In addition to HTTP Basic Authentication, the YourPayroll API also supports OAuth2 authentication.
If you'd like to register an OAuth2 application, please send an email to support@yourpayroll.com.au with the following details:
Authorization URL: https://api.yourpayroll.com.au/oauth/authorise
Access Token URL: https://api.yourpayroll.com.au/oauth/token
To initiate the client authorisation process, your client should be redirected to https://api.yourpayroll.com.au/oauth/authorise?client_id={your_client_id}&redirect_uri={your_redirect_uri}&response_type=code&state={your_state}
The query string parameters shown in that URL (client_id, redirect_uri, response_type and state) are required; response_type must be set to code.
Once the user allows access to your application, they will be redirected to the redirect_uri specified above. The authorization code will be supplied in the query string as the code parameter.
Using the code received from the OAuth callback above, your application should then make a POST request to https://api.yourpayroll.com.au/oauth/token to obtain your access tokens. Be sure to set the Content Type of your request to "application/x-www-form-urlencoded" (particularly if you intend to test this in Postman).
The request parameters are those defined for the authorization code grant in the OAuth 2.0 specification, with grant_type set to authorization_code.
A successful response contains the following fields in a JSON result similar to the following:
{
"access_token":"7Rqk!IAAAAJMsgSSNnKJx1tIoboFApUYQudG7nYiYr7OuGdTmSBOU4QAAAA",
"token_type":"bearer",
"expires_in":86400,
"refresh_token":"MpE-!IAAAAHyBWSC908zHY-39rhq76dojb4QEXeryTDAdjbQ0d3AFbBYmLWXXrdgPW",
"scope":""
}
The token_type returned is bearer.
NOTE: The access tokens are currently set to expire every 24 hours, so it's important to implement the access token refresh code as well. The refresh token, on the other hand, is long-lived and is valid for 28 days.
To refresh an access token, make a POST request to https://api.yourpayroll.com.au/oauth/token and pass the following information, as defined in the OAuth 2.0 specification: the refresh_token received when exchanging the code for an access token and refresh token above, with grant_type set to refresh_token.
A successful response contains the following fields in a JSON result similar to the following:
{
"access_token":"1/fFBGRNJru1FQd44AzqT3Zg",
"expires_in":86400,
"token_type":"bearer"
}
The token_type returned is bearer.
Now that you have the client's access token, all API requests should supply that token in the Authorization HTTP header. For example:
GET /api/v2/user HTTP/1.1
Host: api.yourpayroll.com.au
Authorization: Bearer 1/fFBGRNJru1FQd44AzqT3Zg
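The whole flow described above (building the authorise redirect, validating the callback, exchanging the code, refreshing before the 24-hour expiry and attaching the Bearer header), as an added example that is not YourPayroll's own code. The endpoint URLs are the ones on this page. The token-request field names (client_id, client_secret, code, redirect_uri, grant_type, refresh_token) are the ones RFC 6749 defines for the authorization code and refresh token grants; the page only says the requests follow the OAuth 2.0 specification, so confirm them against your registered application. The HTTP transport is injectable so the logic can be exercised offline.

```python
# Added example (not YourPayroll's code): OAuth2 authorization-code and
# refresh-token flow against the endpoints documented on this page.
# Assumption: token-request field names follow RFC 6749.
import json
import secrets
import time
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://api.yourpayroll.com.au/oauth/authorise"
TOKEN_URL = "https://api.yourpayroll.com.au/oauth/token"
# Refresh a little before the server-side expiry so no request leaves with a
# token that dies in flight.
REFRESH_MARGIN_SECONDS = 300


def build_authorize_url(client_id, redirect_uri):
    """Return (url, state). Persist `state` (e.g. in the user's session) and
    compare it when the callback arrives; it is the CSRF check for the flow."""
    state = secrets.token_urlsafe(32)
    query = urllib.parse.urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def parse_callback(callback_url, expected_state):
    """Extract `code` from the redirect back to redirect_uri, rejecting the
    callback if `state` is absent or differs from the value we issued."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    state = params.get("state", [None])[0]
    if state is None or not secrets.compare_digest(
            state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or stale callback")
    code = params.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def default_transport(url, body, headers):
    """Real HTTP POST; replaced by a fake in tests."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def _post_form(transport, url, fields):
    """POST application/x-www-form-urlencoded fields, decode the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return json.loads(transport(url, body, headers))


class TokenSet:
    """Access token plus the bookkeeping needed to know when to refresh it."""

    def __init__(self, response, now=None):
        now = time.time() if now is None else now
        self.access_token = response["access_token"]
        self.token_type = response.get("token_type", "bearer")
        # The refresh response on the page carries no refresh_token; the
        # caller keeps the original one in that case.
        self.refresh_token = response.get("refresh_token")
        self.expires_at = now + int(response["expires_in"])

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return now >= self.expires_at - REFRESH_MARGIN_SECONDS

    def auth_header(self):
        return {"Authorization": f"Bearer {self.access_token}"}


def exchange_code(client_id, client_secret, code, redirect_uri,
                  transport=default_transport):
    """Trade the callback code for an access token and refresh token."""
    return TokenSet(_post_form(transport, TOKEN_URL, {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }))


def refresh(tokens, client_id, client_secret, transport=default_transport):
    """Obtain a new access token; retain the old refresh token if none is returned."""
    fresh = TokenSet(_post_form(transport, TOKEN_URL, {
        "grant_type": "refresh_token",
        "refresh_token": tokens.refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }))
    if fresh.refresh_token is None:
        fresh.refresh_token = tokens.refresh_token
    return fresh
```

Call `tokens.needs_refresh()` before each API request and run `refresh` when it returns true; because the refresh response shown on this page contains no new refresh_token, the original one is reused, and the client must send the user back through the authorise step once that token reaches its 28-day lifetime.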