What authentication methods does Getty Images API support?

The Getty Images API primarily supports API Key authentication combined with OAuth 2.0 for both application identification and user authorization. Specific flows include Client Credentials Grant for server-to-server and Authorization Code Grant for user-interactive applications.

How do I get an API key and client secret for Getty Images?

You can obtain your API key (Client ID) and client secret by registering a new application in the Getty Images Developer Center. After registration, these credentials will be provided to you.

Is the client secret safe to use in client-side code (e.g., browser JavaScript)?

No, the client secret should never be exposed in client-side code, mobile applications, or committed to public version control. It must be stored and used securely on a server-side component.

What is OAuth 2.0 used for in Getty Images API authentication?

OAuth 2.0 is used to secure access to Getty Images resources. It allows your application to obtain limited access to a user's account without requiring their password, and also enables secure server-to-server communication using the Client Credentials Grant.

How often do access tokens expire, and how do I renew them?

Access tokens have a limited lifespan, typically specified in the token response (e.g., 'expires_in'). You should implement logic to refresh these tokens using the associated refresh token before they expire to maintain continuous access without re-authenticating the user.

Do I need to send both the API key and the OAuth 2.0 Bearer token in requests?

Yes, for many Getty Images API endpoints, you need to include both the API-Key header (your Client ID) and the Authorization: Bearer {access_token} header in your requests. The API key identifies your application, while the Bearer token authorizes specific actions or user access.

What is a secure way to store my client secret?

The client secret should be stored in secure environment variables on your server, a dedicated secrets management service (e.g., AWS Secrets Manager, Google Cloud Secret Manager), or a vault solution. Do not hardcode it or commit it to source control.

Getty Images Authentication: API Key & OAuth 2.0 (2026)

Authentication overview

Authentication for the Getty Images API enables developers to programmatically access and manage their extensive library of visual content. The primary method involves registering an application to obtain an API key and client secret. These credentials are then used in conjunction with the OAuth 2.0 authorization framework to secure requests, ensuring that applications can access resources on behalf of a user or themselves, depending on the scope of access required. Understanding the workflow for obtaining and managing these credentials is a prerequisite for integrating with the Getty Images platform.

The Getty Images API supports various operations, including searching for images, videos, and editorial content, retrieving metadata, and facilitating content downloads. The chosen authentication method depends on whether the application needs to access public content (requiring primarily an API key) or user-specific content (requiring OAuth 2.0 for delegated authorization). Proper authentication is critical for maintaining the integrity and security of both the application and the Getty Images platform, as detailed in the Getty Images developer documentation.

Supported authentication methods

Getty Images primarily supports two authentication mechanisms for its API:

API Key authentication: Used for identifying the application making the request. This is typically combined with OAuth 2.0.
OAuth 2.0: An industry-standard protocol for authorization that allows applications to obtain limited access to user accounts on an HTTP service, such as Getty Images, without giving away user passwords. It works by having the user grant permission for an application to access their resources.

Comparison of Authentication Methods

Method	When to Use	Security Level
API Key (Client Credentials)	Accessing public resources or initial application identification. Often used in conjunction with OAuth 2.0 Client Credentials flow for server-to-server communication.	Moderate (identifies application, but doesn't authorize user directly).
OAuth 2.0 (Authorization Code Grant)	Accessing user-specific resources (e.g., content linked to a user account, purchases). Requires user consent.	High (delegated access, short-lived tokens, secure refresh token handling). Recommended by OAuth.net for web applications.
OAuth 2.0 (Client Credentials Grant)	Server-to-server interactions where the application acts on its own behalf, not a user's.	High (application-level access, authenticated via client ID and secret).

Getting your credentials

To begin integrating with the Getty Images API, you must first register your application in the Getty Images Developer Center. Follow these steps to obtain your API key and client secret:

Access the Developer Center: Navigate to the Getty Images Developer documentation portal.
Create an Account or Log In: If you don't have an account, you'll need to create one. Existing Getty Images users can log in with their credentials.
Register a New Application: Once logged in, locate the section for 'My Apps' or 'Register Application'. You will be prompted to provide details about your application, such as its name, description, and redirect URIs (if using OAuth 2.0 Authorization Code Grant).
Receive API Key and Client Secret: Upon successful registration, the Developer Center will issue an API Key (also referred to as Client ID) and a Client Secret. These are unique identifiers for your application.
Configure Redirect URIs: For OAuth 2.0 flows that involve user interaction, specify the redirect URIs. These are the URLs to which Getty Images will redirect the user's browser after they have authorized your application. They must exactly match the URIs configured in your application settings in the Developer Center.
Store Credentials Securely: Treat your client secret as a sensitive password. Do not embed it directly in client-side code, distribute it publicly, or commit it to version control systems.

The Getty Images API authentication guide provides specific instructions for each step.

Authenticated request example

Authenticating requests with Getty Images typically involves obtaining an OAuth 2.0 access token using your client ID and client secret, and then including this token in subsequent API calls. Below is an example using the Client Credentials Grant flow in Python, suitable for server-to-server applications that do not involve user interaction.

Step 1: Obtain an Access Token (Client Credentials Grant)

First, make a POST request to the token endpoint to exchange your client ID and client secret for an access token. This example assumes you have your CLIENT_ID and CLIENT_SECRET available as environment variables or securely configured in your application.


import requests
import base64

# Replace with your actual credentials
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"

# Getty Images OAuth 2.0 Token Endpoint
TOKEN_URL = "https://api.gettyimages.com/oauth2/token"

# Base64 encode client ID and secret for Basic Authorization header
auth_string = f"{CLIENT_ID}:{CLIENT_SECRET}"
encoded_auth_string = base64.b64encode(auth_string.encode()).decode()

headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Authorization": f"Basic {encoded_auth_string}"
}

data = {
    "grant_type": "client_credentials"
}

try:
    response = requests.post(TOKEN_URL, headers=headers, data=data)
    response.raise_for_status() # Raise an exception for HTTP errors
    token_data = response.json()
    access_token = token_data.get("access_token")
    print(f"Access Token: {access_token}")
except requests.exceptions.RequestException as e:
    print(f"Error obtaining token: {e}")
    if response is not None:
        print(f"Response content: {response.text}")

The response will contain an access_token and its expires_in duration. You should cache this token and refresh it before it expires.

Step 2: Make an Authenticated API Request

Once you have the access_token, include it in the Authorization header of your subsequent API calls, typically using the 'Bearer' scheme.


# Assuming 'access_token' was obtained from the previous step

# Getty Images Search API Endpoint
SEARCH_URL = "https://api.gettyimages.com/v3/search/images"

search_headers = {
    "Authorization": f"Bearer {access_token}",
    "Api-Key": CLIENT_ID # API Key also needs to be sent as a header
}

search_params = {
    "phrase": "sunset beach"
}

try:
    search_response = requests.get(SEARCH_URL, headers=search_headers, params=search_params)
    search_response.raise_for_status() # Raise an exception for HTTP errors
    search_results = search_response.json()
    print(f"Search Results: {search_results['images'][0]['title']}")
except requests.exceptions.RequestException as e:
    print(f"Error during search request: {e}")
    if search_response is not None:
        print(f"Response content: {search_response.text}")

Note that the Api-Key header also needs to be included, even when using OAuth 2.0. This dual requirement identifies both the application (via Api-Key) and the authorized scope/user (via Bearer token).

Security best practices

Securing your Getty Images API integration is crucial to protect your application and user data. Implement the following best practices:

Protect your Client Secret: The client secret is a critical credential. Never hardcode it in client-side code (e.g., JavaScript in a browser), mobile applications, or commit it directly to version control. Store it in secure environment variables or a secrets management system.
Use HTTPS exclusively: Always ensure all communication with the Getty Images API occurs over HTTPS to encrypt data in transit and prevent eavesdropping. The Getty Images API endpoints are exclusively HTTPS, but ensure your application enforces this.
Secure Redirect URIs: For OAuth 2.0 flows, register specific, fully qualified HTTPS redirect URIs. Avoid using localhost or wildcard URIs in production. This prevents token leakage to unauthorized endpoints.
Manage Access Tokens securely: Access tokens should be stored in memory for the duration of their validity and not persisted beyond their expiration. Do not store sensitive tokens in client-side storage like local storage or cookies without proper security measures (e.g., HttpOnly, Secure flags for cookies).
Implement Token Refresh logic: Access tokens have a limited lifespan. Implement logic to gracefully refresh tokens using the refresh token before they expire. Refresh tokens must also be handled with care, as their compromise could lead to long-term unauthorized access. The OAuth 2.0 specification provides guidance on refreshing access tokens.
Scope Limitation: Request only the minimum necessary scopes during the OAuth 2.0 authorization process. This limits the damage if an access token is compromised.
Error Handling and Logging: Implement robust error handling for authentication failures and log relevant (non-sensitive) information to aid in debugging and security monitoring.
Regular Audits: Periodically review your application's access credentials, permissions, and security configurations in the Getty Images Developer Center.