Get Started

The Tight API uses access tokens to authenticate requests. To get started, simply exchange your client credentials and a userId for an access token:
curl -X POST https://sandbox.tight.com/v6/auth/token \
    -u client_id:client_secret \
    -d userId=your_userId
The Tight API will respond with your granted access token:
{
    "access_token": "<access_token>",
    "token_type": "Bearer",
    "expires_in": 3600
}
This token can be used anywhere in the Tight API to access this user’s data.

Partner-level Authentication

The userId in the above request is optional. You can omit it to request a token that can access data across all of your users:
curl -X POST https://sandbox.tight.com/v6/auth/token \
    -u client_id:client_secret
See the POST /token reference for more information.

Using the Access Token

Include the returned token in the Authorization header of any request to the Tight API:
curl --location --request POST 'https://sandbox.tight.com/v6/banks/transactions' \
    -H 'Authorization: Bearer <access_token>'
The above request retrieves bank transactions available to the provided access_token.

Authentication Scenarios

How the token was generated impacts what data the above request will return. For example, when using a token generated for a specific business owner (via their userId), the request will return bank transactions belonging to that user’s company. The following table outlines what data is accessible based on the userId provided:
| Authentication Type | Data Accessible |
| --- | --- |
| Business owner | Only that company |
| Bookkeeper | All companies the bookkeeper can access |
| None (Partner-level) | All companies |
How the token was generated impacts how the Tight API audits changes to entities modified using that token. See the Audit Trail docs for more info.
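
A backend helper for the token exchange and scopes described above, added here as an example (not Tight's own code): it builds the same request as the curl calls, keeps the client secret server-side, and requires an explicit opt-in before requesting a partner-level token. The function names and the `allow_partner_level` flag are assumptions; only the endpoint, the `userId` field and the response fields come from this page.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://sandbox.tight.com/v6/auth/token"  # endpoint from the page


def build_token_request(client_id, client_secret, user_id=None, allow_partner_level=False):
    """Build (but do not send) the POST /auth/token request.

    Omitting userId yields a partner-level token that reads every company,
    so this hypothetical helper makes the caller opt in to that explicitly.
    """
    if user_id is None and not allow_partner_level:
        raise ValueError("userId missing: pass allow_partner_level=True for an all-users token")
    # Equivalent of curl's `-u client_id:client_secret` (HTTP Basic).
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    # The partner-level curl call sends no form fields; an empty body does the same.
    body = urllib.parse.urlencode({"userId": user_id} if user_id is not None else {}).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw):
    """Validate the response shape shown on the page and return (token, lifetime)."""
    doc = json.loads(raw)
    if doc.get("token_type") != "Bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    expires_in = doc.get("expires_in")
    if not isinstance(expires_in, int) or expires_in <= 0:
        raise ValueError("missing or invalid expires_in")
    return doc["access_token"], expires_in


def auth_header(access_token):
    """Header for API calls; the token should stay out of logs and URLs."""
    return {"Authorization": f"Bearer {access_token}"}


def fetch_token(client_id, client_secret, user_id=None, allow_partner_level=False):
    """Send the request from a backend; the client secret never goes to a browser."""
    req = build_token_request(client_id, client_secret, user_id, allow_partner_level)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())
```

Only the short-lived access token returned by `fetch_token` should be handed to a user session; the client credentials stay on the server.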

Token Renewal

Instead of tracking token expiration, generate a new token for each user session.
Tight Embedded Components automatically refresh tokens for you.