
How to use Private API

A guide on how to authenticate and use “private” Trustpilot APIs.



The private Trustpilot API provides access to your private data and allows you to perform actions that are not exposed publicly. The “private” API requires a valid access_token to be provided with each request.

The access_token is issued on successful authentication.

The following diagram illustrates the private API usage process.

Diagram steps description:

  1. Authentication via API - the 3rd party client authenticates. Upon successful authentication, an access_token and a refresh_token are provided.
  2. Request private resources - the 3rd party client calls private Trustpilot APIs, providing a valid access_token with each request.


The API request in the screenshot was made using the API client application Postman.

While the API examples provided are valid, they contain sample data and {{placeholders}}. Remember to fill in the correct values for the placeholders.

We recommend that you follow and read the documentation (links) in this guide to get a better understanding of API endpoints and how they work.


There are two options available for obtaining an access token via the API:

Both authentication methods comply with the OAuth 2.0 standard. Upon successful authentication, an access_token and a refresh_token are provided in the response.

In the following example we will use the Password grant type.


  • It is recommended to authenticate only when needed and to reuse the access_token when requesting “private” Trustpilot APIs. Authentication requests that are too frequent will be rejected with HTTP error code 429.
  • Once the access_token has expired, HTTP error code 401 will be returned. It is recommended to use the refresh_token to exchange it for a new access_token and refresh_token.
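The token handling recommended above, as an added example that is not Trustpilot's own code: authenticate once, reuse the access_token, and on HTTP 401 exchange the refresh_token and retry once. The authenticate, refresh and send callables, the TokenSession name and the sample tokens are hypothetical stand-ins so the example runs offline; the URL is the reviews endpoint used in this guide.

```python
REVIEWS_URL = "https://api.trustpilot.com/v1/private/business-units/{businessUnitId}/reviews"

class TokenSession:
    """Caches the token pair, reuses it, and refreshes it on HTTP 401."""
    def __init__(self, authenticate, refresh, send):
        self._authenticate = authenticate  # hypothetical: () -> {"access_token", "refresh_token"}
        self._refresh = refresh            # hypothetical: (refresh_token) -> same shape
        self._send = send                  # hypothetical: (url, headers) -> (status, body)
        self._tokens = None

    def __repr__(self):
        # Keep token values out of logs and tracebacks.
        return f"TokenSession(authenticated={self._tokens is not None})"

    def _call(self, url):
        headers = {"Authorization": "Bearer " + self._tokens["access_token"]}
        return self._send(url, headers)

    def get(self, url):
        if self._tokens is None:  # authenticate only when needed (avoids HTTP 429)
            self._tokens = self._authenticate()
        status, body = self._call(url)
        if status == 401:  # expired: exchange the refresh_token, then retry once
            self._tokens = self._refresh(self._tokens["refresh_token"])
            status, body = self._call(url)
        return status, body

def run_demo():
    """Constructed offline stand-in for the API: token 'at-1' expires after two calls."""
    calls = {"auth": 0, "refresh": 0, "api": 0}
    valid = {"token": "at-1", "uses_left": 2}
    def authenticate():
        calls["auth"] += 1
        return {"access_token": "at-1", "refresh_token": "rt-1"}
    def refresh(refresh_token):
        calls["refresh"] += 1
        valid.update(token="at-2", uses_left=100)
        return {"access_token": "at-2", "refresh_token": "rt-2"}
    def send(url, headers):
        calls["api"] += 1
        ok = headers.get("Authorization") == "Bearer " + valid["token"]
        if not ok or valid["uses_left"] <= 0:
            return 401, ""
        valid["uses_left"] -= 1
        return 200, "reviews"
    session = TokenSession(authenticate, refresh, send)
    url = REVIEWS_URL.format(businessUnitId="bu-constructed")  # constructed ID
    statuses = [session.get(url)[0] for _ in range(4)]
    return statuses, calls
```

Four calls in the demo cost one authentication and one refresh; the caller never sees the intermediate 401.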

Calling the API endpoint

In this example we will be using the “Business unit private reviews” endpoint, which takes a business unit ID parameter in the request path.

curl -X GET \
  'https://api.trustpilot.com/v1/private/business-units/{businessUnitId}/reviews' \
  -H 'Authorization: Bearer {access_token}'

Try it yourself; just remember to replace {access_token} with the correct value.

The result: