📢 Important Notice
OAuth 1.0 will be deprecated and discontinued on July 1, 2026. All integrations must migrate to OAuth 2.0 before this date to maintain API access.
To obtain your Tripleseat account's public token or set up an OAuth 2.0 Application, head to Settings > API/Webhooks. If you don't have access to this area, you'll have to request it from the customer admin, who can assist with updating your User Role accordingly.
OAuth1.0 / OAuth2.0
OAuth 1.0 (Legacy) - This method requires the individual to pass their Consumer Key and Consumer Secret with each call that they make to Tripleseat's API. This deprecated method will no longer be supported for new integrations starting January 1, 2026, and will be sunset in July 2026. We recommend reviewing our OA1 > OA2 Migration guide for steps to configure OAuth 2.0 in 2026.
OAuth 2.0 - This method allows individuals to generate an authentication token. This token can be cached (and refreshed on expiry) in place of the Consumer Key and Consumer Secret while making calls to the API, as opposed to passing them with each call, as is the case with OAuth 1.0.
Step 1: Create OAuth 2.0 Application
- Log in to Tripleseat with admin credentials
- Navigate to: Settings → Tripleseat API & Webhooks (under the Resources section)
- Under Tripleseat API OAuth 2.0 Client Applications, you can create and manage your OAuth 2.0 applications
- Click View or Edit Client Applications then create a new OAuth 2.0 application using the + New Application button. Enter the following information:
  - Name: [Your Integration Name]
  - Description: [Your Integration Description]
  - Information URL: Your company/integration website
  - Redirect URL: Your OAuth callback URL
  - Your required application scopes
- Save and copy the resulting credentials:
  - UID: Your new OAuth 2.0 client ID
  - Secret: Your new OAuth 2.0 client secret
Step 2: Update Your Authentication Flow
OAuth 2.0 Authorization Flow
- Redirect user to authorization URL:
    https://login.tripleseat.com/oauth2/authorize?
      client_id=YOUR_CLIENT_ID&
      redirect_uri=YOUR_REDIRECT_URI&
      response_type=code&
      scope=read%20write
- User authorizes your application
- Exchange authorization code for access token:
    POST https://api.tripleseat.com/oauth2/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&
    code=AUTHORIZATION_CODE&
    client_id=YOUR_CLIENT_ID&
    client_secret=YOUR_CLIENT_SECRET&
    redirect_uri=YOUR_REDIRECT_URI
- Response includes access and refresh tokens
    {
      "access_token": "YOUR_ACCESS_TOKEN",
      "token_type": "Bearer",
      "expires_in": 7200,
      "refresh_token": "YOUR_REFRESH_TOKEN",
      "scope": "read write",
      "created_at": 1234567890
    }
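The authorization flow above, sketched as an added Python example (not Tripleseat's own code). The `state` parameter and the `error` callback parameter do not appear on this page; they are standard OAuth 2.0 (RFC 6749) and their use here assumes the authorization server returns `state` unchanged on the redirect. The function names are hypothetical.

```python
import hmac
import secrets
import urllib.parse

AUTHORIZE_URL = "https://login.tripleseat.com/oauth2/authorize"  # from the page


def build_authorize_url(client_id, redirect_uri, scope="read write"):
    """Return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # assumption: server echoes it back
    query = urllib.parse.urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
    }, quote_via=urllib.parse.quote)  # encodes the space as %20, as on the page
    return AUTHORIZE_URL + "?" + query, state


def code_from_callback(callback_url, expected_state):
    """Validate the redirect back to redirect_uri and return the code."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in params:  # standard OAuth 2.0 error response
        raise ValueError("authorization failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not tied to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request_fields(code, client_id, client_secret, redirect_uri):
    """Form fields for the POST to /oauth2/token shown on the page."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }
```

The token exchange belongs on the server side only, since it carries the client secret.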
Step 3: Update API Requests
OAuth 2.0 (New Way)
GET /api/v1/locations HTTP/1.1
Host: api.tripleseat.com
Authorization: Bearer YOUR_ACCESS_TOKEN
Step 4: Implement Token Refresh
OAuth 2.0 access tokens expire after 2 hours. Use refresh tokens to get new access tokens:
POST https://api.tripleseat.com/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&
refresh_token=YOUR_REFRESH_TOKEN&
client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET
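One way to cache the access token and refresh it shortly before the 2-hour expiry, as an added Python example (not Tripleseat's own code). The `TokenCache` class, the injectable `post` and `clock` parameters and the 60-second margin are hypothetical; it assumes `created_at` is a Unix timestamp in seconds and that a refresh response may carry a new refresh token.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.tripleseat.com/oauth2/token"  # from the page


def http_post_form(url, fields):
    """Default transport: form-encoded POST, returns the parsed JSON body."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds the current tokens and refreshes them shortly before expiry."""

    def __init__(self, client_id, client_secret, token_response,
                 post=http_post_form, clock=time.time, skew=60):
        self.client_id, self.client_secret = client_id, client_secret
        self.post, self.clock, self.skew = post, clock, skew
        self._store(token_response)

    def _store(self, tok):
        self.access_token = tok["access_token"]
        # Keep the old refresh token if the response does not carry a new one.
        self.refresh_token = tok.get(
            "refresh_token", getattr(self, "refresh_token", None))
        # Assumption: created_at is Unix seconds; fall back to the local clock.
        issued = tok.get("created_at", self.clock())
        self.expires_at = issued + tok["expires_in"]

    def bearer(self):
        """Return the Authorization header value, refreshing first if due."""
        if self.clock() >= self.expires_at - self.skew:
            self._store(self.post(TOKEN_URL, {
                "grant_type": "refresh_token",
                "refresh_token": self.refresh_token,
                "client_id": self.client_id,
                "client_secret": self.client_secret,
            }))
        return "Bearer " + self.access_token
```

Persist the refresh token with the same care as the client secret, because either one can be used to mint new access tokens.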
Invalidation
Should the need arise, individuals are able to invalidate a bearer token that was generated by the OAuth2.0 method by performing a POST call to the following endpoint using the token they are looking to invalidate:
https://api.tripleseat.com/oauth/invalidate
This will result in a "410 | Gone" response status, causing any calls that had the token cached or saved to return a "401 | Unauthorized" status.
OAuth 1.0 Authentication Examples (Deprecated January 1, 2026)
In order to acquire an authentication token for the OAuth2.0 method outlined above, the individual will need to perform a POST call to:
https://api.tripleseat.com/oauth/token
With the following body:
JSON
{
  "client_id": "CONSUMER_KEY",
  "client_secret": "CONSUMER_SECRET",
  "grant_type": "client_credentials"
}
The API will return a 200 OK along with a response body as follows:
JSON
{
  "access_token": "ACCESS_TOKEN",
  "token_type": "bearer"
}
Additional Language Examples
Python
import requests
import json

# Token endpoint; replace the placeholders with your own credentials
url = "https://api.tripleseat.com/oauth/token"
payload = json.dumps({
    "client_id": "CONSUMER_KEY",
    "client_secret": "CONSUMER_SECRET",
    "grant_type": "client_credentials"
})
headers = {
    'Content-Type': 'application/json'
}
# POST the JSON body and print the raw token response
response = requests.request("POST", url, headers=headers, data=payload)
print(response.text)
PHP
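<?php
// Guzzle HTTP client (installed via Composer) provides Client and Request
require 'vendor/autoload.php';
use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Request;

$client = new Client();
$headers = [
  'Content-Type' => 'application/json'
];
$body = '{
  "client_id": "CONSUMER_KEY",
  "client_secret": "CONSUMER_SECRET",
  "grant_type": "client_credentials"
}';
// POST the JSON body and print the token response
$request = new Request('POST', 'https://api.tripleseat.com/oauth/token', $headers, $body);
$res = $client->sendAsync($request)->wait();
echo $res->getBody();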
cURL
curl --location 'https://api.tripleseat.com/oauth/token' \
--header 'Content-Type: application/json' \
--data ' {
"client_id": "CONSUMER_KEY",
"client_secret": "CONSUMER_SECRET",
"grant_type": "client_credentials"
}'
Pro-Tips:
The above snippets are written in JSON; however, in the event that you and your team utilize a program like Postman to make your API calls, you can utilize the “Code Snippet” tool in their application to convert an existing call into other languages. Most notably, as mentioned above:
- Python
- PHP
- cURL
If using an OAuth library that gives you the option to put the Authentication Information in the request header, we recommend using this setting.