OAuth Apps

OAuth apps let users sign in to your application with their TrucklineMP account. After authorization, your app receives access tokens scoped to the permissions you requested.

OAuth is separate from Public API keys. Use OAuth when you need to act on behalf of a signed-in user. Use API keys for server-side reads of public platform data.

  1. Enable Developer Mode and open the Developer Console.
  2. Go to OAuth Apps and click Create App.
  3. Fill in the app name, description, icon, website, and legal URLs.
  4. On the OAuth page, set redirect URIs (one per line) and select scopes.
  5. Save changes. Copy the client secret when it is shown. It cannot be retrieved later.
| Type | Client secret | Typical use |
|---|---|---|
| confidential (default) | Required at the token endpoint | Server-side web apps and backends |
| public | Not used | Mobile apps and SPAs that use PKCE |

Public clients call the token endpoint without a client secret (no client_secret_post parameter). Confidential clients must send client_secret.

Discovery document (OAuth 2.0 Authorization Server Metadata):

GET https://trucklinemp.com/.well-known/oauth-authorization-server
| Endpoint | URL |
|---|---|
| Authorization | https://trucklinemp.com/oauth/authorize |
| Token | https://trucklinemp.com/api/oauth/token |
| Revocation | https://trucklinemp.com/api/oauth/revoke |
| Userinfo | https://trucklinemp.com/api/oauth/userinfo |

Supported response type: code (authorization code flow).

Supported grant types: authorization_code, refresh_token.

Supported PKCE method: S256.

| Scope | Access |
|---|---|
| profile | Username, avatar, and public profile (required) |
| vtc:read | VTC membership, roles, and VTC details |
| events:read | Events the user attends or created |
| bans:read | Ban or suspension status for the user |

Request only the scopes your app needs. Users see the full list on the consent screen.

Build a URL (or use the install link on your app overview):

https://trucklinemp.com/oauth/authorize
?client_id=tlmp_client_...
&response_type=code
&redirect_uri=https://your-app.com/callback
&scope=profile vtc:read
&state=RANDOM_CSRF_TOKEN

If your app requires PKCE, also include:

&code_challenge=CHALLENGE
&code_challenge_method=S256

Generate the challenge from a code_verifier using SHA-256 and base64url encoding.

The user signs in (if needed) and approves the requested scopes. TrucklineMP redirects back to your redirect_uri with code and state.

Verify state matches what you sent to prevent CSRF attacks.

curl -X POST "https://trucklinemp.com/api/oauth/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code" \
-d "client_id=tlmp_client_..." \
-d "client_secret=tlmp_secret_..." \
-d "code=AUTHORIZATION_CODE" \
-d "redirect_uri=https://your-app.com/callback" \
-d "code_verifier=VERIFIER_IF_PKCE"

Response includes access_token (tlmp_...) and optionally refresh_token (tlmpr_...).

curl -H "Authorization: Bearer tlmp_ACCESS_TOKEN" \
"https://trucklinemp.com/api/oauth/userinfo"

PKCE protects public clients that cannot store a client secret. Enable Require PKCE on your app’s security settings to reject authorization requests without a valid challenge.

When PKCE is required:

  1. Generate a code_verifier (random base64url string).
  2. Compute code_challenge = BASE64URL(SHA256(code_verifier)).
  3. Send code_challenge and code_challenge_method=S256 on the authorize request.
  4. Send code_verifier on the token request.
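The authorize request, the state check on the callback, and the four PKCE steps above, worked through in one place. This is an added example, not TrucklineMP's own SDK; the authorize endpoint, parameter names and scope names are the page's, while the client id and redirect URI are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Authorize endpoint and scope names come from the page; the client id and
# redirect URI below are constructed placeholders, not real registered values.
AUTHORIZE_URL = "https://trucklinemp.com/oauth/authorize"
CLIENT_ID = "tlmp_client_EXAMPLE"
REDIRECT_URI = "https://your-app.com/callback"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for code_challenge_method=S256,
    i.e. code_challenge = BASE64URL(SHA256(code_verifier))."""
    if verifier is None:
        # 32 random bytes -> 43-char verifier, inside RFC 7636's 43..128 range
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(scopes, state, code_challenge):
    """The URL the browser is sent to, with state and PKCE challenge attached."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Pull the code out of the redirect, refusing any state mismatch."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    # Constant-time compare; a mismatch means CSRF or a mixed-up session.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "code" not in qs:
        raise ValueError("authorization response carries no code")
    return qs["code"][0]
```

The code_verifier returned by make_pkce_pair is the value sent as code_verifier on the token request; hold it in the user's session until that exchange and never put it in the authorize URL.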

New third-party apps start unpublished. While unpublished:

  • Only the app owner and test users can complete authorization.
  • Everyone else sees a message that the app is in testing mode.

Add test users on the General page of your app settings. Search for TrucklineMP users by name or handle. The test user list can also include email addresses that match the authorizing account.

This lets you develop and QA without exposing the app to all TrucklineMP users.

When your app is ready for the public:

  1. Complete domain verification for your website and redirect URIs (required for sensitive configurations).
  2. Open the Publishing page in your app settings.
  3. Click Verify / Publish App to submit for staff review when required.
  4. After approval, use Publish App to make the app available to all users.

Published apps can be unpublished again from the same page. Unpublishing returns the app to testing mode restrictions.

Staff may reject an app with notes explaining what to fix. Address the feedback and resubmit.

| Item | Prefix / format |
|---|---|
| Client ID | tlmp_client_... |
| Client secret | tlmp_secret_... |
| Access token | tlmp_... |
| Refresh token | tlmpr_... |

Rotate the client secret from the security page if it is compromised. Existing tokens may be invalidated depending on your rotation settings.

  • Use HTTPS redirect URIs in production.
  • Always validate the state parameter.
  • Use PKCE for public clients and browser-based apps.
  • Store client secrets and refresh tokens server-side only.
  • Request the minimum scopes required.