API Access
The API requires authorisation and is not available with trial accounts.
To access the API you will need an API token, which a Super User will be able to manage through "Company settings" on your account.
Each user with access to the API will be able to access all calls available within the API. Please bear this in mind when you distribute access credentials.
Fair usage
Use of this API and associated data is at your own risk and responsibility, please be aware that we do not implement any of the data rules applied by the online system eg ‘cross dept viewing’ and other leave associated restrictions. If required, you will need to implement this in your own application.
Response types
Code | Status | Description |
---|---|---|
200 | OK | Request accepted and data returned via JSON |
400 | Bad Request | Request rejected; error message returned via JSON |
404 | Page not found | Endpoint not valid |
For more information on responses, check out our complete list of response codes.
Sample
The following samples show a typical response from the WhosOff API.
Authorisation & security
In order to request access to your data, authentication needs to be successfully completed to obtain a bearer token. This can be done in two ways: by supplying user credentials (username and password) or through a valid access token. Alongside the credentials or access token, an IP address, a number once (nOnce), a secret, and a unique App Id must also be supplied. See API Authenticate Object for more information on the request and response objects.
Create an access token
Step 1: Obtain app credentials
Obtain your App Id and client secret from "Company settings" (managed by a Super User); these are needed to create an access token.
Step 2: Generate a random nonce value
This can be any random string but should be unique every time.
Step 3: Calculate the secret
The secret is calculated according to the following structure: the nOnce followed by the client secret, hashed with SHA512 (described in more detail below).
Step 4a: Authenticate with credentials
Valid username and password of a user within your account.
Step 4b: Authenticate with access token
Obtained from a successful credential authentication. This should be used to refresh an expired token.
IP address
IP address needs to be supplied to check if the request has permission from that location. Multiple IP address ranges can be added by the super user within WhosOff.
nOnce (number once) - generated by developer on each new authentication request
nOnce is a randomly generated, unique, 32 character string which is used in conjunction with the client secret to create a unique single use SHA512 hash.
Note: this could be the current DateTime to milliseconds '2029-03-14T13:24:10.832Z' and/or a Guid - so long as it is never reused.
The secret is a unique single use string which is created using the nOnce + supplied client secret (obtained in company settings) then hashed using the SHA512 algorithm.
App Id - obtained in company settings
The App Id is supplied to identify your unique API application. This is used in the initial request for an access token and in the call header of all subsequent calls.
Bearer token
Once authentication has been successful, an access token will be returned. This should now be used as in the example below alongside your app-id and the content type 'application/json'.
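The nOnce, secret and header construction described above, as an added example that is not part of the WhosOff documentation or client code. The request field names, the header name `app-id`, the hex encoding of the SHA512 digest and the in-memory nonce registry are assumptions; the page only fixes the inputs (nOnce + client secret, SHA512, App Id, bearer token).

```python
import hashlib
import secrets
from typing import Optional

# Nonces already issued by this process. The page requires that a nonce is
# never reused, so the generator refuses to hand out a duplicate (assumption:
# an in-memory set is enough for a single client process).
_used_nonces = set()


def generate_nonce() -> str:
    """Return a fresh 32-character nonce (16 random bytes, hex encoded)."""
    while True:
        nonce = secrets.token_hex(16)  # 32 hex characters
        if nonce not in _used_nonces:
            _used_nonces.add(nonce)
            return nonce


def calculate_secret(nonce: str, client_secret: str) -> str:
    """SHA512 over nonce + client secret, as the page describes.
    Hex encoding of the digest is an assumption; the page does not state it."""
    return hashlib.sha512((nonce + client_secret).encode("utf-8")).hexdigest()


def build_auth_request(app_id: str, ip_address: str, client_secret: str,
                       username: Optional[str] = None, password: Optional[str] = None,
                       access_token: Optional[str] = None) -> dict:
    """Body for Step 4a (credentials) or Step 4b (access token refresh).
    Field names are assumptions, not the API's documented names."""
    nonce = generate_nonce()
    body = {
        "appId": app_id,
        "ipAddress": ip_address,
        "nonce": nonce,
        "secret": calculate_secret(nonce, client_secret),
    }
    if access_token:
        body["accessToken"] = access_token  # Step 4b: refresh an expired token
    elif username and password:
        body["username"], body["password"] = username, password  # Step 4a
    else:
        raise ValueError("supply either username/password or an access token")
    return body


def build_call_headers(app_id: str, bearer_token: str) -> dict:
    """Headers for every call after authentication: bearer token, app-id, JSON."""
    return {
        "Authorization": f"Bearer {bearer_token}",
        "app-id": app_id,  # header name is an assumption
        "Content-Type": "application/json",
    }
```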
Testing your connector
It is strongly recommended that all testing uses the sandbox root while you build your custom integration - this can be found in company settings. To test your first authentication, you may wish to use Postman to ensure the connection is working. Please also be aware that any writing, editing and deletion of your live data is permanent and directly impacts your own data. Any changes to your data are your responsibility, so please ensure you have tested extensively in sandbox before pointing to the live root.
Unauthorised calls
Any unauthorised call will get a standard 400 response explaining why the authorisation failed. Below is an example of an invalid token. This could require reauthentication with credentials or a renewal of an expired token.
Response object
Compressed Gzip responses
When responses are given from the API, the content encoding of the response will need to be checked. If the value matches Gzip, the response stream will need to be decompressed before it is deserialized.
If the response does not contain Gzip in the "content-encoding" parameter, the response can be deserialized directly into your object.
For more information regarding Gzip, we would recommend heading over to StackOverflow and following guides on decompressing Gzip.
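A gzip-aware deserializer for the check described above, as an added example that is not part of the WhosOff documentation. It matches the content-encoding header case-insensitively, verifies the gzip magic bytes before decompressing, and caps the decompressed size (the cap value and the sample payload are assumptions constructed here).

```python
import gzip
import io
import json

# Assumed cap on decompressed size: protects the client from a hostile or
# misconfigured upstream that returns a highly compressible "bomb".
MAX_DECOMPRESSED_BYTES = 50 * 1024 * 1024


def content_encoding(headers: dict) -> str:
    """Header names are case-insensitive; return the encoding value lower-cased."""
    for name, value in headers.items():
        if name.lower() == "content-encoding":
            return value.lower()
    return ""


def deserialize_response(headers: dict, body: bytes):
    """Decompress when Content-Encoding says gzip, then parse the JSON body."""
    if "gzip" in content_encoding(headers):
        if body[:2] != b"\x1f\x8b":  # gzip magic number
            raise ValueError("content-encoding is gzip but body is not gzip data")
        with gzip.GzipFile(fileobj=io.BytesIO(body)) as gz:
            body = gz.read(MAX_DECOMPRESSED_BYTES + 1)
        if len(body) > MAX_DECOMPRESSED_BYTES:
            raise ValueError("decompressed response exceeds MAX_DECOMPRESSED_BYTES")
    return json.loads(body.decode("utf-8"))


# Constructed sample payload, served once plain and once gzip-compressed.
SAMPLE = {"status": 200, "data": [{"id": 1, "name": "constructed example"}]}
PLAIN_BODY = json.dumps(SAMPLE).encode("utf-8")
GZIP_BODY = gzip.compress(PLAIN_BODY)


def sample_responses():
    """(headers, body) pairs a client might receive; both decode to SAMPLE."""
    return [
        ({"Content-Type": "application/json"}, PLAIN_BODY),
        ({"content-encoding": "gzip", "Content-Type": "application/json"}, GZIP_BODY),
    ]
```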
HTTP status codes
The HTTP status codes and their meaning are as follows:
Status code | Message | Description |
---|---|---|
200 | OK | A successful API call/action has been received. |
400 | Bad request | The API request has an error in it. |
401 | Not Authenticated | Can’t authenticate with those credentials. Check credentials and get a new access token if error persists. |
403 | Forbidden | Permission not granted to execute API call/action. |
500 | Internal Server Error | Something unexpected happened, contact WhosOff support. |
502 | Bad Gateway | Unable to communicate with API server, contact WhosOff support. |
504 | Timeout | Unable to complete call/action within permitted time, contact WhosOff support. |
Sample responses
The following samples show typical responses you may see.