Setup

To get started with OAuth you need your App’s client ID (client_id) and client secret (client_secret). The client ID identifies your app to our server; the client secret proves that requests carrying that ID actually come from you, which is why it must never be exposed.

Then, you'll need to set your app's OAuth scopes, which will be displayed to the user before they grant your app permission to their Fullscript data.

Access the API Dashboard

If you don’t already have an App created with Fullscript, sign in to the Fullscript API Dashboard and click Create Application (or continue to sign up if you’re brand new to us!). For initial development, target one of our sandbox servers (either US or Canadian).

You’ll need an application name (currently used for your information only) and a redirect URI, where we will send users once they have authorized your app’s request to access their Fullscript data.

tip

Both the application name and redirect URI can be edited later, so there’s no need to agonize over those decisions now.

Client ID and secret

To find your App’s client ID and client secret, locate your App in the Fullscript API Dashboard and click Show more details. Your client ID is at the top of the page, and your client secret is masked below it. Hover your mouse over the Reveal button to see and copy the secret.

tip

Your client secret is masked to remind you to keep this value secret and handle it as you would any other important credential: keep it on your server (for example in an environment variable or secrets manager), never commit it to source control, and never embed it in browser or mobile code that users can inspect.

Set app scopes

Scopes limit which pieces of the user’s data you have access to, and what you can do with it. By default, your application requests only basic read access to the user’s Fullscript data.

When a user authorizes your app’s access to Fullscript, they see the scopes you’ve set and decide whether to grant them. Request only the scopes your app actually needs rather than read/write access to everything: a narrower request is easier for users to approve and limits the damage if a token is ever leaked.

Use the Fullscript API Dashboard to configure the scopes needed for each App you create.

important

Adding scopes to your App in the Dashboard does not update the tokens your users authorized earlier; those tokens keep the scopes that were granted when they were issued. Attempts to use such a token for an action covered only by a new scope return an Unauthorized error. Whenever you add scopes to your App, obtain new tokens by prompting all your users to reauthorize.

Catalog scopes

catalog:read

Grants read-only access to the Fullscript catalog. This includes the brand, product, and variant endpoints. This is a default scope that all apps must request access to.

Clinic scopes

clinic:read

Grants read access to a clinic’s account and practitioner information.


clinic:write

Grants write access to a clinic’s account: you can add or edit users and perform actions on behalf of the clinic’s practitioners. Paired with patients:read, this scope allows treatment plans to be created.

Patient scopes

patients:read

Grants access to read a patient’s data. This includes read access to any treatment plans made through the API. (Read access to treatment plans made through the Fullscript App, regardless of when they were created, requires the patients:treatment_plan_history scope.)


patients:write

Grants access to create and update a patient’s information.


patients:treatment_plan_history

Grants read access to a patient’s historical treatment plan data. Needed to access treatment plans created via the Fullscript App.


patients:order_history

Grants read access to a patient’s order history. Use this data to show patient adherence to the treatment plan.
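The scope rules above (catalog:read is mandatory, creating treatment plans needs clinic:write together with patients:read, App-created plan history needs patients:treatment_plan_history, and tokens issued before a scope was added do not carry it) are easy to get wrong by hand. The following is an added example, not Fullscript’s code: it plans the minimal scope set for the capabilities an app needs, detects which stored tokens must be reauthorized after a scope change, and builds the consent URL. The authorization endpoint path, the space-delimited scope format (taken from RFC 6749 rather than this page), the capability names, and the environment variable holding the client secret are all assumptions.

```python
"""Scope planning for a Fullscript OAuth app (added example, not Fullscript code).

Encoded from the setup page:
  - catalog:read is a default scope every app must request.
  - Creating treatment plans needs clinic:write together with patients:read.
  - Reading plans made in the Fullscript App needs patients:treatment_plan_history.
  - Tokens issued before a scope was added lack that scope; those users must reauthorize.
Assumptions (not from the page): scopes are sent space-delimited as in RFC 6749 s3.3,
the authorization endpoint is a placeholder passed in by the caller, and the client
secret is read from an environment variable instead of being embedded in code.
"""
import os
import secrets
from urllib.parse import urlencode

KNOWN_SCOPES = {
    "catalog:read", "clinic:read", "clinic:write",
    "patients:read", "patients:write",
    "patients:treatment_plan_history", "patients:order_history",
}
REQUIRED = {"catalog:read"}  # mandatory for all apps

# Hypothetical capability names -> scopes they need, per the scope descriptions above.
CAPABILITIES = {
    "read_catalog": {"catalog:read"},
    "read_clinic": {"clinic:read"},
    "manage_clinic": {"clinic:write"},
    "read_patients": {"patients:read"},
    "write_patients": {"patients:write"},
    "create_treatment_plans": {"clinic:write", "patients:read"},
    "read_app_treatment_plan_history": {"patients:treatment_plan_history"},
    "read_order_history": {"patients:order_history"},
}


def plan_scopes(capabilities):
    """Return the minimal scope set for the capabilities the app actually needs."""
    scopes = set(REQUIRED)
    for cap in capabilities:
        if cap not in CAPABILITIES:
            raise ValueError(f"unknown capability: {cap}")
        scopes |= CAPABILITIES[cap]
    return frozenset(scopes)


def validate_scopes(scopes):
    """Reject unknown scopes and scope sets that omit a required scope."""
    scopes = set(scopes)
    unknown = scopes - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    missing = REQUIRED - scopes
    if missing:
        raise ValueError(f"missing required scopes: {sorted(missing)}")
    return frozenset(scopes)


def needs_reauthorization(granted, required):
    """Scopes the app now needs that a stored token was never granted.

    A non-empty result means calls covered by those scopes will fail with
    Unauthorized until the user goes through the consent screen again."""
    return frozenset(set(required) - set(granted))


def authorization_url(base, client_id, redirect_uri, scopes, state):
    """Build the consent URL. `base` is the authorization endpoint (an assumption
    here; take the real one from the Fullscript docs). `state` is an unguessable
    value that binds the redirect back to this browser session."""
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(validate_scopes(scopes))),  # RFC 6749: space-delimited
        "state": state,
    }
    return f"{base}?{urlencode(query)}"


def load_client_secret(env_var="FULLSCRIPT_CLIENT_SECRET"):
    """Read the secret from the environment (assumed variable name); fail loudly if absent."""
    secret = os.environ.get(env_var)
    if not secret:
        raise RuntimeError(f"{env_var} is not set; the client secret must not live in code")
    return secret


if __name__ == "__main__":
    wanted = plan_scopes(["read_patients", "create_treatment_plans"])
    print("request:", sorted(wanted))
    # Constructed example: a token issued before patients:order_history was added.
    old_token_scopes = {"catalog:read", "patients:read"}
    gap = needs_reauthorization(old_token_scopes, wanted | {"patients:order_history"})
    print("reauthorize for:", sorted(gap))
    print(authorization_url("https://example.invalid/oauth/authorize", "my-client-id",
                            "https://myapp.example/callback", wanted,
                            secrets.token_urlsafe(16)))
```

Run needs_reauthorization over every stored token after changing the Dashboard scopes; the users whose result is non-empty are the ones to prompt. The consent URL never carries the client secret, so the only place load_client_secret belongs is the server-side code exchange.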