The API Report CardAPI Index
Heap

Heap API

Product Analytics / Digital Experience Analytics · heap.io

Heap documents client SDKs plus server-side REST ingestion at developers.heap.io, batching up to 1,000 events per call. Ingestion auth is a bare project app_id in the request body. There is no raw-event read API; egress runs through the paid Heap Connect warehouse sync.

Last verified: July 2026Software & Data Tools
API GRADE
A
VERIFIED JUL 2026

SCORECARD

ExistenceGOODDocumented client SDK and server-side REST ingestion APIs at developers.heap.io, plus a partner OAuth surface.
AccessGOODIngestion is self-serve with a project app_id; only the Integrations Partner API is approval-gated.
CoverageGOODTrack, bulk track to 1,000 events per call, and user or account properties; raw-event readback needs paid Heap Connect.
AuthMIXEDStandard ingestion auth is a bare app_id in the JSON body with no scoping; OAuth 2.0 exists only for the approved-partner API.
Docs & DXGOODPostman and Insomnia collections, an OpenAPI index via llms.txt, and documented client and server references.
StabilityGOOD
MORE FROM THE REPORT CARD
Supergood: Heap shipped a real API. Most vendors don't; we ship near-native APIs for the rest.

Frequently asked questions

Heap scores A on the API Report Card. Heap documents client SDKs plus server-side REST ingestion at developers.heap.io, batching up to 1,000 events per call. Ingestion auth is a bare project app_id in the request body. There is no raw-event read API; egress runs through the paid Heap Connect warehouse sync.

Tried to integrate with Heap?
SOURCES
Rate limits are enforced but undocumented, no published RPS, no rate-limit response headers, no Retry-After; clients must implement blind exponential backoff stitchflow.com
Authentication for server-side ingestion is a bare app_id in the JSON body, no bearer token, no header-based auth, no fine-grained scoping developers.heap.io
No native bulk read/export API for raw event data, pulling your own event stream out requires the paid Heap Connect warehouse sync, not a self-serve REST endpoint heap.io
Heap publicly documented breaking their own APIs in production to test resilience; historical reliability stories include rate-limiting and silent drops heap.io
Heap's own guidance is to batch up to 1,000 events per call to avoid undocumented throttling, implying single-event clients will hit invisible ceilings developers.heap.io
Integrations Partner API (OAuth) is gated to approved partners, third-party app builders cannot self-serve onboard github.com
Documentation is fragmented across developers.heap.io, docs.heapanalytics.com, and help.heap.io with overlapping but inconsistent content help.heap.io
User Deletion (GDPR) API requires separately generated auth token and is documented separately from the core ingestion APIs developers.heap.io
Pricing is opaque and session-based, paid plans reportedly start at $3,600/year but real costs balloon with longer data retention and add-ons; small businesses are priced out as they scale g2.com
Autocapture produces overwhelming volumes of unlabeled events; teams spend significant overhead sifting, naming, and curating events after the fact g2.com
Steep learning curve and lack of thorough onboarding, technical users adopt fast, but marketing/business users struggle for weeks g2.com
'Insights are valuable, but the pricing forced us to look for alternatives as we scaled', recurring complaint from growth-stage customers on Capterra uxcam.com
Some reviewers feel Heap is not as enterprise-grade as Amplitude or Adobe Analytics for governance, permissions, and advanced cohorting g2.com
Post-Contentsquare acquisition concerns about product direction, increased bundling pressure, and rising contract values at renewal posthog.com
Session Replay retention is short by default and longer retention is a paid upgrade, frustrating teams that need historical replay g2.com
Reporting/charting depth is shallower than Amplitude for advanced cohort, attribution, and predictive analyses amplitude.com