Mock sample for your project: Up API
Integrate with "Up API" from up.com.au in no time with Mockoon's ready to use mock sample
Up API
Version: v1
Speed up your application development by using "Up API" ready-to-use mock sample. Mocking this API will allow you to start working in no time. No more accounts to create, API keys to provision, accesses to configure, unplanned downtime, just work.
It also improves your integration tests' quality and reliability by accounting for random failures, slow response time, etc.
Description
The Up API gives you programmatic access to your balances and
transaction data. You can request past transactions or set up
webhooks to receive real-time events when new transactions hit your
account. It’s new, it’s exciting and it’s just the beginning.
Other APIs in the same category
Swiss NextGen Banking API-Framework
Summary
The Swiss NextGen API is based on the NextGenPSD2 Framework Version 1.3.4 of the Berlin Group which offers a modern, open, harmonised and interoperable set of
Application Programming Interfaces (APIs) as the safest and most efficient way to provide data securely.
The NextGen Framework reduces XS2A complexity and costs, addresses the problem of multiple competing standards
in Europe and, aligned with the goals of the Euro Retail Payments Board,
enables European banking customers to benefit from innovative products and services ('Banking as a Service')
by granting TPPs safe and secure (authenticated and authorised) access to their bank accounts and financial data.
The Swiss edtion refines the message formats specific to Switzerland and defines some matching examples.
The possible Approaches are:
Redirect SCA Approach
(Not recommended by obp.ch community) OAuth SCA Approach
(Not recommended by obp.ch community) Decoupled SCA Approach
(Not recommended by obp.ch community) Embedded SCA Approach without SCA method
(Not recommended by obp.ch community) Embedded SCA Approach with only one SCA method available
(Not recommended by obp.ch community) Embedded SCA Approach with Selection of a SCA method
Not every message defined in this API definition is necessary for all approaches.
Furthermore this API definition does not differ between methods which are mandatory, conditional, or optional
Therefore for a particular implementation of a compliant API it is only necessary to support
a certain subset of the methods defined in this API definition.
**Please have a look at the implementation guidelines if you are not sure
which message has to be used for the approach you are going to use.**
Some General Remarks Related to this version of the OpenAPI Specification:
This API definition is based on the Implementation Guidelines of the Berlin Group API.
It is not a replacement in any sense.
The main specification is (at the moment) always the Implementation Guidelines of the Berlin Group API.
This API definition contains the REST-API for requests from the PISP to the ASPSP.
This API definition contains the messages for all different approaches defined in the Implementation Guidelines.
According to the OpenAPI-Specification [https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.1.md]
"If in is "header" and the name field is "Accept", "Content-Type" or "Authorization", the parameter definition SHALL be ignored."
The element "Accept" will not be defined in this file at any place.
The elements "Content-Type" and "Authorization" are implicitly defined by the OpenApi tags "content" and "security".
There are several predefined types which might occur in payment initiation messages,
but are not used in the standard JSON messages in the Implementation Guidelines.
Therefore they are not used in the corresponding messages in this file either.
We added them for the convenience of the user.
If there is a payment product, which needs these fields, one can easily use the predefined types.
But the ASPSP need not to accept them in general.
**We omit the definition of all standard HTTP header elements (mandatory/optional/conditional)
except they are mentioned in the Implementation Guidelines.**
Therefore the implementer might add these in his own realisation of a comlient API in addition to the elements defined in this file.
General Remarks on Data Types
The Berlin Group definition of UTF-8 strings in context of the API have to support at least the following characters
a b c d e f g h i j k l m n o p q r s t u v w x y z
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
0 1 2 3 4 5 6 7 8 9
/ - ? : ( ) . , ' +
Space
The Swiss NextGen API is based on the NextGenPSD2 Framework Version 1.3.4 of the Berlin Group which offers a modern, open, harmonised and interoperable set of
Application Programming Interfaces (APIs) as the safest and most efficient way to provide data securely.
The NextGen Framework reduces XS2A complexity and costs, addresses the problem of multiple competing standards
in Europe and, aligned with the goals of the Euro Retail Payments Board,
enables European banking customers to benefit from innovative products and services ('Banking as a Service')
by granting TPPs safe and secure (authenticated and authorised) access to their bank accounts and financial data.
The Swiss edtion refines the message formats specific to Switzerland and defines some matching examples.
The possible Approaches are:
Redirect SCA Approach
(Not recommended by obp.ch community) OAuth SCA Approach
(Not recommended by obp.ch community) Decoupled SCA Approach
(Not recommended by obp.ch community) Embedded SCA Approach without SCA method
(Not recommended by obp.ch community) Embedded SCA Approach with only one SCA method available
(Not recommended by obp.ch community) Embedded SCA Approach with Selection of a SCA method
Not every message defined in this API definition is necessary for all approaches.
Furthermore this API definition does not differ between methods which are mandatory, conditional, or optional
Therefore for a particular implementation of a compliant API it is only necessary to support
a certain subset of the methods defined in this API definition.
**Please have a look at the implementation guidelines if you are not sure
which message has to be used for the approach you are going to use.**
Some General Remarks Related to this version of the OpenAPI Specification:
This API definition is based on the Implementation Guidelines of the Berlin Group API.
It is not a replacement in any sense.
The main specification is (at the moment) always the Implementation Guidelines of the Berlin Group API.
This API definition contains the REST-API for requests from the PISP to the ASPSP.
This API definition contains the messages for all different approaches defined in the Implementation Guidelines.
According to the OpenAPI-Specification [https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.1.md]
"If in is "header" and the name field is "Accept", "Content-Type" or "Authorization", the parameter definition SHALL be ignored."
The element "Accept" will not be defined in this file at any place.
The elements "Content-Type" and "Authorization" are implicitly defined by the OpenApi tags "content" and "security".
There are several predefined types which might occur in payment initiation messages,
but are not used in the standard JSON messages in the Implementation Guidelines.
Therefore they are not used in the corresponding messages in this file either.
We added them for the convenience of the user.
If there is a payment product, which needs these fields, one can easily use the predefined types.
But the ASPSP need not to accept them in general.
**We omit the definition of all standard HTTP header elements (mandatory/optional/conditional)
except they are mentioned in the Implementation Guidelines.**
Therefore the implementer might add these in his own realisation of a comlient API in addition to the elements defined in this file.
General Remarks on Data Types
The Berlin Group definition of UTF-8 strings in context of the API have to support at least the following characters
a b c d e f g h i j k l m n o p q r s t u v w x y z
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
0 1 2 3 4 5 6 7 8 9
/ - ? : ( ) . , ' +
Space
Tradematic Cloud API
tradematic.com
Overview
Tradematic Cloud is a trading infrastructure for building investment services.
It’s a trading engine + API + ready-made adapters to stock and forex brokers, crypto exchanges, and market data providers.
You can use it as a cloud API, or you can deploy it on your servers.
How to use Tradematic Cloud API
Sign up at tradematic.cloud. After signing up, you will receive your API key.
Authorization
Add the 'X-API-KEY' header with your API key to each request.
Examples of writing code with Tradematic Cloud API
Examples are available at tradematic.cloud.
Swagger (.yaml) File
Swagger (.yaml) file can be found here.
Tradematic Cloud is a trading infrastructure for building investment services.
It’s a trading engine + API + ready-made adapters to stock and forex brokers, crypto exchanges, and market data providers.
You can use it as a cloud API, or you can deploy it on your servers.
How to use Tradematic Cloud API
Sign up at tradematic.cloud. After signing up, you will receive your API key.
Authorization
Add the 'X-API-KEY' header with your API key to each request.
Examples of writing code with Tradematic Cloud API
Examples are available at tradematic.cloud.
Swagger (.yaml) File
Swagger (.yaml) file can be found here.
Paylocity API
paylocity.com
For general questions and support of the API, contact: [email protected]
Overview
Paylocity Web Services API is an externally facing RESTful Internet protocol. The Paylocity API uses HTTP verbs and a RESTful endpoint structure. OAuth 2.0 is used as the API Authorization framework. Request and response payloads are formatted as JSON.
Paylocity supports v1 and v2 versions of its API endpoints. v1, while supported, won't be enhanced with additional functionality. For direct link to v1 documentation, please click here. For additional resources regarding v1/v2 differences and conversion path, please contact [email protected].
Setup
Paylocity will provide the secure client credentials and set up the scope (type of requests and allowed company numbers). You will receive the unique client id, secret, and Paylocity public key for the data encryption. The secret will expire in 365 days.
Paylocity will send you an e-mail 10 days prior to the expiration date for the current secret. If not renewed, the second e-mail notification will be sent 5 days prior to secret's expiration. Each email will contain the code necessary to renew the client secret.
You can obtain the new secret by calling API endpoint using your current not yet expired credentials and the code that was sent with the notification email. For details on API endpoint, please see Client Credentials section.
Both the current secret value and the new secret value will be recognized during the transition period. After the current secret expires, you must use the new secret.
If you were unable to renew the secret via API endpoint, you can still contact Service and they will email you new secret via secure email.
When validating the request, Paylocity API will honor the defaults and required fields set up for the company default New Hire Template as defined in Web Pay.
Authorization
Paylocity Web Services API uses OAuth2.0 Authentication with JSON Message Format.
All requests of the Paylocity Web Services API require a bearer token which can be obtained by authenticating the client with the Paylocity Web Services API via OAuth 2.0.
The client must request a bearer token from the authorization endpoint:
auth-server for production: https://api.paylocity.com/IdentityServer/connect/token
auth-server for testing: https://apisandbox.paylocity.com/IdentityServer/connect/token
Paylocity reserves the right to impose rate limits on the number of calls made to our APIs. Changes to API features/functionality may be made at anytime with or without prior notice.
Authorization Header
The request is expected to be in the form of a basic authentication request, with the "Authorization" header containing the client-id and client-secret. This means the standard base-64 encoded user:password, prefixed with "Basic" as the value for the Authorization header, where user is the client-id and password is the client-secret.
Content-Type Header
The "Content-Type" header is required to be "application/x-www-form-urlencoded".
Additional Values
The request must post the following form encoded values within the request body:
granttype = clientcredentials
scope = WebLinkAPI
Responses
Success will return HTTP 200 OK with JSON content:
{
"access_token": "xxx",
"expires_in": 3600,
"token_type": "Bearer"
}
Encryption
Paylocity uses a combination of RSA and AES cryptography. As part of the setup, each client is issued a public RSA key.
Paylocity recommends the encryption of the incoming requests as additional protection of the sensitive data. Clients can opt-out of the encryption during the initial setup process. Opt-out will allow Paylocity to process unencrypted requests.
The Paylocity Public Key has the following properties:
2048 bit key size
PKCS1 key format
PEM encoding
Properties
key (base 64 encoded): The AES symmetric key encrypted with the Paylocity Public Key. It is the key used to encrypt the content. Paylocity will decrypt the AES key using RSA decryption and use it to decrypt the content.
iv (base 64 encoded): The AES IV (Initialization Vector) used when encrypting the content.
content (base 64 encoded): The AES encrypted request. The key and iv provided in the secureContent request are used by Paylocity for decryption of the content.
We suggest using the following for the AES:
CBC cipher mode
PKCS7 padding
128 bit block size
256 bit key size
Encryption Flow
Generate the unencrypted JSON payload to POST/PUT
Encrypt this JSON payload using your own key and IV (NOT with the Paylocity public key)
RSA encrypt the key you used in step 2 with the Paylocity Public Key, then, base64 encode the result
Base64 encode the IV used to encrypt the JSON payload in step 2
Put together a "securecontent" JSON object:
{
'secureContent' : {
'key' : -- RSA-encrypted & base64 encoded key from step 3,
'iv' : -- base64 encoded iv from step 4
'content' -- content encrypted with your own key from step 2, base64 encoded
}
}
Sample Example
{
"secureContent": {
"key": "eS3aw6H/qzHMJ00gSi6gQ3xa08DPMazk8BFY96Pd99ODA==",
"iv": "NLyXMGq9svw0XO5aI9BzWw==",
"content": "gAEOiQltO1w+LzGUoIK8FiYbU42hug94EasSl7N+Q1w="
}
}
Sample C# Code
using Newtonsoft.Json;
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
public class SecuredContent
{
[JsonProperty("key")]
public string Key { get; set; }
[JsonProperty("iv")]
public string Iv { get; set; }
[JsonProperty("content")]
public string Content { get; set; }
}
public class EndUserSecureRequestExample
{
public string CreateSecuredRequest(FileInfo paylocityPublicKey, string unsecuredJsonRequest)
{
string publicKeyXml = File.ReadAllText(paylocityPublicKey.FullName, Encoding.UTF8);
SecuredContent secureContent = this.CreateSecuredContent(publicKeyXml, unsecuredJsonRequest);
string secureRequest = JsonConvert.SerializeObject(new { secureContent });
return secureRequest;
}
private SecuredContent CreateSecuredContent(string publicKeyXml, string request)
{
using (AesCryptoServiceProvider aesCsp = new AesCryptoServiceProvider())
{
aesCsp.Mode = CipherMode.CBC;
aesCsp.Padding = PaddingMode.PKCS7;
aesCsp.BlockSize = 128;
aesCsp.KeySize = 256;
using (ICryptoTransform crt = aesCsp.CreateEncryptor(aesCsp.Key, aesCsp.IV))
{
using (MemoryStream outputStream = new MemoryStream())
{
using (CryptoStream encryptStream = new CryptoStream(outputStream, crt, CryptoStreamMode.Write))
{
byte[] encodedRequest = Encoding.UTF8.GetBytes(request);
encryptStream.Write(encodedRequest, 0, encodedRequest.Length);
encryptStream.FlushFinalBlock();
byte[] encryptedRequest = outputStream.ToArray();
using (RSACryptoServiceProvider crp = new RSACryptoServiceProvider())
{
crp.FromXmlstring(publicKeyXml);
byte[] encryptedKey = crp.Encrypt(aesCsp.Key, false);
return new SecuredContent()
{
Key = Convert.ToBase64string(encryptedKey),
Iv = Convert.ToBase64string(aesCsp.IV),
Content = Convert.ToBase64string(encryptedRequest)
};
}
}
}
}
}
}
}
Support
Questions about using the Paylocity API? Please contact [email protected].
Deductions (v1)
Deductions API provides endpoints to retrieve, add, update and delete deductions for a company's employees. For schema details, click here.
OnBoarding (v1)
Onboarding API sends employee data into Paylocity Onboarding to help ensure an easy and accurate hiring process for subsequent completion into Web Pay. For schema details, click here.
Overview
Paylocity Web Services API is an externally facing RESTful Internet protocol. The Paylocity API uses HTTP verbs and a RESTful endpoint structure. OAuth 2.0 is used as the API Authorization framework. Request and response payloads are formatted as JSON.
Paylocity supports v1 and v2 versions of its API endpoints. v1, while supported, won't be enhanced with additional functionality. For direct link to v1 documentation, please click here. For additional resources regarding v1/v2 differences and conversion path, please contact [email protected].
Setup
Paylocity will provide the secure client credentials and set up the scope (type of requests and allowed company numbers). You will receive the unique client id, secret, and Paylocity public key for the data encryption. The secret will expire in 365 days.
Paylocity will send you an e-mail 10 days prior to the expiration date for the current secret. If not renewed, the second e-mail notification will be sent 5 days prior to secret's expiration. Each email will contain the code necessary to renew the client secret.
You can obtain the new secret by calling API endpoint using your current not yet expired credentials and the code that was sent with the notification email. For details on API endpoint, please see Client Credentials section.
Both the current secret value and the new secret value will be recognized during the transition period. After the current secret expires, you must use the new secret.
If you were unable to renew the secret via API endpoint, you can still contact Service and they will email you new secret via secure email.
When validating the request, Paylocity API will honor the defaults and required fields set up for the company default New Hire Template as defined in Web Pay.
Authorization
Paylocity Web Services API uses OAuth2.0 Authentication with JSON Message Format.
All requests of the Paylocity Web Services API require a bearer token which can be obtained by authenticating the client with the Paylocity Web Services API via OAuth 2.0.
The client must request a bearer token from the authorization endpoint:
auth-server for production: https://api.paylocity.com/IdentityServer/connect/token
auth-server for testing: https://apisandbox.paylocity.com/IdentityServer/connect/token
Paylocity reserves the right to impose rate limits on the number of calls made to our APIs. Changes to API features/functionality may be made at anytime with or without prior notice.
Authorization Header
The request is expected to be in the form of a basic authentication request, with the "Authorization" header containing the client-id and client-secret. This means the standard base-64 encoded user:password, prefixed with "Basic" as the value for the Authorization header, where user is the client-id and password is the client-secret.
Content-Type Header
The "Content-Type" header is required to be "application/x-www-form-urlencoded".
Additional Values
The request must post the following form encoded values within the request body:
granttype = clientcredentials
scope = WebLinkAPI
Responses
Success will return HTTP 200 OK with JSON content:
{
"access_token": "xxx",
"expires_in": 3600,
"token_type": "Bearer"
}
Encryption
Paylocity uses a combination of RSA and AES cryptography. As part of the setup, each client is issued a public RSA key.
Paylocity recommends the encryption of the incoming requests as additional protection of the sensitive data. Clients can opt-out of the encryption during the initial setup process. Opt-out will allow Paylocity to process unencrypted requests.
The Paylocity Public Key has the following properties:
2048 bit key size
PKCS1 key format
PEM encoding
Properties
key (base 64 encoded): The AES symmetric key encrypted with the Paylocity Public Key. It is the key used to encrypt the content. Paylocity will decrypt the AES key using RSA decryption and use it to decrypt the content.
iv (base 64 encoded): The AES IV (Initialization Vector) used when encrypting the content.
content (base 64 encoded): The AES encrypted request. The key and iv provided in the secureContent request are used by Paylocity for decryption of the content.
We suggest using the following for the AES:
CBC cipher mode
PKCS7 padding
128 bit block size
256 bit key size
Encryption Flow
Generate the unencrypted JSON payload to POST/PUT
Encrypt this JSON payload using your own key and IV (NOT with the Paylocity public key)
RSA encrypt the key you used in step 2 with the Paylocity Public Key, then, base64 encode the result
Base64 encode the IV used to encrypt the JSON payload in step 2
Put together a "securecontent" JSON object:
{
'secureContent' : {
'key' : -- RSA-encrypted & base64 encoded key from step 3,
'iv' : -- base64 encoded iv from step 4
'content' -- content encrypted with your own key from step 2, base64 encoded
}
}
Sample Example
{
"secureContent": {
"key": "eS3aw6H/qzHMJ00gSi6gQ3xa08DPMazk8BFY96Pd99ODA==",
"iv": "NLyXMGq9svw0XO5aI9BzWw==",
"content": "gAEOiQltO1w+LzGUoIK8FiYbU42hug94EasSl7N+Q1w="
}
}
Sample C# Code
using Newtonsoft.Json;
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
public class SecuredContent
{
[JsonProperty("key")]
public string Key { get; set; }
[JsonProperty("iv")]
public string Iv { get; set; }
[JsonProperty("content")]
public string Content { get; set; }
}
public class EndUserSecureRequestExample
{
public string CreateSecuredRequest(FileInfo paylocityPublicKey, string unsecuredJsonRequest)
{
string publicKeyXml = File.ReadAllText(paylocityPublicKey.FullName, Encoding.UTF8);
SecuredContent secureContent = this.CreateSecuredContent(publicKeyXml, unsecuredJsonRequest);
string secureRequest = JsonConvert.SerializeObject(new { secureContent });
return secureRequest;
}
private SecuredContent CreateSecuredContent(string publicKeyXml, string request)
{
using (AesCryptoServiceProvider aesCsp = new AesCryptoServiceProvider())
{
aesCsp.Mode = CipherMode.CBC;
aesCsp.Padding = PaddingMode.PKCS7;
aesCsp.BlockSize = 128;
aesCsp.KeySize = 256;
using (ICryptoTransform crt = aesCsp.CreateEncryptor(aesCsp.Key, aesCsp.IV))
{
using (MemoryStream outputStream = new MemoryStream())
{
using (CryptoStream encryptStream = new CryptoStream(outputStream, crt, CryptoStreamMode.Write))
{
byte[] encodedRequest = Encoding.UTF8.GetBytes(request);
encryptStream.Write(encodedRequest, 0, encodedRequest.Length);
encryptStream.FlushFinalBlock();
byte[] encryptedRequest = outputStream.ToArray();
using (RSACryptoServiceProvider crp = new RSACryptoServiceProvider())
{
crp.FromXmlstring(publicKeyXml);
byte[] encryptedKey = crp.Encrypt(aesCsp.Key, false);
return new SecuredContent()
{
Key = Convert.ToBase64string(encryptedKey),
Iv = Convert.ToBase64string(aesCsp.IV),
Content = Convert.ToBase64string(encryptedRequest)
};
}
}
}
}
}
}
}
Support
Questions about using the Paylocity API? Please contact [email protected].
Deductions (v1)
Deductions API provides endpoints to retrieve, add, update and delete deductions for a company's employees. For schema details, click here.
OnBoarding (v1)
Onboarding API sends employee data into Paylocity Onboarding to help ensure an easy and accurate hiring process for subsequent completion into Web Pay. For schema details, click here.
Afterbanks API
afterbanks.com
La estandarización de la conexión con cualquier banco en tiempo real.
Xero OAuth 2 Identity Service API
These endpoints are related to managing authentication tokens and identity for Xero API
Business Registries
ato.gov.au
Introduction
The Business Registries API is built on HTTP. The API is RESTful. It has predictable resource URIs.
The API is documented in OpenAPI format.
In addition to the standard OpenAPI syntax we use a few
vendor extensions.
Overview
The following sections describe the resources that make up the Business Registries REST API.
Current Version
By default, all requests to https://api.abr.ato.gov.au receive the v1 version of the REST API. We encourage you to explicitly request this version via the Accept header.
Accept: application/vnd.abr-ato.v1+json
Schema
All API access is over HTTPS, and accessed from https://api.abr.ato.gov.au. All data is sent and received as JSON. Blank fields are included.
All dates use the ISO 8601 format:
YYYY-MM-DD
For example: 2017-07-01 (the 1st of July 2017)
All timestamps use the ISO 8601 format:
YYYY-MM-DDTHH:MM:SSZ
For example: 2017-07-01T11:05:06+10:00
Timezones
Some requests allow for specifying timestamps or generate timestamps with time zone information. We apply the following rules, in order of priority, to determine timezone information for API calls.
Explicitly provide an ISO 8601 timestamp with timezone information
For API calls that allow for a timestamp to be specified, we use that exact timestamp.
For example: 2017-07-01T11:05:06+10:00
Pagination
Information about pagination is provided in the Link header.
For example:
Link:; rel="next",; rel="last"
rel="next" states that the next page is page=2. This makes sense, since by default, all paginated queries start at page 1. rel="last" provides some more information, stating that the last page of results is on page 34. Accordingly, we have 33 more pages of information that we can consume.
Parameters
Many API methods take optional parameters:
GET /individuals/1234/addresses/?addressType='Mailing'
In this example, the '1234' value is provided for the :partyId parameter in the path while :addressType is passed in the query string.
For POST, PATCH, PUT, and DELETE requests, parameters not included in the URL should be encoded as JSON with a Content-Type of 'application/json'.
Metadata
The API provides metadata services that you can use to discover information about the classifcation schemes and values used by the Registry.
For example:
GET /classifications/roles
Sample response:
[
{
"id": "123e4567-e89b-12d3-a456-426655440001",
"role": "Director",
"roleDescription": "An individual responsible for managing a company's ...",
"relationship": "Directorship",
"reciprocalRole": "Company",
"reciprocalRoleDescription": "An incorporated legal entity."
},
{
...
}
]
Root Endpoint
You can issue a GET request to the root endpoint (also known as the service root) to get all the endpoint categories that the REST API supports:
curl https://api.abr.ato.gov.au
Authentication
The Business Registries API supports API Key authentication.
When you sign up for an account, you are given your first API key. You can generate additional API keys, and delete
API keys (as you may need to rotate your keys in the future). You authenticate to the Business Registries API by
providing your secret key in the request header.
Note: Some requests will return 404 Not Found, instead of 403 Permission Denied. This is to prevent the
accidental leakage of information to unauthorised users.
The Business Registries API is built on HTTP. The API is RESTful. It has predictable resource URIs.
The API is documented in OpenAPI format.
In addition to the standard OpenAPI syntax we use a few
vendor extensions.
Overview
The following sections describe the resources that make up the Business Registries REST API.
Current Version
By default, all requests to https://api.abr.ato.gov.au receive the v1 version of the REST API. We encourage you to explicitly request this version via the Accept header.
Accept: application/vnd.abr-ato.v1+json
Schema
All API access is over HTTPS, and accessed from https://api.abr.ato.gov.au. All data is sent and received as JSON. Blank fields are included.
All dates use the ISO 8601 format:
YYYY-MM-DD
For example: 2017-07-01 (the 1st of July 2017)
All timestamps use the ISO 8601 format:
YYYY-MM-DDTHH:MM:SSZ
For example: 2017-07-01T11:05:06+10:00
Timezones
Some requests allow for specifying timestamps or generate timestamps with time zone information. We apply the following rules, in order of priority, to determine timezone information for API calls.
Explicitly provide an ISO 8601 timestamp with timezone information
For API calls that allow for a timestamp to be specified, we use that exact timestamp.
For example: 2017-07-01T11:05:06+10:00
Pagination
Information about pagination is provided in the Link header.
For example:
Link:; rel="next",; rel="last"
rel="next" states that the next page is page=2. This makes sense, since by default, all paginated queries start at page 1. rel="last" provides some more information, stating that the last page of results is on page 34. Accordingly, we have 33 more pages of information that we can consume.
Parameters
Many API methods take optional parameters:
GET /individuals/1234/addresses/?addressType='Mailing'
In this example, the '1234' value is provided for the :partyId parameter in the path while :addressType is passed in the query string.
For POST, PATCH, PUT, and DELETE requests, parameters not included in the URL should be encoded as JSON with a Content-Type of 'application/json'.
Metadata
The API provides metadata services that you can use to discover information about the classifcation schemes and values used by the Registry.
For example:
GET /classifications/roles
Sample response:
[
{
"id": "123e4567-e89b-12d3-a456-426655440001",
"role": "Director",
"roleDescription": "An individual responsible for managing a company's ...",
"relationship": "Directorship",
"reciprocalRole": "Company",
"reciprocalRoleDescription": "An incorporated legal entity."
},
{
...
}
]
Root Endpoint
You can issue a GET request to the root endpoint (also known as the service root) to get all the endpoint categories that the REST API supports:
curl https://api.abr.ato.gov.au
Authentication
The Business Registries API supports API Key authentication.
When you sign up for an account, you are given your first API key. You can generate additional API keys, and delete
API keys (as you may need to rotate your keys in the future). You authenticate to the Business Registries API by
providing your secret key in the request header.
Note: Some requests will return 404 Not Found, instead of 403 Permission Denied. This is to prevent the
accidental leakage of information to unauthorised users.
Accounting
Introduction
The Xero Accounting API is a RESTful web service and uses the OAuth (v1.0a) protocol to authenticate 3rd party applications. The Accounting API exposes accounting and related functions of the main Xero application and can be used for a variety of purposes such as creating transactions like invoices and credit notes, right through to extracting accounting data via our reports endpoint.
The Xero Accounting API is a RESTful web service and uses the OAuth (v1.0a) protocol to authenticate 3rd party applications. The Accounting API exposes accounting and related functions of the main Xero application and can be used for a variety of purposes such as creating transactions like invoices and credit notes, right through to extracting accounting data via our reports endpoint.