Private Integration Tokens vs Marketplace Apps in GoHighLevel: Which to Use

When to use a GoHighLevel Private Integration Token and when to build a Marketplace app with OAuth, with a side-by-side comparison and a decision checklist.

MMahzaib MirzaJuly 12, 20267 min read0 comments
Private Integration Tokens vs Marketplace Apps in GoHighLevel: Which to Use

Use a GoHighLevel Private Integration Token when you're automating accounts you control, and build a Marketplace app with OAuth when other agencies will install what you're making. That one sentence answers it for most people. The rest of this article is the detail behind it: how each option authenticates, what it costs you in effort, and the specific situations where the "obvious" choice is wrong. Get this decision right early and you avoid the most expensive mistake in HighLevel development, which is rebuilding your auth layer after you picked the wrong door.

The two options in plain terms

A Private Integration Token (PIT) is a single bearer token you generate inside an account's settings. You choose its scopes, copy it once, and use it to call API v2 for that account. There's no install flow and no user consent screen, because you already own the account. PITs replaced the old v1 API keys as the recommended way to do internal automation.

A Marketplace app is a distributable product. Any HighLevel account can install it, and installation runs through OAuth 2.0, so each install grants your app scoped, revocable access to that specific account. This is the only way to reach accounts you don't own, and it's how you build something thousands of agencies can use. The full build is covered in How to Build a GoHighLevel Marketplace App with OAuth 2.0.

Side by side

FactorPrivate Integration TokenMarketplace App (OAuth)
Who can it access?Only accounts you ownAny account that installs it
Auth modelOne static bearer tokenOAuth 2.0 with rotating tokens
Setup effortMinutes, in the UIDays: install flow, storage, refresh
Token lifecycleNo expiry; rotate every ~90 daysAccess ~24h, refresh rotates each use
User consent screenNoneYes, per install
DistributionNot distributableListed in the marketplace
Custom in-app UINoYes, via Custom Pages
Workflow triggers/actionsNoYes
Best forInternal tools, client work you runProducts other agencies install

When a Private Integration Token is the right call

Reach for a PIT whenever the accounts are yours. If you run an agency and want to sync your own sub-accounts to a database, push leads into HighLevel from a landing page you built, or run a nightly reconciliation job, a token is all you need. You create it, scope it, and start calling the API the same afternoon. No OAuth server, no callback route, no token-refresh logic to get wrong.

It's also the right choice for client work where you manage the account. If a client hands you their HighLevel and asks for a custom automation, generate a PIT inside their sub-account, store it securely on your side, and build. You get the same API v2 surface a Marketplace app has, without any of the distribution machinery.

The one discipline PITs require is rotation. Because the token doesn't expire on its own, it's a long-lived secret. HighLevel recommends rotating every 90 days, and the settings include rotate-and-expire controls to do it without downtime. Put a calendar reminder on it.

When you need a Marketplace app instead

The moment your software has to touch an account you don't own, PITs are off the table and you need OAuth. You can't ask a thousand agencies to paste a token into your product, and you wouldn't want the liability if they did. OAuth gives each customer a consent screen, scoped access, and a revoke button, which is exactly what installing third-party software should feel like.

There's also a capability gap that surprises people. Only Marketplace apps can render Custom Pages inside HighLevel and register workflow triggers and actions. If your idea includes an onboarding screen your users see in the CRM, or a trigger they drop into their own automations, you're building a Marketplace app regardless of how the auth shakes out. And with HighLevel waiving developer commission through the end of 2026, the marketplace is unusually attractive to ship into right now.

The trap: picking PIT because OAuth looks hard

Here's the mistake I see most. Someone wants to build a product other agencies will use, but OAuth feels like a lot of work, so they ship with Private Integration Tokens and a "paste your token here" box. It works in the demo. Then it falls apart: onboarding is clunky, you're storing customers' long-lived tokens with no consent trail, you can't offer Custom Pages or workflow triggers, and you have no clean way to handle a customer leaving. Migrating that to OAuth later means rebuilding auth while live customers depend on it.

If the honest answer to "will people I don't own install this?" is yes, build OAuth from day one. It's a few more days now against a painful rebuild later. That trade is not close.

A quick decision checklist

  • Only automating accounts you own or manage? Use a Private Integration Token.
  • Other agencies will install it? Build a Marketplace app.
  • Need Custom Pages or workflow triggers/actions? Marketplace app, no exceptions.
  • Just testing the API to learn it? Start with a PIT, it's the fastest path to a first successful call.
  • Not sure if it'll ever be distributed? Assume it will and build OAuth if that's even plausible.

Whichever door you pick, the API v2 surface beyond auth is identical: same base URL, same Version header, same rate limits. The choice here is only about how you get the token, not what you can do once you have it. For the bigger picture on both paths, see the GoHighLevel custom development guide.

Frequently asked questions

Are Private Integration Tokens the same as the old API keys?

No. PITs replaced v1 API keys as the recommended approach for internal access. They're scoped, manageable, and work with API v2, which the old keys don't fully cover.

Can I start with a PIT and move to OAuth later?

You can, but if you already know the product will be distributed, don't. Migrating auth after launch means changing how every customer connects while they're relying on the app. Build OAuth up front when distribution is the goal.

Do both options use the same API endpoints?

Yes. Once you have a valid bearer token, the API v2 endpoints, the base URL, and the required Version header are identical. Only the way you obtain the token differs.

How often should I rotate a Private Integration Token?

Roughly every 90 days. Since the token doesn't expire on its own, rotation is what limits the damage if it ever leaks. The settings include controls to rotate without breaking your running integration.

Share:
M

Written by

Mahzaib Mirza

Software developer & Founder of Coders Vibe.

Related Posts

Liked this post?

Get the next one in your inbox the moment it's published. No spam, unsubscribe anytime.

0 Comments

Leave a comment