REST Permissions and Scopes

    Plan Availability
    Legacy Plans
    Platform

What are OAuth Scopes

OAuth scopes are a mechanism used in OAuth to restrict access to certain endpoints on a granular level. Once scopes are set for an app, Thinkific will reject any requests made to endpoints that are out of that app’s scope with a 403 forbidden code with an "App does not have permission to perform this action. Please check the access token permissions" error.

Why does Thinkific use OAuth Scopes?

Thinkific uses OAuth scopes to:

  • Increase customer confidence by informing them of what account data an app will be able to read and/or write before they install an app
  • Ensure that apps can only access customer data if required in order for the app to function and cannot access customer data that is not required for the app to function.

What are best practices when selecting Oauth Scopes?

When selecting scopes for your app, only select the scopes that your app will use. For instance:

  • If you do not need to write to an endpoint but do need to read it, select the Read endpoint
  • If you don’t need to read or write to an endpoint, don’t select either endpoint
  • Select either the Users [General] or the Users [Profile] scope, but not both (see here)
  • Apps with scopes that do not provide value to the end user will be denied during the app review process. This includes unused scopes and scopes used explicitly for internal purposes.

Where can I set up my App’s Oauth Scopes?

Oauth scopes are defined in the Partner Portal when you create your app. Starting in the first week of January 2022, you can set up your app’s scopes by:

  1. Viewing your app through the Partner Portal
  2. Clicking on the Scopes tab
  3. Updating each scope to match the requirements of your app
  4. Clicking Save

A full list of Thinkific’s scopes and their endpoints can be found below and if you have any questions you can always reach out to apps@thinkific.com for clarification.

scopes page

What happens if I change my app’s scopes?

When a scope is removed from an app, that scope will be removed for each user when they receive a new access token; customers will see no change.

When a scope is added to an app, each authenticated user will need to update their app permissions when they next log in to update their scopes. A user can manually update their authentication by navigating to their /manage/apps page, and clicking "Update" (if a scopes update is available).

What is the difference between Users [General] and Users [Profile]?

The Users[General] read endpoint returns non-identifiable information regarding users in a Thinkific account, such as a user’s id and created_at. A user’s first_namelast_name, and email, for instance, are only accessible using the Users[Profile] read and/or write scope.

Apps that require a Users[Profile] scope will be subject to additional scrutiny during the app submission process.

List of Scopes and related Endpoints

Bundles

View all bundles.

Coupons

View and manage Coupons and coupon codes on customer behalf. Available for Thinkific Basic plan customers and above.

Categories

View and edit categories and add products to categories.

Courses

View all courses.

READ endpoints 
GET /courses
GET /courses/{id}
course.created webhook
course.deleted webhook
course.updated webhook

Curriculum

View courses' curriculum including chapters and lessons.

READ endpoints 
GET /courses/{id}/chapters
GET /chapters/{id}
GET /chapters/{id}/contents
GET /contents/{id}
lesson.completed webhook
quiz.attempted webhook

Enrollments

View and manage user's enrollments in courses and bundles. READ endpoints available for all Thinkific Plans, Write endpoints available to Grow/Pro + Growth plans or higher.

READ endpoints  WRITE endpoints
GET /bundles/{id}/enrollments POST /bundles/{id}/enrollments
GET /enrollments PUT /bundles/{id}/enrollments
GET /enrollments/{id} POST /enrollments
enrollment.completed webhook PUT /enrollments/{id}
enrollment.created webhook  
enrollment.progress webhook  
enrollment.trial webhook  

External Orders

Create external orders on customer behalf.

Instructors

View and edit instructors.

Groups

View and edit groups and manage group analysts for groups.

Orders

View order history.

READ endpoints 
GET /orders
GET /orders/{id}
order.created webhook

Products

View product details (courses and bundles).

READ endpoints 
GET /products
GET /products/{id}
GET /products/{id}/related
GET /collections/{id}/products
product.created webhook
product.deleted webhook
product.updated webhook

Publication Requests

View and manage product publication requests. 

Reviews

View and edit Course Reviews.

Site Scripts

View and add custom code to site.

Users [General]

View non-identifiable information about users.

READ endpoints 
GET /users
GET /users/{id}

Users [Profile]

View and edit users including their personal identifiable information.

READ endpoints  WRITE endpoints
GET /users POST /users
GET /users/{id} PUT /users/{id}
GET /custom_profile_field_definitions DELETE /users/{id}
users.signin webhook  
users.signup webhook  
user.updated webhook  
Was this article helpful?
0 out of 0 found this helpful