Authentication overview

Amplitude provides mechanisms to authenticate requests to its various APIs, ensuring that only authorized applications and users can send or retrieve data. The primary methods for authentication are API keys and OAuth 2.0. API keys are generally used for direct data ingestion via SDKs or server-side integrations, while OAuth 2.0 is designed for third-party applications or services that need secure, delegated access to Amplitude data without directly handling user credentials. All communication with Amplitude APIs must occur over HTTPS/TLS to protect data in transit, in line with industry-standard security practice for web services (see the TLS 1.3 specification, RFC 8446).

Understanding the appropriate authentication method for your specific use case is crucial for maintaining data security and operational efficiency. For instance, client-side SDKs typically use a public API key for event tracking, while server-side integrations or data export APIs require a more sensitive secret key. OAuth 2.0 provides secure authorization flows in which users grant permissions to applications without exposing their Amplitude login credentials (see the OAuth 2.0 authorization framework, RFC 6749).

Supported authentication methods

Amplitude supports two primary authentication methods tailored for different integration scenarios:

  1. API Keys: These are unique identifiers used to authenticate your project and authorize data ingestion or API calls. Amplitude distinguishes between a Project API Key (often used client-side) and a Secret Key (for server-side operations).
  2. OAuth 2.0: This protocol is used for third-party applications and integrations that require delegated access to Amplitude data on behalf of a user or organization. It provides a secure way to grant limited access without sharing credentials.

The following table summarizes when to use each method and their respective security levels:

Method          | When to use                                                                                                     | Security level
----------------|-----------------------------------------------------------------------------------------------------------------|------------------------------------------------
Project API Key | Client-side SDKs (web, mobile), public data ingestion. Identifies the project.                                  | Moderate (publicly exposed, but limited scope)
Secret Key      | Server-side integrations, data export APIs, sensitive operations. Must be kept confidential.                    | High (requires secure storage and transmission)
OAuth 2.0       | Third-party integrations, applications requiring delegated access, programmatic access to user-specific data.   | High (token-based, scope-limited, revocable)

Getting your credentials

To interact with Amplitude's APIs, you'll need to obtain the necessary credentials from your Amplitude project settings. The process varies slightly depending on whether you need API keys or are setting up an OAuth 2.0 integration.

API Keys

  1. Log in to Amplitude: Access your Amplitude account via the Amplitude website.
  2. Navigate to Project Settings: From your Amplitude workspace, go to the specific project you intend to integrate with. Look for the 'Settings' or 'Project Settings' option, typically found in the navigation menu or project dropdown.
  3. Find API Keys: Within Project Settings, locate the section related to 'API Keys' or 'General Settings'. Here, you will find your unique Project API Key and Secret Key.
  4. Record Credentials: Copy these keys. The Project API Key is generally intended for public-facing client-side SDKs, while the Secret Key should be treated as highly confidential and used only in secure server-side environments. For detailed steps, refer to Amplitude's Project API key guide in the official documentation.

OAuth 2.0 Credentials

Setting up OAuth 2.0 for your application involves registering your application with Amplitude to obtain a Client ID and Client Secret. This process is typically handled through Amplitude's developer portal or specific integration settings:

  1. Access Developer Settings: Within your Amplitude organization or project, look for 'Developer Settings' or 'Integrations' where you can manage applications.
  2. Register New Application: Create a new application entry. You will need to provide details such as your application's name, description, and crucial Redirect URIs. The Redirect URI is where Amplitude will send the user back after they authorize your application.
  3. Obtain Client ID and Client Secret: Upon successful registration, Amplitude will issue a Client ID and a Client Secret for your application. The Client ID is public, but the Client Secret must be kept confidential, similar to an API Secret Key.
  4. Configure Scopes: Define the specific permissions (scopes) your application requires, such as reading events or managing cohorts. This ensures your application only has access to the necessary data.
  5. Implement OAuth Flow: Integrate the OAuth 2.0 Authorization Code Grant flow into your application. This involves directing users to Amplitude for authorization, receiving an authorization code at your Redirect URI, and exchanging that code server-side for an access token and refresh token. For comprehensive guidance, consult Amplitude's OAuth 2.0 guide in the official API documentation.
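The client side of the Authorization Code Grant described in steps 1 to 5, as an added example that is not Amplitude's own code: it builds the authorization redirect with a per-login state value, validates the callback (state check before trusting the code or any error), and prepares the server-side token exchange so the Client Secret never reaches the browser. The endpoint URLs, client values and scope strings are assumed placeholders to be replaced with the ones issued in your Amplitude developer settings.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders (assumed, not Amplitude's real values): substitute the endpoints
# and Client ID issued when you registered the application.
AUTHORIZE_URL = "https://AMPLITUDE_AUTHORIZE_ENDPOINT"
TOKEN_URL = "https://AMPLITUDE_TOKEN_ENDPOINT"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/oauth/callback"  # must match the registered Redirect URI exactly


def begin_authorization(scopes):
    """Return the URL to redirect the user to and the state to keep in their session."""
    state = secrets.token_urlsafe(32)  # unguessable; binds the callback to this login attempt
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),  # request only the scopes the application needs
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params), state


def handle_callback(callback_url, expected_state):
    """Validate the redirect back from Amplitude and return the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means this callback was not started by this session
    # (CSRF or a replayed URL), so nothing in it, not even an error message, is trusted.
    if not secrets.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise PermissionError(f"authorization denied: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_request(code, client_secret):
    """Form body to POST to TOKEN_URL from the server; the secret is never sent to the browser."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # repeated so the server can confirm the same redirect was used
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }
```

The access and refresh tokens returned by the token endpoint should be stored with the same care as a Secret Key, and the code must be exchanged only once.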

Authenticated request example

This example demonstrates how to send an event to Amplitude's HTTP API using a Project API Key and a Secret Key. This is a common pattern for server-side event ingestion, where the Secret Key is sent alongside the event payload to identify the caller as a trusted server rather than a public client.

The following Python example uses the requests library to send an event. Replace YOUR_API_KEY and YOUR_SECRET_KEY with your actual credentials.


import os
import time

import requests

# Read credentials from the environment (see "Security best practices" below);
# the placeholder strings are only a fallback for local experimentation.
AMP_API_KEY = os.environ.get("AMP_API_KEY", "YOUR_API_KEY")
AMP_SECRET_KEY = os.environ.get("AMP_SECRET_KEY", "YOUR_SECRET_KEY")

# Amplitude HTTP V2 API endpoint for event ingestion
AMP_HTTP_API_URL = "https://api2.amplitude.com/2/httpapi"


def send_amplitude_event(user_id, event_type, event_properties=None):
    """Send one event to Amplitude's HTTP V2 API from a server-side process.

    Returns the parsed JSON response on success, or None if the request failed.
    """
    if event_properties is None:
        event_properties = {}

    event = {
        "user_id": user_id,
        "event_type": event_type,
        "event_properties": event_properties,
        "time": int(time.time() * 1000),  # Unix timestamp in milliseconds
    }

    payload = {
        "api_key": AMP_API_KEY,
        "events": [event],
        # This example passes the Secret Key in the request body to mark the call
        # as server-side. Amplitude's HTTP API V2 documentation is authoritative
        # for the exact field name and any signature the endpoint expects.
        "secret": AMP_SECRET_KEY,
    }

    headers = {"Content-Type": "application/json"}

    try:
        # json= serialises the payload; the timeout keeps a stalled connection
        # from blocking the caller indefinitely.
        response = requests.post(AMP_HTTP_API_URL, headers=headers, json=payload, timeout=10)
        response.raise_for_status()  # Raise an exception for HTTP errors (4xx or 5xx)
        result = response.json()
        print(f"Event sent successfully: {result}")
        return result
    except requests.exceptions.RequestException as e:
        # Log the error and the server's reply, never the payload: it holds the Secret Key.
        print(f"Error sending event: {e}")
        if e.response is not None:
            print(f"Response content: {e.response.text}")
        return None


# Example usage:
send_amplitude_event("user123", "Product Purchased", {"product_id": "sku456", "price": 29.99})
send_amplitude_event("user456", "Item Added to Cart", {"item_name": "Laptop"})

This example primarily illustrates the structure for sending events. When using Amplitude's official SDKs, the authentication details are configured once during SDK initialization, so the developer does not assemble the HTTP request by hand. For example, in Python you initialize the SDK with your API key and then call its tracking methods; see the Amplitude SDK quickstart in the official documentation.

Security best practices

Adhering to security best practices is essential when handling Amplitude credentials to protect your data and prevent unauthorized access.

  • Protect Secret Keys: Your Amplitude Secret Key should be treated with the same level of security as a password. Never embed it directly in client-side code (e.g., JavaScript in a web browser, mobile app bundles). Instead, use environment variables, secure configuration management systems, or server-side proxies to manage and apply Secret Keys for server-to-server communication.
  • Use Environment Variables: For server-side applications, store API keys and secrets in environment variables rather than hardcoding them. This prevents them from being accidentally committed to version control systems and makes credential rotation easier.
  • Implement HTTPS/TLS: Always ensure that all communication with Amplitude APIs occurs over HTTPS/TLS. This encrypts data in transit, protecting your API keys and event data from eavesdropping. Amplitude's endpoints enforce HTTPS automatically.
  • Restrict OAuth Scopes: When using OAuth 2.0, request only the minimum necessary permissions (scopes) for your application. This limits the potential impact if your application's access token is compromised.
  • Rotate Credentials Regularly: Periodically rotate your API keys and OAuth client secrets. This reduces the window of opportunity for an attacker to exploit compromised credentials.
  • Monitor API Usage: Regularly review your Amplitude API usage logs for any unusual activity or unexpected spikes in requests, which could indicate unauthorized use of your credentials.
  • Secure Your Development Environment: Ensure that your development machines and CI/CD pipelines are secure and that credentials are not exposed during the development or deployment process.
  • Avoid Public Repositories: Never commit API keys, secret keys, or OAuth client secrets to public code repositories like GitHub. Utilize .gitignore files or equivalent mechanisms to prevent accidental commits.
  • Understand Client-Side vs. Server-Side: Differentiate between the use cases for Project API Keys (client-side, generally public) and Secret Keys (server-side, strictly confidential). Never use a Secret Key directly in client-side code.
  • Review Amplitude's Security Documentation: Stay updated with Amplitude's official security guidelines and recommendations, which are published in the Amplitude Help Center.