Quick-Start Guide

The Quixel Megascans API allows you to both access your own Megascans account for scripting purposes and for building apps on top of for other users to use.

Creating your First Megascans Application

Before you can start consuming the Quixel Megascans API, you will register a new Application from your Megascans account profile.

Registering the Application

On your Megascans account profile page, in the Applications box, go ahead and click the Create Application button. In the prompt, enter the application details. Those details are used to establish an identity for your application for bookkeeping on our ends, and are shown on your application’s users’ Megascans account profile pages. Your users will be able to see that they’ve given permission to your application to access their accounts on their behalf. They can also decide to revoke access to your application if they wish to do so.


Upon creating the application, you will get an Application ID and an Application Key. You will include these in your application code.

In order to login/authenticate with the Megascans API, you can exchange username and password of the user for an authentication token like this:

curl -i \
     -u USERNAME \
     -H 'Content-type: application/json' \
     -d '{"secret": "YOUR_APP_KEY"}' \

We’re using HTTP Basic Authentication in tandem with your application credentials in order to create a user authentication token.

The response body looks like this:

  "refreshToken": "REFRESH_TOKEN"

For all requests to the Megascans API, you will include this token in the Authentication header like so to authenticate the request:

Authentication: Bearer AUTHENTICATION_TOKEN

This token typically expires in 1-2 hours. To avoid asking the user for their username and password again and again, you can use the refreshToken returned with the token to get another token. You’re encouraged to store the refreshToken in your application state until you use it, and then store the subsequently returned refreshToken for future.

See the section on refresh tokens for details on how to use them.

Note: Never store the user’s username and password in your application state. Always only keep the token and refreshToken and use those to keep the user logged in indefinitely.

Testing out the API

Once you’re authenticated and have the token, you can begin interacting with the Megascans API. For example, the following request will retrieve a list of your acquired assets:

curl -i \
     -H Authorization: Bearer AUTHENTICATION_TOKEN