API Reference

Setting up OAuth2.0

This resource provides a guide on how to set up OAuth2.0 on Tyms.

Tyms supports OAuth 2.0 to help you securely authenticate and authorize users, whether you're working in sandbox mode for testing or operating a production application.

This guide walks you through the complete OAuth 2.0 flow so you can obtain access tokens and make API requests on behalf of your users.


✅ Why Use OAuth?

OAuth is essential when you want to:

  • Access a user’s Tyms business data securely.
  • Avoid handling user credentials directly.
  • Create a seamless onboarding and authorization experience.

Once a user authorizes your application, you’ll receive an access token which should be included as a Bearer token in your API requests via the Authorization header.


🌐 OAuth 2.0 Endpoints

Below are the key endpoints for Tyms' OAuth flow. Replace {base_url} with the appropriate environment:

Environment   Base URL
Sandbox       https://staging-api.tymsbook.com
Production    https://api.tyms.io

Purpose                  Endpoint
User Authorization       {base_url}/api/v1/oauth/authorization
Access Token Retrieval   {base_url}/api/v1/oauth/access/token

🔄 OAuth 2.0 Authorization Flow

The OAuth process involves four main steps:

  1. Redirect User to Tyms for Authorization
  2. User Approves Access to Their Tyms Account
  3. Tyms Redirects Back to Your App with an Authorization Code
  4. Exchange Authorization Code for an Access Token

🚀 Step-by-Step Guide

1. Initiate User Authorization

Start the flow by sending a GET request to the authorization endpoint below. The response contains the URL of the Tyms OAuth authorization widget, to which you then redirect the user:

{base_url}/oauth/authorization

🔧 Required Query Parameters

Parameter      Description
reference      A unique reference for the user on your system
client_id      Your Tyms public API key
redirect_uri   The callback URL where Tyms should send the user back
terms_url      URL to your terms and conditions
privacy_url    URL to your privacy policy

📌 Example URL

https://staging-api.tymsbook.com/oauth/authorization?reference=192303&client_id=tyms_pk_2a38835c-e3c6-47fc-80b3-123c4acdc1ee&redirect_uri=https://yourapp.com/callback&privacy_url=https://yourapp.com/privacy&terms_url=https://yourapp.com/terms

📥 Example Response

{
  "status": "success",
  "message": "Authorization request initiated successfully",
  "data": "https://tymsbook-web.web.app/auth/oauth?client_id=tyms_pk_2a38835c-e3c6-47fc-80b3-123c4acdc1ee&redirect_uri=https://yourapp.com/callback&reference=192303&privacy_url=https://yourapp.com/privacy&terms_url=https://yourapp.com/terms"
}

✅ Redirect the user to the URL in the data field. Tyms will handle the authorization interface.


2. Tyms Prompts for Authorization

The user is asked to authorize your app to access their Tyms business. If they approve, Tyms redirects them back to your specified redirect_uri with the following query parameters:

Parameter            Description
reference            The original user reference you sent
authorization_code   Temporary code used to get the access token (expires in 10 minutes)
business_id          ID of the authorized business on Tyms

📥 Example Redirect URL

https://yourapp.com/callback?reference=192303&authorization_code=AUTH_CODE&business_id=a123

3. Exchange Authorization Code for Access Token

Once you receive the authorization_code, exchange it for an access token by sending a POST request to:

{base_url}/api/v1/oauth/access/token

🔧 Required Body Parameters

Parameter            Description
authorization_code   The code received from the redirect
client_id            Your public API key
client_secret        Your secret API key

📥 Example Request

{
  "authorization_code": "AUTH_CODE",
  "client_id": "tyms_pk_2a38835c-e3c6-47fc-80b3-123c4acdc1ee",
  "client_secret": "tyms_sk_0e3c6-47fc-80b3-9837c123c4acdc1ee"
}

📤 Example Response

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp...",
  "expires_in": 86400,
  "business_id": "a123"
}

4. Make Authenticated API Calls

Use the access token in the Authorization header of your requests:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp...
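The four steps above, as one added client-side example in Python. This is not Tyms' own code or SDK; it uses only the standard library, and the client_id and client_secret values are placeholders (the sandbox base URL and the callback, terms and privacy URLs are the ones used in this guide). The functions build the step 1 authorization URL, validate the step 2 callback (the echoed reference must match the one this session issued, so a code from another user's authorization is not accepted), build the step 3 token request without sending it, and produce the step 4 Authorization header while refusing to use a token past its expires_in window.

```python
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request

# Sandbox base URL from the guide. The keys are PLACEHOLDERS, not real
# credentials: load real ones from your own configuration or secret store.
BASE_URL = "https://staging-api.tymsbook.com"
CLIENT_ID = "tyms_pk_PLACEHOLDER"
CLIENT_SECRET = "tyms_sk_PLACEHOLDER"
REDIRECT_URI = "https://yourapp.com/callback"
TERMS_URL = "https://yourapp.com/terms"
PRIVACY_URL = "https://yourapp.com/privacy"


def build_authorization_url(reference: str) -> str:
    """Step 1: GET URL whose JSON response carries the widget URL in `data`.

    urlencode percent-encodes each value, so a redirect_uri containing
    '?' or '&' cannot be misparsed by the server.
    """
    params = {
        "reference": reference,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "terms_url": TERMS_URL,
        "privacy_url": PRIVACY_URL,
    }
    return f"{BASE_URL}/oauth/authorization?{urlencode(params)}"


def parse_callback(callback_url: str, expected_reference: str) -> tuple:
    """Step 2: read the redirect Tyms sends back to redirect_uri.

    Returns (authorization_code, business_id). The echoed `reference` is
    compared with the one this session sent before the code is accepted.
    """
    query = parse_qs(urlparse(callback_url).query)
    reference = query.get("reference", [""])[0]
    code = query.get("authorization_code", [""])[0]
    business_id = query.get("business_id", [""])[0]
    if reference != expected_reference:
        raise ValueError("reference in callback does not match the one issued")
    if not code or not business_id:
        raise ValueError("callback is missing authorization_code or business_id")
    return code, business_id


def build_token_request(authorization_code: str) -> Request:
    """Step 3: POST request that trades the code for an access token.

    Returned unsent so it can be inspected; pass it to
    urllib.request.urlopen in real use. This runs server-side only,
    because the body carries client_secret.
    """
    body = json.dumps({
        "authorization_code": authorization_code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }).encode()
    return Request(
        f"{BASE_URL}/api/v1/oauth/access/token",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def record_token(token_response: dict, now: float) -> dict:
    """Convert the token response into a record with an absolute expiry."""
    return {
        "access_token": token_response["access_token"],
        "business_id": token_response["business_id"],
        "expires_at": now + int(token_response["expires_in"]),
    }


def auth_header(token_record: dict, now: float) -> dict:
    """Step 4: Authorization header; an expired token is never sent."""
    if now >= token_record["expires_at"]:
        raise RuntimeError("access token expired; user must authorize again")
    return {"Authorization": f"Bearer {token_record['access_token']}"}


if __name__ == "__main__":
    reference = "192303"
    print(build_authorization_url(reference))
    # Constructed callback, shaped like the example redirect URL above.
    code, business_id = parse_callback(
        "https://yourapp.com/callback?reference=192303"
        "&authorization_code=AUTH_CODE&business_id=a123", reference)
    req = build_token_request(code)
    print(req.method, req.full_url, req.data)
    # Constructed token response, shaped like the example response above.
    now = time.time()
    rec = record_token({"access_token": "eyJ...", "expires_in": 86400,
                        "business_id": business_id}, now)
    print(auth_header(rec, now))
```

The reference check in parse_callback is what ties a callback to the session that started it; store the reference you issued alongside the user's session and never accept a callback whose reference you did not issue. Keep the token record with its expires_at server-side so that a request is never sent with a token that is past the 24-hour validity period.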

📘 Notes

  • Access tokens are valid for 24 hours (86400 seconds).
  • Tokens should be stored securely and refreshed when expired (token refresh coming soon).
  • OAuth is required for multi-tenant platforms, B2B apps, and any system where users need to manage their own Tyms data within your platform.