Mechanisms for API Permissions Control

Can you control permissions when using the old application API key?

Does the new OAuth2 authentication system use the permissions of the authenticated user (i.e. who accepted the OAuth2 flow)?

Knowing whether the API key allows the behaviour is important even if the new OAuth2 system provides this level of control.

Hi @Dylan_Lester, the Legacy API key is not associated with any user and essentially gives full administrative access to integrating applications.

The OAuth2 flow ties the access token to the user that provided authorization so whatever permission level that user has will be what the access token will have permission to do. This is largely controlled by the permission settings under Admin > Users > Edit Permissions.

Hi @Nicholas_Trecina, thank you for the excellent reply. That answers my questions.

You’re welcome!

@Nicholas_Trecina I stumbled across this topic when searching for API permissions. I was wondering if in the meanwhile there is a solution to let the user log in to their account on Infusionsoft and then take actions on behalf of that user using the API?

I don’t fully understand your question, but using the OAuth 2.0 Authorization Code grant allows an API developer to get access to a user’s account if they first log in and authorize your application. Hopefully I am understanding you correctly.

https://developer.infusionsoft.com/authentication/#request-permission
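The Authorization Code grant described in the two replies above (the user logs in and approves, the application receives a code on its redirect URI, and the code is exchanged for an access token that carries that user's permissions), as an added example that is not part of the original thread or Infusionsoft's own SDK. The authorize/token endpoint URLs, the `full` scope and the shape of the token response are assumptions for illustration; check them against the linked developer documentation before use. The HTTP POST is injected so the flow can be exercised offline against a constructed token endpoint.

```python
"""OAuth 2.0 Authorization Code grant client (added example, not vendor code)."""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint URLs and scope are assumptions for illustration; confirm them
# against the vendor's documentation before relying on them.
AUTHORIZE_URL = "https://signin.infusionsoft.com/app/oauth/authorize"
TOKEN_URL = "https://api.infusionsoft.com/token"


def generate_state() -> str:
    """Unguessable per-request value that binds the callback to this browser session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, scope, state):
    """Step 1: the URL the user is sent to in order to log in and approve access."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: pull the one-time authorization code out of the redirect back to us.

    The callback is rejected unless `state` matches the value stored before the
    user was redirected away. Without this check an attacker can complete the
    flow with their own code, binding their account to the victim's session.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(query["error"][0])
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF, discard this callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def exchange_code(code, client_id, client_secret, redirect_uri, post):
    """Step 3: trade the code for tokens at the token endpoint.

    `post(url, form_dict) -> (status, body_str)` is injected so the flow can run
    offline; in production wrap requests/urllib. The redirect_uri must match the
    one used in step 1 or a conforming server rejects the exchange.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }
    status, body = post(TOKEN_URL, form)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {body}")
    tokens = json.loads(body)
    if tokens.get("token_type", "").lower() != "bearer" or "access_token" not in tokens:
        raise RuntimeError("unexpected token response")
    return tokens


def bearer_headers(access_token):
    """Header for subsequent API calls; the token acts with the authorizing user's permissions."""
    return {"Authorization": f"Bearer {access_token}"}


# --- Constructed, offline stand-in for the token endpoint (demo only) -------
def fake_token_endpoint(url, form):
    """Mimics a token endpoint: rejects bad grants, issues a bearer token otherwise."""
    if url != TOKEN_URL or form.get("grant_type") != "authorization_code":
        return 400, json.dumps({"error": "invalid_request"})
    if form.get("code") != "demo-code-123" or form.get("client_secret") != "demo-secret":
        return 401, json.dumps({"error": "invalid_grant"})
    return 200, json.dumps({"access_token": "demo-access-token",
                            "refresh_token": "demo-refresh-token",
                            "token_type": "bearer", "expires_in": 86400})


def run_demo():
    """Walk the grant end to end using the constructed endpoint and callback."""
    client_id, client_secret = "demo-client", "demo-secret"
    redirect_uri = "https://example.com/oauth/callback"
    state = generate_state()
    url = build_authorize_url(client_id, redirect_uri, "full", state)
    # The user would log in and approve at `url`; the provider then redirects
    # to redirect_uri. Constructed callback standing in for that redirect:
    callback = f"{redirect_uri}?code=demo-code-123&state={state}"
    code = parse_callback(callback, state)
    tokens = exchange_code(code, client_id, client_secret, redirect_uri, fake_token_endpoint)
    return bearer_headers(tokens["access_token"])


if __name__ == "__main__":
    print(run_demo())
```

The `state` check is the part most often skipped in hand-rolled clients; keep the stored value server-side (session) and compare with a constant-time comparison as above. Because the resulting token only does what the approving user can do, a user whose permissions are trimmed under Admin > Users > Edit Permissions will hand your integration a correspondingly limited token, which is the control the Legacy API key does not offer.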

@bradb thanks for your reply, I was confused but it looks like I have it working now!
