Getting started overview

Integrating with the Shutterstock API enables programmatic access to its catalog of stock images, videos, and music, as well as tools for content management. The process typically involves creating a developer account, registering an application to obtain API credentials, and then using these credentials to authenticate requests. Shutterstock uses OAuth 2.0 for authentication, which is an industry-standard protocol designed for secure delegated access. This guide outlines the steps to get an application set up and make an initial API call.

Before beginning, it is beneficial to understand the core components of OAuth 2.0, which include client IDs, client secrets, access tokens, and refresh tokens. OAuth 2.0 provides a secure method for applications to obtain limited access to user data without sharing user credentials directly. For a detailed explanation of the protocol, refer to the OAuth 2.0 specification.

The following table summarizes the key steps involved in getting started with the Shutterstock API:

Step What to Do Where
1. Create Account Register for a Shutterstock developer account. Shutterstock Developer Portal
2. Create Application Register a new application to generate API keys (Client ID and Client Secret). Developer Portal Dashboard
3. Authenticate Obtain an OAuth 2.0 access token using your application keys. Via API call to Shutterstock's authorization server
4. Make Request Execute a sample API call to the Shutterstock API with the access token. Using cURL or an SDK in your preferred language

Create an account and get keys

To begin, navigate to the Shutterstock Developer Portal. If you do not have a Shutterstock account, you will need to create one. This account will serve as your developer account. Once logged in, you will access your developer dashboard.

Within the developer dashboard, locate the option to create a new application or manage existing applications. When creating a new application, you will typically be prompted to provide a name for your application and specify a redirect URI. The redirect URI is critical for OAuth 2.0 flows, as it is where the user will be redirected after granting permissions to your application.

Upon successful creation of your application, Shutterstock will provide you with a Client ID and a Client Secret. These are your API credentials and should be treated as sensitive information. The Client ID identifies your application, while the Client Secret is used for authentication and should never be exposed in client-side code.

Shutterstock supports different OAuth 2.0 grant types, including the Authorization Code grant type, which is recommended for server-side applications, and the Client Credentials grant type for server-to-server communication where user context is not required. For most initial integrations involving user interaction, the Authorization Code flow is appropriate.

Refer to the Shutterstock API Authorization documentation for specific steps on setting up OAuth 2.0 credentials and understanding the various grant types.

Your first request

After obtaining your Client ID and Client Secret, the next step is to acquire an access token. This token is then used in the Authorization header of your API requests.

Step 1: Obtain an Access Token

For demonstration purposes, we will use the Client Credentials grant type, which is simpler for a first server-to-server request and does not require a user to log in through a browser. This grant type is suitable for applications that need to access Shutterstock's public resources or their own private resources without specific user context.

First, encode your Client ID and Client Secret using base64. The format should be CLIENT_ID:CLIENT_SECRET. For example, if your Client ID is your_client_id and your Client Secret is your_client_secret, you would encode your_client_id:your_client_secret.

# Example base64 encoding (replace with your actual client ID and secret)
echo -n "your_client_id:your_client_secret" | base64
# Expected output for example: eW91cl9jbGllbnRfaWQ6eW91cl9jbGllbnRfc2VjcmV0

Next, make a POST request to the token endpoint:

curl -X POST "https://api.shutterstock.com/v2/oauth/access_token"
  -H "Content-Type: application/x-www-form-urlencoded"
  -H "Authorization: Basic [YOUR_BASE64_ENCODED_CLIENT_ID_SECRET]"
  -d "grant_type=client_credentials"

Replace [YOUR_BASE64_ENCODED_CLIENT_ID_SECRET] with the base64-encoded string you generated. The response will contain an access_token, its token_type (usually Bearer), and its expires_in duration.

{
  "access_token": "YOUR_ACCESS_TOKEN_HERE",
  "expires_in": 3600,
  "token_type": "Bearer"
}

Step 2: Make a Sample API Call (Search)

With the access_token in hand, you can now make your first authenticated request. A common starting point is to search for images. The Shutterstock API provides a Search Images endpoint.

Use the obtained access token in the Authorization header of your request, prefixed with Bearer.

curl -X GET "https://api.shutterstock.com/v2/images/search?query=nature&per_page=3"
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN_HERE"
  -H "Content-Type: application/json"

Replace YOUR_ACCESS_TOKEN_HERE with the actual access token you received. This request searches for three images related to 'nature'. A successful response will return a JSON object containing an array of image data, including metadata and URLs to image previews.

Common next steps

Once you have successfully made your first API call, you can explore more advanced features and deeper integrations:

  • Implement OAuth 2.0 Authorization Code Flow: For applications that require user consent and interaction (e.g., retrieving a user's licensed content), implement the full OAuth 2.0 Authorization Code flow. This involves redirecting users to Shutterstock's authorization page to grant permissions and then exchanging an authorization code for an access token.
  • Explore diverse API endpoints: Shutterstock offers various endpoints beyond basic image search, including video search, editorial content, and managing user collections. Review the Shutterstock API documentation for a complete list of capabilities.
  • Utilize SDKs: While cURL examples are useful for initial testing, consider using one of Shutterstock's official or community-contributed SDKs for your chosen programming language. SDKs typically abstract away HTTP request details and simplify authentication, making development faster and less error-prone.
  • Error Handling: Implement robust error handling in your application to gracefully manage API rate limits, invalid requests, authentication failures, and other potential issues. The Shutterstock API returns standard HTTP status codes and detailed error messages in JSON format.
  • Webhooks: For real-time notifications about events such as license changes or content updates, investigate implementing Shutterstock webhooks. Webhooks can reduce the need for constant polling and improve application responsiveness.
  • Rate Limits: Be aware of the API rate limits to avoid temporary blocks. Design your application to respect these limits, potentially by implementing retry mechanisms with exponential backoff.
  • Security Best Practices: Always store your Client Secret securely and never expose it in public client-side code. Ensure all communication with the Shutterstock API uses HTTPS. For more general guidelines on API security, refer to resources like the Google Cloud API security best practices.

Troubleshooting the first call

When making your initial API requests, you might encounter issues. Here are common problems and their solutions:

  • Invalid Client ID or Client Secret: Double-check that you have copied your Client ID and Client Secret correctly from your Shutterstock developer dashboard. Ensure there are no leading or trailing spaces. If using base64 encoding for the Client Credentials flow, verify the encoding is correct for the CLIENT_ID:CLIENT_SECRET string.
  • Incorrect Authorization Header: Ensure the Authorization header is correctly formatted. For access tokens, it should be Authorization: Bearer YOUR_ACCESS_TOKEN. For the token endpoint using client credentials, it should be Authorization: Basic YOUR_BASE64_ENCODED_ID_SECRET.
  • Expired Access Token: Access tokens have a limited lifespan (e.g., 3600 seconds for the Client Credentials grant type). If your token has expired, you will receive an authentication error. You must request a new access token using your refresh token (if applicable for the Authorization Code flow) or by repeating the token acquisition process.
  • Rate Limit Exceeded: If you make too many requests in a short period, Shutterstock's API may return a 429 Too Many Requests status code. Implement backoff strategies and check your application's request frequency. Refer to the Shutterstock API rate limit documentation for details.
  • Incorrect Endpoint or Parameters: Verify that the API endpoint URL is correct and that all required query parameters or request body fields are included and correctly formatted according to the Shutterstock API documentation. Pay attention to case sensitivity for parameters.
  • Network Issues: Ensure your development environment has a stable internet connection and is not blocked by a firewall from accessing api.shutterstock.com.
  • Scope Mismatch (OAuth 2.0 Authorization Code Flow): If you are using the Authorization Code flow and requesting specific scopes (permissions), ensure your application requests the necessary scopes during the authorization step. If the access token does not have the required scopes, you will receive permission errors when trying to access certain endpoints.
  • CORS Issues: If you are making requests from a browser-based application, you might encounter Cross-Origin Resource Sharing (CORS) errors. The Shutterstock API generally supports CORS for designated origins, but ensure your application's origin is correctly configured if necessary.