

LibraryThing's secure API authorization

    About

    thingAuth is a secure API authorization system for developers accessing LibraryThing's member data. To use thingAuth as a developer, you must first be a member and then register an application. Each registered application is given an application key number and an application secret. These are used to establish user authentication between third-party applications and LibraryThing.

    Before access to account information is granted, the end user must first approve the application. At that point, the application request will be signed, and access to the user's data will be made available through independent API requests. Users can revoke access to any approved application via their edit profile settings.

    Register an application

    You must be a member of LibraryThing to register an application. To join, simply visit the homepage and elect to join.


    Get started with thingAuth and LibraryThing's API by registering your application. Your application's key, secret, and authorization URL are extremely important, and we recommend storing them on your local machine. The steps below outline how thingAuth works on both the application and user end.


    Before receiving the access token, the user must first grant the application access. To do this, you must direct users to the authorization URL:

    http://www.librarything.com/services/thingAuth/authorize/AUTHORIZATION URL HASH

    The user, once signed in, will be prompted to authorize the application. Once the user makes a selection, the user will be redirected to the application's callback URL with the response data sent in POST form. The POST name "status" will always be given: a 200 code for access granted and a 401 for access denied. With an access-granted response, the user will be returned with a token and a token expiration timestamp.

    Example response:

    status = "200"
    user_token = "ueirkalwo394djk3isk2oijsdoij3j340j3d0j34"
    user_token_expires = "1285799558"


    Now that access has been granted, you can make API calls using the methods below. Each API call must be sent in POST form and must include a packet of information including the API method, API function, user token, app key, app secret, and response format.

    Example request:

    "method" = "read"
    "function" = "profile"
    "format" = "json"
    "token" = "ueirkalwo394djk3isk2oijsdoij3j340j3d0j34"
    "key" = "d6a8299wo394djk3isk2oijsdoij3j340j3d0j38"
    "secret" = "d6a8299wo394djk3isk2oijsdoij3j34"

    If any part of the packet is missing or incorrect, a fail response will be given along with the reason for failure. This will also happen if the user has revoked access for the application. If the token has expired, an expired response will be given. With a successful API call, the data will be given in the requested format along with a success response.

    Example XML response:

    <realname>Joey Joe</realname>
    <location>Portland, Maine</location>
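
    The callback check and request packet described above, as an added example that is not LibraryThing's own code. It assumes the callback body is ordinary form-encoded POST data; the function names, AuthError, and the placeholder key and secret are hypothetical, and no API endpoint is contacted because the page does not give one.

```python
import time
from urllib.parse import parse_qs, urlencode


class AuthError(Exception):
    """Callback or token state does not allow an API call."""


def parse_callback(post_body, now=None):
    """Validate the POSTed callback fields and return (token, expires)."""
    now = time.time() if now is None else now
    # keep_blank_values so an empty field is seen as present but empty
    fields = {k: v[0] for k, v in parse_qs(post_body, keep_blank_values=True).items()}
    status = fields.get("status")  # "status" is always sent, per the page
    if status == "401":
        raise AuthError("user denied access")
    if status != "200":
        raise AuthError(f"unexpected status: {status!r}")
    token = fields.get("user_token", "")
    expires = fields.get("user_token_expires", "")
    if not token or not expires.isdecimal():
        raise AuthError("granted response is missing token or expiry")
    if int(expires) <= now:
        raise AuthError("token already expired")
    return token, int(expires)


def build_packet(token, expires, app_key, app_secret,
                 method="read", function="profile", fmt="json", now=None):
    """Return the form-encoded POST body for one API call."""
    now = time.time() if now is None else now
    if expires <= now:
        # Fail locally instead of spending a request on an expired response.
        raise AuthError("token expired; send the user back to the authorization URL")
    # The packet carries the app secret, so build it server-side only.
    return urlencode({
        "method": method, "function": function, "format": fmt,
        "token": token, "key": app_key, "secret": app_secret,
    })


# Constructed sample input using the example values shown on the page.
SAMPLE_CALLBACK = ("status=200&user_token=ueirkalwo394djk3isk2oijsdoij3j340j3d0j34"
                   "&user_token_expires=1285799558")

if __name__ == "__main__":
    tok, exp = parse_callback(SAMPLE_CALLBACK, now=1285790000)
    print(build_packet(tok, exp, "APP_KEY_PLACEHOLDER", "APP_SECRET_PLACEHOLDER",
                       now=1285790000))
```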


