
Klaviyo

Authentication & Authorization

Credentials

Klaviyo supports two authentication methods:

  • OAuth (Recommended)
    • Klaviyo connects via OAuth 2.0 Authorization Code Grant Flow.
    • Klaviyo requires PKCE (Proof Key for Code Exchange) for safely storing credentials for clients.
    • The Client ID and Client Secret required for authentication can be obtained from the Klaviyo Portal. See Klaviyo Connection Instructions.
    • DataGrail uses the Refresh Token Flow to periodically renew the Access Token after it expires, keeping the connection alive.
  • Private Key authentication
    • Klaviyo authenticates RESTful API requests using the customer's private API key.
    • The private API key is passed via the Authorization header with each request.
    • The API key can be generated from the Klaviyo Portal. See Klaviyo Connection Instructions.
  • Publicly exposing your API credentials can allow a third party unauthorized access to the Klaviyo API endpoints and your Klaviyo data. DataGrail stores your API credentials encrypted and protected.

Permissions

Klaviyo admin privileges are required to set up an OAuth application or manage your private API keys. See Klaviyo Connection Instructions.

Scopes

The Klaviyo API requires specific scopes, which the customer must approve, to grant DataGrail read and write access to the objects necessary to complete privacy requests:

  • profiles:read
  • lists:read
  • segments:read
  • data-privacy:read
  • data-privacy:write
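
The PKCE step of the Authorization Code flow described under Credentials, requesting the scopes listed above, as an added example (not DataGrail's or Klaviyo's own code). It derives the S256 code challenge per RFC 7636, builds the authorization request, and shows the check an authorization server runs on the token request; the endpoint, client ID and redirect URI are placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Scopes listed on this page.
SCOPES = ["profiles:read", "lists:read", "segments:read",
          "data-privacy:read", "data-privacy:write"]

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    """32 random bytes give a 43-character verifier (RFC 7636 allows 43-128)."""
    return b64url(secrets.token_bytes(32))

def code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorization_url(authorize_endpoint, client_id, redirect_uri, verifier, state):
    """Build the authorization request; only the challenge leaves the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge(verifier),
    }
    return authorize_endpoint + "?" + urlencode(params)

def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """The comparison an authorization server makes on the token request."""
    return secrets.compare_digest(code_challenge(presented_verifier), stored_challenge)

if __name__ == "__main__":
    verifier = new_code_verifier()  # kept by the client until the token request
    url = authorization_url("https://auth.example.invalid/oauth/authorize",  # placeholder
                            "CLIENT_ID_PLACEHOLDER",                         # placeholder
                            "https://app.example.invalid/callback",          # placeholder
                            verifier, state=secrets.token_urlsafe(16))
    print(url)
    print(server_accepts(code_challenge(verifier), verifier))             # same client
    print(server_accepts(code_challenge(verifier), new_code_verifier()))  # different verifier
```

The verifier never appears in the authorization URL, so an authorization code captured from the redirect cannot be exchanged without it.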

Endpoints Utilized

DataGrail uses the following endpoint to validate that credentials are good based on a successful response:

Version

DataGrail integration currently supports Klaviyo API version “2024-10-15”.

Limits

  • DataGrail supports request throttling to stay within 70-80% of specified service rate limits.

  • When an API response returns HTTP 429 status, DataGrail interrupts requests, waits, and retries using an exponential backoff strategy.

Access

For an access request, DataGrail will take the following actions:

  • Search profiles by the Data Subject email.

  • For each detected profile get profile lists.

  • For each detected profile get profile segments.

  • For all objects found, DataGrail will return all available fields. You can edit which objects and fields you want to provide to the Data Subject via our Portal Requests.

Endpoints Utilized

Deletion

For a deletion request, DataGrail will take the following actions:

Endpoints Utilized

 

Need help?
If you have any questions, please reach out to your dedicated CSM or contact us at support@datagrail.io.

Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.