LibraryThing's secure API authorization


thingAuth is a secure API authorization system to be used by developers accessing LibraryThing's member data. To use thingAuth as a developer, you must first be a member, and second register an application. Each registered application will be given an application key number as well as an application secret. These are used to establish user authentication between third-party applications and LibraryThing.

Before account information access is granted, the end user must first approve the application. Once approved, the application's request will be signed and access to the user's data will be made available through independent API requests. Users can revoke access for any approved application via their edit profile settings.

Register an application


Get started with thingAuth and LibraryThing's API by registering your application. Your application's key, secret, and authorization URL are extremely important and we recommend storing them on your local machine. The steps below outline how thingAuth works on both the application and user end.


Before receiving the access token, the user must first grant the application access. To do this, you must direct users to the authorization URL URL HASH

The user, once signed in, will be prompted to authorize the application. Once the user makes a selection, they will be redirected to the application's callback URL with the response data sent as POST form fields. The POST field "status" is always present: a 200 code means access granted, a 401 code means access denied. With an access granted response, the user will be returned with a token and a token expiration time stamp.

Example response:

status = "200"
user_token = "ueirkalwo394djk3isk2oijsdoij3j340j3d0j34"
user_token_expires = "1285799558"


Now that access has been granted, you can make API calls using the methods below. Each API call must be sent in POST form and must include a packet of information consisting of the API method, API function, user token, app key, app secret, and response format.

Example request:

"method" = "read"
"function" = "profile"
"format" = "json"
"token" = "ueirkalwo394djk3isk2oijsdoij3j340j3d0j34"
"key" = "d6a8299wo394djk3isk2oijsdoij3j340j3d0j38"
"secret" = "d6a8299wo394djk3isk2oijsdoij3j34"

If any part of the packet is missing or incorrect, a fail response will be given along with the reason for failure. This will also happen if the user has revoked access for the application. If the token has expired, an expired response will be given. With a successful API call, the data will be given in the requested format along with a success response.

Example XML response:

<realname>Joey Joe</realname>
<location>Portland, Maine</location>
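Putting the callback and request steps above together, as an added example that is not part of LibraryThing's documentation or any thingAuth client library: it parses the callback POST form, treats user_token_expires as a Unix timestamp (an assumption, based on the sample value), rejects a denied or already-expired result so no call is made with a dead token, and assembles the six-field request packet, checking locally for missing fields rather than learning about them from a fail response. The sample values are the page's own example values.

```python
import time
from urllib.parse import parse_qs, urlencode

# Constructed sample of the callback POST body thingAuth sends to the
# application's callback URL after the user approves access (values from
# the page's example response).
SAMPLE_CALLBACK_BODY = (
    "status=200"
    "&user_token=ueirkalwo394djk3isk2oijsdoij3j340j3d0j34"
    "&user_token_expires=1285799558"
)

def parse_callback(body, now=None):
    """Parse the thingAuth callback form (assumed URL-encoded).
    Returns (token, expires) for an access-granted (200) reply that is
    still valid, None when the user denied access (401) or the token has
    already expired, and raises on a malformed reply."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    status = form.get("status")
    if status == "401":
        return None                     # user denied access
    if status != "200":
        raise ValueError("unexpected status: %r" % (status,))
    token = form.get("user_token")
    expires = form.get("user_token_expires")
    if not token or not expires or not expires.isdigit():
        raise ValueError("access granted but token or expiry missing")
    expires = int(expires)              # assumption: Unix epoch seconds
    if expires <= (time.time() if now is None else now):
        return None                     # expired: send the user back to authorize
    return token, expires

# The six fields every API call packet must carry (from the page).
REQUIRED = ("method", "function", "format", "token", "key", "secret")

def missing_fields(packet):
    """Names of required packet fields that are absent or empty."""
    return [name for name in REQUIRED if not packet.get(name)]

def build_request(method, function, fmt, token, key, secret):
    """Assemble the URL-encoded POST body for one API call, refusing to
    build an incomplete packet (the server would answer with a fail
    response and the reason, but catching it here is cheaper)."""
    packet = {"method": method, "function": function, "format": fmt,
              "token": token, "key": key, "secret": secret}
    missing = missing_fields(packet)
    if missing:
        raise ValueError("incomplete packet, missing: " + ", ".join(missing))
    return urlencode(packet)
```

The returned body is what the application POSTs over HTTPS to the API endpoint; since the packet carries the app secret in clear, it must never be sent from a browser or logged.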