All Shutterstock API requests require an Authorization header. OAuth is supported for all requests, but you may prefer to use Basic Auth if you don't need to interact with resources that require a customer or contributor user.

Basic Auth

You may use Basic Auth for requests that don't require a user, such as performing an image search or pulling image details. Basic Auth is part of the HTTP protocol, and described in detail in RFC1945. Send an Authorization header containing your Base64-encoded client_id and client_secret.

For example, if the user agent uses '1234' as the client_id and '4321' as the client_secret then the header is formed as follows:

Authorization: Basic MTIzNDo0MzIx

A client_id and client_secret can be obtained by registering a new application as described below.

Registering an Application

All developers need to register their application before getting started. A registered OAuth application is assigned a unique Client ID and Client Secret. The Client Secret should not be shared. You can register an application by going here.

Single User Integration

If your API integration involves the use of only one user account (for example to license images under one enterprise account) you can run the CURL requests below and re-use the resulting access_token for subsequent requests without needing to implement the OAuth2 flow within your client application.

1. Register a new application as described above.

2. Using your client_id and client_secret:


Make a request to the Shutterstock /oauth/authorize endpoint:

curl "" \
 --get \
 --data-urlencode "scope=licenses.create licenses.view purchases.view" \
 --data-urlencode "state=demo_`date +%s`" \
 --data-urlencode "response_type=code" \
 --data-urlencode "redirect_uri=$REDIRECT_URI" \
 --data-urlencode "client_id=$CLIENT_ID"

3. Open the response URL in your browser, sign in with a valid user and accept the requested permissions.

... Redirecting to

4. After a successful login you will be redirected the redirect_uri you requested, in this case:
http://localhost:3000/callback?code=qazwsxedcrfvtgbyhnujm&state=demo_1447704699. Copy the code from the URL, and store it for the next step:


The code expires after 5 minutes and can only be used once.

5. Use the code to make a request to the Shutterstock /oauth/access_token endpoint:

curl "" \
 -X POST \
 --data-urlencode "client_id=$CLIENT_ID" \
 --data-urlencode "client_secret=$CLIENT_SECRET" \
 --data-urlencode "grant_type=authorization_code" \
 --data-urlencode "code=$CODE"

6. This should return a JSON object with the access_token needed to make requests against the Shutterstock API on behalf of the authenticated user.

 "access_token": "v2/pl0okm9ijn8uhb7ygv6tfc5rdx4esz3wa2q1qasz2wsdxc3edcf4rfgv5tgb6yhn7ujm8ijFGHJKLpl0okm9ijn8uhb7ygv6tfc5rdx4esz3wa2q1qasz2wsdxc3edcf4rfgv5tgb6yhn7ujm8ijFGHJKLpl0okm9ijn8uhb7ygv6tfc5rdx4esz3wa2q1qasz2wsdxc3edcf4rfgv5tgb6yhn7ujm8ijFGHJKLpl0okm9ijn8uhb7ygv6tfc5rdx4esz3wa2q1qasz2wsdxc3edcf4rfgv5tgb6yhn7ujm8ijFGHJKLpl0okm9ijn8uhb7ygv6tfc5rdx4esz3wa2q1qasz2wsdxc3edcf4rfgv5tgb6yhn7ujm8ijFGHJKL"
 "token_type": "Bearer"

Store the access_token for later requests. The access_token is a key to the API and should be kept secret.


Multi-User Integration

If your API integration requires users to log into their Shutterstock accounts see the complete OAuth2 Guide.