How to Get Your Gumroad API Access Token (Step by Step, 2026)
If you want to automate anything on your Gumroad account — pull your sales, bulk-edit prices, generate discount codes, or connect a tool like Zapier, n8n, or a Chrome extension — you'll hit the same first step: you need a Gumroad API access token.
The token is the key that lets software act on your account on your behalf, without you ever sharing your password. The good news is that generating one takes about two minutes and lives entirely inside your own Gumroad settings. The part most guides skip is what the token actually is, what it can and can't do, and how to shut it off if you ever need to.
This walkthrough covers the full flow as it works in 2026, plus the security details worth understanding before you paste that token anywhere.
What a Gumroad API access token actually is
Before clicking anything, it helps to know what you're creating.
Gumroad exposes a public REST API (version 2) at api.gumroad.com/v2. To call it, every request has to prove it's allowed — that proof is the access token. Think of it as a long, random password that represents one specific permission grant rather than your whole login.
A few facts that shape everything below:
- The token is generated from an "application" you create inside your Gumroad settings. The application is just a container; the token is what you actually use.
- A personal token you generate for your own account does not expire. Per Gumroad's own documentation, the access token stays valid until you manually revoke it.
- The token should be treated like a password. It goes in the header of every API request, and anyone who has it can act on your account within its permissions.
- There's a separate, heavier OAuth flow for apps that act on other people's Gumroad accounts. If you're just wiring up your own account, you can skip that and generate a token directly.
That last point is the one that trips people up. You do not need to implement OAuth, spin up a redirect server, or trade authorization codes to get a token for yourself. You just create an app and click a button.
Step 1: Open Settings → Advanced → Applications
Log in to Gumroad, then go to Settings → Advanced. You can also jump straight there at app.gumroad.com/settings/advanced.
On that page you'll find an Applications section with a form to create a new application. This is Gumroad's developer area; nothing here is visible to your customers.
Step 2: Create an application
Fill in the new-application form:
| Field | What to enter |
|---|---|
| Application icon | Optional. A small thumbnail to identify the app. Skip it for personal use. |
| Application name | Anything that reminds you what it's for — e.g. My Sales Export or Bulk Pricing. |
| Redirect URI | For your own account, enter http://127.0.0.1 (localhost). |
The Redirect URI is the field that confuses people. It only matters for the full OAuth flow, where Gumroad sends an authorization code back to your app's address. When you just want a token for your own account, Gumroad's documentation says to simply enter localhost — http://127.0.0.1 — and move on. It's a required field, not something you'll actually use.
Click Create application.
Step 3: Note your application credentials
After the app is created, its page shows two values:
- Application ID (this is your client_id)
- Application secret (this is your client_secret)
These two are only needed if you later build the full OAuth flow so other users can connect their accounts. For a personal token, you can leave them alone — but still keep the secret private, since it's part of your app's identity.
Step 4: Generate your access token
On the same application page, click Generate access token.
Gumroad creates the token and displays it. Copy it somewhere safe immediately. This single string is what you'll paste into whatever tool or script needs API access to your account.
That's the whole process. No code, no redirect dance — the "Generate access token" button is the shortcut Gumroad provides specifically so account owners don't have to run OAuth against themselves.
Step 5: Understand the scopes
Scopes define what a token is allowed to do. Gumroad's API uses a small set, including:
- view_profile — read basic account info (the default).
- view_sales — read your sales and customer data.
- edit_products — create and update products, prices, and offer codes.
- mark_sales_as_shipped — update fulfillment status on sales.
- refund_sales — issue refunds.
Scopes are most relevant in the OAuth dialog, where a third-party app requests only the permissions it needs and you approve them. A token you generate for your own account acts with your account's permissions, so it can do what the API allows on your products and sales. Either way, the principle is the same: a token can only do what its permissions allow, which is why you should only hand it to tools you trust.
Step 6: Test what the token can do
Once you have a token, you can confirm it works with a single request. The token is passed with each call (as an access_token parameter or in the request header). A quick read-only check:
curl "https://api.gumroad.com/v2/products?access_token=YOUR_TOKEN_HERE"
If the token is valid, Gumroad returns a JSON list of your products. From there, the API lets you:
- List, create, and update products and their variants.
- Create, edit, and delete offer codes (Gumroad's term for discount/coupon codes).
- Read your sales — buyer email, name, product, amount, and date.
- Manage subscribers and fulfillment.
In other words, almost anything you do by hand in the dashboard, the API can do programmatically — which is exactly why automation tools want this token.
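The curl check above puts the token in the URL, where it is saved in shell history and can be recorded wherever the URL is logged. The following Python code is an added example, not code from Gumroad or from this guide: it makes the same read-only /products call with the token read from an environment variable and sent in a header. The `Authorization: Bearer` header form and the `GUMROAD_TOKEN` variable name are assumptions.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://api.gumroad.com/v2"  # base URL given in the article


def build_request(path, token, params=None):
    """Build a GET request that carries the token in a header, never in the URL."""
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("token is empty or contains whitespace (bad copy/paste?)")
    if params and "access_token" in params:
        raise ValueError("do not pass the token as a query parameter")
    url = f"{API_BASE}/{path.lstrip('/')}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    # Assumption: the header form is the standard OAuth 2.0 bearer scheme.
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def check_token(token, opener=urllib.request.urlopen):
    """Read-only call to /products. Returns (ok, detail); never echoes the token."""
    try:
        request = build_request("products", token)
        with opener(request, timeout=10) as response:
            json.load(response)  # a valid token yields a JSON body
            return True, f"HTTP {response.status}"
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code}"  # e.g. a revoked or mistyped token
    except (urllib.error.URLError, ValueError) as exc:
        # Network failure, malformed token, or a non-JSON reply.
        return False, type(exc).__name__


if __name__ == "__main__":
    # GUMROAD_TOKEN is a hypothetical variable name chosen for this example.
    ok, detail = check_token(os.environ.get("GUMROAD_TOKEN", ""))
    print("token accepted" if ok else "token rejected", detail)
```

The `opener` parameter exists so the check can be exercised without network access; in normal use leave it at its default.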
Security: how to revoke a token
Because the token never expires on its own, you are responsible for turning it off when it's no longer needed. Two ways to do that, both from the same Settings → Advanced → Applications page:
- Regenerate the token. Generating a new access token invalidates the old one. Any tool still holding the previous token instantly loses access.
- Delete the application. Removing the app kills every token tied to it.
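Since a token stays valid until it is revoked, it helps to know where one has already been written down. This added example (not part of Gumroad's tooling or of the original guide) scans lines taken from shell history, scripts or config files for Gumroad token values and reports them redacted, so each hit can be followed by regenerating the token. The sample lines, token values and placeholder names are constructed.

```python
import re

# Token in a query string or form field, as in the article's curl check.
PARAM_RE = re.compile(r"(access_token=)([^&\s\"']+)")
# Token written out in a bearer header on a command line or in a config file.
BEARER_RE = re.compile(r"(Authorization:\s*Bearer\s+)([^\s\"']+)", re.IGNORECASE)
# Documentation placeholders and variable references are not leaked secrets.
PLACEHOLDERS = {"YOUR_TOKEN_HERE", "$GUMROAD_TOKEN", "${GUMROAD_TOKEN}"}

# Constructed sample input: shell history and a script line.
SAMPLE_LINES = [
    'curl "https://api.gumroad.com/v2/products?access_token=YOUR_TOKEN_HERE"',
    'curl "https://api.gumroad.com/v2/products?access_token=constructed-sample-token-1&page=2"',
    'curl -H "Authorization: Bearer $GUMROAD_TOKEN" https://api.gumroad.com/v2/sales',
    'GUMROAD_URL = "https://api.gumroad.com/v2/sales?access_token=constructed-sample-token-2"',
    "ls -la",
]


def find_token_leaks(lines):
    """Return (line_number, redacted_line) for each line exposing a token value."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if "gumroad" not in line.lower():
            continue  # only report lines that concern the Gumroad API
        values = [m.group(2) for rx in (PARAM_RE, BEARER_RE) for m in rx.finditer(line)]
        if not any(value not in PLACEHOLDERS for value in values):
            continue  # no token on the line, or only placeholders
        redacted = line.rstrip("\n")
        for rx in (PARAM_RE, BEARER_RE):
            # Keep the prefix so the reader can see where the token sat.
            redacted = rx.sub(lambda m: m.group(1) + "[REDACTED]", redacted)
        findings.append((number, redacted))
    return findings


if __name__ == "__main__":
    for number, line in find_token_leaks(SAMPLE_LINES):
        print(f"line {number}: {line}")
```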
A few habits that keep you safe:
- Never paste your token into a public repo, a screenshot, or a support chat. It's a password.
- Use one application per tool so you can revoke access to a single integration without breaking the others.
- If a tool stores your token on its own servers, understand that you're trusting that server. Tools that keep the token only in your browser never see it on their backend — a meaningfully smaller attack surface.
That last distinction matters more than people realize, and it's worth a closer look — especially if the "tool" you're handing the token to is a browser extension.
Where this token gets used: tools built on your own API access
The whole reason to generate a Gumroad API access token is to let a tool act on your account safely. GumKit is one example of how that's supposed to work — and a good illustration of what to check before you trust any tool with your token.
GumKit is an independent Chrome extension for Gumroad sellers. It is not affiliated with, endorsed by, or sponsored by Gumroad — it's a third-party tool that talks to Gumroad's own official API on your behalf. The honest picture of how it uses the token you just created:
- You bring your own token. You generate it yourself with the exact steps above, then paste it in. GumKit doesn't ask for your Gumroad password and doesn't log in for you.
- The token stays in your browser. It's stored in chrome.storage.local on your machine. There's no GumKit server holding your credentials, which means there's no backend that could leak them.
- It only calls the official API v2 (api.gumroad.com/v2). No scraping, no automating clicks in the dashboard, no rate-limit tricks.
- You stay in control. Because it's your token hitting your account, you can revoke it anytime from Gumroad's settings using the revocation steps above, and access stops immediately.
With that access in place, the kinds of one-at-a-time chores Gumroad's dashboard makes tedious become single passes:
- Bulk discount codes — define one offer code and apply it across every selected product instead of retyping it product by product (see the bulk discount codes guide).
- Per-region parity pricing — generate explicit, controllable region codes from an editable table (more in PPP pricing on Gumroad).
- Bulk price changes — set a fixed price or apply a ± percentage across many products at once.
- Customer CSV export — pull your full sales history into a spreadsheet (walkthrough: export Gumroad customers to CSV).
- AI listing SEO — improve product titles and descriptions for discoverability.
GumKit is free to start, with optional paid bulk features. The point here isn't the tool — it's that a well-built integration uses exactly the token you generated, keeps it on your side, and rides on Gumroad's official API rather than working around it. That's the bar to hold any tool to.
FAQ
Do I need to know how to code to get a Gumroad API access token?
No. Generating a token for your own account is entirely point-and-click: create an application under Settings → Advanced, enter http://127.0.0.1 as the redirect URI, and click Generate access token. You only need code if you're calling the API yourself; a finished tool handles the requests for you.
Does the Gumroad access token expire?
No. According to Gumroad's documentation, a personal access token does not expire and remains valid until you manually revoke it. That convenience is also why you should treat it like a password and revoke it the moment a tool no longer needs it.
What should I put in the Redirect URI field?
For a token tied to your own account, enter http://127.0.0.1 (localhost). The redirect URI only does real work in the full OAuth flow, where Gumroad sends an authorization code back to your application's address. For personal use it's just a required placeholder.
How do I revoke or change my Gumroad API token?
Go back to Settings → Advanced → Applications. Generating a new access token invalidates the old one, and deleting the application revokes every token tied to it. Either action cuts off access immediately for anything still using the previous token.
Is it safe to give my token to a third-party app?
It depends on the app. Safer designs use a token you generate, store it on your own device rather than their server, and call Gumroad's official API instead of scraping. Because the token is scoped to your account and revocable anytime, the worst case is bounded — but only hand it to tools you'd trust with account access, and revoke it if you stop using them.
The takeaway
Getting a Gumroad API access token is one of the easier developer tasks you'll do: open Settings → Advanced → Applications, create an app with http://127.0.0.1 as the redirect URI, and click Generate access token. The token doesn't expire, so the real discipline is on the security side — keep it private, use one app per tool, and revoke it from the same page when you're done.
Once you have it, that token is the single key behind every Gumroad automation, from a one-line curl to a full extension. If your reason for generating it is to stop doing repetitive catalog work by hand, GumKit uses exactly this token — your own, stored in your browser, on Gumroad's official API — to turn those one-at-a-time chores into single passes. Free to start, with optional paid bulk features, and no middleman between you and your own account.