Klaviyo API: 8 Smart Ways to Sync Data, Trigger Flows & Personalise at Scale (2025)

12 min read By Sendora Team

Klaviyo’s native integrations handle a lot — but the Klaviyo API is where advanced automation, seamless third-party connections, and hyper-personalised marketing really come to life. Whether you’re syncing CRM data, triggering server-side events, or building custom analytics pipelines, the API gives technically inclined marketers and developers the tools to scale intelligently without being constrained by what’s in the UI.

What This Guide Covers
  • How the Klaviyo API works — RESTful structure, content types, and versioning
  • The three authentication methods — Public Key, Private Key, and OAuth 2.0
  • Core endpoint groups — Profiles, Events, Lists, Campaigns, Catalogues, and Tags
  • 8 practical API use cases — from CRM sync to real-time abandoned cart flows
  • How to trigger Klaviyo flows from external systems and custom backends
  • Rate limits, error codes, and how to handle failures gracefully
  • Testing, validating, and optimising your API integrations before going live

What the Klaviyo API Does and How It Works

The Klaviyo API is a RESTful interface that connects your Klaviyo account to external platforms — enabling custom integrations, real-time data synchronisation, and automations that go far beyond what native integrations support. It handles full CRUD operations via standard HTTP methods and communicates using JSON.

Two API Versions — Know Which One to Use

  • v2 (Legacy): Supports basic tasks like list subscriptions. Deprecated for new integrations — only use if maintaining an existing build
  • v2023-10-15 (Current): The modern, fully RESTful standard with versioning support via the revision: 2023-10-15 request header. Use this for all new integrations

Content Type Requirement: Always use Content-Type: application/json in your request headers. Missing or incorrect content types return a 415 Unsupported Media Type error — one of the most common avoidable API failures. Always check Klaviyo’s API reference for the latest revision details.

What You Can Do with the Klaviyo API

  • Sync Shopify orders with custom loyalty tools outside native integrations
  • Send leads from Meta Lead Ads to Klaviyo profiles via server-side calls or Zapier backends
  • Trigger abandoned quiz flows from Typeform or Octane AI responses
  • Pull campaign metrics into Google Sheets dashboards for daily automated reporting
  • Update tags and profile attributes in real time after a Recharge subscription change
  • Build headless commerce event tracking that bypasses frontend ad blockers

Choose the Right Klaviyo API Authentication Method

Choosing the wrong authentication method either causes 401 Unauthorized errors or exposes sensitive credentials in client-side code. Each method is designed for a specific context — match it to where and how your integration runs.

Public Key
Frontend Tracking

Used for client-side tracking with klaviyo.js — page views, Added to Cart, form submissions. Limited to /identify, /track, and /subscribe endpoints only. Safe to expose in the browser but must never be used for profile management or data reads.

Private Key
Server-Side Integration

Required for all backend operations — profiles, events, lists, segments, campaigns, flows, and catalogues. Must be kept secret and never exposed in client-side code. Supports scoped permissions (read-only or full access). Rotate every 90 days as a security best practice.

OAuth 2.0
Third-Party Apps

Ideal for building multi-tenant apps or integrations where external users connect their Klaviyo accounts. More secure and scalable than API keys. The flow: the user grants access via Klaviyo login → your app receives an access token → your app uses the token for authenticated API calls.

Security Rule: Public key → browser only. Private key → server only. If you ever see a private key in JavaScript visible in a browser’s source code, that’s a critical security vulnerability. Rotate the key immediately and move the logic server-side.

Figure: Klaviyo → Account → Settings → API Keys — manage public, private, and scoped API keys from one screen
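
A check that enforces the Security Rule above in a build pipeline, as an added example (not code from this guide or from Klaviyo): it scans client-side assets for a private key literal or for the server-only Klaviyo-API-Key Authorization scheme. The pk_ key pattern, the function names, and the sample assets are assumptions constructed for illustration.

```python
import re

# Assumption: private keys look like "pk_" plus a long alphanumeric run;
# tune the pattern to the keys your account actually issues.
PRIVATE_KEY_RE = re.compile(r"\bpk_[0-9A-Za-z]{20,}\b")
# The Klaviyo-API-Key Authorization scheme belongs to server-side calls, so
# finding it in a browser asset flags leaked backend logic even when the key
# itself is injected from a variable.
AUTH_SCHEME_RE = re.compile(r"Klaviyo-API-Key\b")


def redact(secret):
    """Keep a short prefix for triage; never echo the full key into logs."""
    return secret[:7] + "*" * (len(secret) - 7)


def scan_asset(name, text):
    """Return (file, line, rule, evidence) tuples for one client-side asset."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        keys = PRIVATE_KEY_RE.findall(line)
        for key in keys:
            findings.append((name, lineno, "private-key-literal", redact(key)))
        if not keys and AUTH_SCHEME_RE.search(line):
            findings.append((name, lineno, "server-auth-in-client", "Klaviyo-API-Key"))
    return findings


def scan_bundle(assets):
    """Scan a {filename: source} mapping, such as a front-end build output."""
    return [hit for name in sorted(assets) for hit in scan_asset(name, assets[name])]


# Constructed sample assets; the key is a made-up placeholder, not a real one.
SAMPLE_ASSETS = {
    "tracking.js": 'klaviyo.push(["track", "Added to Cart", item]);\n',
    "checkout.js": (
        'const KEY = "pk_0123456789abcdef0123456789abcdef01";\n'
        'fetch(url, { headers: { Authorization: "Klaviyo-API-Key " + KEY } });\n'
    ),
}

if __name__ == "__main__":
    hits = scan_bundle(SAMPLE_ASSETS)
    for name, lineno, rule, evidence in hits:
        print(f"{name}:{lineno}: {rule}: {evidence}")
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the CI job
```

Any hit means the key should be rotated and the call moved server-side, as the rule above states.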

Core Klaviyo API Endpoint Groups Explained

Klaviyo’s API is structured around functional endpoint groups. Understanding which endpoint handles which task helps you build clean, efficient integrations without unnecessary API calls or payload errors.

POST /profiles/
Profiles — Create, Update, Identify
Create or update customer profiles with properties like first_name, source, email_consent, and custom attributes. Ensure email is unique in payloads to avoid 409 Conflict errors. Essential for syncing CRM, loyalty, and subscription data into Klaviyo profiles.

POST /events/
Events & Metrics — Track Behaviour Server-Side
Track any custom behavioural event — “Started Free Trial”, “Completed Quiz”, “Watched Demo”, “Abandoned Cart” — from your server. These events can trigger flows, score leads, or power custom analytics. Bypasses frontend ad blockers and ITP browser restrictions.

POST /lists/…/relationships/profiles/
Lists & Segments — Subscribe, Pull, Remove
Subscribe users to specific lists, pull contacts within a segment, or remove profiles dynamically (useful for churn logic). Use page[size] and page[cursor] pagination parameters to handle large datasets efficiently.

GET /campaigns/
Campaigns & Flows — Fetch Metadata and Stats
Read-only endpoints for fetching performance stats, tracking engagement by user, and logging when someone interacted with a campaign. These endpoints don’t send emails — they’re for monitoring and tagging users based on flow or campaign status.

POST /catalog-items/
Catalogues — Sync Products and Variants
Sync product SKUs, metadata, prices, and inventory to Klaviyo via /catalog-items/ and /variants/. Critical for dynamic product blocks in abandoned cart and back-in-stock flows that auto-populate product details. Update daily for accuracy.

POST /tags/
Tags — Assign Behavioural Labels
Define custom tag groups (e.g. “Interests”, “Acquisition Source”) and apply labels to profiles (e.g. “Self-care”, “Instagram”). Ideal for dynamic segmentation, flow triggers, and personalising product block content based on customer intent or quiz results.

Example Event Payload

POST /events/ — custom event tracking
{
  "data": {
    "type": "event",
    "attributes": {
      "profile": {
        "data": {
          "type": "profile",
          "attributes": { "email": "sarah@example.com" }
        }
      },
      "metric": {
        "data": {
          "type": "metric",
          "attributes": { "name": "Completed Quiz" }
        }
      },
      "properties": {
        "quiz_result": "hydration",
        "score": 87,
        "source": "homepage_quiz"
      },
      "time": "2025-07-15T10:30:00Z",
      "unique_id": "evt_abc123xyz"
    }
  }
}

8 Klaviyo API Use Cases to Implement Now

1. CRM or Loyalty Data Sync

Push membership tiers, loyalty points, or CRM lifecycle stages to Klaviyo profiles via PATCH /profiles/{id}. Trigger VIP flows automatically when a profile enters a loyalty tier, or suppress low-LTV contacts from high-margin promotional sends.

2. Server-Side Event Tracking

Bypass ad blockers and Safari ITP by posting events directly to POST /events/ from your backend. Use for login events, quiz completions, trial activations, subscription renewals — any action that happens outside the browser or after checkout.

3. Custom Dashboard Reporting

Pull campaign and flow metrics via GET /metrics/ or GET /campaign-metrics/ and pipe them into Google Sheets or a BI tool for automated daily reports. Schedule API pulls via a cron job or Zapier to keep dashboards current without manual exports.

4. Product and Inventory Sync

Send product data to POST /catalog-items/ to keep prices, stock levels, and variant metadata current in Klaviyo. This feeds dynamic abandoned cart and back-in-stock flows that auto-populate product details without manual updates.

5. Trigger SMS Campaigns from External Events

Use POST /events/ to fire events from external systems that trigger SMS flows in Klaviyo. Example: a WooCommerce order confirmed via API can trigger a “Thanks for your purchase” SMS flow without needing native integration.

6. Personalise Emails with Dynamic Tags

Use POST /tags/ to assign interest or behavioural tags based on quiz responses, purchase history, or CRM data. Tag users as “Fitness Enthusiast” or “Eco-Conscious” to dynamically show matching product blocks and personalised copy in flows.

7. Sync Subscription Statuses in Real Time

Use PATCH /profiles/ to update subscription status from Recharge, Stripe, or Chargebee the moment it changes. Update a profile’s subscription_status to “active”, “paused”, or “churned” to trigger the appropriate loyalty, win-back, or churn-save flows automatically.

8. Real-Time Abandoned Cart Flows from Custom Checkouts

Push an “Abandoned Cart” event via POST /events/ from a headless commerce platform or custom checkout to trigger a Klaviyo discount email within 30 minutes. Works for any checkout system — not just Shopify or WooCommerce native integrations.

Trigger Klaviyo Flows from External Systems

Any action in your app, CRM, or custom backend can start an automated Klaviyo flow — as long as you send the right API calls in the right order. Here’s the exact pattern:

  • Step 1: POST /profiles/ to create or update the user profile with at least an email and any relevant properties
  • Step 2: POST /events/ to push the triggering event — e.g. “Signed Up via App”, “Booked Demo”, or “Trial Started”
  • Step 3: Include custom properties like plan_type, signup_source, or device so the flow can branch and personalise based on context
  • Pre-requisite: A flow must already be configured in Klaviyo to trigger on that specific metric name before you make the API call

Figure: Custom event API call — trigger a Klaviyo welcome flow from a mobile app signup with device and plan context

Development Safety: Test flow triggers in Klaviyo’s sandbox environment or against isolated test lists before going live. A misconfigured event trigger can fire welcome flows to thousands of real subscribers — use a dedicated test profile and list during development.

Integrate Klaviyo with CRMs, CDPs, and Loyalty Platforms

The Klaviyo API is the backbone of a connected marketing stack. These are the four most common integration scenarios and how to implement them.

CRM (HubSpot, Salesforce)

Push lead scores, lifecycle stages, and deal pipeline status to Klaviyo profiles. Trigger nurture flows when a lead moves to “Qualified” or “Closed Lost” — without manual list management or CSV exports.

CDP (Segment, RudderStack)

Stream events and profile traits to Klaviyo in real time. Keep data consistent across email, ads, and on-site experiences — using your CDP as the single event source of truth.

Loyalty (LoyaltyLion, Smile.io)

Sync point balances and VIP tier changes to Klaviyo profiles via API or webhook. Send “You’re 200 points from a reward” emails that pull live loyalty data — not stale snapshots from yesterday’s export.

Paid Media Audiences

Export Klaviyo segments via GET /segments/ and upload them to Meta or Google Ads for retargeting. Target high-LTV or win-back segments with paid social based on real Klaviyo engagement data.

Rate Limits, Error Codes, and How to Handle Failures

Klaviyo enforces rate limits per API key using a burst and steady rate model. Understanding these limits and handling errors correctly keeps your integrations reliable and prevents data sync failures during high-volume operations.

  • Monitor the X-Rate-Limit-Remaining and X-Rate-Limit-Reset response headers to track your usage in real time
  • Rate limits apply per API key — if you have multiple integrations, each needs its own key
  • Use exponential backoff when handling 429 Too Many Requests — don’t retry immediately
  • Split large batch operations across time intervals rather than firing all at once
  • Check Account → Settings → API Usage in Klaviyo for historical request logs and error patterns

Common Error Codes and Fixes

Error Code | Meaning | Fix
400 | Bad Request — malformed payload or missing required field | Validate JSON structure with JSONLint. Check that all required fields (email, metric name) are present and correctly typed
401 | Unauthorized — invalid or missing API key | Verify you’re using the correct key type (private for server-side). Confirm the key hasn’t expired or been revoked in Settings → API Keys
409 | Conflict — duplicate profile or resource already exists | Ensure email is unique in /profiles payloads. Use PATCH instead of POST to update an existing profile
415 | Unsupported Media Type — wrong content type header | Add Content-Type: application/json to all request headers
429 | Too Many Requests — rate limit exceeded | Implement exponential backoff. Read X-Rate-Limit-Reset to know when to retry. Spread large batch updates across intervals
5XX | Server Error — temporary Klaviyo infrastructure issue | Retry with exponential backoff. Log the request for monitoring and alert on repeat failures above a threshold

Figure: Klaviyo API 401 error in Postman — always verify key type (public vs private) before debugging payload structure
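
The retry rules from the list and table above as an added Python example (not part of the original guide or of Klaviyo's SDK): 429 and 5XX responses are retried with backoff, while 400, 401, 409 and 415 fail immediately so a bad key or payload is never resent in a loop. The send callable, the function names, and reading X-Rate-Limit-Reset as seconds until reset are assumptions.

```python
import random
import time

# Fixes from the error table for responses that a retry cannot cure.
PERMANENT = {
    400: "malformed payload or missing required field",
    401: "invalid or missing API key",
    409: "duplicate resource; update with PATCH instead of POST",
    415: "add Content-Type: application/json",
}


class PermanentError(Exception):
    """Raised for responses that must be fixed, not retried."""


def retry_delay(attempt, headers, base=1.0, cap=60.0, rng=random.random):
    """Seconds to wait after failed attempt number `attempt` (1-based)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    reset = lowered.get("x-rate-limit-reset")
    try:
        # Assumption: the header value is the number of seconds until reset.
        if reset is not None:
            return min(cap, max(0.0, float(reset)))
    except ValueError:
        pass  # unparseable header: fall back to computed backoff
    # Exponential backoff with full jitter so parallel workers spread out.
    return rng() * min(cap, base * 2 ** (attempt - 1))


def send_with_retry(send, request, max_attempts=5, sleep=time.sleep, rng=random.random):
    """Call send(request) -> (status, headers, body) until success or give-up.

    The identical request (same unique_id for events) is resent each time.
    """
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send(request)
        if 200 <= status < 300:
            return status, body
        if status != 429 and status < 500:
            raise PermanentError(f"{status}: {PERMANENT.get(status, 'client error')}")
        if attempt < max_attempts:
            sleep(retry_delay(attempt, headers, rng=rng))
    raise RuntimeError(f"gave up after {max_attempts} attempts, last status {status}")


if __name__ == "__main__":
    # Constructed transport: one rate-limited reply, then success.
    replies = iter([(429, {"X-Rate-Limit-Reset": "1"}, ""), (202, {}, "accepted")])
    print(send_with_retry(lambda req: next(replies), {"unique_id": "evt_abc123xyz"}))
```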

Test, Validate, and Optimise Your Klaviyo API Integrations

Shipping an untested API integration to production is one of the costliest mistakes in marketing automation — a misconfigured event can trigger flows to your entire list. Build this into your workflow before every deployment.

  • Use Postman with Klaviyo’s official API collection — pre-built for standard endpoints like Profiles, Events, and Lists. Inspect request and response headers to catch auth and content-type issues before they reach production.
  • Validate JSON payloads with JSONLint before sending. A single misplaced comma or missing quote in a payload will return a 400 Bad Request — validation tools catch this in seconds.
  • Test against sandbox data or isolated test lists — never use your main list during development. Klaviyo’s sandbox environment lets you simulate API calls without affecting live subscribers or triggering real email sends.
  • Log and benchmark response times to spot lagging endpoints or emerging rate limit issues. Tag API-triggered flows using UTM parameters or custom event properties to isolate and analyse their performance separately from organic flows.
  • Alert on error spikes — track success vs failure rates per endpoint and set up notifications when error rates exceed a threshold. Check Account → Settings → API Usage in Klaviyo for historical request logs and error breakdowns.

Frequently Asked Questions About the Klaviyo API

Do I need a developer to use the Klaviyo API?
Yes, most API tasks require basic programming knowledge or developer support — especially for custom integrations and server-side event tracking. However, no-code tools like Zapier can connect Klaviyo to many external platforms without writing a single line of code.

Can I test Klaviyo API calls without affecting live data?
Yes. Use Postman with Klaviyo’s official API collections and test against dummy profiles or isolated test lists before deploying. Klaviyo’s sandbox environment lets you simulate API calls without impacting your live account or triggering real email sends.

What is the difference between Klaviyo API v2 and v2023-10-15?
v2 is the legacy version — still functional for some older endpoints but deprecated for new builds. v2023-10-15 is the modern, fully RESTful standard recommended for all new integrations. Specify the revision via the revision: 2023-10-15 request header.

How do I secure my Klaviyo API usage?
Use Private API Keys for all backend calls and rotate them every 90 days. Never expose private keys in client-side code or commit them to source control. For third-party apps where external users connect their accounts, use OAuth 2.0 for secure, delegated access.

Does Klaviyo support webhooks alongside the API?
Yes. Klaviyo webhooks send data from Klaviyo to external systems in real time — ideal for pushing profile updates, flow exits, or campaign engagements into your CRM, loyalty platform, or analytics stack the moment they happen in Klaviyo.

Key Takeaways

  • Unlock true data sync: The Klaviyo API connects CRMs, loyalty tools, subscription platforms, and CDPs directly — no CSV exports or manual list management.
  • Trigger smarter flows: Server-side events via POST /events/ power real-time automation from any external action — quiz completions, app signups, WooCommerce orders.
  • Choose the right auth: Public key for browser tracking only. Private key for all server-side operations. OAuth for multi-tenant apps. Using the wrong one causes 401 errors or security vulnerabilities.
  • Build custom reporting: Pull campaign and flow metrics into Google Sheets or BI tools via scheduled API calls for automated dashboards without manual exports.
  • Respect rate limits: Monitor X-Rate-Limit-Remaining headers, implement exponential backoff on 429 errors, and spread batch updates across time intervals.
  • Test before deploying: Use Postman, validate payloads with JSONLint, and test on isolated lists. A misconfigured event can trigger welcome flows to thousands of real subscribers.
