October 20, 2021

Changes to API token management for accounts with multiple users

Marketing

What

On January 11, 2022, we’re changing API access so that it is managed at the account level and no longer tied to the user who authorized it. The large majority of API keys and OAuth 2 tokens were authorized by the account owner and won’t be affected.

Changes in the API:

  • API requests will no longer receive 403 Forbidden errors because of user-level restrictions on the authorizing user

  • All user-specific fields returned by the Root endpoint will describe the account owner, and the role will always be “owner”

  • At launch, API tokens authorized by users with the “viewer” or “author” role will have their access revoked. Only a small number of tokens are affected, and we’ll contact those accounts directly.

Changes to OAuth 2:

  • Users will need to be at least manager level to authorize apps using OAuth 2

  • If different users complete the OAuth 2 flow for the same app on the same account, they’ll receive the same API token

Changes to managing API access:

  • API tokens will no longer be revoked when the authorizing user is removed from the account. Removing a user therefore no longer revokes the keys or tokens they created; any access that should end with that user must be revoked separately. We’ll notify affected accounts about this change.

Why

This change makes it easier for users to manage access to their account, without disrupting critical apps and integrations.

When

January 11, 2022