Drift API - build real integrations for chat, leads, routing, and conversation data
Drift is best known for conversational marketing and sales chat experiences: web chat, bots, playbooks, meeting booking flows, and lead qualification. The Drift API lets you connect those experiences to your product and your business systems CRMs, data warehouses, enrichment pipelines, analytics tools, and internal dashboards.
This page is a developer-focused guide to how Drift’s API surface actually works: authentication via OAuth, core objects like conversations and messages, how to export transcripts, how to subscribe to events, and how to design a production architecture that is reliable, secure, and easy to operate.
Drift’s “API” is not just one endpoint. You usually combine: (1) OAuth to act on a workspace, (2) REST endpoints to read/write objects like conversations and contacts, (3) webhooks for real-time events, and (4) widget events to connect browser behavior to your backend. (*Rate limit details are returned in response headers; docs mention a typical default of 600/min.)
1) What the Drift API is
Drift’s developer docs are organized around “Using Drift APIs” (core usage patterns), authentication via OAuth, working with the conversation model, receiving information via webhooks/events, and specialized guides like transcript export. The key is to think in systems, not endpoints: Drift is a real-time conversation product, so your integration needs both data APIs (to fetch state) and event APIs (to react to changes).
The 4 layers most developers touch
| Layer | What it is | What you build | Examples |
|---|---|---|---|
| OAuth + Apps | Your “app” registered in Drift, with scopes and a webhook URL. | Installation flow and secure token storage. | “Connect Drift” button, OAuth callback, access token vault. |
| Core REST APIs | Endpoints for conversations, contacts, users, etc. | Syncs, dashboards, enrichment, exports. | List conversations, fetch transcript, pull contacts, map to CRM. |
| Webhooks | Server-to-server event notifications selected during app setup. | Real-time automation and near-live pipelines. | On new conversation → create CRM activity; on lead captured → route. |
| Widget Events (client) | Browser-side events from the Drift widget (and related customization). | UX customization + event forwarding to backend. | Capture “conversation started” on site, sync UTM, instrument conversion. |
Who the Drift API is for
- SaaS product teams connecting chat to product accounts and billing state.
- Revenue ops syncing Drift activity into CRM timelines and attribution.
- Data teams exporting conversations for analytics and QA.
- Integration partners building connectors for “lead-to-meeting” workflows.
Common “first project” mistakes
- Relying only on polling instead of webhooks.
- Not implementing rate limit backoff and retry logic.
- Storing OAuth tokens in plaintext or in logs.
- Not designing idempotency for webhook-driven automations.
What to read first in official docs
Start with OAuth authentication/scopes, then read the conversation model. After that, implement webhooks to receive events for the account once OAuth is completed. Finally, use conversation endpoints to pull transcripts and metadata as needed.
2) OAuth authentication & scopes
Drift uses the OAuth 2.0 Authorization Code flow to allow your app to access a Drift account on a user’s behalf. In Drift’s docs, completing OAuth also ties into event delivery: once your app is installed and authorized, Drift can begin sending your selected webhooks for that account.
High-level OAuth flow
- Your app redirects the user to Drift’s authorization page.
- User grants requested scopes for their Drift organization/workspace.
- Drift redirects back to your redirect URI with an authorization code.
- Your server exchanges the code for an access token (and possibly a refresh token, depending on Drift’s implementation).
- Your app stores tokens securely and uses them to call Drift APIs.
Scopes: ask for the minimum you need
Scopes define what your app can do. For example, transcript exports in Drift’s docs list scopes such as conversation_read, plus reading users and contacts as needed for context. Treat scopes as your “permissions contract” with customers: the narrower the scope, the easier it is for customers to trust and approve your integration.
Scope planning tips
- Start with read-only scopes for analytics/export projects.
- Only request write scopes when you truly need to create/update data.
- Document exactly why each scope is required (helps security reviews).
- Version your integration: “v1 read-only”, “v2 write-enabled”, etc.
Token storage checklist
- Store tokens in a secrets manager or encrypted database field.
- Never ship tokens to browsers or client apps.
- Redact tokens from logs and error reporting.
- Implement rotation/reinstall flows cleanly.
// Example: how your backend might store tokens (conceptual)
{
"driftOrgId": "ORG_123",
"installedByUserId": "USER_456",
"accessTokenEncrypted": "ENCRYPTED_BLOB",
"scopes": ["conversation_read", "contact_read", "user_read"],
"createdAt": "2026-02-08T00:00:00Z",
"lastUsedAt": "2026-02-08T00:00:00Z"
}Why OAuth matters (beyond “security”)
OAuth gives customers control: they can approve scopes, revoke access, and treat your integration as a managed app rather than a leaked API key. It also makes it easier for your product to support multi-tenant installations cleanly.
3) Drift conversation model: conversations, messages, and participants
Drift’s docs describe conversations as the core objects. A conversation represents a time-ordered series of events: chat messages, notes, bot actions, and metadata within the communication between a contact and a group of users or bots. Understanding this model is essential because most “Drift API” tasks ultimately revolve around conversations: exporting transcripts, syncing outcomes, and reacting to new messages.
Conceptual model
- Conversation: the container object; has status (open/closed/pending), participants, timestamps, tags, etc.
- Message: individual items in the conversation stream (chat message, internal note, system event).
- Participants: contacts (visitors/leads) and users (team members) and bots.
- Metadata events: things like assignment changes, campaign triggers, routing events.
Why this matters for integrations
If you’re building a CRM sync, you likely want to attach the entire transcript (or a summary) to the right account/contact. If you’re building analytics, you want to measure response time, conversation outcomes, and channel attribution. If you’re building automation, you want to trigger workflows when a conversation is created, assigned, or closed. In all of those cases, your integration must be able to:
- Identify the relevant contact (and map to your user/account ID or CRM contact ID).
- Fetch the full conversation details (including messages) when needed.
- Handle status transitions (open → closed, etc.) consistently.
- Store stable identifiers so you can update records later without duplicates.
Design tip: store “conversation IDs” everywhere
Whatever you build—CRM activities, analytics tables, data warehouse facts—store the Drift conversation ID and your internal ID. That makes it easy to re-fetch transcripts, reconcile webhooks, and handle reprocessing without duplicating.
4) Conversations API: listing conversations and exporting transcripts
Drift offers endpoints to list conversations and fetch details about a conversation. The “list conversations” docs show typical query parameters like a limit (often max 100 with a default around 25), optional status filters, and a page token for pagination.
| Parameter | Type | What it does | Practical notes |
|---|---|---|---|
| limit | integer | Max conversations to return per page (e.g., up to 100). | Use 100 for batch export jobs; lower for UI calls. |
| statusId | integer (repeatable) | Filter by status (commonly open/closed/pending codes). | Use this to backfill closed transcripts only. |
| page_token | string | Pagination token; blank/omitted on first call. | Persist the token for “resume exports” jobs. |
Transcript export: what you actually need
Transcript export projects typically require more than just the chat messages. You want enough metadata to make the data useful: participants, timestamps, assignment or routing info, conversation status, and tags. Drift’s transcript export guide emphasizes setting up an OAuth app, selecting scopes like conversation/user/contact read, and then using conversation endpoints to fetch context and transcripts.
Common transcript export patterns
- Full export: Pull all conversations (often closed) into a data lake/warehouse.
- Incremental export: Poll for recent conversations (or use webhooks) and fetch only new/updated ones.
- On-demand export: A UI button that fetches a single conversation transcript and attaches it to a CRM record.
Suggested “export schema” for your database
Drift’s conversation model is message-based. A common approach is to store normalized tables: conversations + messages + participants + tags. If you want fast retrieval, you can also store a denormalized “rendered transcript” string.
// Example warehouse-friendly schema (conceptual)
conversations: { conversation_id, status, created_at, closed_at, contact_id, owner_user_id, tags[], last_message_at }
messages: { conversation_id, message_id, sent_at, sender_type, sender_id, text, message_type }
participants: { conversation_id, participant_id, participant_type, display_name, email }
exports: { job_id, started_at, finished_at, page_token_checkpoint, success, error_code }How to avoid “missing messages” in exports
If you poll with time windows, always overlap windows (e.g., fetch last 24h every hour) and dedupe by conversation_id + message_id. Webhooks can arrive out of order, so your pipeline should be “eventually consistent” rather than assuming strict ordering.
5) Webhook events: subscribing and receiving Drift events
Drift webhooks are configured in your Drift developer app. In the Events section, you provide a request URL and choose which event types you want Drift to deliver. Drift’s docs also note you can use tools like ngrok to receive webhook events on your local machine for testing.
Webhook setup checklist
- Create a Drift app in the developer portal.
- Add a request URL for event delivery.
- Select event types (only what you need).
- Implement signature verification (if provided by Drift for your event type).
- Return 2xx quickly and process asynchronously.
Events you typically subscribe to
- Conversation created / started
- New message
- Contact created / updated
- Conversation closed
- Meeting booked / playbook outcome (if applicable)
Idempotency and replay protection
Webhooks can retry (network issues, timeouts, transient errors). Your system must handle duplicates safely. Best practice is to store the webhook event ID (or a stable tuple like event_type + conversation_id + timestamp) and discard duplicates. Never assume your webhook handler will run only once.
Webhook handler blueprint
- Read raw request body.
- Verify signature (if a signature header + secret exists).
- Parse JSON; extract event ID + key object IDs.
- If already processed, return 200.
- Enqueue a job (queue/worker) to do heavier work (fetch full conversation, update CRM, etc.).
- Return 200 fast.
// Example pseudo-code for webhook handler (conceptual)
raw = readRawBody(req)
verifySignature(raw, req.headers)
event = JSON.parse(raw)
id = event.id || stableHash(event)
if dedupeStore.has(id): return 200
dedupeStore.put(id, ttl=7d)
queue.publish("drift_event", { id, type: event.type, payload: event })
return 200Local testing with ngrok
Use an ngrok HTTPS tunnel to expose a local webhook endpoint. Update the request URL in your Drift app to the ngrok URL. Test event handling, signature verification, and idempotency before going to production.
6) Widget events: client-side events and customization
Drift’s docs describe “Receiving information from Drift” via the Widget API, which can send Drift events to an outside platform or customize Drift using specific events. The widget layer is important when you need browser context: UTM parameters, page path, product state, A/B test variants, or an authenticated user ID in your app.
What widget events are good for
- Attribution: capture UTM source/medium/campaign at conversation start.
- Product context: attach plan tier, feature usage, or account ID to the conversation.
- UX logic: show/hide chat based on route, login state, or user role.
- Analytics: instrument “chat opened”, “message sent”, “meeting booked”.
Recommended data flow: widget → your backend → Drift/CRM
Widget events happen in the browser, but you often want to connect them to server-side systems safely. The safe pattern is:
- Widget emits an event with minimal data (conversation started, user clicked, etc.).
- Your front-end posts that event to your backend with a signed session token (your auth).
- Your backend enriches the event (account ID, plan tier), validates permissions, then stores it and/or calls Drift or CRM APIs as needed.
// Example front-end event forwarding (pseudo-code)
drift.on("conversation:start", (payload) => {
fetch("/api/drift/widget-event", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
type: "conversation_start",
conversationId: payload.conversationId,
utm: getUTM(),
page: location.pathname
})
})
})Privacy note for widget events
Avoid sending sensitive personal data from the browser unless you truly need it. If your app is authenticated, send stable internal IDs (accountId, userId) rather than raw emails whenever possible.
7) Rate limits, pagination, retries, and reliability
Drift’s FAQ notes that rate limits/usage caps are returned in response headers, and mentions that the default is generally high (commonly cited around 600 requests/min unless otherwise stated). Your integration must read headers and adapt.
Practical rate-limit strategy
- Implement a request wrapper that reads rate limit headers and logs them.
- On HTTP 429, back off with exponential delay + jitter.
- Use concurrency limits (e.g., 5–10 parallel calls), especially for large transcript exports.
- Prefer webhooks to reduce polling load.
Pagination: treat page tokens as opaque
For endpoints that use page tokens, don’t parse or modify them. Store the token exactly as returned. This enables “resume” behavior for long-running export jobs: if a job fails mid-way, restart from the last stored page token.
Idempotency: your integration should be safe to replay
For webhook-driven systems, you must assume duplicates. For polling systems, you must assume overlap (especially if you use time windows). Solve both with stable keys:
- Store conversation_id as the canonical object key.
- Store message_id as the canonical message key.
- Upsert on keys instead of inserting blindly.
Operational tip: build a “replay” tool
In production, you’ll occasionally need to replay a webhook or re-fetch a transcript. Build a small admin endpoint or internal tool that can reprocess a conversation ID safely and idempotently. This reduces downtime and manual debugging.
8) Common Drift API integrations you can ship
Drift is often the “front door” for revenue conversations. The highest ROI integrations connect chat activity to systems of record, then automate follow-up so nothing falls through the cracks.
Use case A: CRM timeline sync (Salesforce/HubSpot)
Goal: every meaningful Drift conversation becomes a CRM activity. The pattern:
- Subscribe to conversation events via webhooks.
- On conversation closed, fetch full transcript + metadata.
- Map the Drift contact to a CRM contact/lead (email-based match or internal ID mapping).
- Create an activity/note containing a summary + transcript link.
- Store conversation_id ↔ crm_activity_id mapping for updates/replays.
Use case B: lead routing + meeting booking enrichment
Goal: route high-intent leads instantly and enrich with firmographics. Pattern:
- Widget event captures UTM and page path at conversation start.
- Backend enriches with account data (pricing page hit, trial status).
- Webhook fires on lead captured; backend sets priority routing in your systems.
- On meeting booked, attach the context to the calendar invite and CRM opportunity.
Use case C: data warehouse analytics + QA
Goal: measure response time, bot effectiveness, and conversation outcomes.
- Nightly bulk export of conversations + messages.
- Incremental updates via webhooks for near-real-time dashboards.
- Build derived metrics: first response time, handle time, open→close duration, handoff rates.
- Run QA workflows on transcripts (tag failure modes, highlight common questions, improve playbooks).
What to store for analytics
- conversation_id, status, timestamps
- contact identifiers (hashed where possible)
- source metadata (UTM, page)
- routing/owner/queue info
- message counts + roles (visitor/agent/bot)
What NOT to store by default
- Raw sensitive PII beyond what’s needed
- Payment info or secrets accidentally pasted into chat
- Full tokens/headers in logs
- Unredacted transcripts in broad-access dashboards
9) Security & compliance (PII, least privilege, and safe operations)
Conversation data can include personal information and sensitive business details. A secure Drift integration is not optional. Use the “least privilege” principle with OAuth scopes, protect tokens, and design your event handling so it can’t be abused.
Token & secrets handling
- Encrypt tokens at rest and restrict access in your DB.
- Never include tokens in URLs or client-side code.
- Redact authorization headers in logs and error trackers.
- Implement a “disconnect” flow that revokes access cleanly.
Webhook security
- Validate the request source (signature/header if supported).
- Dedupe events and enforce idempotency.
- Use a queue to isolate your API from webhook floods.
- Store minimal payload fields; fetch details via API if needed.
GDPR-style considerations
Drift’s widget events docs include GDPR-related events, reflecting that privacy controls matter for chat. Your integration should support deletion/erasure requests, retention controls, and role-based access to transcript data.
Practical compliance checklist
Define retention windows for transcripts in your systems. Restrict transcript access by role. Provide a delete/forget path. Track data lineage: which conversations are stored where. Document your scopes and why you need them.
10) Production architecture: how to keep Drift integrations stable
The easiest way to keep Drift integrations stable is to treat them as an event-driven system with a reliable “source of truth.” Webhooks provide event signals. The Drift API provides authoritative state for objects. Your system should combine both.
| Component | Responsibility | Why it exists |
|---|---|---|
| OAuth service | Install flow, token exchange, encrypted token storage. | Secure multi-tenant access. |
| Webhook gateway | Verify + dedupe events; enqueue jobs; respond fast. | Reliability under burst traffic. |
| Worker queue | Fetch details, export transcripts, update CRM, run analytics. | Decouples heavy work from web requests. |
| Sync job runner | Scheduled export/backfill; checkpoint page tokens. | Completeness and recovery. |
| Observability | Logs, metrics, alerts, dashboards, replay tools. | Fast debugging and low downtime. |
Reliability playbook
- Always return 2xx quickly in webhook handlers; do work async.
- Backoff on 429 and record rate limit headers.
- Checkpoint pagination for long exports to resume after failures.
- Idempotent writes to CRM/DB using stable IDs.
- Replay capability for conversation IDs and webhook event IDs.
When to poll instead of webhooks
Polling can be OK for low-volume analytics or for backfills, but webhooks are better for real-time automations. If you must poll, use incremental windows + overlap and dedupe, and keep concurrency low to avoid rate limits.
11) Drift API FAQs
How does Drift authentication work for developers?
Drift uses OAuth 2.0 Authorization Code flow for apps. You register an app, request scopes, complete the OAuth flow, then use access tokens to call Drift APIs and receive selected webhook events for the authorized account.
What are “conversations” in Drift?
Conversations are core objects representing a series of messages and events exchanged between a contact and users/bots. Each conversation contains an ordered message stream including chat messages, notes, and metadata events.
How do I export conversation transcripts?
Typical exports use OAuth with read scopes for conversations/users/contacts, then list conversations and fetch details/transcripts. For big exports, paginate and checkpoint page tokens so you can resume.
How do Drift webhooks work?
You configure webhooks in your Drift developer app by providing a request URL and selecting event types. Drift then sends POST requests for those events. Use idempotency and a queue to handle retries safely.
What are the rate limits?
Drift indicates rate limits are returned in response headers and notes typical defaults can be high (commonly referenced around 600/min). Implement backoff on 429 and use webhooks to reduce polling load.
Can I get browser events from the Drift widget?
Yes. Drift documents widget events for sending Drift-related events to outside platforms and customizing widget behavior. Use your backend as the bridge so you never expose secrets in the browser.
References (official Drift docs)
These are the key official docs this guide is based on. For exact endpoint paths, payload schemas, and event names, always validate against the latest Drift developer documentation.
| Topic | Official page | Why it matters |
|---|---|---|
| Authentication & scopes | https://devdocs.drift.com/docs/authentication-and-scopes |
OAuth 2.0 Auth Code flow and scope model |
| Using Drift APIs | https://devdocs.drift.com/docs/using-drift-apis |
Entry point for API docs and patterns |
| Conversation model | https://devdocs.drift.com/docs/conversation-model |
Core object model for transcripts and messaging |
| List conversations | https://devdocs.drift.com/docs/list-conversations |
Pagination, filtering, and listing conversation data |
| Webhook events | https://devdocs.drift.com/docs/webhook-events-1 |
Configure webhooks and select event types |
| Widget events | https://devdocs.drift.com/docs/drift-events |
Client-side events for widget customization and forwarding |
| API FAQs (rate limits) | https://devdocs.drift.com/docs/faqs |
Rate limits headers + typical defaults |
| Bulk transcript export guide | https://devdocs.drift.com/docs/bulk-conversations-transcript-export |
Scopes and workflow for exports |