Authentication
Before making any API calls, you need to authenticate using an Application created in Tribe CRM.
Authentication Options
Choose the flow that matches your integration needs. You select this when creating your Application in Tribe CRM.
| Flow | Best for |
|---|---|
| Authorization Code | Marketplace integrations requiring user-specific authorization across multiple organizations |
| Client Credentials | Server-to-server integrations operating at the organizational level |
| Quick Setup | Quick prototyping, development, and personal integrations |
Creating Your Application
- Log in to Tribe CRM
- Go to Configuration > Applications (app.tribecrm.nl/configuration/api)
- Choose your authentication flow tab (Authorization Code or Client Credentials)
- Click Create New Application
- Configure the application settings (see each flow below for details)
Authorization Code Flow
Best for: Marketplace integrations and applications requiring user-specific authorization across multiple organizations.
The Authorization Code flow allows users to grant your application access to their Tribe CRM data with their explicit consent. Use this for:
- Multi-tenant SaaS integrations
- Applications used by multiple organizations
- Scenarios requiring user-level permissions and consent
Application Registration
- Go to Configuration > Applications in Tribe CRM
- Switch to the Authorization Code tab
- Create a new application — name and redirect URL are mandatory
- Optionally add a logo and description (shown on the consent screen)
- Save the application
Step 1: User Consent URL
Redirect the user's browser to the authorization endpoint:
GET https://auth.tribecrm.nl/oauth2/auth
| Parameter | Required | Description |
|---|---|---|
| client_id | Yes | OAuth 2.0 client identifier issued to your application |
| redirect_uri | Yes | Must match the redirect URI registered for your client |
| state | Yes | A state value (minimum 8 characters) to protect against CSRF |
| response_type | Yes | Must be code |
| scope | Yes | Space-separated list of scopes, e.g. read write offline |
| organization_id | No | UUID of the specific Tribe organization |
Step 2: Redirect URI
After the user approves, the authorization server redirects the browser to your redirect_uri:
{redirect_uri}/?code=AUTH_CODE&scope=read write offline&state=STATE
| Parameter | Description |
|---|---|
| code | The authorization code — short-lived, single-use |
| scope | Scopes actually granted (may be a subset of what was requested) |
| state | Must match the value you originally sent |
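An added example (not part of the Tribe CRM documentation) of Steps 1 and 2 from the integrator's side: it builds the consent URL with a random state, then rejects a callback whose state does not match or whose granted scopes fall short of what the application needs. The `session` dict, the function names and the `required_scopes` parameter are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://auth.tribecrm.nl/oauth2/auth"  # endpoint from the page


def build_consent_url(client_id, redirect_uri, scopes, session, organization_id=None):
    """Step 1: return the consent URL and bind a fresh state to this user's session."""
    state = secrets.token_urlsafe(32)  # 43 chars, well above the 8-char minimum
    session["oauth_state"] = state     # `session` is an assumed server-side dict
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "response_type": "code",
        "scope": " ".join(scopes),
    }
    if organization_id:
        params["organization_id"] = organization_id
    return AUTH_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url, session, required_scopes=("read",)):
    """Step 2: validate the redirect; return (code, granted) or raise ValueError."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use, even on failure
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: discard the code, do not call the token endpoint")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    # The granted scopes may be a subset of the request, so check what the app needs.
    granted = set(query.get("scope", [""])[0].split())
    missing = set(required_scopes) - granted
    if missing:
        raise ValueError("scopes not granted: " + " ".join(sorted(missing)))
    return query["code"][0], granted
```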
Step 3: Token Request with Code
Exchange the authorization code for an access token from your back-end server:
POST https://auth.tribecrm.nl/oauth2/token
Content-Type: application/x-www-form-urlencoded
| Parameter | Description |
|---|---|
| grant_type | authorization_code |
| client_id | Your application's client ID |
| client_secret | Your application's client secret |
| code | The authorization code from the redirect |
Response:
{
  "access_token": "...",
  "token_type": "bearer",
  "expires_in": 86400,
  "refresh_token": "..."
}
Step 4: Token Refresh
When the access token expires (after 24 hours), use the refresh token to get a new one without user interaction:
POST https://auth.tribecrm.nl/oauth2/token
Content-Type: application/x-www-form-urlencoded
| Parameter | Description |
|---|---|
| grant_type | refresh_token |
| client_id | Your application's client ID |
| client_secret | Your application's client secret |
| refresh_token | The refresh token from the previous response |
| redirect_uri | Must match the redirect URI used during initial authorization |
Response:
{
  "access_token": "...",
  "token_type": "bearer",
  "expires_in": 86400,
  "refresh_token": "..."
}
Store the new refresh_token from each response — it replaces the previous one.
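An added example (not Tribe CRM's own code) of handling the rotation described in Step 4: it reuses the access token until shortly before `expires_in` elapses, and persists the replacement refresh token before handing out the new access token. The `TokenManager` class, the dict-like `store`, the injectable `post` and `clock` parameters and the 60-second `skew` are assumptions; in production the store would be a secrets manager or an encrypted database row.

```python
import json
import time
import urllib.request
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://auth.tribecrm.nl/oauth2/token"  # endpoint from the page


def post_form(url, fields):
    """Default transport: POST form-encoded fields, return the parsed JSON body."""
    req = urllib.request.Request(url, data=urlencode(fields).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenManager:
    """Caches the access token and persists each rotated refresh token."""

    def __init__(self, client_id, client_secret, redirect_uri, store,
                 post=post_form, clock=time.time, skew=60):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.store = redirect_uri, store
        self.post, self.clock, self.skew = post, clock, skew
        self._access, self._expires_at = None, 0.0

    def access_token(self):
        # Reuse the cached token until `skew` seconds before it expires.
        if self._access and self.clock() < self._expires_at - self.skew:
            return self._access
        body = self.post(TOKEN_ENDPOINT, {
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": self.store["refresh_token"],
            "redirect_uri": self.redirect_uri,
        })
        # Persist the replacement first: it replaces the previous refresh token.
        self.store["refresh_token"] = body["refresh_token"]
        self._access = body["access_token"]
        self._expires_at = self.clock() + int(body["expires_in"])
        return self._access

    def auth_header(self):
        return {"Authorization": "Bearer " + self.access_token()}
```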
Client Credentials Flow
Best for: Server-to-server integrations operating at the organizational level without requiring individual user authorization.
This is the simplest OAuth 2.0 flow. Your application authenticates directly with the API using its Client ID and Client Secret. Use this for:
- Internal automation and workflows
- Background services and scheduled tasks
- Organization-wide data synchronization
Application Registration
- Go to Configuration > Applications in Tribe CRM
- Switch to the Client Credentials tab
- Create a new application and give it a name
- Save the application
Once saved, you will see a Client ID, a Secret, and an application employee automatically generated. The application employee is the virtual user the application will impersonate when making changes to your data. Make sure to modify their rights according to what you wish to allow this application to do.
Token Request
POST https://auth.tribecrm.nl/oauth2/token
Content-Type: application/x-www-form-urlencoded
| Parameter | Description |
|---|---|
| grant_type | client_credentials |
| client_id | Your application's client ID |
| client_secret | Your application's client secret |
| scope | read write offline |
Response:
{
  "access_token": "...",
  "token_type": "bearer",
  "expires_in": 86400
}
There is no limit to the number of times the authentication endpoint can be called with the same client_id and client_secret. Each call generates a new access token valid for 24 hours.
Quick Setup with Refresh Token
Skip the initial authorization steps in the Authorization Code flow.
For faster testing and development, you can obtain a refresh token directly from Tribe CRM:
- Go to Configuration > Applications in Tribe CRM
- Find your Authorization Code application (or create one)
- Click the three-dots menu next to the application name
- Choose 'Refresh token'
- Copy the generated refresh token
Then exchange it for an access token:
POST https://auth.tribecrm.nl/oauth2/token
Content-Type: application/x-www-form-urlencoded
| Parameter | Description |
|---|---|
| grant_type | refresh_token |
| client_id | Your application's client ID |
| client_secret | Your application's client secret |
| refresh_token | The refresh token copied from Tribe CRM |
This returns an access token and a new refresh token you can use continuously to authenticate your application.
Using the Token
Include the access token in the Authorization header of all API requests:
Authorization: Bearer <access_token>
GET /v1/odata/Relation_Person
Endpoints Summary
| Endpoint | Description |
|---|---|
| GET https://auth.tribecrm.nl/oauth2/auth | Authorization / consent URL |
| POST https://auth.tribecrm.nl/oauth2/token | Token endpoint (all flows) |