Authentication and Authorization

Overview

There are two ways to authenticate and authorize with Follow Up Boss: OAuth and Basic Authentication via API Key.

OAuth

Head over to our OAuth guide to get started!

Basic Authentication

Every user in Follow Up Boss has a unique API Key that can be obtained from the "Admin" -> "API" screen. External applications use the API Key to authenticate and read/update data in Follow Up Boss on the user's behalf.

Authentication is done with HTTP Basic Authentication over HTTPS. Use the API Key as the username and leave the password blank (or supply any value as the password if your HTTP client requires one).

Expired accounts and Authentication

Note that when an account expires, it enters a grace period; the API key remains valid during that period. Some endpoints may still be active so that no data is lost (e.g. a new lead POST to /v1/events), but the account may be in a locked-down state and will receive a 403 Forbidden response for most other requests.

The Follow Up Boss API is available via HTTPS only. This ensures that the API Key is always encrypted during transmission. The API Key grants the same privileges as the user's login credentials and should be handled securely.

An API key has the same access level as the user to whom it belongs. For example, an agent's API key allows access only to people assigned to that agent, while a broker's API key allows access to all people in the account.
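The following is an added example, not code from Follow Up Boss or this documentation, showing how a client builds the Basic Authentication header described above (API Key as username, empty password), refuses to send the key over anything but HTTPS, keeps the key out of logs, and interprets the 403 Forbidden response that an expired, locked-down account returns. The base URL `API_BASE`, the environment variable `FUB_API_KEY`, and the request payload are assumptions for illustration; only the `/v1/events` path and the status-code behaviour come from the page.

```python
import base64
import json
import os
from typing import Optional
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumed base URL for illustration; the page only states that the API is HTTPS-only.
API_BASE = "https://api.followupboss.com"


def basic_auth_header(api_key: str) -> str:
    """Build the Authorization value for HTTP Basic: base64("<API Key>:"),
    i.e. the key as the username and an empty password."""
    if not api_key or ":" in api_key:
        raise ValueError("API key must be non-empty and must not contain ':'")
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def redact(api_key: str) -> str:
    """Log-safe form of the key. The key carries the user's full privileges,
    so only the last four characters are ever written to logs."""
    return "****" + api_key[-4:] if len(api_key) > 4 else "****"


def build_request(api_key: str, path: str, method: str = "GET",
                  payload: Optional[dict] = None) -> Request:
    """Create a urllib Request that authenticates with the API key over HTTPS only."""
    url = API_BASE + path
    if not url.startswith("https://"):
        # Never let the key travel in plaintext; the API is HTTPS-only anyway.
        raise ValueError("Follow Up Boss API must be called over HTTPS")
    headers = {
        "Authorization": basic_auth_header(api_key),
        "Accept": "application/json",
    }
    data = None
    if payload is not None:
        data = json.dumps(payload).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return Request(url, data=data, headers=headers, method=method)


def interpret_status(status: int) -> str:
    """Map an HTTP status to what the docs say it means for an API-key caller."""
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return "unauthorized: API key missing or not accepted"
    if status == 403:
        # Per the docs, an expired account in its grace period keeps a valid key
        # but is locked down and answers 403 for most requests; a 403 can also
        # mean the key's role (agent, lender, ...) lacks access to the resource.
        return "forbidden: account may be locked down after expiry, or the role lacks access"
    return f"unexpected status {status}"


if __name__ == "__main__":
    # The key is read from the environment rather than hard-coded or committed.
    key = os.environ.get("FUB_API_KEY", "")
    # Constructed placeholder payload; the real event schema is not part of this page.
    req = build_request(key, "/v1/events", method="POST", payload={"example": "placeholder"})
    print(f"calling {req.get_full_url()} with key {redact(key)}")
    try:
        with urlopen(req, timeout=10) as resp:
            print(interpret_status(resp.status))
    except HTTPError as err:
        print(interpret_status(err.code))
```

Because the key is equivalent to the user's login, treat it like a password: keep it in a secret store or environment variable, log only the redacted form, and rotate it from the "Admin" -> "API" screen if it is ever exposed.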

Permission Levels

  • Owner: The account owner has access to everything in the account.
  • Admin (Broker): An admin has access to almost everything, but cannot access Webhooks.
  • Agent: An agent only has access to the contacts they are assigned to, or are a collaborator on. They will also have restricted access to things like action plans.
  • Lender: Similar to an agent, a Lender only has access to contacts they are assigned to, or are a collaborator on, and they will have even fewer actions they can do than an agent.