When you create your app in Thinkific’s Partner Portal, you must set one or more Oauth scopes. This does not apply to apps using the API Key Authorization.
In this article
- What are OAuth Scopes
- Why does Thinkific use OAuth Scopes?
- What are best practices when selecting Oauth Scopes?
- Where can I set up my App’s Oauth Scopes?
- What happens if I change my app’s scopes?
- What is the difference between Users [General] and Users [Profile]?
- List of Scopes and related Endpoints
What are OAuth Scopes
OAuth scopes are a mechanism used in OAuth to restrict access to certain endpoints on a granular level. Once scopes are set for an app, Thinkific will reject any requests made to endpoints that are out of that app’s scope with a 403 forbidden
code with an "App does not have permission to perform this action. Please check the access token permissions" error.
Why does Thinkific use OAuth Scopes?
Thinkific uses OAuth scopes to:
- Increase customer confidence by informing them of what account data an app will be able to read and/or write before they install an app
- Ensure that apps can only access customer data if required in order for the app to function and cannot access customer data that is not required for the app to function.
What are best practices when selecting Oauth Scopes?
When selecting scopes for your app, only select the scopes that your app will use. For instance:
- If you do not need to write to an endpoint but do need to read it, select the Read endpoint
- If you don’t need to read or write to an endpoint, don’t select either endpoint
- Select either the Users [General] or the Users [Profile] scope, but not both (see here)
- Apps with scopes that do not provide value to the end user will be denied during the app review process. This includes unused scopes and scopes used explicitly for internal purposes.
Where can I set up my App’s Oauth Scopes?
Oauth scopes are defined in the Partner Portal when you create your app. Starting in the first week of January 2022, you can set up your app’s scopes by:
- Viewing your app through the Partner Portal
- Clicking on the Scopes tab
- Updating each scope to match the requirements of your app
- Clicking Save
A full list of Thinkific’s scopes and their endpoints can be found below and if you have any questions you can always reach out to apps@thinkific.com for clarification.
What happens if I change my app’s scopes?
When a scope is removed from an app, that scope will be removed for each user when they receive a new access token; customers will see no change.
When a scope is added to an app, each authenticated user will need to update their app permissions when they next log in to update their scopes. A user can manually update their authentication by navigating to their /manage/apps page, and clicking "Update" (if a scopes update is available).
What is the difference between Users [General] and Users [Profile]?
The Users[General]
read endpoint returns non-identifiable information regarding users in a Thinkific account, such as a user’s id
and created_at
. A user’s first_name
, last_name
, and email
, for instance, are only accessible using the Users[Profile]
read and/or write scope.
Apps that require a Users[Profile]
scope will be subject to additional scrutiny during the app submission process.
List of Scopes and related Endpoints
Bundles
View all bundles.
READ endpoints |
GET bundles/{id} |
GET bundles/{id}/courses |
Coupons
View and manage Coupons and coupon codes on customer behalf. Available for Thinkific Basic plan customers and above.
Categories
View and edit categories and add products to categories.
READ endpoints | WRITE endpoints |
GET /collections | POST /collections |
GET /collections/{id} | PUT /collections/{id} |
DELETE /collections/{id} |
Courses
View all courses.
READ endpoints |
GET /courses |
GET /courses/{id} |
course.created webhook |
course.deleted webhook |
course.updated webhook |
Curriculum
View courses' curriculum including chapters and lessons.
READ endpoints |
GET /courses/{id}/chapters |
GET /chapters/{id} |
GET /chapters/{id}/contents |
GET /contents/{id} |
lesson.completed webhook |
quiz.attempted webhook |
Enrollments
View and manage user's enrollments in courses and bundles. READ endpoints available for all Thinkific Plans, Write endpoints available to Grow/Pro + Growth plans or higher.
READ endpoints | WRITE endpoints |
GET /bundles/{id}/enrollments | POST /bundles/{id}/enrollments |
GET /enrollments | PUT /bundles/{id}/enrollments |
GET /enrollments/{id} | POST /enrollments |
enrollment.completed webhook | PUT /enrollments/{id} |
enrollment.created webhook | |
enrollment.progress webhook | |
enrollment.trial webhook |
External Orders
Create external orders on customer behalf.
WRITE endpoints |
POST /external_orders |
POST /external_orders/{id}/transactions/refund |
POST /external_orders/{id}/transactions/purchase |
Instructors
View and edit instructors.
READ endpoints | WRITE endpoints |
GET /instructors | POST /instructors |
GET /instructors/{id} | PUT /instructors/{id} |
DELETE /instructors/{id} |
Groups
View and edit groups and manage group analysts for groups.
Orders
View order history.
READ endpoints |
GET /orders |
GET /orders/{id} |
order.created webhook |
Products
View product details (courses and bundles).
READ endpoints |
GET /products |
GET /products/{id} |
GET /products/{id}/related |
GET /collections/{id}/products |
product.created webhook |
product.deleted webhook |
product.updated webhook |
Publication Requests
View and manage product publication requests.
READ endpoints | WRITE endpoints |
GET /product_publish_requests | POST /product_publish_requests/{id}/approve |
GET /product_publish_requests/{id} | POST /product_publish_requests/{id}/deny |
Reviews
View and edit Course Reviews.
READ endpoints | WRITE endpoints |
GET /course_reviews | POST /course_reviews |
GET /course_reviews/{id} |
Site Scripts
View and add custom code to site.
READ endpoints | WRITE endpoints |
GET /site_scripts | POST /site_scripts |
GET /site_scripts/{id} | PUT /site_scripts/{id} |
DELETE /site_scripts/{id} |
Users [General]
View non-identifiable information about users.
READ endpoints |
GET /users |
GET /users/{id} |
Users [Profile]
View and edit users including their personal identifiable information.
READ endpoints | WRITE endpoints |
GET /users | POST /users |
GET /users/{id} | PUT /users/{id} |
GET /custom_profile_field_definitions | DELETE /users/{id} |
users.signin webhook | |
users.signup webhook | |
user.updated webhook |