What authentication methods does Customer.io support?

Customer.io primarily supports API keys for server-to-server integrations and OAuth 2.0 for third-party applications requiring delegated access.

How do I get an API key for Customer.io?

You can generate API keys by logging into your Customer.io account, navigating to Workspace Settings, and selecting the 'API Keys' section to create and manage your keys.

Are there different types of API keys in Customer.io?

Yes, Customer.io uses different keys like the App API Key (Track API Key) and Site ID for tracking events, and a Data API Key for broader data management operations.

Is OAuth 2.0 necessary for all Customer.io integrations?

No, OAuth 2.0 is generally used for third-party applications where user consent and granular permissions are needed. For direct server-side integrations, API keys are typically sufficient.

How should I store my Customer.io API keys securely?

API keys should never be hardcoded. Store them in environment variables, secure configuration files, or dedicated secret management services, ensuring they are not exposed in public repositories.

What is the principle of least privilege in Customer.io authentication?

It means granting API keys or OAuth tokens only the minimum necessary permissions required for their specific tasks, avoiding broad access to sensitive data or functions.

Does Customer.io enforce HTTPS for API calls?

Yes, Customer.io's APIs enforce HTTPS for all communications to encrypt data in transit and protect credentials and sensitive information.

Customer.io Authentication: Methods & Security (2026)

Customer.io authentication enables secure access to its API for managing customer data, triggering campaigns, and tracking events. Developers primarily use API keys for server-to-server communication and OAuth 2.0 for third-party applications. Proper credential management and secure practices are essential for maintaining data integrity and system security.

Authentication overview

Customer.io provides mechanisms for authenticating requests to its API, ensuring that only authorized applications and users can interact with customer data and campaign management features. The API is RESTful, supporting operations such as creating and updating customer profiles, tracking events, and sending messages across various channels (Customer.io API reference). Authentication is a prerequisite for nearly all API interactions, safeguarding sensitive customer information and maintaining the integrity of marketing automation workflows.

Developers integrating with Customer.io typically manage authentication through API keys or OAuth 2.0. The choice of method depends on the integration's nature: API keys are suitable for server-side applications and internal tools, while OAuth 2.0 is designed for third-party applications requiring delegated access without directly handling user credentials. Customer.io's API is designed to support various use cases, from syncing customer databases to automating personalized communications (Customer.io documentation).

The system is built to handle high volumes of data and interactions, making secure authentication critical for performance and compliance. Customer.io adheres to compliance standards such as SOC 2 Type II, GDPR, CCPA, and PCI DSS, which further emphasize the importance of robust authentication and authorization practices across all API access points.

Supported authentication methods

Customer.io primarily supports two authentication methods for its API:

API Keys: These are unique identifiers used to authenticate requests. They are typically generated within the Customer.io workspace and can be associated with specific permissions. API keys are suitable for server-to-server communication where an application needs direct, programmatic access to the Customer.io API.
OAuth 2.0: This open standard is designed for delegated authorization, allowing third-party applications to obtain limited access to a user's Customer.io resources without exposing their credentials (OAuth 2.0 specification). OAuth 2.0 is generally preferred for integrations where user consent and granular permission control are necessary, such as when building applications on top of Customer.io for other users.

Here's a comparison of when to use each method:

Authentication Method	When to Use	Security Level
API Keys	Server-side applications, internal scripts, direct integrations where the application owns the credentials.	High (requires secure storage and transmission)
OAuth 2.0	Third-party applications, public client applications, integrations requiring user consent and granular permissions.	High (token-based, scope-limited access)

For most typical integrations involving backend systems interacting with Customer.io, API keys offer a straightforward and effective authentication mechanism. OAuth 2.0 is utilized when building platforms that serve multiple Customer.io users or require a more complex authorization flow.

Getting your credentials

To authenticate with the Customer.io API, you need to generate the appropriate credentials within your Customer.io workspace.

API Keys

API keys are generated and managed within the Customer.io user interface. The process typically involves:

Logging into your Customer.io account.
Navigating to the Workspace Settings.
Selecting API Keys or a similar section.
Generating a new API key. You might be prompted to give it a descriptive name to help with management and revoke access later if needed.
Copying the generated key. It is crucial to store this key securely, as it grants access to your Customer.io data.

Customer.io differentiates between several types of API keys, each with specific purposes:

App API Key (Track API Key): Used for tracking customer events and managing customer profiles (Customer.io API Client setup).
Site ID (Tracking API Site ID): Often paired with the App API Key, this identifies your specific Customer.io workspace.
API Key (Data API Key): Used for more extensive data management, including accessing and manipulating customer data, segments, and campaigns.

Consult the official Customer.io documentation for the exact steps and the most current naming conventions for API keys (Customer.io API authentication details).

OAuth 2.0

For OAuth 2.0 implementations, you typically register your application with Customer.io as an OAuth client. This process involves:

Registering your application: Provide details such as application name, redirect URIs, and a description.
Obtaining a Client ID and Client Secret: These credentials identify your application to Customer.io's authorization server.
Implementing the OAuth flow: Your application will guide users through an authorization process, where they grant permission for your application to access their Customer.io data. Upon successful authorization, your application receives an access token, which is then used to make API requests on behalf of the user (Mozilla OAuth 2.0 authorization flow).

The specifics of OAuth 2.0 setup, including scopes and redirect URIs, are detailed in the Customer.io developer documentation for third-party integrations.

Authenticated request example

When using API keys, requests to the Customer.io API typically include the API key in the request headers or body, depending on the endpoint. For the Track API, the API key and Site ID are often included as part of the payload. For the Data API, an API key is usually sent as a Bearer token in the Authorization header.

Example: Track API (Curl)

To track an event for a customer, you might use your App API Key (also known as a Track API Key) and Site ID:

curl -X POST "https://track.customer.io/api/v1/customers/<customer_id>/events" \
  -u "<YOUR_SITE_ID>:<YOUR_APP_API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{"name":"product_viewed", "data":{"product_id":"P123"}}'

Replace <customer_id>, <YOUR_SITE_ID>, and <YOUR_APP_API_KEY> with your actual values.

Example: Data API (Curl)

To retrieve information about a customer using the Data API, you would typically use your Data API Key as a Bearer token:

curl -X GET "https://api.customer.io/v1/customers/<customer_id>" \
  -H "Authorization: Bearer <YOUR_DATA_API_KEY>" \
  -H "Content-Type: application/json"

Replace <customer_id> and <YOUR_DATA_API_KEY> with your actual values.

Customer.io provides SDKs in several languages, including Ruby, Python, Node.js, PHP, Go, and Java, which abstract these HTTP requests, making authentication simpler within application code (Customer.io Client Libraries).

Security best practices

Implementing secure authentication practices is paramount when working with sensitive customer data via the Customer.io API. Adhering to these best practices helps mitigate risks and maintain data integrity:

Use HTTPS for all API interactions: Ensure all communications with the Customer.io API occur over HTTPS. This encrypts data in transit, protecting API keys and sensitive customer information from interception (Cloudflare HTTPS explanation). Customer.io's APIs enforce HTTPS by default.
Store API keys securely: Never hardcode API keys directly into your application's source code. Instead, use environment variables, secret management services (e.g., AWS Secrets Manager, Google Secret Manager), or secure configuration files. Access controls should limit who can retrieve these secrets.
Implement the principle of least privilege: Grant API keys and OAuth tokens only the necessary permissions required for their intended function. Avoid using a single API key with broad permissions for all operations. If Customer.io offers scoped API keys, utilize them to restrict access.
Regularly rotate API keys: Periodically generate new API keys and revoke old ones. This practice reduces the window of exposure if a key is compromised. Automated rotation mechanisms are ideal for large-scale deployments.
Monitor API usage: Keep an eye on API access logs and usage patterns for any unusual activity. Anomalies could indicate unauthorized access or misuse of credentials. Customer.io may provide logging or audit trails for this purpose.
Protect your OAuth Client Secret: If using OAuth 2.0, treat your Client Secret with the same level of security as an API key. It should never be exposed in client-side code or public repositories.
Validate redirect URIs (for OAuth): For OAuth 2.0, ensure that your registered redirect URIs are specific and secure. Only allow redirection to trusted URLs to prevent authorization code interception attacks.
Error handling: Implement robust error handling for authentication failures without revealing excessive information that could aid an attacker. Generic error messages are preferred over detailed ones that might expose system specifics.
Stay updated: Regularly review Customer.io's security advisories and update your integration to use the latest recommended authentication methods and security features.

By following these guidelines, developers can establish a robust security posture for their Customer.io integrations, protecting both their applications and their customer's data.

Customer.io Authentication: Methods & Security (2026)

Authentication overview

Supported authentication methods

Getting your credentials

API Keys

OAuth 2.0

Authenticated request example

Example: Track API (Curl)

Example: Data API (Curl)

Security best practices

Frequently asked questions

Reviews

Discussion

Written by

Authentication overview

Supported authentication methods

Getting your credentials

API Keys

OAuth 2.0

Authenticated request example

Example: Track API (Curl)

Example: Data API (Curl)

Security best practices

Related

Frequently asked questions

Reviews

Discussion

Written by