Authentication
Safety First!
Due to the sensitive nature of payroll, all potential integrations must be vetted and approved by Gusto.
To ensure you receive initial approval prior to investing in your build, please sign up for a Gusto Developer Account, fill out the Production Pre-Approval application and await a response from Gusto's Partnerships team.
During development, all API calls must be made to api.gusto-demo.com
.
After passing QA, Gusto will issue your production credentials via the Developer Portal. After receiving your production credentials, you can start making calls to our production environment via api.gusto.com
.
Please Note
Gusto is unable to provide production test accounts. All testing, both pre- and post-launch, must take place in our demo environment.
Authentication
The Gusto App Integrations API has two types of tokens that are used throughout development: organization level API tokens (api_token), provided via the Developer Portal, and company level tokens (access_token, refresh_token), provided via the OAuth2 process. You will need to securely manage and store all access tokens, api tokens, and refresh tokens in your database.
Token Management Recommendations
Access/refresh token pairs are specific to a user and company. The following gusto_auth_tokens
table definition is an example of how Gusto tokens can be stored.
company_uuid
is the Gusto company UUID. This column could also be a foreign key to your owncompanies
table that contains agusto_company_uuid
columnaccess_token_expiration
is theexpires_in
response field, which is the expiration time in seconds of the newly generatedaccess_token
- The expiration time is 7200 seconds or 2 hours.
- To be safe, the
access_token_expiration
can be set to (expires_in
- 60) from when the response is received. - This field can be used to proactively refresh tokens instead of always waiting for a 401 response to trigger a refresh.
Care should be taken to avoid token refresh race conditions. It is recommended to have unique constraints and when refreshing tokens, lock the associated row.
Example refresh steps:
- An access token needs to be refreshed. We know this because the
access_token_expiration
is less than current time or an HTTP status of 401 is received from a Gust API request - Lock the
gusto_auth_tokens
row for the associatedcompany_uuid
- Refresh the access token as detailed here
- Update the
gusto_auth_tokens
row with the new access and refresh tokens. Theaccess_token_expiration
should also be updated to (expires_in
- 60) seconds from the current time. - Unlock the row
- Use the new
access_token
for Gusto API requests - All concurrent processes should use the latest
access_token
Updated over 1 year ago