Changelog
Every change to the documented API surface, newest first. The version is the
one in the specification's info.version, so it moves when the
docs move, not when the product ships. A release marked
Docs only changed no server behaviour: calls you
already make keep working, but the schema you coded against may have been
wrong, and the entry says how.
Pagination and schema description fixes
Fixed Simple pagination on inbox tags
GET /v1/inboxes/{inbox_id}/tagswas described as returning nometablock, withnext_page_urlandprev_page_urlinlinks. It does returnmeta. The block omitslast_pageandtotal(the endpoint does not count the full result set) and addscurrent_page_url. Walk the pages withlinks.nextuntil it is null rather than counting them.
Changed Schema descriptions
Error,PaginationMeta, the bearer-tokenbearerFormat, and the two camelCase path parameters described themselves in terms of the API's internal framework. They now describe the contract instead. No field, type, or requirement changed, so the Postman collection and the SDKs are byte-identical apart from these strings.
Response schemas verified against the live API
No endpoint, request body, scope, or authentication behaviour changed. Every documented response body was replayed against the running API and corrected where it had drifted, so the schemas now describe what the API actually returns.
Fixed Fields the docs described but the API never returns
These were removed, or renamed to the field the API really sends:
- Conversations:
assignee_idandcontact_idare reallyassignable_id/assignable_type, andsnooze_untilis reallyis_snoozed. The fieldsis_readandis_trasheddo not exist. - Thread events were documented as a flat message
(
type,body,html_body,cc_emails, ...). The API returns a nested shape:event_type,event(the message, null on system events),actor, andextra. - Inboxes:
channel,from_email,enabled,is_private, andcreated_atare not returned. - Organization on
GET /v1/me:nameandsubdomainare reallycompanyandslug. - Tags:
created_atandorganization_idare not returned. - Reports: an agent has
first_name/last_name/name, notemail/avatar_url. Day buckets areyear/month/day, not a singledate. - Listing knowledge base articles documented a
{message}stub. It returns a paginated{data, links, meta}.
Added Newly documented
- Responses now document every field the API returns, including the
per-folder counts and agents/teams on an inbox, the embedded
contact,last_message, andcustom_field_valueson a conversation, theauthoron a saved reply, and downloadable attachments on a message. GET /v1/inboxes/{inbox_id}/tagsuses simple pagination: itsmetahas nolast_pageortotal, and addscurrent_page_url.- Free-form objects (an inbox's satisfaction-ratings config, an organization's permission matrix, a conversation's custom-field values) are documented as such rather than invented shapes.
Trimmed public surface, teammates endpoints, tag validation
Removed Dropped from the documented surface
26 operations that existed for the ThriveDesk web app rather than for integrations are no longer documented (76 operations remain). The routes themselves still exist and first-party clients are unaffected, but they are not supported for integrations and may change without notice:
- Session auth:
POST /v1/auth/loginandPOST /v1/auth/logout. Use a personal access token instead - integrations should never collect ThriveDesk passwords. - Composer mechanics: cancel-reply (undo send) and the saved-reply use counter.
- UI organization: custom views CRUD, custom-field reorder, and saved-reply folder rename/delete.
- Redundant bulk twins:
POST /v1/settings/tags/updateand/delete(usePUT/DELETE /v1/settings/tags/{tag_id}). - Irreversible deletion: conversation force-delete and batch force-delete.
- Admin plane: automation create/update/delete (list and view remain) and Knowledge Base member/access management.
- Dashboard-only reports: recent-ratings, agent-team-conversations, agent-team-productivity.
Added New endpoints
GET /v1/settings/userslists teammates and pending invitations;GET /v1/settings/users/{user_id}shows one teammate. Both require theusers:readscope, which previously had no documented endpoint.POST /v1/conversation/{conversation_id}/draftcreates or updates the caller's reply draft and returns thedraft_idthat reply and attachment upload consume. This closes the documented reply flow, which already referenced drafts without documenting how to create one.
Changed Tag validation is now enforced
- Tag create now enforces what the spec already documented:
nameis limited to 64 characters andcolormust be a 6-digit hex value (#RRGGBB). Tag merge enforces the same plus a minimum of two source tags; bulk color update requires a hexcolor. Previously the server accepted any string.
Fixed Schema corrections
ReplyBodyno longer documentsnew_conversation. The server never read it.- The
Userschema now mirrors the API's user serializer:avatar(notavatar_url), full name/contact fields,presence, preferences underextra, and real role values (Account Owner,Administrator,User). - Pagination link fields and avatar fields are typed as URIs (were mistakenly date-times) and pagination links are nullable at the edges.
Changed Tooling
- The Postman collection is now generated from the OpenAPI spec (folder per tag, schema-placeholder examples) instead of being maintained by hand, so it can no longer drift from the reference.
Accuracy pass against the API implementation
Every operation was re-verified against the API's route table, validators, and response serializers. If you coded against 1.0.0 schemas, read this list: several documented shapes did not match the running API and have been corrected to what the server actually accepts and returns.
Fixed Authentication
- The public API uses a single authentication method: a personal access token
granted the first-party
publicscope, which can call every documented endpoint. POST /v1/auth/loginis documented as unauthenticated.POST /v1/searchrequires a token (the auth guide previously said otherwise).
Fixed Request bodies
- Reply requires
status. The message content comes from the authenticated user's draft, not the request body. - Note uses
message(notnote). Forward usesbody, an arrayto, and a requiredmessage_id. Snooze usessnoozed_untilplus a requiredtype. Split requiresthread_event_id,direction,subject, andstatus. - Tag attach/detach take
tag. Conversation update takesassign_to/tags. Custom field values are sent as a flat key-value map. - Batch operations: update and delete take
conversations, restore and force-delete takeconversation_ids. Thehardflag never existed. - Custom field and custom view create/update bodies now mirror the validators
(
key,is_required, structuredoptions,filterstree,display). - Creating a conversation requires
to,status,subject, andmessage. Contact create persists onlyemail. Attachment upload takes anattachments[]multipart array. - Saved-reply folder rename/delete and
GET /v1/saved-repliesrequireinbox_id. Tag update requiresname.
Fixed Responses and parameters
- Single resources are wrapped in
{"data": ...}. List endpoints document their real collection shapes (paginated or plain arrays). - Status enums corrected to
Active/Pending/Closed, priority toHigh/Medium/Low, custom field types totext/textarea/dropdown/toggle/number. - Date-range reports require
start_dateandend_date. Previously undocumented query parameters (contact search, tag search, per-page overrides,event_id,agent_id,rating,view) are now listed. - The global rate limit (300 requests/minute per client IP) is documented in Pagination & rate limits.
Initial public release
First publication of the ThriveDesk Public API as an OpenAPI 3.1 specification. Covers the 99 endpoints documented in the previous Postman collection, plus full schema definitions, authentication scopes, error catalog, pagination contract, and rate-limit documentation.
Added Documentation
- Hand-authored OpenAPI 3.1 specification at
openapi/openapi.yaml - Bundled single-file spec at
openapi/bundled.yaml - Redoc reference renderer at
reference.html - Stoplight Elements interactive playground at
playground.html - Guides: quickstart, authentication & scopes, errors, pagination & rate limits, changelog
Fixed Crosscheck against the Postman collection
The Postman collection remains in this repository at
api.postman_collection.json. The seven commits in
its history (visible with git log) record the fixes applied during
the crosscheck pass:
Fix api.conversation.merge request body- example body was invented and would have 422'd.Fix api.settings.tags.merge request body- same pattern.Fill empty request-body templates with real schemas- 12 endpoints had// Add request body parameters hereplaceholders.Fix api.automations.store and api.automations.update- body used a non-existentconditions[]field and the wrong active flag.Replace fabricated "string" placeholders in report responses- all 7/v1/reports/*endpoints.Replace api.search response placeholder- corrected shape.Replace api.me response placeholders- corrected shape.
The Postman collection and the OpenAPI specification are intended to be kept in lockstep from here on.