The API Report CardAPI Index
Drift

Drift API

Conversational Marketing / B2B Chat (sunsetting under Salesloft) · drift.com

Drift documented a self-serve REST API at devdocs.drift.com covering contacts, conversations, playbooks, and SCIM, with webhooks and free API use for customers. The platform is being shut down: Salesloft sunset Drift on March 6, 2026, after the 2025 OAuth breach forced revoking every token.

Last verified: July 2026Marketing & Sales
API GRADE
A
VERIFIED JUL 2026

SCORECARD

ExistenceGOODDocumented REST API at devdocs.drift.com covering contacts, conversations, users, accounts, playbooks, and SCIM.
AccessGOODFull API use was free for all customers; private apps used a workspace token with no approval step.
CoverageGOODContacts, conversations, messages, accounts, playbook reads, GDPR data privacy, and SCIM provisioning.
AuthGOODWorkspace-scoped private tokens for internal apps; OAuth 2.0 only for publicly distributed apps.
Docs & DXGOODPublic docs, webhooks on conversation and contact events, and community Python and Node SDKs.
StabilityPOORSalesloft sunset Drift on March 6, 2026; the 2025 breach response revoked every OAuth token, and R&D has ended.
MORE FROM THE REPORT CARD
Supergood: Drift shipped a real API. Most vendors don't; we ship near-native APIs for the rest.

Frequently asked questions

Drift scores A on the API Report Card. Drift documented a self-serve REST API at devdocs.drift.com covering contacts, conversations, playbooks, and SCIM, with webhooks and free API use for customers. The platform is being shut down: Salesloft sunset Drift on March 6, 2026, after the 2025 OAuth breach forced revoking every token.

Tried to integrate with Drift?
SOURCES
Aug 2025 OAuth supply-chain breach: attackers used stolen Drift OAuth tokens to exfiltrate data from 700+ downstream Salesforce orgs over a ten-day window cloud.google.com
Salesloft revoked ALL active Drift OAuth + refresh tokens during incident response, every integrator had to re-auth from scratch flexera.com
Salesforce removed Drift from AppExchange entirely; Drift–Salesforce integration was unavailable through the marketplace for an extended window anomali.com
Initial attack vector was a compromise of Salesloft's GitHub account in March 2025, leading to repository download, reconnaissance, then Drift AWS access, exposed weak credential hygiene across the OAuth integration techtarget.com
Stolen records were combed for embedded plaintext AWS keys, VPN credentials, Snowflake tokens, and other secrets, customers' support cases contained material secret material cyberscoop.com
March 6, 2026 sunset announcement leaves the long-term API surface area unsupported; no public commitment to API uptime past the 60–90 day runway salesloft.com
Playbooks can be retrieved via API but cannot be edited via API, UI-only edit workflow blocks programmatic management of campaigns devdocs.drift.com
Two rate limit numbers cited in documentation (100 req/min per user in older docs, 600 req/min default in FAQ), inconsistency complicates capacity planning devdocs.drift.com
Multiple regulators (FINRA) and security vendors (Cloudflare, Zscaler, Palo Alto Networks, UpGuard, Anomali) issued public guidance treating Drift's API specifically as a supply-chain attack vector blog.cloudflare.com
Drift's role as the OAuth source in the breach put customers' Salesforce, Slack, Snowflake, Google Workspace, and AWS environments at risk, far beyond the chat data Drift itself held zscaler.com
Drift–Salesforce OAuth supply-chain breach (Aug 8–18, 2025) exposed 700+ downstream organizations including Cloudflare, Google, Palo Alto Networks, Zscaler, PagerDuty, Proofpoint, SpyCloud, and Tanium thehackernews.com
Salesforce removed Drift from AppExchange and revoked all Drift OAuth tokens; Salesloft took Drift offline entirely for the duration of the incident response upguard.com
Clari + Salesloft officially sunset Drift on March 6, 2026 and named 1mind as the exclusive AI successor; no hard end-of-life date but R&D investment has ended salesloft.com
Customers reportedly given 60–90 days before contract expiration or access is cut docket.io
Recommended migration path (1mind) requires 2–3 months of avatar production, persona workshops, and content ingestion, frequently exceeds the access-cut window docket.io
Premium plan starts at $2,500/month ($30k/year), Advanced runs $4,500-$6,000/month, Enterprise $8k-$15k+/month, all require annual commitment and sales conversation builtabot.com
Real-world cost typically 30–60% higher than list once add-ons, seat licenses, overage charges, and implementation fees (~$3k-$5k onboarding) are factored in knock-ai.com
Acquired by Salesloft for ~$500M in Feb 2024 and sunset 18 months later, customers describe a textbook 'acqui-shutter' experience outboundsalespro.com
FINRA issued a cybersecurity alert specifically naming Salesloft Drift as a supply-chain attack vector for the financial services industry finra.org
Migration vendors (Warmly, Docket, MarketBetter, Salespeak, Breakout) are actively running buyout/migration campaigns targeting the install base warmly.ai