Once your OAuth 2.0 application is set up, follow these steps to use your integration.
Review the following list of items required for your integration
- client_id
- client_secret
- The list of scopes your app was approved for (e.g. leads:write events:read)
- Confirmation of the redirect_uri registered to your app
These items are available in your partner Sandbox or they will be provided to you by the partnership team.
If any of these need to change, contact us before going live. The redirect_uri must match exactly what you submitted.
Send the customer through the authorization flow
When a Tripleseat customer wants to connect your app, send them to:
    https://login.tripleseat.com/oauth2/authorize
      ?client_id=YOUR_CLIENT_ID
      &redirect_uri=YOUR_REGISTERED_REDIRECT_URI
      &response_type=code
      &scope=leads:write events:read
      &state=CSRF_TOKEN_YOU_GENERATE

Notes:
- Most partners present a button on their dashboard that says "Connect to Tripleseat"
- The authorizing user must be a Tripleseat customer admin. Regular users cannot authorize integrations.
- scope is space-separated. Only request scopes your app was approved for.
- state should be a random per-session value you generate and verify on the callback. This prevents CSRF.
Handle the redirect back to your app
After the customer admin approves, Tripleseat redirects to your redirect_uri with a query string:
    YOUR_REDIRECT_URI?code=AUTHORIZATION_CODE&state=YOUR_STATE

Verify state matches what you sent in step 2. Reject if not.
Exchange the authorization code for an access token
POST to the token endpoint:
    POST https://api.tripleseat.com/oauth2/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code
    &code=AUTHORIZATION_CODE
    &client_id=YOUR_CLIENT_ID
    &client_secret=YOUR_CLIENT_SECRET
    &redirect_uri=YOUR_REGISTERED_REDIRECT_URI

Response:

    {
      "access_token": "...",
      "token_type": "Bearer",
      "expires_in": 7200,
      "refresh_token": "...",
      "scope": "leads:write events:read",
      "created_at": 1234567890
    }

Store both the access_token and the refresh_token. The access token expires in 2 hours by default.
Make API calls
Base URL: https://api.tripleseat.com/v1/
Send the token as a Bearer header on every request:

    GET https://api.tripleseat.com/v1/leads?site_id=SITE_ID
    Authorization: Bearer YOUR_ACCESS_TOKEN

Key points:
- The token grants access to all sites within the customer account that authorized you. There is one OAuth app per customer, not per site.
- Pass site_id on every request to target a specific site under that customer. Get the list of sites the token can act on via GET /v1/sites.
- If the customer has only one active site, site_id is optional and we default to it.
- Respect the scopes you were granted. A request that needs a scope your token does not have will return 403 Forbidden with an insufficient_scope error.
Refresh the access token before it expires
    POST https://api.tripleseat.com/oauth2/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=refresh_token
    &refresh_token=YOUR_REFRESH_TOKEN
    &client_id=YOUR_CLIENT_ID
    &client_secret=YOUR_CLIENT_SECRET

The response has the same shape as step 4. The old refresh token is invalidated and replaced.
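The following Python example is added here and is not part of Tripleseat's documentation. It shows the state generation and callback check from steps 2 and 3, and the token bookkeeping needed because each refresh replaces the refresh token. The function names, the session and store dictionaries, the partner.example redirect URI and the 300-second refresh margin are assumptions.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://login.tripleseat.com/oauth2/authorize"
CLIENT_ID = "YOUR_CLIENT_ID"  # placeholder from the page
REDIRECT_URI = "https://partner.example/oauth/callback"  # constructed value


def begin_authorization(session, scopes):
    """Store a fresh random state in the session and build the authorize URL."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": " ".join(scopes),  # scope is space-separated
        "state": session["oauth_state"],
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Return the authorization code, or raise if state does not match."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # one attempt per state value
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch, callback rejected")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def store_tokens(store, token_response, received_at=None):
    """Replace the stored pair; a refresh invalidates the old refresh token."""
    received_at = time.time() if received_at is None else received_at
    store["access_token"] = token_response["access_token"]
    store["refresh_token"] = token_response["refresh_token"]
    store["expires_at"] = received_at + token_response["expires_in"]


def needs_refresh(store, now=None, margin=300):
    """True once the access token is within `margin` seconds of expiry."""
    now = time.time() if now is None else now
    return now >= store["expires_at"] - margin
```

Call store_tokens with every token response, including refresh responses, so the stored refresh token is always the most recent one.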
Handle errors and disconnections
- 401 Unauthorized: token is expired, revoked, or the user/customer was deactivated. Trigger a refresh, or if that also fails, send the customer back through step 2.
- 403 Forbidden with insufficient_scope: your app does not have the scope required for that endpoint. Contact us if you need additional scopes added.
Customer admins can revoke your app at any time from Settings > OAuth Applications in Tripleseat. After revocation, all tokens for that customer stop working.
Assets
* Our latest company logo (as at May 2026) is below: