Learn about our authorization flow options when building Apps in Thinkific.
ATTENTION: This article is no longer up to date, and should be automatically redirecting you to a more current article in our Developer-specific documentation. If for some reason you are not redirected, please use this link to see the most recent version of this article.
Authorization Flow Options
Thinkific uses the OAuth 2.0 authorization framework to issue access tokens on behalf of users.
When building Apps, two authorization flows are available so you can choose the one that better suits your needs:
- Authorization Code Flow: This flow is recommended for server-side applications, because the App must be able to receive requests from Thinkific. Its advantage is that it returns a refresh token, so the user only has to grant access once.
- Implicit Flow: This flow is recommended for client-side apps, such as mobile apps or SPAs (Single Page Applications). There is no refresh token in this flow, so the user must authenticate each time they use the App.
Authorization Code Flow
Step 1: Get App credentials
See Building Apps in Thinkific for how to access your Client Key and Client Secret.
Step 2: Ask for permissions
To ask for permissions, the App should redirect the user to the authorize URL, which you can generate as follows:
https://{subdomain}.thinkific.com/oauth2/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code&state={state}
- {subdomain}: Thinkific's subdomain, the site where the app will be installed;
- {client_id}: App's client id, from step 1;
- {redirect_uri}: App's redirect URI. Only URIs defined in the app will be authorized;
- {state}: an opaque value generated by the App. Thinkific returns it unchanged in its request back to the App;
- response_type: this value must always be code in order to perform the authorization code flow.
Step 3: Confirm authorization code
After the user grants access to install the app, Thinkific redirects the browser to the specified redirect_uri in the following format:
{redirect_uri}?code={authorization_code}&subdomain={subdomain}&state={state}
where:
- {authorization_code}: a randomly generated code that expires in 60 seconds;
- {subdomain}: Thinkific's subdomain;
- {state}: the value provided in the previous request.
The app should receive Thinkific's request and make the final request to retrieve the access token.
Step 4: Retrieving access token
On receiving the authorization code, the app should perform one last request to retrieve the access token. This must be a POST request and requires basic authentication.
Endpoint:
POST https://{subdomain}.thinkific.com/oauth2/token
- {subdomain}: Thinkific's subdomain.
Headers (Basic Authorization):
- Authorization: Basic base64(client_id:client_secret), where:
- client_id: app's client id;
- client_secret: app's client secret;
- the value client_id:client_secret is encoded in base64.
Example:
Authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=
Request parameters:
- grant_type: code
- code: authorization code
Response parameters:
You should expect an HTTP status 200 with the following attributes:
- access_token: access token to make secure requests;
- refresh_token: refresh token to request a new access token;
- token_type: bearer;
- gid: Thinkific's site global id;
- expires_in: number of seconds until the access_token will become invalid.
You can expect an HTTP status 401 when:
- client_id or client_secret are invalid;
- code is invalid (code expired).
Step 5: Making secure requests
Now with the access token in hands, you can make authorized requests to Thinkific's APIs.
Request:
Header: Authorization: Bearer 386ea500-fc01-45e9-8914-f53e3b7c0ed5
POST https://api.thinkific.com/api/public/v1/users
Example:
curl -X POST \
-H 'Authorization: Bearer 386ea500-fc01-45e9-8914-f53e3b7c0ed5' \
-H 'Content-Type: application/json' \
https://api.thinkific.com/api/public/v1/users
Step 6: Refreshing token
When the access token expires, an app that holds the refresh_token can make a request to get a new valid access_token.
Endpoint:
POST https://{subdomain}.thinkific.com/oauth2/token
- {subdomain}: Thinkific's subdomain.
Headers (Basic Authorization):
- Authorization: Basic base64(client_id:client_secret), where:
- client_id: app's client id;
- client_secret: app's client secret;
- the value client_id:client_secret is encoded in base64.
Example:
Authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=
Request parameters:
- grant_type: code
- refresh_token: refresh token to request a new access token
Response parameters:
You should expect an HTTP status 200 with the following attributes:
- access_token: access token to make secure requests;
- refresh_token: refresh token to request a new access token;
- token_type: bearer;
- gid: Thinkific's site global id;
- expires_in: number of seconds until the access_token will become invalid.
You can expect an HTTP status 401 when:
- client_id or client_secret are invalid;
- refresh_token is invalid.
Every time an access_token is generated, a new refresh token is generated with it and the previous refresh token becomes invalid.
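The following helpers put Steps 2 to 6 together on the App's server side. This is an added example written for this article, not code from Thinkific: it builds the authorize URL with an unguessable state, validates the redirect from Step 3 before the client secret is used in Step 4 (the state must match the one stored in the user's session, and the subdomain in the callback must be a plain hostname label equal to the one the login started for, so the Basic-authenticated token request never goes to an unexpected host), constructs the token and refresh requests, and keeps only the newest refresh token because the previous one is invalidated. It performs no network I/O; send the returned (url, headers, body) with any HTTP client. Assumptions not stated on the page: the token request body is form-encoded, and the grant_type values default to the `code` value this page lists (RFC 6749 names these grants `authorization_code` and `refresh_token`, so confirm the value against the current developer documentation).

```python
"""Authorization Code Flow helpers for a Thinkific App (added example, not Thinkific code)."""
import base64
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# A Thinkific subdomain is a single hostname label: lowercase letters, digits, hyphens.
SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def new_state() -> str:
    """Per-login unguessable value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def authorize_url(subdomain: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Step 2: the URL the user's browser is sent to (response_type is always code)."""
    if not SUBDOMAIN_RE.match(subdomain):
        raise ValueError("subdomain is not a valid hostname label")
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "response_type": "code", "state": state})
    return f"https://{subdomain}.thinkific.com/oauth2/authorize?{query}"


def parse_callback(callback_url: str, expected_state: str, expected_subdomain: str) -> str:
    """Step 3: validate Thinkific's redirect and return the 60-second authorization code."""
    params = parse_qs(urlsplit(callback_url).query, strict_parsing=True)
    state = params.get("state", [""])[0]
    # Constant-time comparison against the value saved in the session.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    subdomain = params.get("subdomain", [""])[0]
    # Only the site this login started for may receive the client secret in Step 4.
    if subdomain != expected_subdomain or not SUBDOMAIN_RE.match(subdomain):
        raise ValueError("unexpected subdomain in callback")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization: Basic base64(client_id:client_secret), as in the article's example."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def _token_request(subdomain, client_id, client_secret, form):
    if not SUBDOMAIN_RE.match(subdomain):
        raise ValueError("subdomain is not a valid hostname label")
    url = f"https://{subdomain}.thinkific.com/oauth2/token"
    # Assumption: parameters are sent as a form-encoded POST body.
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urlencode(form)


def code_exchange_request(subdomain, client_id, client_secret, code, grant_type="code"):
    """Step 4: exchange the authorization code for an access/refresh token pair."""
    return _token_request(subdomain, client_id, client_secret,
                          {"grant_type": grant_type, "code": code})


def refresh_request(subdomain, client_id, client_secret, refresh_token, grant_type="code"):
    """Step 6: obtain a new access token with the current refresh token."""
    return _token_request(subdomain, client_id, client_secret,
                          {"grant_type": grant_type, "refresh_token": refresh_token})


class TokenStore:
    """Current token pair for one site; every successful response replaces both tokens."""

    def __init__(self):
        self.access_token = self.refresh_token = self.expires_at = None

    def update(self, token_response: dict, now: float) -> None:
        if token_response.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type")
        self.access_token = token_response["access_token"]
        # The previous refresh token is invalid once a new one is issued: overwrite, never keep it.
        self.refresh_token = token_response["refresh_token"]
        self.expires_at = now + int(token_response["expires_in"])

    def needs_refresh(self, now: float, skew: float = 60) -> bool:
        """True when the access token is absent or within `skew` seconds of expiry."""
        return self.expires_at is None or now + skew >= self.expires_at

    def bearer_header(self) -> dict:
        """Step 5 header for requests to https://api.thinkific.com."""
        return {"Authorization": f"Bearer {self.access_token}"}


if __name__ == "__main__":
    # Constructed walk-through with placeholder values; no request is sent.
    state = new_state()
    print(authorize_url("myschool", "client_id", "https://app.example/callback", state))
    callback = f"https://app.example/callback?code=abc123&subdomain=myschool&state={state}"
    code = parse_callback(callback, state, "myschool")
    print(code_exchange_request("myschool", "client_id", "client_secret", code))
```

Keep the state and the subdomain the login started for in the server-side session, not in a cookie the browser can edit, and treat any ValueError from parse_callback as a failed login rather than retrying with the received values.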
Implicit Flow
Step 1: Get App credentials
See Building Apps in Thinkific for how to access your Client Key and Client Secret.
Step 2: Ask for permissions
To ask for permissions, the App should redirect the user to the authorization URL, which you can generate as follows:
https://{subdomain}.thinkific.com/oauth2/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type=token&state={state}
where:
- {subdomain}: Thinkific's subdomain, the site where the app will be installed;
- {client_id}: App's client id, retrieved when the app is created;
- {redirect_uri}: one of the authorized redirect URIs configured for the app;
- {state}: optional. This value is sent back, unchanged, in the redirect to your redirect_uri;
- response_type: this value must always be token in order to perform the implicit flow.
Step 3: Receiving access token
After the user grants access to install the app, Thinkific redirects the browser to the specified redirect_uri with the access token:
{redirect_uri}?access_token={access_token}&expires_in={expires_in}&state={state}
where:
- access_token: access token to make secure requests;
- expires_in: number of seconds until the access_token will become invalid;
- state: value provided in the previous request.
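In the implicit flow the access token itself travels in the redirect URL and there is no refresh token, so the App has two extra duties: never let that URL reach logs or analytics unredacted, and track the expiry so the user is sent back through Step 2 before requests start failing. The example below is added for this article and is not Thinkific code; it parses the redirect format shown above (token in the query string, as the page documents it), verifies the state, and computes the moment re-authorization is needed. Sample values are constructed.

```python
"""Implicit Flow redirect handling (added example, not Thinkific code)."""
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


@dataclass
class ImplicitToken:
    access_token: str
    expires_at: float  # absolute time; there is no refresh token to renew it

    def expired(self, now: float, skew: float = 30) -> bool:
        """True when the token is within `skew` seconds of expiry: re-run Step 2."""
        return now + skew >= self.expires_at

    def bearer_header(self) -> dict:
        return {"Authorization": f"Bearer {self.access_token}"}


def parse_implicit_redirect(url: str, expected_state: str, now: float) -> ImplicitToken:
    """Step 3: read access_token, expires_in and state from Thinkific's redirect."""
    params = parse_qs(urlsplit(url).query, strict_parsing=True)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    token = params.get("access_token", [""])[0]
    expires_in = int(params.get("expires_in", ["0"])[0])
    if not token or expires_in <= 0:
        raise ValueError("redirect carries no usable access token")
    return ImplicitToken(token, now + expires_in)


def redacted(url: str) -> str:
    """Copy of the redirect URL that is safe to log: the token value is removed."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if "access_token" in params:
        params["access_token"] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(params, doseq=True)))


if __name__ == "__main__":
    # Constructed redirect using the placeholder token shown in this article.
    sample = ("https://app.example/cb?access_token=386ea500-fc01-45e9-8914-f53e3b7c0ed5"
              "&expires_in=7200&state=s1")
    tok = parse_implicit_redirect(sample, "s1", now=0.0)
    print(redacted(sample), tok.expires_at)
```

Because the token is visible to the browser, keep its lifetime in mind on the client too: clear it when the App is closed and replace the URL in the address bar once it has been read.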
Step 4: Making secure requests
Now with the access token in hands, you can make authorized requests to Thinkific's APIs.
Request:
Header: Authorization: Bearer 386ea500-fc01-45e9-8914-f53e3b7c0ed5
POST https://api.thinkific.com/api/public/v1/users
Example:
curl -X POST \
-H 'Authorization: Bearer 386ea500-fc01-45e9-8914-f53e3b7c0ed5' \
-H 'Content-Type: application/json' \
https://api.thinkific.com/api/public/v1/users