HighLevel V2 API OAuth2 Helper

A Free Community Tool

by: Jacob Radcliffe

OAuth2 Education / FAQ:

What is Highlevel? Looking for Help or to Upgrade?

What is HighLevel?

You might have landed on this site after watching my youtube videos. I offer my affiliates and their teams onboarding help, templated automations/workflows, and more to help you get trained and ready to use this awesome tech. I offer way more than a snapshot and personally work with my affiliates! Click Here to Learn More and Get a FREE trial!

Is this an official tool made by HighLevel?

No! This is privately developed tool to help developers and agencies use the V2 API more easily. All of the tasks on this page can be done DIY using the instructions in the developer documentation.

Are you looking for Free Help with HighLevel?

I offer a free onboarding course to anyone even if they are affiliated with someone else. It is loaded with links, help docs, and my tips/tricks on all the configuration tasks that can cause headaches and hours of research.

Click Here for the FREE Course

Stuck in Tutorial Hell? Want Paid Help? Want a 1 on 1 Teacher/Coach?

I am the only licensed computer science teacher and HighLevel nerd. Is there another? Let me know!

Contact Me for a Quote

Thinking of Upgrading to the SAAS plan?

Did you know if you are on the $297 plan that you can elect a second affiliate to upgrade to the SAAS $497 plan with? It is great because your first affiliate still earns their commission! If you are looking for 1 on 1 help to help prep your accounts and build automations that will help you scale: then elect me! I am focused on the things to help you scale and manage a large number of clients. In fact: my affiliates get access to my CuratedConnector Make and Zapier V2 OAuth2 apps with unlimited licenses for your agency and clients! Click Here to Learn More

FAQ image

HighLevel V2 API OAuth2 Process

OAuth2 is a more secure API and is a "Three-Legged Process"

Leg 1: Configure Your Application (follow steps on this page)

Leg 2: Request an authorization "code" (click submit, it lands on redirect URL)

Leg 3: Exchange authorization "code" for an "access token" (we use HL V2 docs for this).

NOTE: An access token is only good for 24 hours. You must refresh the token using a custom app (read below about CuratedConnector) or apply complex routing / data storage if the API call to an endpoint fails.

Click Here to Navigate to the HighLevel Developer Documentation Page

FAQ image

What is all of this API terminology?

Buckle Up. This is a long guide. API Requests are simply HTTP Requests. Highlevel's V1 API is a REST API. HighLevel's V2 is an OAuth2 API which is implemented for the additional security measures and authentication. Every public API has a base URL for API requests.

Highlevel's Base API V2 URL is:


"The Payload" - Refers to the data sent typically sent in a JSON object which are key value pairs in curly braces. Note that most programming languages like Javascript, Python, etc have libraries to convert their data structures to JSON. This is done due to syntactic differences amongst programming languages and to send a universal data structure.

JSON Object: Note that in Make/Integromat they refer to Objects as Collections


key1: value,

key2: value



You will also see arrays which use bracket notation. Arrays are used when it is one value separated by commas.

"tags": [





Nested Objects:

You will also see objects nested in objects. Each object is separated by a comma.

"dndSettings": {

"Call": {

"status": "active",

"message": "string",

"code": "string"


"Email": {

"status": "active",

"message": "string",

"code": "string"



An Array of Objects:

Sometimes you see an array with objects nested in it. In this customFields array, we have two custom field objects, separated by a comma. The ID represents the unique ID assigned to the customField when it was first generated by the system. A contact would show this data, so to know what the "id" is then you would need to query the "get custom fields" to know the internal system Ids name (for now).

"customFields": [


"id": "6dvNaf7VhkQ9snc5vnjJ",

"field_value": "the value of this custom field"



"id": "6daefsfesfsEFdasfesDSJ",

"field_value": "another custom field with this value"



On contact creation or update you can update with just the "key" which is a great new update like this:

"customFields": [
"key": "my_key_name",
"field_value": "the value of this custom field"

Some requests, such as the access token, are sent as URL form encoded payloads (see below).

Method: HTTP Methods refer to the type of request you are doing on a resource. GET, PUT, etc.

Endpoint: Refers to the resource which we want to access. Endpoints are a category of a resource: contacts, opportunities, users, etc. Most endpoints require a query parameter to target the specific location for the request.

Query Parameters: These parameters are on the end of a URL after a question mark and are also called query strings. Each parameter, after the first one, is separated by the ampersand "&" symbol. Query parameters help filter or reduce the response. This is useful for endpoints like "GET contacts" so we can narrow down the results and do less parsing of our data payload. Example which limits to 20 results:


contacts is endpoint

locationId is a required query field key

limit is a query parameter

Path Parameters: The path refers to the entire string of text after the base URL. The first part of the path is the endpoint. The API will also require you to have additional things in the path such as a User ID which is surrounded in curly braces.

GET User


users is endpoint

{userId} is the required path parameter

Example: https://services.leadconnectorhq.com/users/ve9EPM428h8vShlRW1KT

Headers: These are additional things that explain the formatting of our payload such as

{'Content-Type': 'application/json'}. - Informs the receiving end of a PUT/POST/PATCH/DELETE that they are receiving a JSON data payload. You must format the request exactly how the receiving end wants to receive it. If you format it incorrectly you will get a 400 Bad Request or 422 unprocessible entity. All endpoints use this content type.

{'Content-Type': 'application/x-www-form-urlencoded'} - Only the "Get Access Token" uses this content-type. This content type refers to data that is encoded and sent in a long URL link to a server. Encoding is the conversion of the special characters and symbols so that it doesn't break the link. A blank space is encoded to "%20" as an example and sent as one long query string on the token URL.

{'Authorization': 'Bearer token'} - Sends over our authentication in the form of an API Key (REST terminology) or an access token (OAuth2 terminology). Note the V2 docs don't show the word Bearer, at the time of this publishing, but it is a required prefix.

{'Version': '2021-04-15'} - This is a required header for every request on the V2 API, except to get the access token, to indicate the current API version.


A GET request does not have a body. Every other type of request usually requires some required fields in the body. This is where you can specify exactly what you want to change or map in with Zapier/Make. Creating a custom value (POST) would have the body:


"name": "Custom Value Name",

"value": "Value"


What are scopes?

Scopes are the permissions you need to grant to the app. Add only the scopes that you need to use. You can add all of them if you want to. The only issue you run into with lots of scopes is if you use want to listen to webhook events on your webhook URL (see next section).

A full list of scopes is available here.
Note: Links constantly change. Navigate to v2 api scopes page for updated links.

NOTE: You must pick "Agency" in your marketplace apps profile in order to have access to agency scopes like oauth, snapshots, saas, etc.

What are the "oauth" scopes for?
-> These are specifically to use the "Get Location Access Token from Agency Token" endpoint. This allows you to generate tokens for temporary use or you can store them and refresh them.

FAQ image

What are webhook events?

V2 API has advanced endpoints for "webhook events" which opens up a lot of automations abilities. These are also referred to as "triggers." So when an event occurs in the location/sub-account, it sends a payload to the "webhook delivery URL" in your marketplace app at the bottom of the settings page. Note that you can only save one webhook URL in your app. Pay attention to the scopes you give your app because multiple webhook events on the same webhook URL = a huge spiderweb scenario filter to properly route the payloads. I recommend just one webhook event scope per app so that it is easier to manage over on Zapier or Make. Webhook events are listed in the developer docs scopes/endpoints/events page, but you need to scroll all the way down the left navigation bar to see what they do.

Note the data payload of webhook events do not include the full contact data payload, so refer to the docs as to the format and types of data it will send.

Go watch Quinton Newman's awesome demo video where he shows how to record inbound messages in a Google Sheet. Note: You do not need to maintain your access token to use webhook events. You can turn it on and the system will keep sending the events to the webhook URL even if the access token expires. Refer to his video for a more in-depth guide, but the tool on this page will speed up that process.

FAQ image

Why not use the REST API V1?

The V1 API is being deprecated March of 2024.

If you are reading this, it might already be too late. You should get some coffee and read this page a few more times....

FAQ image

Is there a Make App for V2?

What is Make?

Never heard of Make (formerly Integromat)? Signup here and get two free active scenarios with no credit card required! It is an awesome product and I rarely use my Zapier account since switching to Make since they offer routing/flow controls on their entry level plans.

We offer the ONLY Fully Whitelabeled Make API V2 App:

This app is truly whitelabeled. It can be installed in your account, a customers acount, or with other agencies. It is an awesome freelancing tool and can help YOU earn money by affiliate selling our app! You can start solving quick under $100 jobs and bake our app into the deal which earns you affiliate clicks if you sign them up! Nobody else does this! Learn more.

FAQ image

Is there a Zapier or Pabbly App for V2? What about other platforms?


Our whitelabeled apps are also on Zapier and Pabbly! Our apps are easy to use but also allow custom develoepr custom payloads with any method. It is full featured and does WAY more than the "LC" App. We offer single connections and unlimited connection options: Click Here to Signup!

Interested in an affiliate selling the apps? Contact us to learn more.

Considering upgrading to the SAAS plan? Upgrade with us and get access to our entire network of automation templates, apps, and tools to grow your SAAS business. To sweeten the deal even more: We offer unlimited installations of our whitelabeled apps for you and your clients! Supercharge your SAAS journey with all of the tools that the pros use to scale to 100+ clients. Learn More.

Is HighLevel Making a Zapier V2 App?

The HighLevel team confirmed their whitelabeled V2 Zapier app is on on the to-do list.

FAQ image

Authorization Link Errors

Before anything: Go back to your marketplace app and click the save button again. Then retry it. Note that some providers that you give auth links to will dynamically build your auth link. They separate out the scopes. This leads to formatting issues. One stray "space" and it fails. Study the URL and then continue down this error path to figure out what is wrong:

Right Click on the location selector screen. Click "Inspect". Go to the network tab. Click on a location again. Check the response for the error code.

ClientID Not Found in the Marketplace: Means the clientID is wrong. Try again.

CastError: Cast to ObjectId failed for value "clientidstring" at path "_id" for model "OAuthClient"

Scopes Incorrect: Recheck the scopes you have in the marketplace app and the scopes you chose in the checkboxes on this page.

Redirect URI Doesn't Match: Copy and paste the entire link on the failing auth screen. Compare it to your marketplace app. Try deleting the redirect and resaving.

Please make sure to only elect a "private" app while you are testing things. If you pick "public" then your app will require scope reviews and you will hate your life waiting. Only go public if this is to be sold or listed in app marketplace.

Make sure you are signed in to your account with "app.gohighlevel.com". Test that URL to make sure because you can be logged in your whitelabel and logged out of the GHL link.

FAQ image

$297 Agency Unlimited vs $497 Agency Pro SAAS Plan

This is a copy/paste from a GHL release:

Enhanced App Installation Capabilities: Agencies under the $297 plan can now install apps (with distribution types: agency and agency & sub-account) to their sub-accounts.

New Company API: A new company API has been introduced, providing agencies access to all sub-account details.

Marketplace Scope Enhancement: We've added a new marketplace scope (companies.readonly) to ensure smoother integration processes.

Limitations:To encourage our customers to consider upgrading to the $497 plan, we have implemented certain limitations in the $297 plan:

Restrictions on Sub-Account Management: Limitations on creating or updating sub-accounts.Agency-Level User Management Constraints: 

Restrictions on creating and updating users at the agency level. These limitations are designed to offer basic functionalities to $297 plan customers while providing incentives to upgrade to the $497 plan for more comprehensive features, particularly in sub-account creation, updating, and user management at the agency level.

Need to make locations? Upgrade with us to the $497 plan and get access to all of our Low-Code Applications!


The SSO option on the settings page is specifically for "Custom Pages" aka "Custom Menu Links" for private or public marketplace apps. This is not for external usage (yet). This is sent via post message through the iframe. It returns back an object of data including companyId, locationId, name, email, userId, userType. You are provided a decryption key in your marketplace app and you will need to decrypt it on a server with appropriate libraries.

Whitelabel Payment Integration Providers

The whitelabel payment providers currently serve as an overlay. It is simply a custom logo and name and then you can pick authorize.net and NMI as the backend for credentials. This will be rapidly changing with future releases for custom providers.

App Distribution and Paid Apps

Apps can have two types:

1) Sub-Account
2) Agency

Be extremely cautious before you save these. There is no going back when you make your election. Ever. There are fundamental differences in how the app is displayed in the app marketplace as of 12 July 2024. Note that this does not affect private app installations at all. These are only apps that are published in the marketplace. Private app auth links you can generate on this page are not affected.

Able to be seen in the Sub-Account App Marketplace and installed

Only able to be installed in the Agency Marketplace.

Sub-Account and Agency
Visible in both app marketplaces but only able to be installed in the Agency Marketplace.

How To Pick:

If you need locations.write or any scope requiring Agency tokens then you need Agency type.

Private App vs Public App:

When you click "Public" and submit for review your app now requires scope review. Do not do that until you are ready. It takes about a week or so to get your app reviewed. Once an app is public, new scopes or changes take another app review to get added.

Free vs Paid Apps:

If you are wanting to handle all payments off-site then make the app "Free". There is an option to do a Paid app and do your own external payment system. This system is very new and will work so long as you properly handle the payment flow. If you elect to do a paid app through the GHL payment system then this election is permanent/irrevocable. You also can no longer install your app with the auth link outside of the marketplace. You literally have to buy your own app to test it. So please make sure you have fully installed the app in a demo account prior to publishing and paid app model.

Last Update: 12JUL2024

Leg 1 - Configure Your Application

  • Step 3: Select the checkboxes with the scopes you picked:












Custom Values

Custom Fields








Payments Integration


Social Planner





Agency Pro $497 Only

Agency $297 or $497

Webhook Event Only

Select All

  • Step 4: Auth Link Options

Authorization Link Options

  • Step 5: Use our testing redirect URI and paste it into your marketplace app or set your own custom redirect.

  • Step 6: Generate a Client ID and Client Secret in the marketplace app. Copy them to a notepad and save both before you close the popup screen! Paste Client ID Here:

  • Step 7: Click to generate your authorization link. This includes all the previous steps in one link. Save this link in a notepad or bookmark the authorization URL after you click submit.

  • Step 7: Click the submit button below for "Leg 2". You will be prompted to grant a location/sub-account the permissions to your app. It will then land on the redirect URL link with more instructions.

DISCLAIMER: This site and tool is offered "as-is" with no warranty, implied or otherwise. All of the actions on this page can be accomplished on your own by reading the developer documentation on https://developers.gohighlevel.com. This site/tool is not created or run by HighLevel™. Protect your app's client secret, access token, and refresh token and do not share it. HighLevel offers a secure access token test widget in their developer docs, which is linked on our redirect page. We do not save or store any of your data. This site was built and is hosted on a HighLevel funnel page. This site includes and clearly discloses affiliate offers, but use of the tool does not require you to sign up or opt-in to any marketing.