
Authentication

📘

Weblink API

The Weblink API uses different Auth servers to obtain bearer tokens. Note the different server URLs, the different syntax for generating the bearer token, and the custom rate limit that applies when using this API.

Transport Layer Security (TLS)

Transport Layer Security (TLS) is a security protocol widely used for encrypting communications between web applications and servers. An HTTPS transfer or API call happens over a connection secured by TLS.

You must use TLS 1.2 when calling our APIs.

To check whether TLS 1.2 is supported in your HTTPS library, review the library documentation or configuration settings for its TLS version options.

Authentication

Paylocity APIs utilize the Client Credentials flow from OAuth2 for authentication. This means that every call to a Paylocity API will include an HTTP Header named Authorization with a value that includes a short-lived bearer token obtained from the Paylocity Identity Provider (IDP).

Sample HTTP Header:

Authorization: Bearer TOKEN_GOES_HERE

To obtain a bearer token, consumers must first have their client_id and secret, received after completing steps 1-3 of Getting Started. These credentials are used when interacting with the Paylocity IDP by invoking the IDP's /token endpoint to obtain the token.

  • client_id: this is the client_id assigned to the registered application in the developer portal
  • secret: this is the secret assigned to the registered application in the developer portal
  • grant_type: the value provided here must be client_credentials

🚧

Secure your API Credentials!

Your credentials carry many privileges, so be sure to keep them secure! Do not share your credentials in unsecured emails or in publicly accessible areas such as GitHub, client-side code, etc.

Secrets are required to be rotated once every 365 days. An email notification of your secret expiring is sent to the identified contact 10 days and 5 days prior to the expiration.

Sample request to the /token endpoint:

curl --location 'https://apisandbox.paylocity.com/IdentityServer/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=dfff6fdfb9a145d59389542285dfa505' \
--data-urlencode 'client_secret=...' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=WebLinkAPI'

Sample response from the /token endpoint:

{
  "access_token": "....",
  "token_type": "Bearer",
  "expires_in": 3600
}

The value in the access_token field is the value that is used in the TOKEN_GOES_HERE placeholder above.

It is important to note that the bearer token is short-lived and will expire after 1 hour (3600 seconds). The use of an expired token will result in a failed response (status code 401) from an API. Before the token expires, consumers should obtain a new bearer token by sending another request to the /token endpoint.
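The following is an added example, not Paylocity's own SDK or sample code, showing how a client would implement the flow described above end to end: post the same form fields as the curl sample to the /token endpoint, parse the JSON response, cache the access_token, renew it before expires_in elapses, retry once with a fresh token when an API answers 401, and pin the connection to TLS 1.2 or newer. The renewal margin, the injected transport and clock, and the FakeIdp stand-in (used so the demo runs offline) are assumptions of this example and do not come from the page.

```python
# Added example (not Paylocity's code): client-credentials token helper with
# caching, pre-expiry renewal, single 401 retry and a TLS 1.2 floor.
import json
import ssl
import time
import urllib.error
import urllib.parse
import urllib.request

# Sandbox token endpoint from the page's sample request.
TOKEN_URL = "https://apisandbox.paylocity.com/IdentityServer/connect/token"
# Renew this long before expiry so in-flight calls never carry a dead token
# (assumed value, not from the page).
REFRESH_MARGIN_SECONDS = 60


def tls12_context():
    """SSL context that refuses anything older than TLS 1.2, as the page requires."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def urllib_transport(url, form_fields):
    """POST form-encoded fields over TLS >= 1.2; returns (status, body_text)."""
    data = urllib.parse.urlencode(form_fields).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, context=tls12_context()) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class TokenProvider:
    """Caches one bearer token and renews it before the IDP's expires_in runs out."""

    def __init__(self, client_id, client_secret, scope,
                 transport=urllib_transport, clock=time.monotonic):
        # Exactly the form fields from the page's curl sample.
        self._fields = {"client_id": client_id, "client_secret": client_secret,
                        "grant_type": "client_credentials", "scope": scope}
        self._transport, self._clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def _fetch(self):
        status, body = self._transport(TOKEN_URL, self._fields)
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        payload = json.loads(body)  # {"access_token", "token_type", "expires_in"}
        if payload.get("token_type") != "Bearer":
            raise RuntimeError("unexpected token_type in IDP response")
        self._token = payload["access_token"]
        self._expires_at = self._clock() + int(payload["expires_in"])

    def token(self):
        """Return the cached token, or fetch a new one if missing or near expiry."""
        if self._token is None or \
                self._clock() >= self._expires_at - REFRESH_MARGIN_SECONDS:
            self._fetch()
        return self._token

    def invalidate(self):
        """Forget the cached token (call this after an API answers 401)."""
        self._token = None

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token()}"}


def call_api(provider, send):
    """send(headers) -> (status, body). Retries once with a fresh token on 401."""
    status, body = send(provider.auth_header())
    if status == 401:
        provider.invalidate()
        status, body = send(provider.auth_header())
    return status, body


class FakeIdp:
    """Constructed stand-in for the IDP and an API so the demo runs offline."""

    def __init__(self):
        self.now, self.issued, self.revoked = 0.0, [], set()

    def clock(self):
        return self.now

    def transport(self, url, fields):
        tok = f"tok{len(self.issued) + 1}"
        self.issued.append(tok)
        return 200, json.dumps({"access_token": tok, "token_type": "Bearer",
                                "expires_in": 3600})

    def api(self, headers):
        tok = headers["Authorization"].split(" ", 1)[1]
        return (401, "") if tok in self.revoked else (200, "ok")


def demo():
    """Walk through fetch, cache hit, pre-expiry renewal and the 401 retry."""
    idp = FakeIdp()
    p = TokenProvider("CLIENT_ID", "CLIENT_SECRET", "WebLinkAPI",
                      transport=idp.transport, clock=idp.clock)
    first = p.token()                        # fetched: tok1
    cached = p.token()                       # served from cache
    idp.now = 3600 - REFRESH_MARGIN_SECONDS  # inside the renewal window
    renewed = p.token()                      # tok2
    idp.revoked.add(renewed)                 # simulate the API rejecting it
    status, _ = call_api(p, idp.api)         # 401 -> invalidate -> tok3 -> 200
    return {"first": first, "cached": cached, "renewed": renewed,
            "status": status, "issued": list(idp.issued)}


if __name__ == "__main__":
    print(demo())
```

Against the real endpoint, construct `TokenProvider(client_id, client_secret, "WebLinkAPI")` with the defaults and pass `auth_header()` to whatever HTTP client makes the API calls; the margin keeps a renewal from racing the one-hour expiry, and the single retry in `call_api` covers the case where a token is rejected before that margin is reached.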

Copyright © 2024 Paylocity. All Rights Reserved.