Authentication overview

The Shutterstock API offers programmatic access to its extensive collection of stock photos, videos, music, and 3D models. To ensure secure and authorized interactions, the API primarily employs OAuth 2.0 for delegated authorization. This standard protocol enables applications to obtain limited access to user accounts without exposing user credentials. For specific read-only operations that do not require user context, a direct API key can also be used.

Understanding the authentication flow is critical for developers building integrations. OAuth 2.0 involves a series of steps to obtain an access token, which then authorizes subsequent API requests. This process typically includes registering an application, redirecting users to Shutterstock for consent, and exchanging an authorization code for an access token and a refresh token. The refresh token allows the application to obtain new access tokens without re-prompting the user.

Shutterstock provides detailed API documentation and Software Development Kits (SDKs) to streamline the implementation of these authentication methods across various programming languages, including Python, Java, PHP, Ruby, and Node.js.

Supported authentication methods

The Shutterstock API supports two primary authentication mechanisms, each suited for different use cases and security requirements:

  • OAuth 2.0 Authorization Code Grant Flow: This is the recommended and most secure method for applications that need to access user-specific data, perform actions on behalf of a user (e.g., download licensed content, manage collections), or integrate with features requiring user consent. It involves redirecting the user to Shutterstock to grant permission to the application.
  • API Key Authentication: For simpler, read-only operations that do not require user context or specific user permissions (e.g., searching for images without logging in a user), a direct API key can be used. This method is less secure for write operations or sensitive data access and is generally limited in scope.

The following table summarizes when to use each method and its general security implications:

Method When to Use Security Level
OAuth 2.0 Accessing user-specific data, performing actions on behalf of a user, licensing content, integrating with user accounts. High: Delegated authorization, tokens are short-lived, refresh tokens for renewal.
API Key Public, read-only operations (e.g., anonymous content search, fetching public metadata) where no user context is required. Moderate: Credential is static, generally used for public data access.

Getting your credentials

To interact with the Shutterstock API, you need to obtain the necessary credentials. The process typically begins by registering your application on the Shutterstock developer portal.

For OAuth 2.0

  1. Register your application: Navigate to the Shutterstock developer portal's authentication section. You will need to create a new application, providing details such as your application name, description, and importantly, an authorized redirect URI. This URI is where Shutterstock will redirect the user after they grant or deny consent to your application.
  2. Obtain Client ID and Client Secret: Upon successful registration, Shutterstock will issue a Client ID and a Client Secret. The Client ID is a public identifier for your application, while the Client Secret is a confidential key that must be kept secure.
  3. Configure Redirect URI: Ensure your application's redirect URI is correctly configured in your application settings on the Shutterstock developer portal. This URI must exactly match the URI your application uses in its OAuth flow requests.

For API Key

  1. Generate API Key: Within your developer account settings on the Shutterstock portal, you can generate an API key. This key is a unique string that identifies your application for basic, read-only access.
  2. Keep it Secure: Treat your API key as a sensitive credential. It should not be exposed in client-side code or publicly accessible files.

It is crucial to store your Client Secret and API Key securely, ideally in environment variables or a secure configuration management system, and never hardcode them directly into your application's source code.

Authenticated request example

The following examples illustrate how to make authenticated requests using both OAuth 2.0 access tokens and API keys. These examples typically use an HTTP Authorization header.

OAuth 2.0 authenticated request (using an access token)

After completing the OAuth 2.0 flow and obtaining an access token, you include it in the Authorization header of your API requests. The token is prefixed with Bearer.

curl -X GET \
  'https://api.shutterstock.com/v2/images/search?query=nature' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
  -H 'Content-Type: application/json'

In this example, YOUR_ACCESS_TOKEN is the token obtained after a user has granted your application permission. This token is typically short-lived and should be refreshed using the refresh token when it expires, as detailed in the Shutterstock OAuth 2.0 documentation.

API Key authenticated request

For operations that only require an API key, you include it directly in the Authorization header, prefixed with Client-ID, or sometimes as a query parameter for simpler GET requests (though the header is generally preferred for consistency and security).

curl -X GET \
  'https://api.shutterstock.com/v2/images/search?query=cityscape' \
  -H 'Authorization: Client-ID YOUR_API_KEY' \
  -H 'Content-Type: application/json'

Replace YOUR_API_KEY with the API key generated from your Shutterstock developer account. The use of Client-ID as the prefix for the API key in the Authorization header is a specific implementation detail for the Shutterstock API.

Security best practices

Implementing strong security practices is paramount when integrating with any API, especially when handling sensitive credentials and user data. For Shutterstock API authentication, consider the following best practices:

  • Protect your Client Secret and API Key:
    • Never expose your Client Secret or API Key in client-side code (e.g., JavaScript in a browser).
    • Store these credentials in environment variables, a secrets management service, or a secure configuration file on your server.
    • Avoid committing credentials directly into version control systems like Git. Use .gitignore or similar mechanisms.
  • Use HTTPS exclusively: Always ensure all communication with the Shutterstock API, and your own application's communication, occurs over HTTPS. This encrypts data in transit, preventing eavesdropping and tampering. This is a fundamental principle of security for data in transit.
  • Validate redirect URIs: For OAuth 2.0, strictly validate the redirect URIs. Only allow pre-registered and approved URIs to prevent redirection attacks where an attacker could intercept authorization codes.
  • Securely store access and refresh tokens:
    • Access tokens should be treated as sensitive and short-lived.
    • Refresh tokens, which grant long-term access, must be stored with extreme care. Consider encrypting them at rest in your database.
    • Implement proper token revocation mechanisms if a token is compromised or a user revokes access.
  • Implement proper error handling and logging: Log authentication failures and suspicious activity to monitor for potential security breaches. Ensure error messages do not leak sensitive information.
  • Least privilege principle: Request only the necessary OAuth scopes (permissions) that your application requires. Do not ask for broader access than your application truly needs, minimizing the potential impact of a compromise.
  • Regularly rotate API Keys and Client Secrets: Periodically rotate your API keys and Client Secrets, especially if you suspect they may have been compromised.
  • Stay updated: Keep your SDKs and libraries up to date to benefit from the latest security patches and improvements.