Mock sample for your project: VAT API
Integrate with "VAT API" from vatapi.com in no time with Mockoon's ready to use mock sample
VAT API
vatapi.com
Version: 1
Speed up your application development by using "VAT API" ready-to-use mock sample. Mocking this API will help you accelerate your development lifecycles and allow you to stop relying on an external API to get the job done. No more API keys to provision, accesses to configure or unplanned downtime, just work.
Enhance your development infrastructure by mocking third party APIs during integrating testing.
Description
A developer friendly API to help your business achieve VAT compliance
Other APIs in the same category
Event Notification API Specification - TPP Endpoints
openbanking.org.uk
Swagger for Event Notification API Specification - TPP Endpoints
Account and Transaction API Specification
openbanking.org.uk
Swagger for Account and Transaction API Specification
Tradeworks
magick.nu
Authentication is required to access all methods of the API. Enter username and password.
Credentials are automatically set as you type.
Credentials are automatically set as you type.
Taxrates.io API
taxrates.io
Introduction
Taxrates.io is a global tax rate service that automates the management of monitoring tax rates changes in 181 countries. We monitor over 14,000 US sales tax, VAT, GST rates for you and make updates via our API so you always have the most update tax rates.
You can use Taxrates.io as a virtual sandbox where we provide you with 30 days free trial.
Countries
We currently support the following countries around the world. If you would like to request the addition of a new country, please email us at [email protected]
Afghanistan Gambia Nicaragua
Albania Georgia Niger
Andorra Germany Nigeria
Angola Ghana North Korea
Antigua and Barbuda Greece Norway
Argentina Grenada Pakistan
Armenia Guam Palestine
Aruba Guatemala Panama
Australia Guinea Papua New Guinea
Austria Guyana Paraguay
Azerbaijan Haiti Peru
Bahamas Honduras Philippines
Bangladesh Hungary Poland
Barbados Iceland Portugal
Belarus India Puerto Rico
Belgium Indonesia Republic of the Congo
Belize Iran Romania
Benin Ireland Russian Federation
Bhutan Isle of Man Rwanda
Bolivia Israel Samoa
Bonaire Italy Senegal
Bosnia and Herzegovina Japan Serbia
Botswana Jersey Seychelles
Brazil Jordan Sierra Leone
Bulgaria Jordan Singapore
Burkina Faso Kazakhstan Slovakia
Burundi Kenya Slovenia
Cambodia Kiribati Solomon Islands
Cameroon Kosovo Somalia
Cape Verde Kyrgyzstan South Africa
Central African Republic Laos South Korea
Chad Latvia South Sudan
Chile Lebanon Spain
China Lesotho Sri Lanka
Columbia Liberia St Lucia
Comoros Liechtenstein Sudan
Cook Islands Lithuania Suriname
Costa Rica Luxembourg Swaziland
Cote d'Ivoire Macedonia Sweden
Croatia Madagascar Switzerland
Cuba Malawi Tahiti
Curacao Malaysia Taiwan
Cyprus Maldives Tajikistan
Czech Republic Mali Tanzania
Democratic Republic of the Congo Malta Thailand
Denmark Mauritania Togo
Djbouti Mauritius Tonga
Dominica Mexico Trinidad and Tobago
Dominican Republic Micronesia Tunisia
Ecuador Moldova Turkmenistan
Egypt Monaco Tuvalu
El Salvador Mongolia Uganda
Equatorial Guinea Montenegro Ukraine
Eritrea Morocco United Kingdom
Estonia Mozambique United States
Ethiopia Myanmar Uruguay
Fiji Namibia Vanuatu
Finland Nepal Venezuela
France Netherlands Vietnam
Gabon New Zealand Yemen
Products codes
The Taxrates.io API’s provides product-level tax rates for a subset of product codes. These codes are to be used for products that are either exempt from tax in some jurisdictions or are taxed at reduced rates.
We will be expanding support for additional, less common categories over time. If you would like to request the addition of a new product category, please email us at [email protected]
Please select a product code/s when making a request to the Taxrates.io API
Product code Product Description
C010 Services which are not subject to a service-specific tax
C011 Software - Downloaded
C012 Books - Downloaded
C011 Music - Downloaded
C011 Movies/Digital Video - Downloaded
C011 Other Electronic Goods - Downloaded
C011 Streaming Music/Audio Services new
C011 Streaming Video Services new
C018 Software as a Services, Generally (Remote Access to Hosted Software)
C018 Remote Access to Hosted Software - Personal Use
C018 Remote Access to Hosted Software - Business Use
C021 Remote Access to Hosted Business Custom Applications
C021 Personal Cloud Storage/Backup
C021 Business Cloud Storage/Backup
C021 Business Data Warehouses
C022 Infrastructure as Service, Generally
C022 Ecommerce Site/Webserver Hosting
C022 Provision of Virtual Computing Capacity
C022 Software - package or canned program
C022 Software - modifications to canned program
C022 Software - custom programs - material
C022 Software - custom programs - professional serv.
C022 Information services
C022 Data processing services
C022 Mainframe computer access and processing serv.
C022 Online Data processing services
Filtering
When calling the API endpoints you can use 'filter' parameters to get tax rate for the selected type. You can get the following tax types (Each tax rate will always have one of following types)
US Sales tax Rates
CombinedRate
StateRate
CountyRate
CityRate
SpecialRate
We recommend using Postman when discovering our API. Happy using!
Rate Limiting
We limit API requests.
If you’re exceeding this rate and encountering 429 errors, review the following:
Only make requests in states / regions where you have enabled.
Cache responses if the order details haven’t changed since the last calculation at checkout.
Errors
The Taxrates.io API uses the following error codes:
Code Error Message
400 Bad Request – Your request format is bad.
401 Unauthorized – Your API key is wrong.
404 Not Found – The specified resource could not be found.
405 Method Not Allowed – You tried to access a resource with an invalid method.
429 Too Many Requests – You’re requesting too many resources! Slow down!
500 Internal Server Error – We had a problem with our server. Try again later.
503 Service Unavailable – We’re temporarily offline for maintenance. Try again later.
Verify your API token is correct and make sure you’re correctly setting the Authorization header.
If you’re still not sure what’s wrong, contact us and we’ll investigate.
Changelog
Stay on top of new developer-facing features, accuracy improvements, and bug fixes for our API. Have a request? Encounter an issue? We’d love to hear your feedback.
Contact Support:
Name: [email protected]
Taxrates.io is a global tax rate service that automates the management of monitoring tax rates changes in 181 countries. We monitor over 14,000 US sales tax, VAT, GST rates for you and make updates via our API so you always have the most update tax rates.
You can use Taxrates.io as a virtual sandbox where we provide you with 30 days free trial.
Countries
We currently support the following countries around the world. If you would like to request the addition of a new country, please email us at [email protected]
Afghanistan Gambia Nicaragua
Albania Georgia Niger
Andorra Germany Nigeria
Angola Ghana North Korea
Antigua and Barbuda Greece Norway
Argentina Grenada Pakistan
Armenia Guam Palestine
Aruba Guatemala Panama
Australia Guinea Papua New Guinea
Austria Guyana Paraguay
Azerbaijan Haiti Peru
Bahamas Honduras Philippines
Bangladesh Hungary Poland
Barbados Iceland Portugal
Belarus India Puerto Rico
Belgium Indonesia Republic of the Congo
Belize Iran Romania
Benin Ireland Russian Federation
Bhutan Isle of Man Rwanda
Bolivia Israel Samoa
Bonaire Italy Senegal
Bosnia and Herzegovina Japan Serbia
Botswana Jersey Seychelles
Brazil Jordan Sierra Leone
Bulgaria Jordan Singapore
Burkina Faso Kazakhstan Slovakia
Burundi Kenya Slovenia
Cambodia Kiribati Solomon Islands
Cameroon Kosovo Somalia
Cape Verde Kyrgyzstan South Africa
Central African Republic Laos South Korea
Chad Latvia South Sudan
Chile Lebanon Spain
China Lesotho Sri Lanka
Columbia Liberia St Lucia
Comoros Liechtenstein Sudan
Cook Islands Lithuania Suriname
Costa Rica Luxembourg Swaziland
Cote d'Ivoire Macedonia Sweden
Croatia Madagascar Switzerland
Cuba Malawi Tahiti
Curacao Malaysia Taiwan
Cyprus Maldives Tajikistan
Czech Republic Mali Tanzania
Democratic Republic of the Congo Malta Thailand
Denmark Mauritania Togo
Djbouti Mauritius Tonga
Dominica Mexico Trinidad and Tobago
Dominican Republic Micronesia Tunisia
Ecuador Moldova Turkmenistan
Egypt Monaco Tuvalu
El Salvador Mongolia Uganda
Equatorial Guinea Montenegro Ukraine
Eritrea Morocco United Kingdom
Estonia Mozambique United States
Ethiopia Myanmar Uruguay
Fiji Namibia Vanuatu
Finland Nepal Venezuela
France Netherlands Vietnam
Gabon New Zealand Yemen
Products codes
The Taxrates.io API’s provides product-level tax rates for a subset of product codes. These codes are to be used for products that are either exempt from tax in some jurisdictions or are taxed at reduced rates.
We will be expanding support for additional, less common categories over time. If you would like to request the addition of a new product category, please email us at [email protected]
Please select a product code/s when making a request to the Taxrates.io API
Product code Product Description
C010 Services which are not subject to a service-specific tax
C011 Software - Downloaded
C012 Books - Downloaded
C011 Music - Downloaded
C011 Movies/Digital Video - Downloaded
C011 Other Electronic Goods - Downloaded
C011 Streaming Music/Audio Services new
C011 Streaming Video Services new
C018 Software as a Services, Generally (Remote Access to Hosted Software)
C018 Remote Access to Hosted Software - Personal Use
C018 Remote Access to Hosted Software - Business Use
C021 Remote Access to Hosted Business Custom Applications
C021 Personal Cloud Storage/Backup
C021 Business Cloud Storage/Backup
C021 Business Data Warehouses
C022 Infrastructure as Service, Generally
C022 Ecommerce Site/Webserver Hosting
C022 Provision of Virtual Computing Capacity
C022 Software - package or canned program
C022 Software - modifications to canned program
C022 Software - custom programs - material
C022 Software - custom programs - professional serv.
C022 Information services
C022 Data processing services
C022 Mainframe computer access and processing serv.
C022 Online Data processing services
Filtering
When calling the API endpoints you can use 'filter' parameters to get tax rate for the selected type. You can get the following tax types (Each tax rate will always have one of following types)
US Sales tax Rates
CombinedRate
StateRate
CountyRate
CityRate
SpecialRate
We recommend using Postman when discovering our API. Happy using!
Rate Limiting
We limit API requests.
If you’re exceeding this rate and encountering 429 errors, review the following:
Only make requests in states / regions where you have enabled.
Cache responses if the order details haven’t changed since the last calculation at checkout.
Errors
The Taxrates.io API uses the following error codes:
Code Error Message
400 Bad Request – Your request format is bad.
401 Unauthorized – Your API key is wrong.
404 Not Found – The specified resource could not be found.
405 Method Not Allowed – You tried to access a resource with an invalid method.
429 Too Many Requests – You’re requesting too many resources! Slow down!
500 Internal Server Error – We had a problem with our server. Try again later.
503 Service Unavailable – We’re temporarily offline for maintenance. Try again later.
Verify your API token is correct and make sure you’re correctly setting the Authorization header.
If you’re still not sure what’s wrong, contact us and we’ll investigate.
Changelog
Stay on top of new developer-facing features, accuracy improvements, and bug fixes for our API. Have a request? Encounter an issue? We’d love to hear your feedback.
Contact Support:
Name: [email protected]
nFusion Solutions Market Data API v1
nFusion Solutions provides REST APIs that deliver enterprise-grade financial data. Data sets include real-time and historical pricing for Spot prices of precious metals such as Gold, Silver, Platinum, and Palladium, exchange rates for major currency pairs, exchange rates for Crypto Currencies such as BTC, ETH, and LTC. All API access requires authentication. In order to be issued access credentials you must first enter into a service agreement with nFusion Solutions and acquire a commercial license. For information on how to obtain a licence take a tour of our products or email [email protected].
OpenFinTech.io
openfintech.io
Introduction
OpenFinTech.io is an open database that comprises of standardized primary data for FinTech industry.
It contains such information as geolocation data (countries, cities, regions), organizations, currencies (national, digital, virtual, crypto), banks, digital exchangers, payment providers (PSP), payment methods, etc.
It is created for communication of cross-integrated micro-services on "one language". This is achieved through standardization of entity identifiers that are used to exchange information among different services.
UML
UML Domain Model diagram you can find here.
Persistence
Entities are updated not more than 1 time per day.
Terms and Conditions
This OpenFinTech.io is made available under the Open Database License.
Any rights in individual contents of the database are licensed under the Database Contents License.
Contacts
For any questions, please email - [email protected]
Or you can contact us at Gitter
Powered by Paymaxi
Get Started
If you use POSTMAN or similar program which can operate with swagger`s files - just download our spec and import it. Also you can try live API demo.
Overview
The OpenFinTech API is organized around REST. Our API has predictable, resource-oriented URLs, and uses HTTP response codes to indicate API errors.
API is based on JSON API standard. JSON is returned by all API responses, including errors, although our API libraries convert responses to appropriate language-specific objects.
JSON API requires use of the JSON API media type (application/vnd.api+json) for exchanging data.
Additional Request Headers
ACCEPT HEADER
Your requests should always include the header:
If argument height or width is missing API returns original image with real sizes.
Errors
API uses conventional HTTP response codes to indicate the success or failure of an API request. In general, codes in the 2xx range indicate success, codes in the 4xx range indicate an error that failed given the information provided (e.g., a required parameter was omitted, etc.), and codes in the 5xx range indicate an error with OpenFinTech's servers (these are rare).
| Code | Description |
|------|-------------|
| 200 - OK | Everything worked as expected. |
| 400 - Bad Request | The request was unacceptable, often due to missing a required parameter. |
| 401 - Unauthorized | No valid API key provided. |
| 402 - Request Failed | The parameters were valid but the request failed. |
| 404 - Not Found | The requested resource doesn't exist. |
| 409 - Conflict | The request conflicts with another request (perhaps due to using the same idempotent key). |
| 429 - Too Many Requests | Too many requests hit the API too quickly. We recommend an exponential backoff of your requests. |
| 500, 502, 503, 504 - Server Errors | Something went wrong on OpenFinTech's end. (These are rare.) |
OpenFinTech.io is an open database that comprises of standardized primary data for FinTech industry.
It contains such information as geolocation data (countries, cities, regions), organizations, currencies (national, digital, virtual, crypto), banks, digital exchangers, payment providers (PSP), payment methods, etc.
It is created for communication of cross-integrated micro-services on "one language". This is achieved through standardization of entity identifiers that are used to exchange information among different services.
UML
UML Domain Model diagram you can find here.
Persistence
Entities are updated not more than 1 time per day.
Terms and Conditions
This OpenFinTech.io is made available under the Open Database License.
Any rights in individual contents of the database are licensed under the Database Contents License.
Contacts
For any questions, please email - [email protected]
Or you can contact us at Gitter
Powered by Paymaxi
Get Started
If you use POSTMAN or similar program which can operate with swagger`s files - just download our spec and import it. Also you can try live API demo.
Overview
The OpenFinTech API is organized around REST. Our API has predictable, resource-oriented URLs, and uses HTTP response codes to indicate API errors.
API is based on JSON API standard. JSON is returned by all API responses, including errors, although our API libraries convert responses to appropriate language-specific objects.
JSON API requires use of the JSON API media type (application/vnd.api+json) for exchanging data.
Additional Request Headers
ACCEPT HEADER
Your requests should always include the header:
If argument height or width is missing API returns original image with real sizes.
Errors
API uses conventional HTTP response codes to indicate the success or failure of an API request. In general, codes in the 2xx range indicate success, codes in the 4xx range indicate an error that failed given the information provided (e.g., a required parameter was omitted, etc.), and codes in the 5xx range indicate an error with OpenFinTech's servers (these are rare).
| Code | Description |
|------|-------------|
| 200 - OK | Everything worked as expected. |
| 400 - Bad Request | The request was unacceptable, often due to missing a required parameter. |
| 401 - Unauthorized | No valid API key provided. |
| 402 - Request Failed | The parameters were valid but the request failed. |
| 404 - Not Found | The requested resource doesn't exist. |
| 409 - Conflict | The request conflicts with another request (perhaps due to using the same idempotent key). |
| 429 - Too Many Requests | Too many requests hit the API too quickly. We recommend an exponential backoff of your requests. |
| 500, 502, 503, 504 - Server Errors | Something went wrong on OpenFinTech's end. (These are rare.) |
Billingo API v3
This is a Billingo API v3 documentation. Our API based on REST software architectural style. API has resource-oriented URLs, accepts JSON-encoded request bodies and returns JSON-encoded responses. To use this API you have to generate a new API key on our site. After that, you can test your API key on this page.
Confirmation of Funds API Specification
openbanking.org.uk
Swagger for Confirmation of Funds API Specification
Paylocity API
paylocity.com
For general questions and support of the API, contact: [email protected]
Overview
Paylocity Web Services API is an externally facing RESTful Internet protocol. The Paylocity API uses HTTP verbs and a RESTful endpoint structure. OAuth 2.0 is used as the API Authorization framework. Request and response payloads are formatted as JSON.
Paylocity supports v1 and v2 versions of its API endpoints. v1, while supported, won't be enhanced with additional functionality. For direct link to v1 documentation, please click here. For additional resources regarding v1/v2 differences and conversion path, please contact [email protected].
Setup
Paylocity will provide the secure client credentials and set up the scope (type of requests and allowed company numbers). You will receive the unique client id, secret, and Paylocity public key for the data encryption. The secret will expire in 365 days.
Paylocity will send you an e-mail 10 days prior to the expiration date for the current secret. If not renewed, the second e-mail notification will be sent 5 days prior to secret's expiration. Each email will contain the code necessary to renew the client secret.
You can obtain the new secret by calling API endpoint using your current not yet expired credentials and the code that was sent with the notification email. For details on API endpoint, please see Client Credentials section.
Both the current secret value and the new secret value will be recognized during the transition period. After the current secret expires, you must use the new secret.
If you were unable to renew the secret via API endpoint, you can still contact Service and they will email you new secret via secure email.
When validating the request, Paylocity API will honor the defaults and required fields set up for the company default New Hire Template as defined in Web Pay.
Authorization
Paylocity Web Services API uses OAuth2.0 Authentication with JSON Message Format.
All requests of the Paylocity Web Services API require a bearer token which can be obtained by authenticating the client with the Paylocity Web Services API via OAuth 2.0.
The client must request a bearer token from the authorization endpoint:
auth-server for production: https://api.paylocity.com/IdentityServer/connect/token
auth-server for testing: https://apisandbox.paylocity.com/IdentityServer/connect/token
Paylocity reserves the right to impose rate limits on the number of calls made to our APIs. Changes to API features/functionality may be made at anytime with or without prior notice.
Authorization Header
The request is expected to be in the form of a basic authentication request, with the "Authorization" header containing the client-id and client-secret. This means the standard base-64 encoded user:password, prefixed with "Basic" as the value for the Authorization header, where user is the client-id and password is the client-secret.
Content-Type Header
The "Content-Type" header is required to be "application/x-www-form-urlencoded".
Additional Values
The request must post the following form encoded values within the request body:
granttype = clientcredentials
scope = WebLinkAPI
Responses
Success will return HTTP 200 OK with JSON content:
{
"access_token": "xxx",
"expires_in": 3600,
"token_type": "Bearer"
}
Encryption
Paylocity uses a combination of RSA and AES cryptography. As part of the setup, each client is issued a public RSA key.
Paylocity recommends the encryption of the incoming requests as additional protection of the sensitive data. Clients can opt-out of the encryption during the initial setup process. Opt-out will allow Paylocity to process unencrypted requests.
The Paylocity Public Key has the following properties:
2048 bit key size
PKCS1 key format
PEM encoding
Properties
key (base 64 encoded): The AES symmetric key encrypted with the Paylocity Public Key. It is the key used to encrypt the content. Paylocity will decrypt the AES key using RSA decryption and use it to decrypt the content.
iv (base 64 encoded): The AES IV (Initialization Vector) used when encrypting the content.
content (base 64 encoded): The AES encrypted request. The key and iv provided in the secureContent request are used by Paylocity for decryption of the content.
We suggest using the following for the AES:
CBC cipher mode
PKCS7 padding
128 bit block size
256 bit key size
Encryption Flow
Generate the unencrypted JSON payload to POST/PUT
Encrypt this JSON payload using your own key and IV (NOT with the Paylocity public key)
RSA encrypt the key you used in step 2 with the Paylocity Public Key, then, base64 encode the result
Base64 encode the IV used to encrypt the JSON payload in step 2
Put together a "securecontent" JSON object:
{
'secureContent' : {
'key' : -- RSA-encrypted & base64 encoded key from step 3,
'iv' : -- base64 encoded iv from step 4
'content' -- content encrypted with your own key from step 2, base64 encoded
}
}
Sample Example
{
"secureContent": {
"key": "eS3aw6H/qzHMJ00gSi6gQ3xa08DPMazk8BFY96Pd99ODA==",
"iv": "NLyXMGq9svw0XO5aI9BzWw==",
"content": "gAEOiQltO1w+LzGUoIK8FiYbU42hug94EasSl7N+Q1w="
}
}
Sample C# Code
using Newtonsoft.Json;
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
public class SecuredContent
{
[JsonProperty("key")]
public string Key { get; set; }
[JsonProperty("iv")]
public string Iv { get; set; }
[JsonProperty("content")]
public string Content { get; set; }
}
public class EndUserSecureRequestExample
{
public string CreateSecuredRequest(FileInfo paylocityPublicKey, string unsecuredJsonRequest)
{
string publicKeyXml = File.ReadAllText(paylocityPublicKey.FullName, Encoding.UTF8);
SecuredContent secureContent = this.CreateSecuredContent(publicKeyXml, unsecuredJsonRequest);
string secureRequest = JsonConvert.SerializeObject(new { secureContent });
return secureRequest;
}
private SecuredContent CreateSecuredContent(string publicKeyXml, string request)
{
using (AesCryptoServiceProvider aesCsp = new AesCryptoServiceProvider())
{
aesCsp.Mode = CipherMode.CBC;
aesCsp.Padding = PaddingMode.PKCS7;
aesCsp.BlockSize = 128;
aesCsp.KeySize = 256;
using (ICryptoTransform crt = aesCsp.CreateEncryptor(aesCsp.Key, aesCsp.IV))
{
using (MemoryStream outputStream = new MemoryStream())
{
using (CryptoStream encryptStream = new CryptoStream(outputStream, crt, CryptoStreamMode.Write))
{
byte[] encodedRequest = Encoding.UTF8.GetBytes(request);
encryptStream.Write(encodedRequest, 0, encodedRequest.Length);
encryptStream.FlushFinalBlock();
byte[] encryptedRequest = outputStream.ToArray();
using (RSACryptoServiceProvider crp = new RSACryptoServiceProvider())
{
crp.FromXmlstring(publicKeyXml);
byte[] encryptedKey = crp.Encrypt(aesCsp.Key, false);
return new SecuredContent()
{
Key = Convert.ToBase64string(encryptedKey),
Iv = Convert.ToBase64string(aesCsp.IV),
Content = Convert.ToBase64string(encryptedRequest)
};
}
}
}
}
}
}
}
Support
Questions about using the Paylocity API? Please contact [email protected].
Deductions (v1)
Deductions API provides endpoints to retrieve, add, update and delete deductions for a company's employees. For schema details, click here.
OnBoarding (v1)
Onboarding API sends employee data into Paylocity Onboarding to help ensure an easy and accurate hiring process for subsequent completion into Web Pay. For schema details, click here.
Overview
Paylocity Web Services API is an externally facing RESTful Internet protocol. The Paylocity API uses HTTP verbs and a RESTful endpoint structure. OAuth 2.0 is used as the API Authorization framework. Request and response payloads are formatted as JSON.
Paylocity supports v1 and v2 versions of its API endpoints. v1, while supported, won't be enhanced with additional functionality. For direct link to v1 documentation, please click here. For additional resources regarding v1/v2 differences and conversion path, please contact [email protected].
Setup
Paylocity will provide the secure client credentials and set up the scope (type of requests and allowed company numbers). You will receive the unique client id, secret, and Paylocity public key for the data encryption. The secret will expire in 365 days.
Paylocity will send you an e-mail 10 days prior to the expiration date for the current secret. If not renewed, the second e-mail notification will be sent 5 days prior to secret's expiration. Each email will contain the code necessary to renew the client secret.
You can obtain the new secret by calling API endpoint using your current not yet expired credentials and the code that was sent with the notification email. For details on API endpoint, please see Client Credentials section.
Both the current secret value and the new secret value will be recognized during the transition period. After the current secret expires, you must use the new secret.
If you were unable to renew the secret via API endpoint, you can still contact Service and they will email you new secret via secure email.
When validating the request, Paylocity API will honor the defaults and required fields set up for the company default New Hire Template as defined in Web Pay.
Authorization
Paylocity Web Services API uses OAuth2.0 Authentication with JSON Message Format.
All requests of the Paylocity Web Services API require a bearer token which can be obtained by authenticating the client with the Paylocity Web Services API via OAuth 2.0.
The client must request a bearer token from the authorization endpoint:
auth-server for production: https://api.paylocity.com/IdentityServer/connect/token
auth-server for testing: https://apisandbox.paylocity.com/IdentityServer/connect/token
Paylocity reserves the right to impose rate limits on the number of calls made to our APIs. Changes to API features/functionality may be made at anytime with or without prior notice.
Authorization Header
The request is expected to be in the form of a basic authentication request, with the "Authorization" header containing the client-id and client-secret. This means the standard base-64 encoded user:password, prefixed with "Basic" as the value for the Authorization header, where user is the client-id and password is the client-secret.
Content-Type Header
The "Content-Type" header is required to be "application/x-www-form-urlencoded".
Additional Values
The request must post the following form encoded values within the request body:
granttype = clientcredentials
scope = WebLinkAPI
Responses
Success will return HTTP 200 OK with JSON content:
{
"access_token": "xxx",
"expires_in": 3600,
"token_type": "Bearer"
}
Encryption
Paylocity uses a combination of RSA and AES cryptography. As part of the setup, each client is issued a public RSA key.
Paylocity recommends the encryption of the incoming requests as additional protection of the sensitive data. Clients can opt-out of the encryption during the initial setup process. Opt-out will allow Paylocity to process unencrypted requests.
The Paylocity Public Key has the following properties:
2048 bit key size
PKCS1 key format
PEM encoding
Properties
key (base 64 encoded): The AES symmetric key encrypted with the Paylocity Public Key. It is the key used to encrypt the content. Paylocity will decrypt the AES key using RSA decryption and use it to decrypt the content.
iv (base 64 encoded): The AES IV (Initialization Vector) used when encrypting the content.
content (base 64 encoded): The AES encrypted request. The key and iv provided in the secureContent request are used by Paylocity for decryption of the content.
We suggest using the following for the AES:
CBC cipher mode
PKCS7 padding
128 bit block size
256 bit key size
Encryption Flow
Generate the unencrypted JSON payload to POST/PUT
Encrypt this JSON payload using your own key and IV (NOT with the Paylocity public key)
RSA encrypt the key you used in step 2 with the Paylocity Public Key, then, base64 encode the result
Base64 encode the IV used to encrypt the JSON payload in step 2
Put together a "securecontent" JSON object:
{
'secureContent' : {
'key' : -- RSA-encrypted & base64 encoded key from step 3,
'iv' : -- base64 encoded iv from step 4
'content' -- content encrypted with your own key from step 2, base64 encoded
}
}
Sample Example
{
"secureContent": {
"key": "eS3aw6H/qzHMJ00gSi6gQ3xa08DPMazk8BFY96Pd99ODA==",
"iv": "NLyXMGq9svw0XO5aI9BzWw==",
"content": "gAEOiQltO1w+LzGUoIK8FiYbU42hug94EasSl7N+Q1w="
}
}
Sample C# Code
using Newtonsoft.Json;
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
public class SecuredContent
{
[JsonProperty("key")]
public string Key { get; set; }
[JsonProperty("iv")]
public string Iv { get; set; }
[JsonProperty("content")]
public string Content { get; set; }
}
public class EndUserSecureRequestExample
{
public string CreateSecuredRequest(FileInfo paylocityPublicKey, string unsecuredJsonRequest)
{
string publicKeyXml = File.ReadAllText(paylocityPublicKey.FullName, Encoding.UTF8);
SecuredContent secureContent = this.CreateSecuredContent(publicKeyXml, unsecuredJsonRequest);
string secureRequest = JsonConvert.SerializeObject(new { secureContent });
return secureRequest;
}
private SecuredContent CreateSecuredContent(string publicKeyXml, string request)
{
using (AesCryptoServiceProvider aesCsp = new AesCryptoServiceProvider())
{
aesCsp.Mode = CipherMode.CBC;
aesCsp.Padding = PaddingMode.PKCS7;
aesCsp.BlockSize = 128;
aesCsp.KeySize = 256;
using (ICryptoTransform crt = aesCsp.CreateEncryptor(aesCsp.Key, aesCsp.IV))
{
using (MemoryStream outputStream = new MemoryStream())
{
using (CryptoStream encryptStream = new CryptoStream(outputStream, crt, CryptoStreamMode.Write))
{
byte[] encodedRequest = Encoding.UTF8.GetBytes(request);
encryptStream.Write(encodedRequest, 0, encodedRequest.Length);
encryptStream.FlushFinalBlock();
byte[] encryptedRequest = outputStream.ToArray();
using (RSACryptoServiceProvider crp = new RSACryptoServiceProvider())
{
crp.FromXmlstring(publicKeyXml);
byte[] encryptedKey = crp.Encrypt(aesCsp.Key, false);
return new SecuredContent()
{
Key = Convert.ToBase64string(encryptedKey),
Iv = Convert.ToBase64string(aesCsp.IV),
Content = Convert.ToBase64string(encryptedRequest)
};
}
}
}
}
}
}
}
Support
Questions about using the Paylocity API? Please contact [email protected].
Deductions (v1)
Deductions API provides endpoints to retrieve, add, update and delete deductions for a company's employees. For schema details, click here.
OnBoarding (v1)
Onboarding API sends employee data into Paylocity Onboarding to help ensure an easy and accurate hiring process for subsequent completion into Web Pay. For schema details, click here.
GOV.UK Pay API
payments.service.gov.uk
GOV.UK Pay API (This version is no longer maintained. See openapi/publicapi_spec.json for latest API specification)