There are two options for your application to gain initial authorization access to an Act-On account.
- For integrations that you develop in-house, where you have direct access to user account credentials, we recommend grant type: password.
- For integrations that you develop as a third party, where you can't store user credentials within the application, and/or where you connect to several Act-On accounts, we recommend grant type: code.
Both authorization methods returns an access_token and a refresh_token. The access token is used with all other endpoints to verify your application has been authorized to access that Act-On account. The refresh_token is used only in the grant type: refresh call to the token endpoint. This provides a new pair of access and refresh tokens so that your session can continue uninterrupted.
About the Tokens
Each access_token expires 1 hour after the time it was granted. To continue using Act-On after a session access token expires, you must request a new one using the grant-type: refresh. Each refresh token can only be used once, and lasts either until it is used, or another access token is issued for the same application and username combination.
Password or Code grant types are limited to 5 authentication attempts per hour. Using the refresh token workflow avoids unneeded access token requests and prevents your application from reaching this limit. For more limits details, please see our FAQ.
If you have an Act-On Agency account, please see our Agency Authentication page for details on determining the username and setting the password for your agency's child accounts.
- If you have not yet registered for a client ID and Secret, head to our Provisioning page to sign up.
- Decide whether you will use the Password or Code grant types.