Start with scope, then contracts
Thorbis API access is intentionally explicit. Teams should identify the workflow, tenant boundary, and availability state before building against a contract.
Scope access first
Start with the company, user role, and tenant boundary before discussing endpoints or sandbox access.
Separate inbound and outbound
Inbound provider webhooks are live for platform operations; customer-facing outbound subscriptions are still roadmap work.
Request specs by use case
For the Mobile Field API, explain whether you need estimates, invoices, payments, messaging, price book, or AI assist flows.
Keep production contracts honest
The page only documents what is available today and routes early partner needs through direct contact.
What's available now
Mobile Field API
Seventeen authenticated REST endpoints power the Thorbis field app: estimates, invoices, signatures, payments, price book search, SMS, and field AI assist.
Partner developer platform
OAuth-scoped REST APIs, OpenAPI specs, and SDKs for CRMs and internal tools are in design. Join the partner waitlist for sandbox access.
Platform webhooks (inbound)
Thorbis receives signed webhooks from payment, communications, and email providers. Outbound event subscriptions for your stack are on the roadmap.
Mobile Field API capabilities
- Draft estimates and invoices with signatures, SMS, and email send from the field.
- Collect cash or check payments and generate customer payment links.
- Search the price book, register push tokens, and run on-device AI assist actions.
- Authenticated with Supabase JWT; tenant-scoped via company membership and RLS.
The conversations this page should start
Developer pages should not imply public access that does not exist yet. These are the current integration lanes to route to partnerships.
- Mobile app workflow extensions for field estimates, invoices, signatures, and payments.
- Partner CRM or internal-tool integrations that need future OAuth-scoped REST access.
- Roadmap conversations for outbound event subscriptions such as jobs, invoices, and payments.
What partners should clarify before building
The useful developer conversation is not “which endpoint exists?” first. It is identity, tenant scope, write safety, and the workflow the integration is meant to support.
Every API conversation starts with the company membership model and what the calling user may access.
Mobile Field API requests use access tokens; broader OAuth partner access remains roadmap work.
Mutations are discussed by business workflow, not by broad table access or direct database writes.
Early integration requests route through partnerships until public docs and sandbox access are available.
A good API request starts with the business workflow.
Until public partner APIs are generally available, partnerships can move faster when the request explains what needs to happen, not just which endpoint is desired.
Workflow
Describe the field, office, payment, messaging, or reporting process the integration should support.
Direction
Clarify whether data should enter Thorbis, leave Thorbis, or stay inside the mobile field workflow.
Risk
Name the records, permissions, customer data, and write operations that would need extra review.
Frequently asked questions
Is there a public REST API for third-party integrations?
Not yet. Today, Thorbis ships a Mobile Field API (Bearer JWT) used by the official Thorbis field app for estimates, invoices, payments, and field workflows. A broader partner developer platform is on the roadmap, contact partners@thorbis.com for early access.
How does the field app authenticate?
The Mobile Field API uses Supabase access tokens in the Authorization header. Every request includes a companyId and is scoped by Row Level Security plus company membership checks.
Does Thorbis expose outbound webhooks to my systems?
Customer-facing outbound webhooks (for example job.created or invoice.paid) are planned but not generally available yet. Inbound provider webhooks (Stripe, Telnyx, Resend, and others) are live for platform operations.
Route requests to the right conversation.
Clear boundaries keep partners from building against the wrong expectation.
App API
Mobile Field API details are available for official app workflows and partner review.
Partner API
OAuth-scoped partner REST access is still routed through the partner roadmap.
Webhooks
Inbound provider webhooks are live internally; customer outbound events are not generally available yet.
Integration design should protect operational records.
Field-service APIs touch invoices, payment links, messages, and customer records. The safest integrations are explicit about identity, writes, and recovery.
Identity
Confirm how the calling user, company membership, and role will be verified before any workflow action runs.
Mutation scope
Separate read paths from writes such as estimates, invoices, payments, messages, and status changes.
Rollback
Define how failed syncs, duplicate attempts, and partial provider responses should recover without corrupting customer records.