Create and manage your access tokens
Generate API access tokens, choose their permissions and secure your integrations with read-only tokens.
A token (or access token) is the key that authorises a tool to talk to the Shyfter API. Each integration uses its own token, with its own rights. Managing your tokens well means staying in control of who accesses what, and being able to cut off access at any time.
Create a token
From the Open API platform, open the API Tokens section, then create a new token. You can generate one for personal use or for a third-party integrator. Each token has a name, which makes it easy to know which tool it corresponds to.
Choose the permissions
When creating a token, you decide precisely what it gives access to. Permissions correspond to Shyfter's main areas, for example:
- the schedule (shifts and hours);
- clocking (time tracking);
- sections;
- skills;
- contracts;
- absence management;
- custom attributes;
- productivity (turnover).
A token can only access the areas you have granted it. Permissions apply at the account level (they are valid for every department the token has access to).
Read-only tokens
You can mark a token as read-only. It will then only be able to view data, never modify it. This is the right reflex for an integration that only needs to retrieve information (a dashboard, an export), to avoid any accidental change.
Security best practices
- Create one token per integration: this way you can revoke one without affecting the others.
- Give the minimum permissions needed for each use.
- Favour read-only whenever the tool does not need to write.
- Delete immediately any token that is no longer used or that may have been exposed.
Good to know about limits
To keep the service stable, the API applies a limit of 60 requests per minute per token. If your tools exceed this rate, the extra requests are temporarily refused: it is better to space out the calls. In case of an unusual error, each response contains a tracking identifier that support can use to help you.
A token is sensitive data, just like a password. Never share it in plain text and do not write it down anywhere public.