The Privy API uses OAuth 2.0 bearer tokens for authentication. Every API request must include a valid token in the Authorization header.

How it works

  1. Generate an access token from your Privy dashboard.
  2. Include the token in the Authorization header of every request.
curl -X GET "https://dashboard.privy.com/v1/contacts" \
  -H "Authorization: Bearer YOUR_TOKEN"

Getting a token

Navigate to Settings > Apps in your Privy dashboard to generate an access token. When creating a token, you’ll choose which scopes to grant.

Scopes

Scopes control what your token can access. Choose the minimum scopes needed for your use case.
  Scope           Allows
  contacts_read   List and filter contacts
  contacts_write  Create, update, unsubscribe, and delete contacts
A token with only contacts_read cannot create or modify contacts. If you attempt a write operation with a read-only token, you’ll receive a 403 insufficient_scope error.

Security tips

  • Keep tokens secret. Never share tokens in client-side code, public repositories, or URLs.
  • Use minimum scopes. Only grant the permissions your integration needs.
  • Rotate tokens regularly. Revoke and regenerate tokens periodically, especially if a team member leaves.
  • Use one token per integration. This makes it easy to revoke access for a single integration without affecting others.

Invalid tokens

If your token is missing, expired, or malformed, the API returns a 401 unauthorized error:
{
  "error": {
    "code": "unauthorized",
    "message": "Bearer token is missing or invalid"
  }
}
See the Errors page for all error codes.
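The following is an added example (not code from the Privy documentation or SDK) tying together the bearer header, the scope rules and the error responses above: it builds the Authorization header from an environment variable rather than source code, calls the contacts endpoint, and maps a 401 or a 403 insufficient_scope response to an actionable reason. It assumes the 403 body follows the same {"error": {"code": ...}} shape the page shows for 401.

```python
import json
import os
import urllib.request
from urllib.error import HTTPError

PRIVY_API = "https://dashboard.privy.com/v1"  # base URL from the page's curl example


def auth_headers(token):
    """Build the Authorization header; refuse blank tokens before any request is sent."""
    if not token or not token.strip():
        raise ValueError("no Privy access token configured (set PRIVY_TOKEN)")
    return {"Authorization": "Bearer " + token.strip(), "Accept": "application/json"}


def classify_error(status, body):
    """Turn an error response into an actionable reason string.

    401 -> the token itself is bad (missing, expired, malformed).
    403 with code insufficient_scope -> the token is valid but lacks the scope
    the operation needs (e.g. contacts_write for create/update/delete).
    """
    try:
        code = json.loads(body)["error"]["code"]
    except (ValueError, KeyError, TypeError):
        code = "unknown"
    if status == 401:
        return "unauthorized: token missing, expired or malformed; check or rotate it"
    if status == 403 and code == "insufficient_scope":
        return "insufficient_scope: token lacks the scope for this operation"
    return "http %d: %s" % (status, code)


def list_contacts(token):
    """GET /v1/contacts (needs contacts_read); returns parsed JSON or a reason string."""
    req = urllib.request.Request(PRIVY_API + "/contacts", headers=auth_headers(token))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except HTTPError as err:
        return classify_error(err.code, err.read())


# Constructed sample bodies: the 401 one is copied from the page; the 403 one is
# an assumption that it follows the same {"error": {"code": ...}} shape.
SAMPLE_401 = b'{"error": {"code": "unauthorized", "message": "Bearer token is missing or invalid"}}'
SAMPLE_403 = b'{"error": {"code": "insufficient_scope", "message": "contacts_write required"}}'

if __name__ == "__main__":
    # The token comes from the environment, never from source code, a repository or a URL.
    print(list_contacts(os.environ.get("PRIVY_TOKEN", "")))
```

Run with PRIVY_TOKEN set to a dashboard-generated token; with it unset the script refuses to send a request at all.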