Source: ai-research/ghl-2026-05-01/support-solutions-articles-155000003697-api-security-initiatives.md, ai-research/ghl-2026-05-01/support-solutions-articles-155000002545-enhanced-account-security.md, ai-research/ghl-2026-05-01/support-solutions-articles-48001060529-highlevel-api-documentation.md
HighLevel has rolled out a series of API security initiatives that materially change how API keys behave: V1 has reached end-of-support, the platform no longer auto-generates Location API keys, and unused keys are auto-deleted after 90 days of inactivity. This article consolidates the active security guarantees, deletion timelines, customer notifications, and plan-tier access differences a developer needs to plan around.
Key Takeaways
- API keys auto-delete after 90 days of inactivity. Any agency or sub-account API key that has not been used in the past 90 days is automatically deleted. Cleanup runs once per quarter across all agency and sub-account API keys.
- Three in-app deletion warnings. Impacted agency and sub-account admins receive in-app notifications 15 days, 7 days, and 1 day before deletion.
- 15-day email warning to agency admins. Agency admins (including those whose locations are impacted) receive an email 15 days prior with a complete summary of the upcoming deletion.
- 24-hour banner. One day before deletion, the impacted agencies and sub-accounts see a banner in-app for 24 hours.
- V1 EOL: December 31, 2025. V1 APIs reached end-of-support on that date. Existing connections continue to work, but no support or updates are provided for V1.
- No new V1 keys can be generated. The ability to generate new API keys has been removed from both Agency and Sub-account settings for accounts that have not yet generated or are not currently using a V1 API key. Migration target is V2 with Private Integrations.
- Enhanced Account Security is the default. Since June 17, 2024, Enhanced Account Security has been on by default for all accounts unless explicitly opted out. Opting out is strongly discouraged.
- What Enhanced Account Security does:
  - Disables auto-generation of Location API keys when a new location is created via API or UI; keys must be generated manually in the UI.
  - Excludes API keys from Location CRUD API responses; keys must be retrieved by logging into the UI directly.
  - Disables V1 User APIs (create/update/delete user) because they could be used to escalate access if a key was compromised.
- Asymmetric reinstate. Enabling Enhanced Account Security does NOT restore API key generation for locations where it was previously revoked. It only affects locations that still have an active API key.
Plan-Tier Access Differences
| Plan | API access |
|---|---|
| Starter | Basic API access |
| Unlimited | Basic API access |
| Agency Pro | Advanced API access — OAuth 2.0, Agency API Keys, future endpoints in the OAuth 2.0 API |
Lower-tier plans get Location API Keys only. Agency-level keys are an Agency Pro feature.
Migration Path
For developers still on V1:
- Inventory every place a V1 key is used (workflows, scripts, integrations).
- Decide per integration whether the right successor is a Private Integration Token (single-location, internal) or an OAuth 2.0 Marketplace app (multi-tenant, public, webhooks needed).
- Re-build the integration against V2 endpoints with the new authentication mechanism.
- Cut over and revoke the V1 key.
V1 keeps working but receives no security patches or new endpoints, so net-new development should target V2 only.
Related
- Private Integration Tokens
- OAuth 2.0
- API Rate Limits
- API Endpoints Overview
- Reconnect Broken Marketplace Apps
- GoHighLevel API Guide
- API Troubleshooting
Try It
- List every API key your team owns (agency-level + per sub-account) and confirm each has been used in the last 90 days. If any are dormant, expect them to be deleted at the next quarterly sweep.
- Verify Enhanced Account Security is enabled on all accounts in Settings → Company. Do not opt out.
- Audit any integration that reads API keys from the Location CRUD API response. Under Enhanced Account Security that response will return null/empty for the key, so the integration needs to be re-architected to either use a Private Integration Token (PIT) or fetch the key from the UI.
- Set a calendar reminder to migrate any remaining V1 integrations — there will be no further security updates on the V1 surface.
- Subscribe at least one agency admin email to the 15-day deletion warning so dormant keys never get deleted by surprise.
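An added example, not HighLevel's code or part of the original article: one way to run the first Try It check offline against a key inventory your team maintains. The CSV columns, the sample rows and the sweep date are constructed assumptions; the article does not describe an API that reports when a key was last used.

```python
import csv
import io
from datetime import date, timedelta

INACTIVITY_LIMIT_DAYS = 90         # article: keys unused for 90 days are deleted
WARNING_OFFSETS_DAYS = (15, 7, 1)  # article: in-app warnings before deletion

# Constructed sample inventory. Column names are this example's own convention.
SAMPLE_INVENTORY = """\
owner,scope,api_version,last_used
billing-sync,agency,v2,2026-04-20
legacy-crm-export,sub-account,v1,2026-01-05
zap-webhook,sub-account,v2,
reporting,sub-account,v2,2026-04-01
"""

def audit_keys(inventory_csv, sweep_date):
    """Classify each inventoried key as of an assumed sweep date."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        last_used = (row["last_used"] or "").strip()
        # No recorded use means nobody can vouch for the key: treat as dormant.
        idle_days = (sweep_date - date.fromisoformat(last_used)).days if last_used else None
        findings.append({
            "owner": row["owner"],
            "scope": row["scope"],
            "idle_days": idle_days,
            # Exactly 90 idle days counts as at risk (conservative reading).
            "at_risk": idle_days is None or idle_days >= INACTIVITY_LIMIT_DAYS,
            # V1 is past end-of-support, so V1 keys go on the migration list.
            "needs_v2_migration": row["api_version"].strip().lower() == "v1",
        })
    return findings

def warning_dates(sweep_date):
    """Dates on which the 15-, 7- and 1-day warnings would appear."""
    return {d: sweep_date - timedelta(days=d) for d in WARNING_OFFSETS_DAYS}

if __name__ == "__main__":
    sweep = date(2026, 6, 30)  # hypothetical sweep date, not from the article
    for f in audit_keys(SAMPLE_INVENTORY, sweep):
        status = "AT RISK" if f["at_risk"] else "ok"
        v1 = " [V1: migrate]" if f["needs_v2_migration"] else ""
        print(f'{f["owner"]:<20}{f["scope"]:<13}idle={f["idle_days"]}  {status}{v1}')
    for offset, day in warning_dates(sweep).items():
        print(f"{offset}-day warning expected on {day}")
```

Keys flagged at risk either need a deliberate, legitimate call before the sweep or should be revoked on purpose rather than left to disappear under an integration.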