How do I refactor my client to Tallyfy's new OAuth2.0?

As of November 8th, 2018 Tallyfy moved authentication to the OAuth2.0 industry standard. 

For 3rd Party API consumers ("Clients"), this will mean a few changes in how login calls are made and how authentication tokens are received. 

API Calls

Once the token is received, all other calls will be as they were previously. However, the call to receive your access token has changed:

New URL:


New JSON Request Body:

'scope': '*'

Grant Type

For the initial token request, the grant type will be "password", all subsequent calls will user the "bearer" grant type.

Client Secret and ID

You will notice that client secret and client ID are now required headers for the initial token request. To register for a client ID and secret, please reach out to us at


Scopes set permissions when requesting authorization to access an account. Through scopes, users can control the actions a third-party application or client can perform on their behalf, ensuring better security and privacy.

Our available scopes are:

  • organization - Grants access to manage organization, users, tags and subscription
  • account - Grants access to manage account details, account tasks and process views
  • template - Grants access to manage templates and steps
  • process - Grants access to manage process, tasks and one-off tasks
  •  *  -  for clients that require the all scopes, the "wildcard" symbol can be used

Process Scope

  • Can Start/Update/Delete/Restore Process
  • Can Complete/Re-Open Tasks
  • Can Report/Resolve task issues
  • Can Add/Remove tags in processes and tasks

Template Scope

  • Can Create/Update/Delete/Restore Templates
  • Can Create/Update/Delete Steps
  • Can Create/Update/Delete Forms
  • Can Create/Update/Delete Rules
  • Can Add/Remove tags in templates

Account Scope

  • Can Update current user profile and preferences.
  • Can Create/Update/Delete current user process views
  • Can Recover current user password
  • Can Get list of assigned tasks

Organization Scope

  • Can Update organization details 
  • Can Update billing info and plan
  • Can Invite/Disable/Delete users
  • Can Create/Update/Delete tags
  • Can Create/Update/Delete users groups
  • Can Create/Update/Delete users roles

Endpoint Changes

As we are updating our authentication and reviewing our scopes, we will also refactored some of our endpoints. Some will be added or changed to either better match their appropriate scope or to become more descriptive of their actual function, while some will be eliminated due to redundancy or obsolescence.

New API Endpoints

  • /oauth/token - get access token
  • /oauth/token/refresh - refresh access token

Renamed API Endpoints

  • GET /url-check changed to >  /utils/check-url
  • GET /countries changed to > /utils/countries
  • GET /p/static/config changed to /utils/config
  • GET /token changed to > /support/token
  • GET/PUT /organizations/{org}/users/me changed to > /organizations/{org}/me
  • GET/POST /organizations/{org}/users/me/preferences changed to > /organizations/{org}/me/preferences
  • GET/POST /organizations/{org}/accounts/views changed to > /organizations/{org}/me/process-views
  • GET/PUT /organizations/{org}/accounts/views/{id} changed to > /organizations/{org}/me/process-views/{id}
  • GET /organizations/{org}/role changed to > /organizations/{org}/me/role
  • PUT /organizations/{org}/accounts changed to > /organizations/{org}/me
  • GET /organizations changed to > /me/organizations
  • PUT /organizations/{org}/accounts/{id} changed to > /organizations/{org}/users/{id}

Removed API Endpoints

  • /organizations/{org}/checklists/{checklist_id}/import-steps
  • /organizations/{org}/checklists/import
  • /organizations/{org}/steps/{step_id}/copy
  • GET organizations/{org}/integrations/{type}
  • POST organizations/{org}/integrations/{type}
  • PUT organizations/{org}/integrations/{type}
  • GET /organizations/{org}/billing-info - instead use /organizations?with=billing_info
  • /organizations/{org}/permissions
  • GET /organizations/{org}/users/username/{username}
  • /auth/login use instead /oauth/token
  • /auth/check-reset-code
  • /auth/reset-password-from-account
  • /auth/resend-activation
  • GET/POST /organizations/{org}/guests/tasks/{code}/comments
  • /webhooks/start-run
  • /webhooks/post-comment
  • /zapier/api/hooks
  • /zapier/api/hooks/{id}
  • GET/POST/PUT/DELETE /organizations/{org}/comments
  • GET /organizations/{org}/runs/{run}/activities
  • GET /organizations/{org}/checklists/{checklist}/activities
  • GET /organizations/{org}/steps/{step}/activities
  • GET /organizations/{org}/runs/{runs}/tasks/{task}/activities
  • GET /organizations/{org}/comments/{comment}/activities
  • GET /organizations/{org}/users/{user}/activities
  • /organizations/{org}/integrations/hotdocs-package
  • /organizations/{org}/integrations/hotdocssession
  • PUT /organizations/{org}/checklists/{id}/activate instead use /organizations/{org}/checklists/{id}/restore
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us