tyms_sk_... secret.
Tyms issues your app a public key (tyms_pk_...) and secret key (tyms_sk_...). End users sign in through the Tyms consent screen, pick a business, and your app receives short-lived tokens scoped to that connection.
When to use OAuth vs a business key
| Approach | Best for |
|---|---|
| Business tyms_sk_... | Automating your own Tyms business (Authentication, Quickstart) |
| OAuth | Apps used by many Tyms customers, each connecting their own business |
Credentials
| Credential | Who holds it | Used for |
|---|---|---|
| client_id (tyms_pk_...) | Your integration app | Starting authorization; shown to users as your app identity |
| App secret_key (tyms_sk_...) | Your integration app (server-side only) | Exchanging codes, refreshing tokens, and authenticating API calls alongside the user's access token |
| access_token / refresh_token | Your integration app (per connected user) | Calling business-scoped endpoints on behalf of the user who authorized access |
End-to-end flow
1. Start authorization: Call Get authorization URL with client_id, redirect_uri, reference, privacy_url, and terms_url.
2. Redirect the user: Send the user to the authorization_url in the response. Tyms hosts sign-in and business selection at https://app.useadam.io/auth/oauth/self.
3. Receive the authorization code: After consent, the user lands on your redirect_uri with reference, authorization_code, and business_id as query parameters.
4. Exchange for tokens: Call Exchange authorization code with your app secret_key and the code. Store access_token, refresh_token, expires_at, and business_id.
5. Call business endpoints: Send both your app secret_key and Authorization: Bearer <access_token> on every business-scoped request. See Call with OAuth tokens.

reference is your correlation id for the connection attempt: generate a unique value per authorization and verify it matches on callback.
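One way to implement the reference check on the callback, as an added example that is not Tyms code. The in-memory store, the binding to a user session id, the 10-minute limit, and the callback host are assumptions; only the query parameter names come from this page.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

PENDING_TTL = 600  # assumption: seconds allowed to finish consent


class PendingAuthorizations:
    """Outstanding `reference` values, keyed by the user's session id (hypothetical)."""

    def __init__(self, now=time.time):
        self._pending = {}
        self._now = now

    def start(self, session_id):
        """Create the unique reference to pass to Get authorization URL."""
        reference = secrets.token_urlsafe(32)  # unguessable, URL-safe
        self._pending[session_id] = (reference, self._now() + PENDING_TTL)
        return reference

    def finish(self, session_id, callback_url):
        """Validate the callback; return (authorization_code, business_id)."""
        entry = self._pending.pop(session_id, None)  # pop: each reference is single-use
        if entry is None:
            raise ValueError("no pending authorization for this session")
        expected, deadline = entry
        if self._now() > deadline:
            raise ValueError("authorization attempt expired")
        query = parse_qs(urlsplit(callback_url).query)
        got = {}
        for name in ("reference", "authorization_code", "business_id"):
            values = query.get(name, [])
            if len(values) != 1:  # reject missing, empty, or repeated parameters
                raise ValueError(f"{name} missing or repeated")
            got[name] = values[0]
        # Constant-time comparison of the returned reference with the stored one.
        if not hmac.compare_digest(got["reference"].encode(), expected.encode()):
            raise ValueError("reference mismatch")
        return got["authorization_code"], got["business_id"]


if __name__ == "__main__":
    store = PendingAuthorizations()
    ref = store.start("session-abc")  # constructed session id
    # Constructed callback URL using the parameter names from this page.
    url = f"https://app.example.test/callback?reference={ref}&authorization_code=code123&business_id=biz_1"
    print(store.finish("session-abc", url))
```

Only pass the returned authorization_code to the exchange step after finish() succeeds; a mismatch or replay means the callback did not originate from an authorization this session started.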
Callback URL shape
Call business endpoints with OAuth
Every business-scoped request requires both credentials:
- secret_key identifies your integration to Tyms.
Use Validate OAuth session to confirm a token and read business profile fields (including authentication_method: "oauth" and expiry).
Token lifetime and refresh
- Access tokens expire after 60 minutes (expires_at in the exchange response).
- Call Refresh access token with your app secret_key, refresh_token, and business_id to obtain a new access token without sending the user through consent again.
- Call Revoke access when a user disconnects your app. Provide business_id and either access_token or refresh_token.
Subscription requirement
The connected business must have an active Tyms subscription eligible for Developer API access. Businesses without a qualifying subscription cannot complete authorization; API calls return 403 if the subscription lapses after connect.
Common errors
| Situation | HTTP | What to do |
|---|---|---|
| Invalid client_id | 400 | Check tyms_pk_... from Tyms |
| No businesses on the account | 400 | User must belong to at least one business |
| Business without active subscription | 403 | User must pick a subscribed business or upgrade |
| Expired or reused authorization code | 400 | Start a new authorization |
| Bearer token without app secret | 401 | Send X-API-Key with your app secret_key |
| Invalid or expired access token | 401 | Refresh or re-authorize |
| Subscription lapsed after connect | 403 | Prompt user to restore subscription or disconnect |
| User lost business access | 403 | Treat as revoked; remove stored tokens |
Related reference
- API overview — errors, rate limits, response envelope
- Authentication — business and partner API keys (non-OAuth)
- OAuth endpoints under API reference → OAuth