Create token

POST /2023-03-01/management/token

Exchange an authorization_code for an access_token after receiving one from the redirect_uri you specify after a successful user connection

application/json

Body Required

  • client_id string Required

    The client ID you received when you first created the application

  • client_secret string Required

    The client secret. Since there can be multiple client_secrets (to allow for rotation of secrets without downtime to your customers), any current client_secret is valid

    Please email me after signup and I will set both your client secret and redirect_uri (required) when you reach out.

  • grant_type string Required

    This is a hardcoded value required by the OAuth 2.1 spec

    Value is authorization_code.

  • code string Required

    This is the code you received in the query string

  • redirect_uri string Required

    Indicates the URI to return the user to after authorization is complete, which is the endpoint on your server to receive the authorization_code.

    Must be identical to the redirect URI provided in the original link.

    Please email me after signup and I will set both your client secret and redirect_uri (required) when you reach out.

Responses

  • 201 application/json

    Success

    • access_token string Required

      The issued access_token

    • mode string Required

      Values are official or xhr.

    • provider string Required

      Values are sandbox, bamboohr, breathe, cezanne, charliehr, deel, deputy, hailyhr, hibob, humaans, iris cascade, moorepay, nmbrs, parolla.ie, payfit, personio.de, planday, sagehr, saplinghr, staffology, xero uk, brain payroll, brightpay connect, employment hero, factorialhr, fourthhr, gusto, itrent, justworks, onpay, oysterhr, paycircle, pento.io, peoplehr, remote.com, sageone, shape payroll, simplepay.ie, quickbooks online, or zoho.

    • scopes array[string] Required

      One or more scope values indicating which parts of the user's account you wish to access.

      Note: this deviates slightly from the OAuth 2.1 spec in that the param scopes (plural) is used instead of scope (singular)

      Values are /2023-03-01/official/company, /2023-03-01/official/employee, /2023-03-01/official/employees, /2023-03-01/official/groups, /2023-03-01/official/identity, /2023-03-01/official/time-off-balances, /2023-03-01/official/time-off-entries, /2023-03-01/official/timesheets, /2023-03-01/official/work-locations, /2023-03-01/xhr/company, /2023-03-01/xhr/employee, /2023-03-01/xhr/employees, /2023-03-01/xhr/groups, /2023-03-01/xhr/identity, /2023-03-01/xhr/payruns, /2023-03-01/xhr/payruns/:payrun_id, /2023-03-01/xhr/time-off-balances, /2023-03-01/xhr/time-off-entries, /2023-03-01/xhr/timesheets, or /2023-03-01/xhr/work-locations.

    • token_type string Required

      The token type to pass in the Authorization header

      Value is Bearer.

  • 400 application/json

    Bad Request

  • 404 application/json

    Not Found

    • message string Required

      A description of the error

    • id string Required

      The id of the entity to which the error applies. For example, the transaction id

  • 409 application/json

    Not Found

    • code string

      The authorization code insert that caused a conflict

    • token string

      The access token insert that caused a conflict

    • error string Required

      The description of the type of error, i.e. conflict of two requests of the same authorization code

      Value is conflict.

  • 429 application/json

    Rate Limited / Too Many Requests

    • Retry-After: Retry your call after the specified number of seconds

  • 500 application/json

    Server Error

POST /2023-03-01/management/token
curl \
 -X POST https://api.affixapi.com/2023-03-01/management/token \
 -H "Content-Type: application/json" \
 -d '{"client_id":"00000000-00000000-00000000-00000000","client_secret":"ffffffff-ffffffff-ffffffff-ffffffff","grant_type":"authorization_code","code":"Y2xpZW50IzkzMTU4MGQwLWYwYjctNGJiOC1iYmZmLWI4MTNlYzMxNTVjYXxjb2RlIzE1MmIwYjk3LTg2ZWMtNDZlNC1hZDUyLWY5ZTAxNzE2MDIwNAo=","redirect_uri":"https://example.com"}'
Request examples
{
  "client_id": "00000000-00000000-00000000-00000000",
  "client_secret": "ffffffff-ffffffff-ffffffff-ffffffff",
  "grant_type": "authorization_code",
  "code": "Y2xpZW50IzkzMTU4MGQwLWYwYjctNGJiOC1iYmZmLWI4MTNlYzMxNTVjYXxjb2RlIzE1MmIwYjk3LTg2ZWMtNDZlNC1hZDUyLWY5ZTAxNzE2MDIwNAo=",
  "redirect_uri": "https://example.com"
}
Response examples (201)
{
  "access_token": "Y2xpZW50IzkzMTU4MGQwLWYwYjctNGJiOC1iYmZmLWI4MTNlYzMxNTVjYXx0b2tlbiM4ZDY5NzMwZi1kNzI1LTQ1ZjYtYTVlOC1mZmQ0NWE3ZjhkNDE=",
  "mode": "xhr",
  "provider": "sandbox",
  "scopes": [
    "identity",
    "census"
  ],
  "token_type": "Bearer"
}
Response examples (400)
{
  "message": "string",
  "validation_error": "string"
}
Response examples (404)
{
  "message": "string",
  "id": "string"
}
Response examples (409)
{
  "code": "string",
  "token": "string",
  "error": "conflict"
}
Response examples (429)
# Headers
Retry-After: 42

# Payload
{
  "message": "string"
}
Response examples (500)
{
  "message": "string"
}
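
Server-side handling of this exchange and of the response codes documented above, as an added Python example that is not part of the original page or Affix's own code. The names exchange_code, http_post and TokenError are hypothetical; the endpoint URL, body fields and the 409/429 behaviour are taken from the descriptions above, and Retry-After is assumed to be a number of seconds as in the 429 example.

```python
# Added example: helper and class names are hypothetical, not Affix's.
import json
import time
import urllib.error
import urllib.request

TOKEN_URL = "https://api.affixapi.com/2023-03-01/management/token"

class TokenError(Exception):
    """Non-retryable failure from the token endpoint."""

def http_post(url, body):
    """Default transport: POST JSON, return (status, headers, payload)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, err.headers, json.loads(err.read() or b"{}")

def exchange_code(code, client_id, client_secret, redirect_uri,
                  send=http_post, sleep=time.sleep, max_attempts=3):
    """Exchange an authorization code; returns the 201 payload."""
    body = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}  # must match the original link
    for _ in range(max_attempts):
        status, headers, payload = send(TOKEN_URL, body)
        if status == 201:
            # Check the documented shape before storing the token.
            if payload.get("token_type") != "Bearer" or not payload.get("access_token"):
                raise TokenError("unexpected token response shape")
            if not isinstance(payload.get("scopes"), list):  # plural, per the page
                raise TokenError("missing scopes array")
            return payload
        if status == 429:
            # Honour Retry-After (seconds) instead of retrying immediately.
            sleep(int(headers.get("Retry-After", "1")))
            continue
        if status == 409:
            # The code was already exchanged: never resend a spent code.
            raise TokenError("authorization code conflict")
        # Report status and message only; the request body holds the secret.
        raise TokenError(f"token endpoint returned {status}: {payload.get('message')}")
    raise TokenError("rate limited on every attempt")
```

Run the exchange only on your server, since the request body carries client_secret.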