Skip to content

Use the client credentials flow

Client credentials authentication for server apps

Section titled “Client credentials authentication for server apps”

The OAuth 2.0 client credentials flow handles machine-to-machine authentication. It’s designed for backend services and third-party apps that interact with the Tallyfy API without a user logging in.

You’ll need a Client ID and Client Secret from Tallyfy Support before you start.

How the flow works
  • Step 1 is manual - contacting Tallyfy Support for credentials is a one-time setup you can’t automate
  • Two token types - application tokens (system operations) and user-specific tokens (acting as a particular user)
  • Different lifetimes - application tokens expire in 7 days (604,800 seconds), user-specific tokens expire in 3 months (7,776,000 seconds)

This pattern works well when you want to:

  • Embed Tallyfy functionality inside your own software
  • Automate process management or user provisioning
  • Build system-level integrations (reporting, data sync)
  • Provide workflow features to your users without separate Tallyfy logins

Contact Tallyfy Support with your integration use case. They’ll provide a Client ID and Client Secret for your organization. Store these securely.

Your app first needs its own access token for operations like user provisioning or generating user-specific tokens.

  • Endpoint: POST https://go.tallyfy.com/oauth/token
  • Content-Type: application/x-www-form-urlencoded
  • Parameters:
    • grant_type: client_credentials
    • client_id: Your Client ID
    • client_secret: Your Client Secret
    • scope: * (optional)
const clientId = 'YOUR_CLIENT_ID';
const clientSecret = 'YOUR_CLIENT_SECRET';
const tokenUrl = 'https://go.tallyfy.com/oauth/token';
const params = new URLSearchParams();
params.append('grant_type', 'client_credentials');
params.append('client_id', clientId);
params.append('client_secret', clientSecret);
params.append('scope', '*');
const response = await fetch(tokenUrl, {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: params
});
if (!response.ok) {
throw new Error(`HTTP error! status: ${response.status}`);
}
const data = await response.json();
console.log('Access token:', data.access_token);
// Use data.access_token for subsequent API calls

Response:

{
"token_type": "Bearer",
"expires_in": 604800,
"access_token": "eyJ0eXAiOiJKV1Q..."
}

With your application token, you can create users in your organization:

  • Endpoint: POST https://go.tallyfy.com/api/applications/{orgID}/users
  • Headers:
    • Authorization: Bearer {your_app_access_token}
    • Content-Type: application/json
    • X-Tallyfy-Client: APIClient
  • Body fields:
    • first_name (required): Max 32 characters
    • last_name (required): Max 32 characters
    • email (required): Must be unique, valid domain
    • role (optional): admin, standard, or light
    • timezone (optional): User’s timezone string

To act as a specific user, generate a user-scoped token with your application token.

  • Endpoint: POST https://go.tallyfy.com/api/applications/{orgID}/users/{email}/token
  • Headers:
    • Authorization: Bearer {your_app_access_token}
    • X-Tallyfy-Client: APIClient
  • Note: No request body needed - the user’s email goes in the URL path.

Response:

{
"token_type": "Bearer",
"expires_in": 7776000,
"access_token": "eyJ0eXAiOiJKV1Q..."
}

Use your token (application-level or user-specific) in API calls with these required headers:

  • Authorization: Bearer {token}
  • Accept: application/json
  • X-Tallyfy-Client: APIClient

All API endpoints follow the pattern https://go.tallyfy.com/api/organizations/{orgID}/...

For code examples of specific API operations, see the personal access token guide - the request format is identical, just swap in your token.

  • Store client credentials in encrypted secrets management (never in source code)
  • Protect both application-level and user-specific tokens
  • Rotate secrets periodically
  • Use HTTPS for all requests
  • Re-request application tokens before the 7-day expiry