
App Authentication

The Hotmart API uses OAuth 2.0 for authentication, and access tokens to authorize access to our resources. The following shows the steps needed to create the access credentials and to generate the access token, for use both in our production environment and in sandbox, our testing environment.

You already know this, but it doesn't hurt to remind you: keep your credentials and token safe. Exposing your credentials can allow the wrong people to access your information. If you are in doubt whether your data has been exposed, you can delete your credentials and generate new ones whenever you need to.

Generate Credentials

  • On our platform, go to Tools > Developer Credentials
  • Click the Create Credential button and give your credential a name. This name is just to better organize your credentials.
  • If you are going to use this Credential for our test environment sandbox, check the sandbox option in the Type field. If the Credential is for the production environment, just leave the box blank and click the Confirm button. Once created, the type of a credential cannot be changed; to use a different type, you must create a new credential.
  • If everything goes well, three pieces of information will be generated: client_id, client_secret and token of the Basic type.

Now that you have the credentials, the next step is to get your access_token. For this, it is necessary to make the following REST request:

Request parameters

  • client_id

    Client ID generated in the credentials tool.

  • client_secret

    Key generated in the credentials tool.

If the request is made successfully, you will receive the access_token according to the payload below:


  • expires_in

    Indicates the time allotted before the token expires. After this period, all requests made to Hotmart with this same token will return the error code 401.

    Our recommendation is that your application handle this error response and generate a new access token. Note that only the access token expires. The credentials (Client ID, Client Secret and Basic) remain the same.
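
One way to implement the recommended 401 handling, as an added example that is not Hotmart's own code: a small token cache that regenerates the access token when its lifetime has elapsed or when a request returns 401, retrying once with the unchanged credentials. The names TokenManager, fetch_token and send are hypothetical, the token request itself is left to the caller, and expires_in is assumed to be a lifetime in seconds.

```python
import time

class TokenManager:
    """Caches an access token; regenerates it on expiry or on a 401 response."""
    def __init__(self, fetch_token, clock=time.monotonic, skew=60):
        # fetch_token: hypothetical callable that performs the token request with
        # client_id/client_secret and returns the parsed JSON payload as a dict.
        self._fetch_token = fetch_token
        self._clock = clock
        self._skew = skew  # refresh this many seconds before the stated expiry
        self._token, self._expires_at = None, 0.0

    def _refresh(self):
        payload = self._fetch_token()
        self._token = payload["access_token"]
        # Assumption: expires_in is a lifetime in seconds, as in OAuth 2.0.
        self._expires_at = self._clock() + float(payload["expires_in"]) - self._skew

    def token(self):
        if self._token is None or self._clock() >= self._expires_at:
            self._refresh()
        return self._token

    def call(self, send):
        # send: hypothetical callable taking the bearer token and returning
        # (status_code, body) for one API request.
        status, body = send(self.token())
        if status == 401:
            # Token rejected: regenerate once with the same credentials and retry.
            self._refresh()
            status, body = send(self.token())
        return status, body

def demo():
    """Constructed offline run: fake token endpoint and fake API, no network."""
    issued, now = [], [0.0]
    def fake_fetch():
        issued.append(f"tok{len(issued) + 1}")
        return {"access_token": issued[-1], "token_type": "bearer", "expires_in": 172799}
    def fake_api(tok):
        # Constructed behaviour: tok1 is treated as expired, the newest token is valid.
        return (200, "ok") if tok == issued[-1] and tok != "tok1" else (401, "expired")
    tm = TokenManager(fake_fetch, clock=lambda: now[0])
    first = tm.call(fake_api)   # tok1 gets 401, tok2 is generated and succeeds
    now[0] += 172799            # lifetime elapsed: next call refreshes up front
    second = tm.call(fake_api)
    return first, second, list(issued)
```

The single retry keeps a revoked or deleted credential from causing an endless regeneration loop: a second 401 is returned to the caller.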

  {
    "access_token": "wxyz",
    "token_type": "bearer",
    "expires_in": 172799,
    "scope": "read write",
    "jti": "da2eff63-754d-4v76-9b3a-19bdb5cc8f36"
  }