capability)None required VersionAvailable since the API’s base version Webhook event`note-add` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/tasks`	Create a task.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. Acts ontask Permission (capability)None required VersionAvailable since the API’s base version Webhook event`task-add` Rate limitStandard limits apply SourceOfficial documentation ↗
REST Hooks List, create, verify, and delete REST Hook subscriptions so an app is notified when records change.2
GET	`/v1/hooks`	List the REST Hook subscriptions stored for the application.	read	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. REST Hook management lives on the v1 surface. Acts onhook subscription Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v1/hooks`	Create a REST Hook subscription for a chosen event, then verify it.	write	—	Current
Keap OAuth grants a single 'full' scope, so there is no narrower per-endpoint permission. A new subscription starts inactive and must be confirmed at POST /v1/hooks/{key}/verify before events flow. Acts onhook subscription Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Keap can notify an app or AI agent when something changes in an account, like a contact being added or a tag being applied, instead of the app repeatedly asking. Keap calls these REST Hooks: a receiver subscribes to a named event, and Keap posts a payload listing the changed records when that event fires.

Event	What it signals	Triggered by
`contact.add`	Fires when a contact is created in the account.	`/v2/contacts`
`contact.edit`	Fires when a contact's details are changed.	`/v2/contacts/{contact_id}`
`contact.delete`	Fires when a contact is deleted.	`/v2/contacts/{contact_id}`
`contactGroup.applied`	Fires when a tag is applied to a contact.	`/v2/tags/{tag_id}/contacts:applyTags`
`contactGroup.removed`	Fires when a tag is removed from a contact.	`/v2/tags/{tag_id}/contacts:removeTags`
`company.add`	Fires when a company record is created.	`/v2/companies`
`company.edit`	Fires when a company record is changed.	`/v2/companies/{company_id}`
`opportunity.add`	Fires when an opportunity is created.	`/v2/opportunities`
`opportunity.edit`	Fires when an opportunity is changed, including a stage move.	`/v2/opportunities/{opportunity_id}`
`order.add`	Fires when an order is created.	`/v2/orders`
`product.add`	Fires when a product is created.	`/v2/products`
`subscription.add`	Fires when a recurring subscription is created.	`/v2/subscriptions`
`subscription.edit`	Fires when a subscription is changed, including being cancelled.	`/v2/subscriptions/{subscription_id}:deactivate`
`note.add`	Fires when a note is created.	`/v2/contacts/{contact_id}/notes`
`task.add`	Fires when a task is created.	`/v2/tasks`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Keap limits how fast and how much an app or AI agent can call, through a per-minute query rate and a daily query quota that depend on the kind of token, plus a per-second spike ceiling on bursts.

Request rate

Keap limits how fast and how much an app can call, with limits that depend on the kind of token. An OAuth access token gets 1,500 queries per minute and 150,000 queries per day, where the daily quota resets at midnight UTC. A service account key, also called a Personal Access Token, gets 10 queries per second, 240 queries per minute, and 30,000 queries per day. On top of the per-minute rate, a spike-protection policy caps short bursts at about 25 calls per second by default. Every response carries x-keap-tenant-throttle-available and x-keap-product-quota-available headers reporting how much of the throttle and quota remain, and going over returns HTTP 429.

Pagination

List endpoints page through results. The v1 surface uses offset paging through limit and offset parameters, while the v2 surface uses cursor paging, returning a next page token to pass back on the following request. Page sizes are capped per endpoint.

Request size

Requests and responses are JSON. A single REST Hook delivery lists at most 1,000 changed records, and larger result sets are split across pages rather than returned at once.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
400	`Bad Request`	The request was malformed or a field failed validation.	Correct the request body or parameters named in the response and resend.
401	`Unauthorized`	The access token is missing, invalid, or expired.	Refresh the access token with the refresh token, then retry with a valid Bearer token.
403	`Forbidden`	The token is valid but the account or user is not permitted to perform the action.	Confirm the connected user has the right access in Keap for this action.
404	`Not Found`	The requested record or path does not exist.	Check the id and the path, then retry.
409	`Conflict`	The request conflicts with the current state of the record, such as a duplicate.	Refetch the current state, resolve the conflict, then retry.
429	`Too Many Requests`	A rate limit was exceeded, either the per-minute query rate, the daily quota, or the per-second spike ceiling.	Slow down using the x-keap-tenant-throttle-available and x-keap-product-quota-available headers, then retry after a pause.
500	`Internal Server Error`	An unexpected error occurred on Keap's side.	Retry after a short delay, and contact Keap support if it persists.

Versioning & freshness

Version history.

Keap runs two REST API generations side by side. The older v1 surface and the newer, still-growing v2 surface coexist, while the original XML-RPC API is being retired.

Version history

What changed, and when

Latest versionv2

v2Current version

REST API v2 (current, still growing)

REST API v2 is the newer REST surface, answering under the /rest/v2 path and sharing the same OAuth token as v1. Keap has been adding endpoints to it to reach feature parity with the legacy XML-RPC API ahead of that API's retirement, reporting parity reached around October 2025. It is the recommended target for new integrations.

What changed

Newer REST surface for contacts, tags, companies, opportunities, ecommerce, subscriptions, automation, and more
Cursor-based pagination, in place of the offset paging used by v1
Brought to feature parity with the legacy XML-RPC API to support migration

REST API v1 (original REST surface)

REST API v1 is the original RESTful API, answering under the /rest/v1 path. It uses OAuth 2.0, offers roughly half the call volume of the equivalent XML-RPC work, and still hosts a few areas v2 does not, including REST Hook subscription management.

What changed

Original REST surface with OAuth 2.0 and offset pagination
Hosts REST Hook subscription management used by both REST generations

2024-10

Legacy API keys retired

Keap announced the retirement of its older Legacy API keys, directing developers to OAuth 2.0 or a service account key (Personal Access Token) instead. This was the start of a broader move toward OAuth-only access.

What changed

Legacy API keys deprecated in favour of OAuth 2.0 and service account keys

2026-12

Legacy XML-RPC API sunset

Keap scheduled the final retirement of its legacy XML-RPC API for the end of 2026, with brownouts through the year to help integrations find remaining dependencies. REST v2 is the migration target, brought to feature parity with XML-RPC so integrations can move before the sunset.

What changed

XML-RPC API scheduled for final sunset at the end of 2026
Scheduled brownouts during 2026 to surface remaining XML-RPC dependencies
REST v2 brought to feature parity with XML-RPC as the migration path

An integration can call v1 and v2 endpoints from the same access token, and should prefer v2 for new work.

Keap developer announcements ↗

Questions

Keap API, answered.

Can I still use an API key?+

OAuth 2.0 is the standard for the Keap API and is required for any marketplace listing. Keap's older Legacy API keys are being retired, and the recommended replacement for a single-account script is a service account key, also called a Personal Access Token, which is sent as a Bearer token like an OAuth token. New integrations should use OAuth 2.0.

What scopes does the Keap API have?+

Keap grants a single OAuth scope, named 'full'. There is no way to request a narrower or read-only token through the API, so a granted token can read and write every area the connected user can reach, including contacts, tags, orders, and payments. Any tighter boundary has to be enforced outside Keap, by whatever sits between an agent and the API.

What is the difference between REST v1 and REST v2?+

v1 is the original REST API and v2 is the newer surface that Keap is still building out as it moves features off the legacy XML-RPC API. The two share the same OAuth token and can be called together. v2 is the better target for new work, but a few areas, such as REST Hook subscription management, still live on v1, so most integrations use a mix.

What are the rate limits?+

An OAuth access token gets 1,500 queries per minute and 150,000 per day, with the daily quota resetting at midnight UTC. A service account key gets 10 queries per second, 240 per minute, and 30,000 per day. A separate spike-protection policy caps bursts at around 25 calls per second. The x-keap-tenant-throttle-available and x-keap-product-quota-available response headers report how much remains, and exceeding a limit returns HTTP 429.

How do I receive events instead of polling?+

Keap uses REST Hooks. An app subscribes a receiver URL to a named event, such as contact.add, contact.edit, contactGroup.applied, opportunity.add, or order.add, by creating a hook and then verifying it. Once active, Keap posts a payload listing the changed records, up to 1,000 per delivery, when that event fires. Subscriptions are managed on the v1 surface.

Is the XML-RPC API still available?+

The legacy XML-RPC API still works but is being retired, with a final sunset at the end of 2026 and scheduled brownouts during the year to surface remaining dependencies. New work should use REST v2, which Keap has been bringing to feature parity with XML-RPC so integrations can migrate before the sunset.

What is Bollard AI?

Control what every AI agent can do in Keap.

Bollard AI sits between a team's AI agents and Keap. Grant each agent exactly the access it needs, read or write, resource by resource, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Keap token.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Keap access in Bollard Browse all APIs →

Keap

CRM Agent

Read contacts ResourceOffReadFull use

Apply tags ActionOffReadFull use

Create orders and charge payments ActionOffReadFull use

Per-agent access, set in Bollard AI, not in Keap

How the Keap API works.

Connection & authentication methods.

REST API v2

REST API v1

REST Hooks

OAuth 2.0

Service account key (Personal Access Token)

What an AI agent can do in Keap.

Contacts

Tags

Companies

Opportunities & pipeline

Orders, products & payments

Subscriptions

Campaigns & automation

Emails, notes & tasks

REST Hooks

Every Keap API method.

Contacts

Tags

Companies

Opportunities & pipeline

Orders, products & payments

Subscriptions

Campaigns & automation

Emails, notes & tasks

REST Hooks

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Keap API, answered.

More crm API guides for agents

Freshsales

Pipedrive

Insightly

Close

Copper

Nutshell

Control what every AI agent can do in Keap.