API reference

The Third-Party Manager Application Programming Interface (API) is the developer interface for the Third-Party Manager platform. Use the API to develop your own applications. The API interacts with your organization's live data, so take care with actions such as deleting data.

There are three sets of endpoints:

  • GET: Retrieve information from Third-Party Manager.
  • POST: Create (push) new information to Third-Party Manager.
  • PUT: Update existing records in Third-Party Manager.

Standards

  • The API is organized around REST and is built on the JSON API v1.0 specification.
  • The OAuth 2.0 Authorization Framework controls access to the API. OAuth 2.0 provides a safe and secure way to access data, while protecting your account credentials.
    • Security Scheme: HTTP
    • HTTP Authorization Scheme: bearer
    • Bearer format: "oauth2"

Rate limitations

The API safeguards against bursts of usage to help maximize its stability. The default for API requests is 600 per hour. A best practice is to not make more than 6 requests per second or a maximum of 6,000 per hour. Avoid making unnecessary requests to the API. Some additional endpoints have specific rate limits associated with them as well.

If you make too many requests, the API responds with a 429 "Too many requests" status.
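The limits above expressed as client-side logic, added here as an example (not code from Third-Party Manager): it spaces requests to at most 6 per second, sends the bearer token, and backs off when the API answers 429. The `ThrottledClient` name, the `send` transport callable and the handling of a `Retry-After` header are assumptions, not part of the documented API.

```python
import time
from collections import deque

MAX_PER_SECOND = 6  # ceiling recommended in the rate-limit guidance above


class ThrottledClient:
    """Bearer-token client that self-limits and backs off on HTTP 429."""

    def __init__(self, send, token, clock=time.monotonic, sleep=time.sleep):
        # send(method, url, headers) -> (status, headers, body) is a
        # hypothetical transport; wrap your HTTP library of choice in it.
        self._send = send
        self._token = token  # load from a secret store; never hard-code or log
        self._clock = clock
        self._sleep = sleep
        self._sent = deque()  # send times within the last second

    def _wait_for_slot(self):
        while True:
            now = self._clock()
            while self._sent and now - self._sent[0] >= 1.0:
                self._sent.popleft()
            if len(self._sent) < MAX_PER_SECOND:
                self._sent.append(now)
                return
            self._sleep(1.0 - (now - self._sent[0]))

    def request(self, method, url, max_retries=4):
        headers = {
            "Authorization": f"Bearer {self._token}",
            "Accept": "application/vnd.api+json",  # JSON:API media type
        }
        for attempt in range(max_retries + 1):
            self._wait_for_slot()
            status, resp_headers, body = self._send(method, url, headers)
            if status != 429:
                return status, body
            # Assumption: the server may send Retry-After in seconds.
            # Otherwise back off exponentially: 1 s, 2 s, 4 s, ...
            hint = str(resp_headers.get("Retry-After", ""))
            self._sleep(float(hint) if hint.isdigit() else 2.0 ** attempt)
        raise RuntimeError("still rate limited after %d attempts" % (max_retries + 1))
```

The retry count is bounded so that a persistently throttled job fails visibly instead of looping against the API.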

Permissions

You must be a System Administrator to access the API. You may wish to create a system account in Third-Party Manager and build your application from that if your organization's security policies permit accounts not tied to an individual.

The API does not use a username and password. It uses a client ID (a public identifier for the app, which should not be guessable) and a client secret (a secret known only to the application and the authorization server; it is essentially the application's own password) to obtain an access token. The access token is then used to make calls to the endpoints.