OAuth for Direct API Access

Use OAuth authorization to connect custom apps and call We360.ai APIs directly.

Use this path when you need a custom integration. It is the right option for direct API access.

API guides

Guide

Dynamic Report API

Description

Fetch employee activity and attendance analytics with explicit field selection.

Open

Dynamic Report API

Overview

The we360.ai API uses OAuth 2.0 Resource Owner Password Credentials.

A successful login returns:

access_token
refresh_token

The flow is:

Call the Login API with your Customer ID, email, and password.
Receive an access_token and refresh_token.
Send the access_token as a Bearer token in every API request.
Call the Refresh Token API when the access_token expires.
Call the Login API again if the refresh_token is no longer valid.

The access_token is valid for 10 hours. This value may change.

Use this endpoint to authenticate and get the first token pair.

Endpoint

POST https://auth.in.we360.ai/realms/ind-prod/protocol/openid-connect/token

cURL example

curl --location \
  'https://auth.in.we360.ai/realms/ind-prod/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode "client_id=${customer_id}" \
  --data-urlencode "username=${email}" \
  --data-urlencode "password=${password}" \
  --data-urlencode "grant_type=password"

Request parameters

Parameter

Description

client_id

Your Customer ID. Retrieve it from the profile icon in the top-right corner of the we360.ai portal.

username

The registered email address associated with your we360.ai account.

password

The password for your we360.ai account.

grant_type

Must be password.

Sample response

{
  "access_token": "eyJhbG...8qA1Klw",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR...x78q-gRk2-lLHV53L0",
  "token_type": "Bearer",
  "not-before-policy": 0,
  "session_state": "bb62faa8-1b33-4d8e-966b-88120e39670a",
  "scope": "email offline_access profile"
}

Response fields

Field

Description

access_token

JWT used to authenticate API requests. Valid for 10 hours, subject to change.

refresh_token

Used to obtain a new access_token without logging in again.

token_type

Always Bearer.

not-before-policy

Keycloak policy timestamp. Usually 0.

session_state

UUID for the active authentication session.

scope

Granted scopes such as email, profile, and offline_access.

To retrieve your Customer ID, click the profile icon in the top-right corner of the we360.ai portal. You can copy it directly from there.

Refresh Token API

Use this endpoint to get a new token pair when the current access_token expires.

Endpoint

POST https://auth.in.we360.ai/realms/ind-prod/protocol/openid-connect/token

cURL example

curl --location \
  'https://auth.in.we360.ai/realms/ind-prod/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=${customer_id}' \
  --data-urlencode 'refresh_token=${refresh_token}' \
  --data-urlencode 'grant_type=refresh_token'

Request parameters

Parameter

Description

client_id

Your Customer ID. Use the same value used during login.

refresh_token

The refresh_token returned by a previous Login or Refresh Token response.

grant_type

Must be refresh_token.

Sample response

{
  "access_token": "eyJhbG...8qA1Klw",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR...x78q-gRk2-lLHV53L0",
  "token_type": "Bearer",
  "not-before-policy": 0,
  "session_state": "bb62faa8-1b33-4d8e-966b-88120e39670a",
  "scope": "email offline_access profile"
}

If the Refresh Token API returns a non-200 status, the refresh_token has expired or was invalidated. Call the Login API again to get a fresh token pair.

Use the bearer token

Send the access_token in the Authorization header of every API request:

Authorization: Bearer ${access_token}

Example

curl --location 'https://api.in.we360.ai/v1/some-endpoint' \
  --header 'Authorization: Bearer eyJhbG...8qA1Klw' \
  --header 'Content-Type: application/json'

Bearer tokens are sensitive credentials. Never expose them in client-side code, URLs, logs, or version control. Always send them over HTTPS.

Token lifecycle and best practices

Token

Expiry

On expiry

access_token

10 hours, may change

Call the Refresh Token API

refresh_token

Server-defined

Call the Login API again

Additional recommendations:

Store tokens securely. Use environment variables or a secrets manager.
Refresh proactively. Check expiry before each request.
Always store the newest access_token and refresh_token.
Use HTTPS only.
Revoke the session on logout if your application supports it.

If your environment restricts outbound traffic, allow the required domains listed in The "Allowlist" Guide.

PreviousZoho Push Punch Logs NextDynamic Report API

Last updated 26 days ago

Was this helpful?