Contact Us

If you still have questions or prefer to get help directly from an agent, please submit a request.
We’ll get back to you as soon as possible.

Please fill out the contact form below and we will reply as soon as possible.

    English (US)
    HR Croatian
    PL Polish
    DE German
    US English (US)
    ES Spanish
    MX Spanish (Mexico)
    • Home
    • Integrations
    • Fixably API

    Using OAuth2 Clients for secure API access to your tenant

    Learn to implement OAuth2 clients for secure API access to your tenant, enhancing data protection and user authentication.

    Written by Cole Docherty

    Updated at June 15th, 2026

    Contact Us

    If you still have questions or prefer to get help directly from an agent, please submit a request.
    We’ll get back to you as soon as possible.

    Please fill out the contact form below and we will reply as soon as possible.

    • Release Notes
      2026 Releases 2025 Releases 2024 Releases
    • Newly Released Features
      Blackbelt360 New Features
    • Getting Started
      Overview How To
    • Roles & Permissions
    • Manifests
    • Order Management
      Orders How-To Guides Batch Edit Order Lists Using Files Cost Estimates
    • Automations
    • Employee Management
    • Customer Management
      Adding & Removing Customers Communicating with Customers Data Privacy
    • Customer Portal
    • Stock Management
      Adding and Receiving Products Inventory Management Resolving Stock Errors
    • Part Requests
    • Price Lists
    • Invoicing
    • Reporting
      Standard Reports Built-in and Custom Reports Advanced Reports
    • Custom Fields
    • Integrations
      Shipping and Transportation Finance Single Sign-on (SSO) Payment Integrations Fixably API Blackbelt360 Xero Accounting WhatsApp Business
    • GSX
      GSX Integration Creating Repairs Managing Repairs Resolving Errors Frequently Asked Questions Part Returns
    • Shipments
    • Service Contracts
    • Configuring Your Environment
      System Settings Email and SMS Setup Importing Data Security
    • Incoming Part Allocation
    • Appointment Booking
    + More

    Table of Contents

    Before you begin OAuth2 clients vs. User Tokens – which to use Setting up OAuth2 Clients Verify the token works Using your token (for developers) Managing OAuth2 Clients User Tokens (legacy) Troubleshooting Getting support

    Fixably's REST API lets external systems create orders, manage customers, read invoices, push stock, and more. Access is controlled through OAuth2 clients – scoped, expiring tokens you can revoke individually without affecting other integrations.

    Everything to do with API access lives under System Settings > API. The menu has three pages: Settings (account-wide options), OAuth2 Clients (create, edit, and revoke clients), and User Tokens (legacy per-user keys).


    Before you begin

    • You must be a tenant admin. The API area is hidden for non-admins.
    • Decide who owns the client. The token acts on the owner's behalf and inherits what that user can see.
    • Decide the access level: use Admin for internal integrations, Customer for anything you hand to an outside customer or partner.
    • Know your API base URL: https://YOUR-SUBDOMAIN.fixably.com/api/v3/
    • Have the list of scopes the integration needs ready. Grant only what it uses — you can always add more later.


    OAuth2 clients vs. User Tokens – which to use

    Fixably supports two authentication methods. They are not equal.

      User Token (legacy API key) OAuth2 client (recommended)
    Permissions Everything the user can do Only the scopes you grant
    Expiry Never Week / Month / Year / your choice
    Limit to a customer's own data No Yes (Customer access level)
    Hide sensitive fields No Yes (excluded fields)
    If the key leaks The holder can do anything that user can until you revoke it Damage is capped to granted scopes and expires on its own
    Revoke without disruption Revoking affects the whole user account Revoke one client, leave the others running

    Recommendation: Use OAuth2 clients for every new integration. Only keep a User Token if an existing integration still depends on it, and plan to migrate it to OAuth2.

     

    Setting up OAuth2 Clients

    • Navigate to System Settings > API > OAth2 Clients

    • Click the Create New Client button.

    • Enter the Client name. Names must be 3–255 characters and unique. You cannot reuse the names of built-in clients (Portal, Fixably Signature App, Fixably Camera App).

    • Choose the appropriate Access Level for your use case. 
      • Select the Admin access level for internal API projects that require full access to all resources.
      • Choose Customer when a customer or partner is building an API integration and should only have access to the resources they own.

    • Select the Owner. For Customer access, this should be the customer profile in your Fixably tenant you expect repairs to be attached to. 

    • Set the Token expiration time. Shorter lifetimes are safer. For long-running integrations, use No expiration or build token refresh into the integration.

    Token expiration options:

    Option Meaning
    Week Expires one week from creation
    Month Expires one month from creation
    Year Expires one year from creation
    No expiration Effectively never expires

     

    • Select the appropriate Scopes. Scopes determine which API endpoints the token can access.
      • Tick only the scopes the integration actually uses. You can add more later by editing the client.
      • Read scopes (…:view) and write scopes (…:create, …:update, …:delete) are separate. Grant write scopes only when the integration writes data.
      • A call to an endpoint whose scope the token does not have returns 403 Forbidden.

    • If required, you can also use Excluded fields to restrict what data is visible in API responses. For example, a customer integration can access order lines but be prevented from seeing your internal purchase price for a part. 

    • Click Submit to save. A confirmation message will appear with your Bearer token.

    Important: The Bearer token is displayed only once, immediately after you create the client. It cannot be viewed again. Store it in a password manager or your integration's secrets store. If you lose it, you must revoke the client's tokens and create a new client to generate a fresh one.

     


    Verify the token works

    To confirm the token is working, make a test call using the Authorization header below (replace the subdomain and token). A 200 response confirms the setup is correct. For 401 or 403 responses, see Troubleshooting below.

    Authorization: Bearer YOUR_TOKEN → https://YOUR-SUBDOMAIN.fixably.com/api/v3/orders

     

    Using your token (for developers)

    Base URL: https://YOUR-SUBDOMAIN.fixably.com/api/v3/

    Send the token in the Authorization header on every request: Authorization: Bearer YOUR_TOKEN

    • Scopes: A missing scope returns 403. Ask the admin to add the required scope to the client.
    • Rate limits: When throttled you will receive 429 Too Many Requests. Monitor the X-RateLimit-Remaining and X-RateLimit-Reset headers and back off accordingly. The limit is shared across all tokens in the account.
    • Full endpoint reference: openapi.fixably.com

    Managing OAuth2 Clients

    • Navigate to System Settings > API > OAth2 Clients

    • You will see a list of all OAuth2 clients set up in your tenant. Tick Show inactive to also see clients whose tokens have all expired.

    • Under the gear menu, you have the following management options: 

    • Edit allows you to modify the scope and excluded fields, as well as modify the expiry date. 

    • View Sessions will show all active tokens for the client, including the owner, access level, and expiry date for each.

    • Logs will show any recent API requests made with this client, to assist with validation and troubleshooting.

    • Revoke all tokens will immediately invalidate every token for the client. You will be asked to confirm before this takes effect.

    Note on built-in clients: Portal, Fixably Signature App, and Fixably Camera App are system clients that cannot be edited. Revoking their tokens can break core Fixably features. Fixably will warn you before you revoke a system client – only proceed if you have a specific reason to do so.

     

    User Tokens (legacy)

    The User Tokens page lists older, per-user API keys. These carry a user's full permissions with no scopes and no expiry. New integrations should use OAuth2 clients instead.

    If a legacy key still exists, you can Revoke it or view its Logs. Treat this page as read-and-clean-up only: revoke keys you no longer recognise, and move any active integration that still relies on one over to an OAuth2 client.

    Troubleshooting

    • 401 Unauthorized with a token I just created. The token may have expired or the client may be inactive. Check the client's expiration setting and confirm it is not switched off. If you have lost the token, revoke the client's tokens and create a new client to get a fresh one.
    • 403 Forbidden on an endpoint I should be able to call. The token is missing the scope that endpoint requires. Edit the client and add the scope, then try again. A 403 is a permissions issue; a 401 is a token validity issue.
    • I did not copy the token before closing the confirmation screen. The Bearer token is displayed only once. There is no way to view it again. Revoke the client's tokens under the gear menu and create a new client to generate a fresh token.
    • An outside partner can see data that does not belong to them. The client was likely created with Admin access. For external use, create a Customer-access client instead — it automatically limits the token to data the owner is allowed to see.
    • 429 Too Many Requests. You have hit the per-tenant rate limit. Retry after the time shown in the X-RateLimit-Reset header. The limit is shared across the whole account, so a busy integration can affect all other tokens.
    • The API menu is not showing. The API area is admin-only. Ask a tenant admin to open it or to create the client on your behalf.

    Getting support

    If you are stuck, contact Fixably support and include the following:

    • Your tenant name (subdomain)
    • The OAuth2 client name or ID
    • The endpoint URL and query string you called
    • The response status code and body
    • Roughly when the issue occurred
    secure api oauth access token authorization authentication

    Was this article helpful?

    Yes
    No
    Give feedback about this article

    Related Articles

    • How do I configure the Apple GSX integration?
    • How do I resolve GSX Error 400?
    • How do I resolve errors stating that my GSX Activation Token has expired?
    Get started today and start fixing hardware with software
    Thank you! We will contact you shortly.
    Oops! Something went wrong while submitting the form.
    ProductsFixably RepairFixably Depot
    SolutionsAASPsEnterprise ServiceRefurbishersMulti-Brand Repairs
    ResourcesAll ResourcesCustomer StoriesBlog
    CompanyAbout UsCareers
    Follow UsFacebookInstagramTwitterLinkedIn

    Contact Us

    sales@fixably.comsupport@fixably.com
    Fixably RepairRepair ManagementGSX IntegrationInventory & StockCustomer ExperienceReporting & DataPoint of SaleFixably Paperless

    North America  Sales

    +1 888 3600 63920289 Stevens Creek Blvd #1070
    Cupertino, CA 95014
    United States

    Europe  Sales

    +358 45 4900 549Kansakoulukatu 3
    00100 Helsinki
    Finland

    Contact Us

    sales@fixably.comsupport@fixably.com
    Copyright © Fixably Ltd.Privacy PolicyTerms of ServiceData Processing Agreement

    Copyright 2026 – Fixably.

    Knowledge Base Software powered by Helpjuice

    Expand