timesheet.io uses the OAuth 2.0 protocol for authentication and authorization. Oauth2 allows authorization without the external application getting the user's email address or password. Instead, the external application gets a token that authorizes access to the user's account. The user can revoke the token for one application without affecting access by any other application.

An external application must be registered with timesheet.io before it can use Oauth2 to authenticate users. A registered application can be used by all users of timesheet.io, not just the users of the account of the person registering the application. However, registered applications are not discoverable—simply registering your application does not make it visible to any other timesheet.io users.

Register your application

Once an application is registered you can use the client_id, client_secret and redirect_url in the authorization flow.

To authorize an external application to authenticate as a user, the application uses browser redirects to send the user to timesheet.io.

1. Redirect user to request access

The user should be redirected in their browser to the Ouath2 authorize URL, passing the application specific parameters:

GET https://api.timesheet.io/oauth2/auth

Parameters

• client_id: Required. The client ID created when the application was registered.
• redirect_uri: Required. The URL where the user will be redirected after they have authorized the application. This must be the same as the redirect URL provided when the application was registered.
• response_type: Required. Controls which flow will be used to return the access_token. Using a value of code will use the authorization code flow.

2. timesheet.io redirects user back to application

Once the user authorizes the application their browser will be redirected back to the redirect_uri. timehseet.io will include a parameter in the URL named code which must be exchanged for the access token by making another request to timesheet.io in the next step.

3. Request access token

The application exchanges the code from the previous step for an access token. In this step the application uses its secret which provides an additional level of security since timesheet.io can be sure that it is an authorized application that is making the request on behalf of the user.

POST https://api.timesheet.io/oauth2/token

Parameters

• code: Required. The code value that was returned by the previous step in the flow.
• client_id: Required. The client ID created when the application was registered.
• grant_type: Required. Must contain the value authorization_code.
• redirect_uri: Required. This must be the same as the redirect URL provided when the application was registered.

The response to this POST will be a JSON string containing the access token and refresh token that can then be used to access the API.

The Client Credentials grant is used when applications request an access token to access their own resources, not on behalf of a user.

1. Request access token

The application uses its secret to request an access token.

POST https://api.timesheet.io/oauth2/token

Parameters

• client_id: Required. The client ID created when the application was registered.
• client_secret: Required. The client secret that was created when the application was registered.
• grant_type: Required. Must contain the value client_credentials.

The response to this POST will be a JSON string containing the access token and refresh token that can then be used to access the API.

When you're making calls to the API, there'll be a lot of results to return. For that reason, we paginate the results to make sure responses are easier to handle. We recommend you to set the limit parameter in every request to ensure you know how many results per page you'll get. The default limit is 100 items per page. You can paginate through the results with the page parameter, starting with 1. If you set the limit to 10 and page to 1 you will get the results from 1-10. If you set the limit to 10 and page to 2, you'll get the results from 11-20.

Endpoint to retrieve and manage webhooks.