OAuth Apps
OAuth apps let users sign in to your application with their TrucklineMP account. After authorization, your app receives access tokens scoped to the permissions you requested.
OAuth is separate from Public API keys. Use OAuth when you need to act on behalf of a signed-in user. Use API keys for server-side reads of public platform data.
Create an app
- Enable Developer Mode and open the Developer Console.
- Go to OAuth Apps and click Create App.
- Fill in the app name, description, icon, website, and legal URLs.
- On the OAuth page, set redirect URIs (one per line) and select scopes.
- Save changes. Copy the client secret when it is shown. It cannot be retrieved later.
App types
| Type | Client secret | Typical use |
|---|---|---|
| confidential (default) | Required at the token endpoint | Server-side web apps and backends |
| public | Not used | Mobile apps and SPAs that use PKCE |
Public clients do not authenticate at the token endpoint (no client_secret_post; the client_secret parameter is omitted). Confidential clients must send client_secret.
OAuth endpoints
Discovery document (OAuth 2.0 Authorization Server Metadata):

GET https://trucklinemp.com/.well-known/oauth-authorization-server

| Endpoint | URL |
|---|---|
| Authorization | https://trucklinemp.com/oauth/authorize |
| Token | https://trucklinemp.com/api/oauth/token |
| Revocation | https://trucklinemp.com/api/oauth/revoke |
| Userinfo | https://trucklinemp.com/api/oauth/userinfo |
Supported response type: code (authorization code flow).
Supported grant types: authorization_code, refresh_token.
Supported PKCE method: S256.
Scopes
| Scope | Access |
|---|---|
| profile | Username, avatar, and public profile (required) |
| vtc:read | VTC membership, roles, and VTC details |
| events:read | Events the user attends or created |
| bans:read | Ban or suspension status for the user |
Request only the scopes your app needs. Users see the full list on the consent screen.
Authorization flow
1. Redirect the user to authorize
Build a URL (or use the install link on your app overview):

https://trucklinemp.com/oauth/authorize
  ?client_id=tlmp_client_...
  &response_type=code
  &redirect_uri=https://your-app.com/callback
  &scope=profile vtc:read
  &state=RANDOM_CSRF_TOKEN

If your app requires PKCE, also include:

  &code_challenge=CHALLENGE&code_challenge_method=S256

Generate the challenge from a code_verifier using SHA-256 and base64url encoding.
2. User consents
The user signs in (if needed) and approves the requested scopes. TrucklineMP redirects back to your redirect_uri with code and state.
Verify state matches what you sent to prevent CSRF attacks.
3. Exchange the code for tokens
curl -X POST "https://trucklinemp.com/api/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "client_id=tlmp_client_..." \
  -d "client_secret=tlmp_secret_..." \
  -d "code=AUTHORIZATION_CODE" \
  -d "redirect_uri=https://your-app.com/callback" \
  -d "code_verifier=VERIFIER_IF_PKCE"

Response includes access_token (tlmp_...) and optionally refresh_token (tlmpr_...).
4. Call userinfo
curl -H "Authorization: Bearer tlmp_ACCESS_TOKEN" \
  "https://trucklinemp.com/api/oauth/userinfo"

PKCE protects public clients that cannot store a client secret. Enable Require PKCE in your app’s security settings to reject authorization requests without a valid challenge.
When PKCE is required:
- Generate a code_verifier (random base64url string).
- Compute code_challenge = BASE64URL(SHA256(code_verifier)).
- Send code_challenge and code_challenge_method=S256 on the authorize request.
- Send code_verifier on the token request.
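The authorization flow and PKCE steps above as a client-side helper, added here as an example and not part of the TrucklineMP documentation: it derives the S256 challenge, builds the authorize URL, rejects a callback whose state does not match, and assembles the token request body. The client ID, redirect URI and state values are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://trucklinemp.com/oauth/authorize"

def make_code_verifier(n_bytes: int = 32) -> str:
    # Random base64url string, padding stripped; 32 bytes gives the 43-char minimum of RFC 7636.
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")

def make_code_challenge(code_verifier: str) -> str:
    # S256: BASE64URL(SHA256(code_verifier)), unpadded, as in the PKCE steps above.
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(client_id, redirect_uri, scopes, state, code_challenge=None):
    # Step 1: the authorize request; state is a per-session random value kept server-side.
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state}
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    # Step 2: refuse the callback unless state matches what this session sent (CSRF check).
    q = parse_qs(urlparse(callback_url).query)
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: rejecting callback")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"][0]

def token_request_body(client_id, code, redirect_uri, code_verifier=None, client_secret=None):
    # Step 3: form body for POST /api/oauth/token. Public clients omit client_secret;
    # confidential clients must send it. code_verifier is required when PKCE was used.
    body = {"grant_type": "authorization_code", "client_id": client_id,
            "code": code, "redirect_uri": redirect_uri}
    if client_secret is not None:
        body["client_secret"] = client_secret
    if code_verifier is not None:
        body["code_verifier"] = code_verifier
    return body
```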
Testing mode and test users
New third-party apps start unpublished. While unpublished:
- Only the app owner and test users can complete authorization.
- Everyone else sees a message that the app is in testing mode.
Add test users on the General page of your app settings. Search for TrucklineMP users by name or handle. The test user list can also include email addresses that match the authorizing account.
This lets you develop and QA without exposing the app to all TrucklineMP users.
Publishing
When your app is ready for the public:
- Complete domain verification for your website and redirect URIs (required for sensitive configurations).
- Open the Publishing page in your app settings.
- Click Verify / Publish App to submit for staff review when required.
- After approval, use Publish App to make the app available to all users.
Published apps can be unpublished again from the same page. Unpublishing returns the app to testing mode restrictions.
Staff may reject an app with notes explaining what to fix. Address the feedback and resubmit.
Token formats
| Item | Prefix / format |
|---|---|
| Client ID | tlmp_client_... |
| Client secret | tlmp_secret_... |
| Access token | tlmp_... |
| Refresh token | tlmpr_... |
Rotate the client secret from the security page if it is compromised. Existing tokens may be invalidated depending on your rotation settings.
Security checklist
- Use HTTPS redirect URIs in production.
- Always validate the state parameter.
- Use PKCE for public clients and browser-based apps.
- Store client secrets and refresh tokens server-side only.
- Request the minimum scopes required.