Front Desk For Developers

Authentication

Front Desk apps use a standard "authorization code" OAuth 2 flow. Your application contains a Log In link that sends users to Front Desk. The URL will look something like this:

https://frontdeskhq.com/oauth/authorize?client_id=XXXXXXXXXXXX&response_type=code&redirect_uri=https://myapp.com/callback

After authenticating with Front Desk and granting access to your application, the user is redirected back to your site with an authorization code parameter in the URL:

https://myapp.com/callback?code=AUTH_CODE

Your server exchanges the authorization code for an access token. Values are passed as form parameters. Note that redirect_uri must exactly match the callback_url you specified when registering your app.

POST https://frontdeskhq.com/oauth/token
  grant_type=authorization_code&
  code=AUTH_CODE&
  redirect_uri=REDIRECT_URL&
  client_id=CLIENT_ID&
  client_secret=SECRET

You will receive the access token via JSON in the response (or an error):

{"access_token":"abc123"}

Supplying an access token in API requests

An access token is required when making API requests. The access token can be supplied by using an HTTP header:

Authorization: Bearer MYTOKEN

Or by using a URL query parameter:

https://mybiz.frontdeskhq.com/api/v2/desk/people/:id.json?access_token=MYTOKEN

Currently, Front Desk access tokens don’t expire, so your app does not need to refresh the token. Access tokens can be revoked. If a token is revoked for any reason, your app should handle re-authentication.

Specifying a host for OAuth requests

If your application is tied to one business and you do not need access to a user's profiles in other businesses, or if you want the users of your application to see a login screen branded to a particular business, include the subdomain of that business in the access URL:

https://mybiz.frontdeskhq.com/oauth/authorize

If your application requires access to a user's complete Front Desk account across all businesses, exclude the subdomain. Users will then see a Front Desk-branded login screen that isn't business-specific.

https://frontdeskhq.com/oauth/authorize

If an access token is created on a business subdomain, all subsequent API requests must be against that subdomain.
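
The flow above, sketched as server-side Python. This is an added example, not Front Desk's own code: the function names are hypothetical, the state parameter is standard OAuth 2 (RFC 6749) rather than something this page documents, and using the business subdomain for the token endpoint is an assumption. The requests are built but not sent.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

BASE_HOST = "frontdeskhq.com"

def oauth_host(subdomain=None):
    # mybiz.frontdeskhq.com for a business-branded login, bare host for account-wide access.
    return f"{subdomain}.{BASE_HOST}" if subdomain else BASE_HOST

def new_state():
    return secrets.token_urlsafe(32)  # store in the user's session before redirecting

def authorize_url(client_id, redirect_uri, state, subdomain=None):
    query = urlencode({"client_id": client_id, "response_type": "code",
                       "redirect_uri": redirect_uri, "state": state})
    return f"https://{oauth_host(subdomain)}/oauth/authorize?{query}"

def code_from_callback(callback_url, expected_state):
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    # Assumption: the server echoes `state` back unchanged, as RFC 6749 specifies.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback did not come from our login link")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]

def token_request(code, client_id, client_secret, redirect_uri, subdomain=None):
    # Form parameters in the POST body; redirect_uri is the same string sent to authorize_url.
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "client_secret": client_secret}).encode()
    return Request(f"https://{oauth_host(subdomain)}/oauth/token", data=body, method="POST")

def parse_token_response(body):
    data = json.loads(body)
    if not isinstance(data, dict) or not data.get("access_token"):
        raise ValueError("token exchange failed")  # avoid logging the response body
    return data["access_token"]

def api_request(subdomain, path, access_token):
    # Header form keeps the token out of URLs, which end up in logs and browser history.
    return Request(f"https://{subdomain}.{BASE_HOST}{path}",
                   headers={"Authorization": f"Bearer {access_token}"})
```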