Thred uses a two-tier OAuth2 system for secure multi-tenant access.

Partner-Scoped Token

Backend only. Manage multiple businesses:
  • List all businesses
  • Create new businesses
  • Get business-scoped tokens

Business-Scoped Token

Frontend safe. Access a single business:
  • Invoices and payments
  • Reports and GL
  • Isolated to one business
Security: never use partner-scoped tokens on the frontend
Partner-scoped tokens grant access to ALL businesses under your partnership. Exposing them in frontend code allows users to access other businesses' financial data. Always use business-scoped tokens in the frontend; they are scoped to a single business and safe for end users.

Get Partner-Scoped Token

Exchange your partner UUID and API key for a partner-scoped token. The endpoint uses HTTP Basic authentication, i.e. the base64 encoding of PARTNER_UUID:API_KEY:
curl -X POST https://dev-backend.thredfi.com/v1/platform/oauth2/token/ \
  -H "Authorization: Basic $(echo -n 'PARTNER_UUID:API_KEY' | base64 | tr -d '\n')"
GNU base64 wraps its output at 76 characters, so the trailing tr -d '\n' keeps a long UUID:key pair on one header line. Equivalently, curl -u 'PARTNER_UUID:API_KEY' builds the same header for you.
Response:
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600
}

Get Business-Scoped Token

Exchange the partner-scoped token for a business-scoped token. BUSINESS_ID in the path selects the single business the new token may access:
curl -X POST https://dev-backend.thredfi.com/v1/platform/BUSINESS_ID/oauth2/token/ \
  -H "Authorization: Bearer PARTNER_TOKEN"
Response:
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "business_access"
}

Token Usage

Partner-scoped token: use for managing businesses (list, create, mint business-scoped tokens). Location: backend server only.
Business-scoped token: use for one business's invoices, payments, reports and GL. Location: backend or frontend.

Token Lifecycle

1. Tokens expire after 1 hour
   Both token types expire after 3600 seconds; the lifetime is returned as expires_in in the token response.

2. Handle expiration
   When you receive 401 Unauthorized:
     • Re-authenticate to get a fresh token
     • Retry the failed request once; a second 401 with a fresh token means the credentials themselves are being rejected, so do not loop

3. Best practice
   Cache tokens and refresh before expiry to avoid disruptions. Record the expiry as the issue time plus expires_in, and refresh a few minutes ahead of it.
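The two exchanges above and the lifecycle rules fit naturally into a small backend token broker: it holds the partner credentials and partner-scoped token server-side, caches both token types, refreshes them before expires_in runs out, and on a 401 re-authenticates once and retries once. The code below is an added example, not Thred's SDK or sample code. Everything beyond the two endpoint URLs and response bodies shown on this page is an assumption: the HTTP transport is an injected callable so the constructed FakeThredAPI can stand in for the real service (the example runs offline), the 5-minute refresh margin is a chosen default, and the token strings the fake returns are made up.

```python
"""Backend token broker for Thred's two-tier flow (added example, not Thred's code).
Assumptions not taken from the docs: `post` is a callable (url, headers) -> (status,
json_body) so a constructed fake replaces the real endpoints, and tokens are
refreshed REFRESH_MARGIN seconds before they expire."""
import base64
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

BASE_URL = "https://dev-backend.thredfi.com"
REFRESH_MARGIN = 300  # seconds of remaining lifetime at which we refresh (assumption)
HttpPost = Callable[[str, Dict[str, str]], Tuple[int, dict]]


@dataclass
class CachedToken:
    access_token: str
    expires_at: float  # epoch seconds = issue time + expires_in

    def needs_refresh(self, now: float) -> bool:
        return now >= self.expires_at - REFRESH_MARGIN


class TokenBroker:
    """Holds PARTNER_UUID, API_KEY and the partner-scoped token server-side; only
    business-scoped tokens leave this class, so the frontend never sees them."""

    def __init__(self, partner_uuid: str, api_key: str, post: HttpPost, clock=time.time):
        creds = base64.b64encode(f"{partner_uuid}:{api_key}".encode()).decode()  # no line wrap
        self._basic, self._post, self._clock = f"Basic {creds}", post, clock
        self._partner: Optional[CachedToken] = None
        self._business: Dict[str, CachedToken] = {}

    def _request_token(self, url: str, authorization: str) -> CachedToken:
        status, body = self._post(url, {"Authorization": authorization})
        if status == 401:
            raise PermissionError(f"401 Unauthorized from {url}")
        if status != 200:
            raise RuntimeError(f"HTTP {status} from {url}")
        return CachedToken(body["access_token"], self._clock() + body["expires_in"])

    def _partner_token(self, force: bool = False) -> str:
        if force or self._partner is None or self._partner.needs_refresh(self._clock()):
            self._partner = self._request_token(f"{BASE_URL}/v1/platform/oauth2/token/", self._basic)
        return self._partner.access_token

    def business_token(self, business_id: str) -> str:
        """Token scoped to one business: the only token the frontend may receive."""
        cached = self._business.get(business_id)
        if cached and not cached.needs_refresh(self._clock()):
            return cached.access_token
        url = f"{BASE_URL}/v1/platform/{business_id}/oauth2/token/"
        try:
            token = self._request_token(url, f"Bearer {self._partner_token()}")
        except PermissionError:
            # 401 on the exchange: re-authenticate once, retry once; a second 401 propagates.
            token = self._request_token(url, f"Bearer {self._partner_token(force=True)}")
        self._business[business_id] = token
        return token.access_token


class FakeThredAPI:
    """Constructed offline stand-in for both token endpoints; bodies mirror the docs."""

    def __init__(self, partner_uuid: str, api_key: str):
        self._basic = "Basic " + base64.b64encode(f"{partner_uuid}:{api_key}".encode()).decode()
        self.calls, self._live_partner_tokens = [], set()

    def revoke_partner_tokens(self) -> None:
        self._live_partner_tokens.clear()  # simulates server-side revocation

    def __call__(self, url: str, headers: Dict[str, str]) -> Tuple[int, dict]:
        self.calls.append(url)
        n, auth = len(self.calls), headers.get("Authorization", "")
        if url == f"{BASE_URL}/v1/platform/oauth2/token/":
            if auth != self._basic:
                return 401, {}
            self._live_partner_tokens.add(f"partner-token-{n}")
            return 200, {"access_token": f"partner-token-{n}", "token_type": "Bearer", "expires_in": 3600}
        if auth.startswith("Bearer ") and auth[7:] in self._live_partner_tokens:
            return 200, {"access_token": f"business-token-{n}", "token_type": "Bearer",
                         "expires_in": 3600, "scope": "business_access"}
        return 401, {}


def run_demo() -> dict:
    """Drive the broker against the fake with a controllable clock; return what happened."""
    now = [1_700_000_000.0]
    api = FakeThredAPI("PARTNER_UUID", "API_KEY")
    broker = TokenBroker("PARTNER_UUID", "API_KEY", post=api, clock=lambda: now[0])
    out = {"first": broker.business_token("BUSINESS_ID")}   # partner + business request
    out["second"] = broker.business_token("BUSINESS_ID")     # cache hit, no request
    out["calls_after_cache_hit"] = len(api.calls)            # 2
    now[0] += 3600 - REFRESH_MARGIN                          # 55 min later: refresh window
    out["third"] = broker.business_token("BUSINESS_ID")      # both tokens refreshed
    out["calls_after_refresh"] = len(api.calls)              # 4
    api.revoke_partner_tokens()                              # cached partner token now 401s
    out["fourth"] = broker.business_token("OTHER_BUSINESS")  # 401 -> re-auth -> retry
    out["calls_after_revocation"] = len(api.calls)           # 7
    return out
```

In production, replace FakeThredAPI with a function that performs the real HTTPS POST (for example with requests) and keep TokenBroker on the server: a frontend should call your own backend for business_token(business_id), after authorizing that the caller is entitled to that business, and never receive the Basic credentials or the partner-scoped token.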

Security Best Practices

Store partner UUID and API key securely:
  • Environment variables
  • Secrets manager (AWS Secrets Manager, HashiCorp Vault)
  • Never commit to source control
All API calls must use HTTPS. HTTP requests will be rejected.
Regenerate keys every 90 days via Partner Portal for security hygiene.

Tokens secured. Now embed the accounting UI in your platform.