Every Tallyfy API request needs authentication. Pick the method that fits your use case:
- Personal access token: grab your token from Settings > Integrations > REST API in Tallyfy and pass it in the Authorization header. Tokens last 6 months and act as the logged-in user. Best for scripts, testing, and quick integrations.
- Client credentials flow: use a client_id and client_secret (provided by Tallyfy Support) to get an application-level token via POST https://go.tallyfy.com/oauth/token. App tokens last 7 days. Best for backend services that don’t need a user session.

Include these three headers on every API call:

| Header | Value |
|---|---|
| Authorization | Bearer {access_token} |
| Accept | application/json |
| X-Tallyfy-Client | APIClient |

Omitting X-Tallyfy-Client or Accept will cause requests to fail.
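
The client credentials flow and the three required headers, as an added example (not Tallyfy's own code): it keeps the app token in memory only, refreshes it shortly before the 7-day lifetime runs out, and keeps the token out of `repr` output. Assumptions: the token endpoint accepts a standard RFC 6749 form body with `grant_type=client_credentials` and returns `access_token` and `expires_in` in JSON; the environment variable names and the `TokenCache` class are hypothetical.

```python
import json, os, time, urllib.parse, urllib.request

TOKEN_URL = "https://go.tallyfy.com/oauth/token"  # from the page
APP_TOKEN_TTL = 7 * 24 * 3600                     # page: app tokens last 7 days

def fetch_app_token(client_id, client_secret):
    """POST client credentials; returns (token, lifetime_seconds).
    Assumption: RFC 6749 form body and an 'access_token' JSON field."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(TOKEN_URL, data=body,
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        data = json.load(resp)
    return data["access_token"], int(data.get("expires_in", APP_TOKEN_TTL))

class TokenCache:
    """Keeps one token in memory and refreshes it ahead of expiry."""
    def __init__(self, fetch, skew=300, clock=time.time):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Refresh when no token is cached or expiry is within `skew` seconds.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._token, ttl = self._fetch()
            self._expires_at = self._clock() + ttl
        return self._token

    def headers(self):
        # The three headers the page requires on every API call.
        return {
            "Authorization": f"Bearer {self.token()}",
            "Accept": "application/json",
            "X-Tallyfy-Client": "APIClient",
        }

    def __repr__(self):  # keep the token out of logs and tracebacks
        return f"<TokenCache expires_at={self._expires_at:.0f}>"

if __name__ == "__main__":
    # Hypothetical variable names; secrets come from the environment, not source.
    cache = TokenCache(lambda: fetch_app_token(
        os.environ["TALLYFY_CLIENT_ID"], os.environ["TALLYFY_CLIENT_SECRET"]))
    print(sorted(cache.headers()))  # header names only, never the token
```
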
Authentication > Get & use a personal access token
The Tallyfy API uses personal access tokens for authentication. Include the token in the Authorization header, along with the Accept and X-Tallyfy-Client headers, on all API requests. Tokens are invalidated upon logout.
Integrations > Open API
Tallyfy’s REST API gives developers full programmatic access to every core platform feature, including process management, task operations, user control and data export. It uses standard JSON responses and three authentication methods (user tokens, application tokens and OAuth), with required headers sent to a single production endpoint.
Open Api > API integration guide
The Tallyfy REST API enables workflow automation through two authentication methods (user-based tokens obtained from Settings or application-based OAuth credentials). It requires specific headers and proper token management, and supports multi-organization contexts and webhook integrations with standardized date formats.
Authentication > Use the client credentials flow
The OAuth 2.0 client credentials flow lets server-side apps authenticate with Tallyfy’s API using a client ID and secret to get application-level tokens (valid 7 days) and optional user-specific tokens (valid 3 months) for acting as individual users.