Long-lived Token

When you need to develop an integration that will only be used in your account, there’s no need to go through the difficult process of getting an authorization code through the redirect mechanism. Long-lived tokens do not have a refresh_token: you don’t have to exchange them or write logic to monitor the relevance of the tokens. Instead, you can receive a long-lived token. In this case, the integration will work with your rights, i.e. administrator rights (only a user with account administrator rights can create it in the account).

Start by creating a private integration. You don’t have to fill in the Redirect URL or Access revoked notification web hook

To create a long-lived token, open the Keys and scopes tab, click the Generate long-lived token button, select the expiration date of the token, and copy the token.

When you generate a long-lived token, you select the expirations date of the token, which is valid from 1 day to 5 years.


  • Once a token has been generated, make sure to save it. You won’t be able to access it again.
  •  Such tokens are suitable only for private integrations.
  • It is less safe to use this kind of authorization. Be aware that if your long-lived token is compromised, your account is in danger.

You will use the token to make requests to your Kommo account via a private integration.


An example of the long-lived token –



Paste the token into the body of the request to get all the leads of your account.

  require_once('vendor/autoload.php') ;
  $client = new \GuzzleHttp\Client();
  $response = $client->request('GET', 'https://subdomain.kommo.com/api/v4/leads', [ 
 'headers' => [
  'accept' => 'text/plain', 'authorization' => 'Bearer $PASTE_YOUR_TOKEN_HERE$', 
echo $response->getBody();

In the Authorization tab, you can see that long-lived tokens have not only an issue date, but also an expiration date, and you can always revoke access by clicking the Revoke access button.