Documentation
🇧🇷🇪🇸Get certified

Long-lived Token

Suggest Edits

When you need to develop an integration that will only be used in your account, there’s no need to go through the difficult process of getting an authorization code through the redirect mechanism. Long-lived tokens do not have a refresh_token: you don't have to exchange them or write logic to monitor the relevance of the tokens. Instead, you can receive a long-lived token. In this case, the integration will work with your rights, i.e. administrator rights (only a user with account administrator rights can create it in the account).

What to start with

Start by creating a private integration.

You don't have to fill in the **Redirect URL** or **Access revoked notification web hook**.

You don't have to fill in the Redirect URL or Access revoked notification web hook.

Generate long-lived token

To create a long-lived token, open the **Keys and scopes** tab, click the **Generate long-lived token** button, select the expiration date of the token and copy the token.

To create a long-lived token, open the Keys and scopes tab, click the Generate long-lived token button, select the expiration date of the token and copy the token.

The user selects the expirations date of the token and it is valid from 1 day to 5 years.

The user selects the expirations date of the token and it is valid from 1 day to 5 years.

🚧

Important!

  • Once a token has been generated, make sure to save it. You won’t be able to access it again
  • Such tokens are suitable only for private integrations
  • It is less safe to use this kind of authorization. Be aware that if your long-lived token is compromised, your account is in danger.

You will use the token to make requests to your Kommo account via a private integration.

Use the token

An example of a token - eyJ0eXAiOiJKV1QiLCJhbGiOiJSUz…JrIa3zT0Q

Paste the token into the body of the request to get all the leads of your account.

curl --request GET \
     --url https://$PASTE_YOUR_SUBDOMAIN_HERE$.kommo.com/api/v4/leads \
     --header 'accept: application/json' \
     --header 'authorization: Bearer $PASTE_YOUR_TOKEN_HERE$'

import requests

SUBDOMAIN = ''
API_KEY = ''


CREATE_LEAD_URL = f'{SUBDOMAIN}.kommo.com/api/v4/leads'

body = {
    'name' : "Example Lead 1",
    "price": 1000,
}

headers = {
    'Authorization' : f'Bearer {API_KEY}',
    'Content-Type': 'application/json'
}

requests.post(CREATE_LEAD_URL, json=body, headers=headers)

const options = {
  method: 'GET',
  headers: {
    accept: 'application/json',
    authorization: 'Bearer $PASTE_YOUR_TOKEN_HERE$'
  }
};

subdomain = 'PASTE_YOUR_SUBDOMAIN_HERE'

fetch(`https://${subdomain}.kommo.com/api/v4/leads`, options)
  .then(response => response.json())
  .then(response => console.log(response))
  .catch(err => console.error(err));

<?php
require_once('vendor/autoload.php');

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://$PASTE_YOUR_SUBDOMAIN_HERE$.kommo.com/api/v4/leads', [
  'headers' => [
    'accept' => 'text/plain',
    'authorization' => 'Bearer $PASTE_YOUR_TOKEN_HERE$',
  ],
]);

echo $response->getBody();

You can practice using tokens and sending requests in the API References section.

Revoke access

In the Authorization tab, you can see that long-lived tokens have not only an issue date, but also an expiration date, and you can always revoke access by clicking the Revoke access button.

Updated about 2 months ago