When making any API requests, you have to authenticate in one of the following ways:

  • By generating a personal API token
  • By requesting an OAuth 2 access token


Please use HTTPS to send API requests.

Calls made over plain HTTP will fail.

API token authentication

  1. Please note that you must have an admin role in a project in order to access that project with the supplied API token.
  2. To generate a new API token, open Lokalise and click on your team avatar in the bottom left corner.
  3. Proceed to Profile settings > API tokens.
  4. Click Generate new token and choose the token type to create (read-only or read/write).
  5. Copy the newly created token and store it safely in your app (specifically, it should not be added to Git version control).
  6. Your token should be sent with every API request inside the X-Api-Token header:
X-Api-Token: f4d3f29bf893dc3583e9970735e08de094e82b0

OAuth 2 authentication

If your app needs to act on behalf of another user, you can implement an OAuth 2 flow:

  1. Contact our support team via the chat widget on and ask to register a new OAuth 2 app. Please provide the following info:
    • Title of your application
    • Logo of your application (150x150px, PNG or JPG)
    • Description of your application (optional).
    • Link to app website/documentation (optional).
    • Required scopes. Find the list of required scopes for the corresponding API endpoints
  2. You'll be provided with a client ID and client secret. Please bear in mind that the client secret must never be publicly exposed.
  3. Your app should redirect the user to the authentication URL <>. The following GET params must be added to this URL:
    • client_id
    • redirect_uri — a URL in your application where users will be sent after authorization.
    • scope — should contain a list of space-separated scopes that your app needs access to. For example, you'll need a write_projects scope to create new projects. You can find the required scopes under each API endpoint.
    • state (optional if you are not using redirect_uri) — a random string used to protect against CSRF attacks.
  4. Once the user grants access to their account, they will be redirected back to your app along with an oauth_code. Your app should make a POST request to <> along with the following body params:
    • grant_type — should be authorization_token
    • client_id
    • client_secret
    • code — the code sent to your app
  5. After sending the POST request, you'll receive a response with access_token and refresh_token. You can now make requests to the API by providing the access_token under the Authorization header in the following way:
curl -H "Authorization: Bearer someAccessToken"
  1. Access tokens usually expire in 60 minutes, so in order to request a new token, your app should send another POST request to <> with the following data:
    • grant_type — should be refresh_token
    • client_id
    • client_secret
    • refresh_token