

Starting from version 2023-05-01, ALL endpoints that authenticate with an access token require a strict access token. A strict access token is reserved for access to a single company. Requests that use a token which does not meet this requirement receive a 403 Forbidden response. This is the first step in improving our OAuth token management. To support this redesign we introduced the following endpoint changes:

  • The POST v1/partner_managed_companies endpoint returns a strict access and refresh token pair reserved only for the newly created company. This token pair cannot be used to access other companies, even if they are authorized by the same user. Conversely, previously granted tokens cannot be used to access the new company.
  • A strict access grant type was added to the /oauth/token endpoint to exchange a legacy token for strict access tokens. You can use this endpoint to exchange existing tokens for new ones before upgrading the API version. Please refer to the Strict Access guide for details.
  • The GET v1/me endpoint responds with 403 when accessed with a non-strict access token. Additionally, the endpoint only returns user data for the company that the strict access token is reserved for.
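The migration the changes above imply is: exchange the legacy token once per authorized company, keep one token pair per company, and pick the pair by company before every request so a token is never sent to a company it is not reserved for. The following is an added example, not Gusto's own code. The request body it sends to /oauth/token (the grant_type value "strict_access" and the "token" and "company_uuid" fields) is an assumption; take the real parameter names from the Strict Access guide. FakeGustoApi is a constructed offline stand-in that only models the rules stated in this changelog (legacy tokens rejected with 403 from version 2023-05-01, strict tokens rejected with 403 for any other company).

```python
"""Per-company strict-token management for a Gusto partner app.

Added example, not Gusto's code. The /oauth/token request shape
(grant_type "strict_access", fields "token" and "company_uuid") is assumed.
FakeGustoApi is a constructed offline simulation of the server rules.
"""

from dataclasses import dataclass
import secrets

STRICT_FROM_VERSION = "2023-05-01"   # first API version that requires strict tokens


@dataclass(frozen=True)
class TokenPair:
    access_token: str
    refresh_token: str
    company_uuid: str   # the single company this pair is reserved for


class FakeGustoApi:
    """Constructed simulation: every access token is bound either to one
    company (strict) or to nothing (legacy, i.e. non-strict)."""

    def __init__(self):
        self._binding = {}   # access_token -> company_uuid, or None for legacy

    def issue_legacy_token(self):
        token = "legacy_" + secrets.token_hex(8)
        self._binding[token] = None
        return token

    def oauth_token(self, body):
        """Assumed shape of the strict-access exchange on /oauth/token."""
        if body.get("grant_type") != "strict_access":      # assumed value
            return 400, {"error": "unsupported_grant_type"}
        if body.get("token") not in self._binding:
            return 401, {"error": "invalid_grant"}
        company = body["company_uuid"]
        access = "strict_" + secrets.token_hex(8)
        self._binding[access] = company                     # reserved for one company
        return 200, {"access_token": access,
                     "refresh_token": "refresh_" + secrets.token_hex(8),
                     "company_uuid": company}

    def company_request(self, company_uuid, access_token, api_version):
        """Any token-authenticated request scoped to one company."""
        if access_token not in self._binding:
            return 401, {"error": "invalid_token"}
        bound_to = self._binding[access_token]
        if bound_to is None:
            # Legacy token: still accepted on older versions, 403 from 2023-05-01 on
            if api_version >= STRICT_FROM_VERSION:
                return 403, {"error": "strict access token required"}
            return 200, {"company_uuid": company_uuid}
        if bound_to != company_uuid:
            # Strict token used against a company it is not reserved for
            return 403, {"error": "token not valid for this company"}
        return 200, {"company_uuid": company_uuid}


class StrictTokenStore:
    """Client side: one token pair per company, selected by company uuid so a
    token is never sent to a company it is not reserved for."""

    def __init__(self, api, api_version=STRICT_FROM_VERSION):
        self.api = api
        self.api_version = api_version
        self._pairs = {}   # company_uuid -> TokenPair

    def exchange_legacy(self, legacy_token, company_uuid):
        """Exchange a legacy token for a strict pair reserved for one company.
        Run this once per authorized company before moving to 2023-05-01."""
        status, body = self.api.oauth_token({
            "grant_type": "strict_access",   # assumed value, see the Strict Access guide
            "token": legacy_token,
            "company_uuid": company_uuid,
        })
        if status != 200:
            raise RuntimeError(f"exchange failed for {company_uuid}: {status} {body}")
        pair = TokenPair(body["access_token"], body["refresh_token"], company_uuid)
        self._pairs[company_uuid] = pair
        return pair

    def company_request(self, company_uuid):
        """Send a company-scoped request with the pair reserved for that company."""
        pair = self._pairs.get(company_uuid)
        if pair is None:
            raise LookupError(f"no strict token for company {company_uuid}; exchange first")
        return self.api.company_request(company_uuid, pair.access_token, self.api_version)
```

The client-side LookupError is the point of the store: a missing exchange for a company surfaces before any request is sent rather than as a 403 from the API, and a token reserved for one company cannot be selected for another by construction.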