OAuth API Authentication Overview


To use the Thrive APIs and Webhooks, you must authenticate using OAuth 2.0 Client Credentials.

In this flow, you are issued a Client ID and Client Secret. These credentials are used to request an access token from our OAuth service. You then include this access token as a Bearer token in the Authorization header of all API or Webhook requests.

Credentials

You will be provided with:

  • Client ID - Identifies your application

  • Client Secret - Authenticates your application

  • Tenant ID - Identifies your Thrive tenant (used in the token URL)

If you do not yet have these, please contact our Support team.

Important Security Information

Please note the following critical security details:

  • Environment Specificity: Staging and Production use different endpoints and may use different credentials

  • Keep credentials secret: You must not share your Client Secret or access tokens with anyone who doesn’t need them

  • Code Safety: Never commit secrets to source control, include them in client-side code, or log them

  • Protocol: All OAuth and API requests must be made over HTTPS. Requests sent over HTTP will fail

  • Token Lifetime: Access tokens are valid for 1 hour (3600 seconds). Your application must request a new token when the current one expires

Environments & Token Endpoints

Replace :tenantId in the endpoint URLs below with your actual tenant ID for the given environment.

Staging environment

All Regions (except MEA) - API token endpoint:

https://public.api.learnstaging.link/oauth2/token/:tenantId

All Regions (except MEA) - Webhooks token endpoint:

https://user.api.learnstaging.link/oauth2/token/:tenantId

MEA - API token endpoint:

https://public.api.meastaging.learn.tech/oauth2/token/:tenantId

MEA - Webhooks token endpoint:

https://user.api.meastaging.learn.tech/oauth2/token/:tenantId

Production environment

All Regions (except MEA) - API token endpoint:

https://public.api.learn.link/oauth2/token/:tenantId

All Regions (except MEA) - Webhooks token endpoint:

https://user.api.learn.link/oauth2/token/:tenantId

MEA - API token endpoint:

https://public.api.mea.learn.tech/oauth2/token/:tenantId

MEA - Webhooks token endpoint:

https://user.api.mea.learn.tech/oauth2/token/:tenantId

Scopes

For API access (non-webhooks), allowed scopes: api/all, api/read, api/write

For Webhooks, allowed scopes: api/webhooks, api/all

Always request the minimum scope required for your integration.

Step 1: Request an Access Token

Make a POST request to the appropriate OAuth token endpoint with a JSON body containing your credentials.

Headers: Content-Type: application/json

Body:

{
    "scope": "api/all",
    "grant_type": "client_credentials",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET"
}

Examples

cURL example:

curl -X POST "https://public.api.learn.link/oauth2/token/YOUR_TENANT_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "scope": "api/all",
    "grant_type": "client_credentials",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET"
  }'

Node.js (Axios) example:

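// Top-level await requires an ES module (.mjs or "type": "module").
import axios from "axios";

// Production token endpoint (all regions except MEA); substitute your tenant ID.
const url = "https://public.api.learn.link/oauth2/token/YOUR_TENANT_ID";
const body = {
    scope: "api/all",
    grant_type: "client_credentials",
    client_id: "YOUR_CLIENT_ID",
    client_secret: "YOUR_CLIENT_SECRET",
};
// axios rejects the promise on a non-2xx status, so a failed request throws here.
const response = await axios.post(url, body, {
    headers: {
        "Content-Type": "application/json",
    },
    timeout: 10000, // milliseconds
});
// The response contains the access token, so print it only while testing.
console.log(response.data);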

Python (Requests) example:

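import requests

# Production token endpoint (all regions except MEA); substitute your tenant ID.
url = "https://public.api.learn.link/oauth2/token/YOUR_TENANT_ID"
body = {
    "scope": "api/all",
    "grant_type": "client_credentials",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET"
}
headers = {
    "Content-Type": "application/json"
}
# A timeout stops the call from hanging if the token service is unreachable.
response = requests.post(url, json=body, headers=headers, timeout=10)
# Raise on a 4xx/5xx response instead of parsing an error body as a token.
response.raise_for_status()
# The response contains the access token, so print it only while testing.
print(response.json())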

Step 2: Token Response

A successful response will look like this:

{
  "access_token": "REDACTED",
  "expires_in": 3600,
  "token_type": "Bearer"
}

The access_token is used to authenticate API requests. The token is valid for 1 hour (3600 seconds). The token_type will always be Bearer.

Your application should cache this token and request a new one when it expires.

Step 3: Use the Access Token

Include the access token in the Authorization header of all API or Webhook requests:

Authorization: Bearer YOUR_ACCESS_TOKEN

Example request:

curl -X GET "https://public.api.learn.tech/some/endpoint" \
 -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
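
Steps 1 to 3 combined with the caching advice above, as an added example that is not part of Thrive's own documentation: a thread-safe token cache that renews the token shortly before expires_in elapses and returns the Authorization header. The class and function names, the 60-second renewal margin, the api/read default scope and the THRIVE_* environment variable names are assumptions made for this sketch.

```python
import json
import os
import threading
import time
import urllib.request


def fetch_token(token_url, client_id, client_secret, scope="api/read"):
    """POST the Step 1 JSON body to the token endpoint; return the parsed response."""
    if not token_url.startswith("https://"):
        raise ValueError("token endpoint must be HTTPS")
    body = json.dumps({"scope": scope, "grant_type": "client_credentials",
                       "client_id": client_id, "client_secret": client_secret})
    req = urllib.request.Request(token_url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one access token and renews it shortly before expires_in elapses."""

    def __init__(self, fetch, skew=60, clock=time.monotonic):
        self._fetch = fetch    # zero-argument callable returning the token response
        self._skew = skew      # assumed safety margin in seconds, not from the page
        self._clock = clock
        self._lock = threading.Lock()  # one refresh at a time across threads
        self._token, self._expires_at = None, 0.0

    def auth_header(self):
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at:
                data = self._fetch()
                if data.get("token_type") != "Bearer":
                    raise ValueError("unexpected token_type")
                self._token = data["access_token"]
                self._expires_at = self._clock() + int(data["expires_in"]) - self._skew
            return {"Authorization": "Bearer " + self._token}

    def __repr__(self):  # never expose the token through logging or tracebacks
        return "<TokenCache %s>" % ("loaded" if self._token else "empty")


if __name__ == "__main__":
    # Hypothetical environment variable names; secrets stay out of source control.
    cache = TokenCache(lambda: fetch_token(os.environ["THRIVE_TOKEN_URL"],
                                           os.environ["THRIVE_CLIENT_ID"],
                                           os.environ["THRIVE_CLIENT_SECRET"]))
    print(list(cache.auth_header()), cache)
```

Pass the dictionary returned by auth_header() as the headers of each API or Webhook request; the token endpoint is contacted only on the first call and again once the cached token is within the margin of expiry.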

Migrating from Basic Authentication

If you previously used Basic Authentication (tenant-id + API key), you should now:

  1. Obtain a Client ID and Client Secret from Thrive Support

  2. Request an OAuth access token using the steps above

  3. Use the Bearer token instead of Basic Authentication in all requests