
How to Get Your Mailchimp API Key


May 25, 2026

To get your Mailchimp API key, log in to Mailchimp, click your profile icon, go to Extras → API keys, click Create A Key, name it, and copy it immediately—you'll only be able to see the full key once.

That's the short version. Below is the full walkthrough, including the data center detail that trips up most first-time integrations, when you should use OAuth instead of an API key, and how to keep your key secure.

Key takeaways

  • Your Mailchimp API key lives under Profile → Extras → API keys (you can also deep-link to admin.mailchimp.com/account/api while logged in).
  • Every key ends in a data center suffix like us21. That suffix sets your API base URL—forgetting it is the most common first-attempt failure.
  • An API key grants full access to your account. Treat it like a password: one key per integration, descriptive names, and revoke any key that leaks.
  • Use an API key for your own account. If you're building a product where other people connect their Mailchimp accounts, use OAuth 2.0 instead.

Before you start

You need a Mailchimp account, logged in through a browser. You'll need at least Manager permissions to create your own key (Admins can also see keys other users created). Free accounts have API access, though some advanced endpoints are gated by plan tier.

Note: Mailchimp is an Intuit company, so the login screens may show Intuit account branding or a "Continue with Google" option. The API key and app-registration pages still live in the Mailchimp account area reachable from the in-product profile menu.

Step-by-step: generate your Mailchimp API key

  1. Log in and open your account. Go to mailchimp.com and sign in. Click your profile icon in the top-right corner and choose Profile (some UI versions label this Account & billing).
  2. Open the API keys page. In the account navigation, open the Extras drop-down and click API keys. This takes you to the "Your API keys" section.
  3. Create a key. Click Create A Key. Give it a descriptive name that tells you what uses it—"WordPress site" or "internal reporting sync"—because later you'll only see this name and the first four characters of the key.
  4. Copy and store it. Click Copy Key to Clipboard and paste it into your integration and a secure secret store (a password manager or your environment's secrets manager). After you click Done, you won't be able to see or copy the full key again. If you lose it, you generate a new one and update any integration using the old one.
  5. Revoke keys you no longer use. On the same page, you can revoke a key for any integration you've stopped using. Revocation is permanent—you can't reactivate a revoked key.

The data center suffix (don't skip this)

Every Mailchimp API key ends in a dash and a data center code, like xxxxxxxx-us21 or xxxxxxxx-eu10. The part after the dash is your account's data center, and it determines your API base URL:

https://<dc>.api.mailchimp.com/3.0/

So a key ending in -us21 calls https://us21.api.mailchimp.com/3.0/. If you call a bare https://api.mailchimp.com/3.0/ or the wrong data center, requests fail with connection or authentication errors. Many no-code platforms have a separate "data center" or "server prefix" field—make sure it matches your key's suffix.
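One way to derive the base URL from a key without trusting the suffix blindly. This is an added example, not code from the article or from Mailchimp. The 32-hex-character key shape, the data center pattern and the MAILCHIMP_API_KEY variable name are assumptions, and the key shown is a constructed fake.

```python
import os
import re
from typing import Optional

# Assumed key shape (not stated in the article): 32 hex characters, a dash,
# then a data center code such as us21 or eu10.
KEY_RE = re.compile(r"[0-9a-f]{32}-([a-z]{2}\d{1,3})")


def data_center(api_key: str) -> str:
    """Return the data center suffix, rejecting anything that is not a plain code."""
    m = KEY_RE.fullmatch(api_key.strip())
    if not m:
        # The error never echoes the key itself, so it is safe to log.
        raise ValueError("API key is malformed or missing its data center suffix")
    return m.group(1)


def base_url(api_key: str, server_prefix: Optional[str] = None) -> str:
    """Build https://<dc>.api.mailchimp.com/3.0/ from the key's suffix.

    server_prefix models the separate "data center" field some platforms have;
    a mismatch with the key's suffix is reported instead of silently used.
    """
    dc = data_center(api_key)
    if server_prefix is not None and server_prefix.strip().lower() != dc:
        raise ValueError(f"server prefix {server_prefix!r} does not match key suffix {dc!r}")
    # dc matched a strict pattern, so it cannot smuggle dots, slashes or a
    # different host into the URL.
    return f"https://{dc}.api.mailchimp.com/3.0/"


def redact(api_key: str) -> str:
    """Loggable form: the first four characters plus the data center suffix."""
    key = api_key.strip()
    return f"{key[:4]}...-{data_center(key)}"


if __name__ == "__main__":
    # Hypothetical variable name; the fallback is a constructed, fake key.
    key = os.environ.get("MAILCHIMP_API_KEY", "0123456789abcdef0123456789abcdef-us21")
    print(redact(key), "->", base_url(key))
```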

API key vs. OAuth 2.0: which do you need?

Mailchimp supports two credential paths, and choosing the wrong one is the most common source of confusion.

Use an API key if you're connecting your own Mailchimp account to a tool, plugin, or backend you control. You generate the key once and paste it in. This is what most people searching for "Mailchimp API key" actually need.

Use OAuth 2.0 if you're building a product where other people connect their Mailchimp accounts—a multi-tenant SaaS with a "Connect your Mailchimp" button. Instead of asking each customer to paste a key, you register an app (Extras → API keys → Register and manage your apps → Register an App), receive a client_id and client_secret, and send users through Mailchimp's authorization flow.

With OAuth, you don't read the data center from a key suffix—after authorization, you call the metadata endpoint to get each user's data center and correct API base URL. Mailchimp is explicit about this: it strongly discourages asking your users to copy and paste their API keys into your application.

A note on Mandrill: if you're using Mailchimp Transactional (Mandrill), its API keys live in that product's own settings, separate from the Marketing API keys above. Generate, name, and store them the same way.

Keeping your key secure

An API key grants full access to your Mailchimp account, so treat it like a password:

  • Give each integration its own key, with a descriptive name, so you can revoke one without breaking the others.
  • Never commit keys to a Git repo, paste them into screenshots, or email them. Store them in environment variables or a secrets manager.
  • If a key leaks, revoke it immediately and generate a new one.
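To back up the "never commit keys" rule, a small scanner that can run as a pre-commit check over the files being committed. This is an added example, not code from the article or from Mailchimp. The key pattern (32 hex characters, a dash, a data center code) is an assumption, and the sample text and key are constructed.

```python
import re
import sys

# Assumed key shape (not stated in the article): 32 hex characters, a dash,
# and a data center code such as us21 or eu10. The lookarounds keep the
# pattern from matching inside a longer hex or alphanumeric run.
MAILCHIMP_KEY = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}-[a-z]{2}\d{1,3}(?![a-z0-9])")

# Constructed sample input with a fake key, a 40-character hash and a bare suffix.
SAMPLE = """\
# settings for the newsletter sync
MAILCHIMP_API_KEY=0123456789abcdef0123456789abcdef-us21
commit = "0123456789abcdef0123456789abcdef01234567"
server_prefix = "us21"
"""


def find_keys(text, source="<input>"):
    """Return (source, line number, redacted match) for each key-shaped string."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in MAILCHIMP_KEY.finditer(line):
            key = m.group(0)
            # Report only the first four characters and the suffix, never the key.
            hits.append((source, lineno, f"{key[:4]}...{key[key.index('-'):]}"))
    return hits


def main(paths):
    """Scan the given files (or the sample if none); return 1 if anything matched."""
    hits = []
    if not paths:
        hits = find_keys(SAMPLE, "<sample>")
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits.extend(find_keys(fh.read(), path))
    for source, lineno, shown in hits:
        print(f"{source}:{lineno}: possible Mailchimp API key {shown}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A match means the key should be treated as leaked: revoke it and issue a new one, since removing the line in a later commit leaves it in the repository history.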

Mailchimp's Marketing API also enforces rate limits: up to 10 simultaneous connections per account, with a 120-second timeout per call. Exceeding the connection limit returns HTTP 429 Too Many Requests. For bulk work, use batch endpoints and add retry logic with exponential backoff rather than firing many calls in parallel.
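A sketch of the retry logic described above, combining a 10-slot connection cap with exponential backoff on 429. This is an added example, not code from the article or from Mailchimp. The send callable, the delay values and the use of random jitter are assumptions.

```python
import random
import threading
import time

MAX_CONNECTIONS = 10  # simultaneous connections per account, from the text
_slots = threading.BoundedSemaphore(MAX_CONNECTIONS)


def call_with_backoff(send, max_attempts=5, base=1.0, cap=60.0,
                      sleep=time.sleep, rng=random.random):
    """Call send() until it stops returning 429 or attempts run out.

    send is a caller-supplied function (hypothetical here) that performs one
    HTTP request with its own timeout and returns (status, body). Returns
    (status, body, attempts_used).
    """
    status, body = None, None
    for attempt in range(max_attempts):
        # Hold a slot only while the request is in flight, so callers that are
        # sleeping between retries do not count against the connection limit.
        with _slots:
            status, body = send()
        if status != 429:
            return status, body, attempt + 1
        if attempt + 1 < max_attempts:
            # Jittered exponential backoff: up to base, 2*base, 4*base ... capped.
            sleep(rng() * min(cap, base * 2 ** attempt))
    return status, body, max_attempts


if __name__ == "__main__":
    # Constructed responses standing in for the API: two 429s, then success.
    replies = iter([(429, "Too Many Requests"), (429, "Too Many Requests"), (200, "ok")])
    print(call_with_backoff(lambda: next(replies), base=0.01))
```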

Frequently asked questions

Where do I find my Mailchimp API key? Click your profile icon, then Extras → API keys. While logged in, you can also go straight to admin.mailchimp.com/account/api.

Why does my API key have "-us21" on the end? That's your account's data center. It tells you which base URL to call: https://us21.api.mailchimp.com/3.0/. The code varies by account (us4, us21, eu10, and so on).

Can I see my API key again later? No. Mailchimp shows the full key only once, at creation. Afterward you see only its name and first four characters. If you've lost a key, generate a new one and update your integration.

What's the difference between an API key and an OAuth token? An API key is a credential you generate manually for your own account. An OAuth access token is issued per user after they authorize your app—the right approach when many customers connect their own Mailchimp accounts to your product.

Is a free Mailchimp account enough? Free accounts can use the API, but some advanced endpoints are restricted by plan tier.

Connecting Mailchimp to many integrations at once

Generating one Mailchimp key is straightforward. The work compounds when your product needs Mailchimp and the other platforms your customers use—each with its own credential model, data center quirks, and key-rotation rules. And as Mailchimp itself notes, asking your customers to paste raw API keys into your product is exactly the friction you want to avoid.

This is the problem Unified.to solves. Unified provides Mailchimp through one unified Marketing API—working with lists, subscribers, campaigns, and reports as normalized objects—alongside other marketing platforms like HubSpot, ActiveCampaign, Klaviyo, Constant Contact, and SendGrid, through a single integration. Unified handles the authorization flow (OAuth or API key), data center resolution, and token lifecycle, so your customers get a clean "connect your account" experience and your team doesn't maintain per-vendor credential logic.

It's the same pattern that lets teams like Humi ship integrations in days rather than building and maintaining each one in-house: integrate once per category, and get every platform in it.
