Thumbtack’s leads and messaging APIs expose a real-time webhook-based API to integrate Thumbtack into your customer acquisition workflows. This guide explains the authorization and authentication workflow lifecycle, from connection to disconnection.
Thumbtack’s API’s implement the OAuth 2.0 protocol, specifically using the authorization code flow. A Thumbtack pro, once initiating the flow from your product, will log in to Thumbtack, authorize Thumbtack to share their data with you, and then redirect back to a URL of your choosing.
The lifecycle consists of: 1) authorization of data sharing, 2) refreshing connections, and 3) disconnection. Implementation of all three is required in order to complete the integration.
To get developer credentials with Thumbtack, contact us via the Request Access button at the top right of the page. We will create OAuth credentials for you in the production environment. Should you require access to staging you must ask for this as well and you must provide a separate redirect uri for your development or staging environment (multiple redirect uris are supported for any environment should you require them). This can be public or private as the redirect is performed using the user's browser. You will be given additional OAuth credentials that will be used for our staging environment and you will be given login credentials to access our staging environment as an actual user.
In order to implement Thumbtack’s APIs, you’ll need OAuth credentials. They consist of the following pairs for both your staging and production environments:
- Client ID
- Client secret
Our staging environment is where you can create your own data and interact with the Thumbtack product as if you were a customer and a pro, allowing full end to end testing. You will need to use the staging url and the credentials we provide you which consist of:
- username
- password
The authorization flow for staging uses a different domain which consists of:
https://staging-auth.thumbtack.com/
The api for staging also uses a different domain which consists of:
https://staging-api.thumbtack.com/
In order for a Thumbtack pro’s data to be shared by Thumbtack with your integrated partner service, the pro must authorize the connection via the OAuth flow. You will direct the Thumbtack OAuth authorization flow using the following URL:
GET https://auth.thumbtack.com/oauth2/auth?client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URL>&response_type=code&scope=<SCOPE>
We strongly encourage you to use an OAuth library for your tech stack where possible, or alternatively the generated OAuth APIs via our OpenAPI spec if your stack supports the security extension.
Below documents the information needed for a both a manual implementation alongside one utilizing a library.
The URL parameters for the all API calls must be URL encoded. For example, with the following API, if you had a parameter "lorem ipsum", it would be encoded as below
https://thumbtack.com/example-api/?your_param=<PARAMETER>
https://thumbtack.com/example-api/?your_param=lorem%20ipsum
Parameter Name | Type | Description | Required |
|---|---|---|---|
client_id | string | This is the Client ID provided by Thumbtack. | |
scope | string | Authorization scopes allow access to specific information from Thumbtack. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. The available scopes can be found by expanding any of the AUTHORIZATIONS sections for any of the defined Thumbtack API endpoints. The list is viewed by expanding the Scopes section in that. In addition to the chosen scopes that you wish to use from the availed scopes defined in the Authorizations section you must include the scope offline_access in order to have a refresh token returned in the response. | |
redirect_uri | string | Thumbtack redirects the pro to this URL after they complete authorization. | |
response_type | string | This must contain string code as a response type. | |
state | string | The client inserts state information such as the client's user identifier that will be appended to the redirect_uri upon successful user authorization. If the client is not interested in sending any information needed upon the redirect, send a random 10 character string. You must send at least 10 characters or an error of invalid_state will be returned. | |
audience | string | This value must be set to audience=urn:partner-api |
Partners will have to pass the relevant scope with which they want to integrate. Partners can pass multiple scopes if they want to integrate with multiple Thumbtack endpoints. The access token issued will be limited to the scopes granted. The documentation for each API will state the scopes required under its Authorizations section.
After confirming the connection, Thumbtack redirects the pro to a redirect URL with the authorization code in the URL. The redirect URL will look like this:
<REDIRECT_URL>/?code=<AUTHORIZATION_CODE>&state=<STATE>
<REDIRECT_URL>/?code=<AUTHORIZATION_CODE>&state=<STATE>
Once the pro authorizes access, they're redirected back to the URL with the authorization code. This API will use an authorization code from the request return access token and refresh token in the response.
POST https://auth.thumbtack.com/oauth2/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <B64-encoded_oauth_credentials>
The Authorization: Basic authorization header is generated through a Base64 encoding of <client_id>:<client_secret>. You can use https://www.base64encode.org/ to see how headers should be encoded. The request parameters below are passed in as the body not as query parameters.
Parameter | Type | Description | Required |
|---|---|---|---|
grant_type | string | This must contain string authorization_code as a grant type. | |
code | string | The authorization code is returned to the redirect_url in the step-3. | |
redirect_uri | string | Thumbtack redirects to this URL after they complete authorization. |
Parameter | Type | Description | Required |
|---|---|---|---|
access_token | string | The access token issued by the authorization server. | |
expires_in | number | The access token lifetime in seconds. The default expiry is 3600 seconds (1 hour). | |
refresh_token | string | The refresh token issued by the authorization server. | |
scope | string | The scopes this access token has access to. Note that offline_access is required for being able to refresh the token. | |
token_type | string | The type of token issued. Must return bearer as a token type. |
Sample response:
{"access_token": "1.eyJCdXNpbmVzc1BLIjozODgwMDYwNjczNTExNTA1OTUsIkNsaWVudElEIjoiVEhVTUJUQUNLIElOVEVSTkFMIiwiU2NvcGUiOlsibWVzc2FnZXMiXSwiRXhwaXJlc0F0IjoiMjAyMS0xMC0xNFQwMjo1OToyOS44MjIwMDU2ODhaIiwiU3JjQXV0aENvZGUiOiIwNjcwODgwODI0M2QyOTYxN2E1OTc4ZmZjNmQ4OGRkY2UzYjBjNDQyOThmYzFjMTQ5YWZiZjRjODk5NmZiOTI0MjdhZTQxZTQ2NDliOTM0Y2E0OTU5OTFiNzg1MmI4NTUifQ.qJDfeuYfdFZCSVQmBUgr_kDoZeeEUD4y4oVTVMEc4EQ","expires_in": 3600,"refresh_token": "_s3cnwGAb5VgBt-CmYFSOw","scope": "offline_access","token_type": "bearer"}
When an access token expires, you're required to use the API below with the refresh token, which has a long lifetime to obtain a new access token and refresh token pair. In order to receive a refresh token you must include the offline_access scope when initializing the OAuth flow.
POST https://auth.thumbtack.com/oauth2/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <B64-encoded_oauth_credentials>
The Authorization: Basic authorization header is generated through a Base64 encoding of <client_id>:<client_secret>. You can use https://www.base64encode.org/ to see how headers should be encoded. The request parameters below are passed in as the body not as query parameters.
Parameter | Type | Description | Required |
grant_type | string | This must contain string refresh_token as a grant type. | |
refresh_token | string | The refresh token value that you received along with the access token in step-4. When used it has a 60 second grace period. See below for more information. | |
token_type | string | This must contain string REFRESH as a token type. |
Parameter | Type | Description | Required |
access_token | string | The new access token issued by the authorization server. | |
token_type | string | The type of token issued. Must return bearer as a token type. | |
expires_in | number | The access token lifetime in seconds. The default expiry is 3600 seconds (1 hour). | |
refresh_token | string | The new refresh token issued by the authorization server. |
We have implemented a 60 second grace period in the OAuth refresh token flow to handle network errors, timeout errors, and similar issues. If an error occurs when calling https://auth.thumbtack.com/oauth2/token when trying to use a refresh token, we encourage you to implement retry logic that uses the same refresh token. This will call the https://auth.thumbtack.com/oauth2/token endpoint with that same refresh token to get a new access and refresh token pair. After 60 seconds from the initial use, the refresh token is marked as invalid and can no longer be utilized.
If you choose to disconnect an integration between Thumbtack and a partner service, you're required to call our disconnect endpoint. The disconnect endpoint revokes your OAuth refresh and access tokens. It also disconnects any active webhooks your integration has created for the user in question. See the API spec for more information.