Source: ai-research/ghl-2026-05-01/support-solutions-articles-48001060529-highlevel-api-documentation.md, ai-research/ghl-2026-05-01/docs-authorization-authorization_doc.md
A Private Integration Token (PIT) is one of HighLevel’s two supported V2 authorization mechanisms. PITs are scoped to a single sub-account (location) and intended for internal automations, custom dashboards, and single-tenant scripts that do not need user-approved access or webhook subscriptions. They are the lightweight alternative to a full OAuth 2.0 Marketplace app.
Key Takeaways
- Two-mechanism model. HighLevel V2 supports exactly two authorization types: Private Integration Tokens (PITs) and OAuth 2.0. PITs are for internal use; OAuth is for distributable Marketplace apps.
- Use a PIT when your use case is internal API access, you do not need webhooks or custom design pages, and you only need to access one sub-account at a time. Typical examples called out in the official docs: internal data synchronization, custom reporting dashboards, automated tasks within your own system.
- Generation lives in the sub-account UI. PITs are generated manually in the HighLevel sub-account settings under Integrations. Auto-generation of Location API keys was disabled by the Enhanced Account Security rollout — keys are created on demand only.
- Bearer token + version header. Authenticate by sending the PIT as
Authorization: Bearer <token>and include the API version headerVersion: 2021-07-28. The base URL ishttps://services.leadconnectorhq.com. - PIT vs OAuth at a glance. Use OAuth when building a public/Marketplace app, accessing multiple locations or accounts, or requiring secure user-approved access. Use a PIT for everything else.
- V1 → V2 migration angle. V1 APIs reached end-of-support on 31 December 2025; existing V1 connections still work but get no updates or support. Going forward, the ability to generate new V1 API keys has been removed from both Agency and Sub-account settings for accounts that have not yet generated one. PITs are HighLevel’s recommended migration target for single-location use cases.
- Per-location scoping. A PIT is bound to the sub-account it was generated in. Multi-location workflows need either a separate PIT per location or an OAuth app.
Example Request
curl -X GET \
https://services.leadconnectorhq.com/contacts/ \
-H "Authorization: Bearer YOUR_PIT" \
-H "Version: 2021-07-28" \
-H "Content-Type: application/json"When to Choose PIT vs OAuth
| Need | PIT | OAuth 2.0 |
|---|---|---|
| Internal automation, single sub-account | Yes | Overkill |
| Public Marketplace app | No | Yes |
| Multiple locations / company-wide | No | Yes |
| Webhook subscriptions | No | Yes |
| User-approved access | No | Yes |
| Custom design pages, custom workflow actions | No | Yes |
Related
Try It
- Sign in to a HighLevel sub-account.
- Go to Settings → Integrations → Private Integrations and generate a new PIT with the scopes the integration needs.
- Save the token in a secrets manager — HighLevel only displays it once.
- Make a test call to
GET /contacts/using the bearer token andVersion: 2021-07-28header. - Check the response headers for the rate-limit counters described in API Rate Limits before scaling up.