
API Security 101: Best Practices, How-to Guides, Checklist, FAQs

This is your one stop solution to mastering API Security. From common techniques to best practices to code snippets: we've got you all covered. Plus, we have a downloadable security checklist. Keep reading

Note: This is our master guide on API Security where we solve common developer queries in detail with how-to guides, common examples and code snippets. Feel free to visit the smaller guides linked later in this article on topics such as authentication methods, rate limiting, API monitoring and more.

Today an average SaaS company has 350 integrations. They rely heavily on APIs to share data and functionality, both internally and externally. This reliance has made the need for solid API security practices more crucial than ever.

The consequences of overlooking API security are nothing short of disastrous, with the potential to expose sensitive data, compromise user privacy, and open the door to cyberattacks that can wreak havoc on an organization's operations.

In this article, we will dive into the world of API security —

  • The ever-evolving threats that surround APIs
  • Best practices to protect your APIs (detailed step-by-step guides for quick implementation)
  • Downloadable API security checklist
  • Answers to common FAQs asked by developers
  • And finally, we will show you how you can eliminate the risks altogether by adopting a new approach to API integration

Whether you're a developer creating APIs or dealing with their seamless integration, these practices will not only strengthen your infrastructure but also preserve the trust of your users and partners in an increasingly interconnected digital landscape.

So, let’s get started.

API Security Risks

Before diving deeper into the API security best practices, it's crucial to have a solid grasp of the risks and threats that APIs can face. These risks can stem from various sources, both external and internal, and being aware of them is the first step towards effective protection. 

Here are some of the key API security risks to consider:

  1. Unauthorized access
  2. Broken authentication tokens
  3. Injection attacks
  4. Data exposure
  5. Rate limiting and Denial of Service (DoS) attacks 
  6. Third party dependencies
  7. Human error

Read: Common Risks to API Security and their consequences where we discussed all these threats in detail

The old adage "prevention is better than cure" couldn't be more apt in the realm of API security, where a proactive approach is the key to averting devastating consequences for all parties involved.

Keeping this in mind, let’s dive deeper into our API security best practices.

API security best practices

Ensuring API security means providing a safe way for authentication, authorization, data transfer and more.

1. API Authentication and Authorization methods

API authentication and authorization methods are the most essential components of modern web and software development. These methods play a crucial role in ensuring the security and integrity of the data exchanged between systems and applications. 

Authentication verifies the identity of users or systems accessing an API, while authorization determines what actions or resources they are allowed to access. 

With a variety of techniques and protocols available, such as API keys, OAuth, and token-based systems, developers have the flexibility to choose the most suitable approach to protect their APIs and the data they manage.

Read our article on API Authentication Best Practices where we discuss the top 5 authentication protocols, OAuth, Bearer tokens, Basic auth, JWT and API keys, in detail.

While choosing the right protocol depends on your specific use case and security requirements, here's a quick comparison of the 5 API authentication methods:

API authentication and authorization
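Here is an added Python example (not code from the original article or from Knit) showing the token-based flow the section describes: a service issues a short-lived HS256 JWT after authenticating a user, and an API endpoint verifies it before making a separate authorization decision. The signing key, claim values and scope names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real service loads its signing key from a secret store.
DEMO_SECRET = b"demo-signing-key-do-not-use-in-production"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_input(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(claims: dict, secret: bytes, ttl_seconds: int = 900,
                now: Optional[float] = None) -> str:
    """Mint an HS256 JWT (header.payload.signature) carrying iat/exp claims."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    return f"{signing_input}.{b64url_encode(sign_input(signing_input, secret))}"


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Authentication: return the claims only if algorithm, signature and expiry all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token's own "alg" choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = sign_input(f"{header_b64}.{payload_b64}", secret)
    # Constant-time comparison so timing does not reveal how much of a forged signature matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def authorize(claims: dict, required_scope: str) -> bool:
    """Authorization is a separate decision: does this verified identity hold the scope?"""
    return required_scope in claims.get("scope", "").split()


if __name__ == "__main__":
    tok = issue_token({"sub": "user-42", "scope": "read:employees"}, DEMO_SECRET)
    claims = verify_token(tok, DEMO_SECRET)
    print(claims["sub"], authorize(claims, "read:employees"), authorize(claims, "write:employees"))
```

Three details carry most of the security weight: the verifier pins the algorithm instead of trusting the token's alg field, compares signatures with hmac.compare_digest so timing differences do not leak, and treats a missing exp as a rejection. In production you would use a maintained JWT library; the point here is what any such library must be checking on your behalf.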

Now, let’s explore how data can be transferred securely between API calls.

2. Secure data transmission: Encryption and HTTPS

When it comes to API security, ensuring that data is transmitted securely is an absolute must. 

Imagine your data is like a confidential letter traveling from sender to receiver through the postal service. Just as you'd want that letter to be sealed in an envelope to prevent prying eyes from seeing its contents, data encryption in transit ensures that the information exchanged between clients and servers is kept safe and confidential during its journey across the internet. 

HTTPS

The go-to method for achieving this security is HTTPS, which is like the secure postal service for your data. 

HTTPS uses Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL), to encrypt data before it leaves the sender's location and decrypt it only when it reaches the intended recipient. 

Think of TLS/SSL certificates as the unique stamps on your sealed letter; they ensure that the data's journey is tamper-proof and that it's delivered only to the right address. 

So, whenever you see that little padlock icon in your browser's address bar, rest assured that your data is traveling securely, just like that confidential letter in its sealed envelope.

In a world where data breaches are a constant threat, secure data transmission is like the lock and key that keeps your digital communication safe from potential eavesdroppers.
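To make the TLS half concrete, the following added Python example (not from the original article or from Knit) builds a client-side ssl.SSLContext that verifies the server certificate, checks the hostname and refuses anything below TLS 1.2, next to the weakened context that tutorials often paste to silence certificate errors, plus a check you can use in code review to tell the two apart.

```python
import ssl
import urllib.request


def make_client_context() -> ssl.SSLContext:
    """Hardened client settings: verify the chain, check the hostname, refuse pre-1.2 TLS."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname + platform CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The 'just make the error go away' variant: still encrypts, but to whoever answers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False              # any valid certificate for any name is accepted
    ctx.verify_mode = ssl.CERT_NONE         # ...and then even self-signed ones
    return ctx


def is_hardened(ctx: ssl.SSLContext) -> bool:
    """Code-review check: does this context actually authenticate the server?"""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def fetch(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """GET over HTTPS with the given context; a certificate or hostname mismatch raises
    ssl.SSLCertVerificationError instead of silently proceeding."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send API traffic over plaintext HTTP")
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print("hardened:", is_hardened(make_client_context()))
    print("weak    :", is_hardened(make_weak_context()))
```

The weak context is the one to reject in review: it negotiates encryption, so the padlock analogy still looks satisfied, but without certificate and hostname verification the letter can be sealed into an envelope addressed to anyone who answers at that IP.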

Note: As an API aggregator, Knit prioritizes user privacy and commits to keeping your data safe in the best way possible. All data at Knit is doubly encrypted: at rest with AES 256-bit encryption and in transit with TLS 1.2. Plus, all PII and user credentials are encrypted with an additional layer of application security. Learn more about Knit's security practices here

3. Input validation and parameter sanitization

In the world of API security, one area that often flies under the radar but is absolutely critical is input validation and parameter sanitization. It's like inspecting every ingredient that goes into a recipe; if you miss something harmful, the entire dish could turn out toxic.

First, let's talk about the risks. 

Input validation failures can open the door to a variety of malicious attacks, with one of the most notorious being injection attacks. 

These crafty attacks involve malicious code or data being injected into an API's input fields, exploiting vulnerabilities and wreaking havoc. Two common types are SQL injection and Cross-Site Scripting (XSS), both of which can lead to data breaches and system compromise. 

To learn more about injection vulnerabilities, read Common API Security Threats Developers Must Know About

How to defend against injection attacks 

Well, think of sanitizing user inputs as thoroughly washing your hands before handling food – it's a fundamental hygiene practice.

By rigorously examining and cleaning incoming data, we can block malicious code from getting through. For instance, when dealing with user-generated content, we should sanitize inputs to remove potentially harmful scripts or queries.

Additionally, for database queries, you should use parameterized statements instead of injecting user inputs directly into SQL queries. This way, even if an attacker tries a SQL injection, their input gets treated as data rather than executable code.

In the above example, we use a parameterized statement (? as a placeholder) to safely handle user input, preventing SQL injection by treating the input as data rather than executable SQL code.

In essence, input validation and parameter sanitization are like the gatekeepers of your API, filtering out the bad actors and ensuring the safety of your system. It's not just good practice; it's a crucial line of defense in the world of API security.

4. Rate limiting and Throttling

Both rate limiting and throttling are critical components of API security, as they help maintain the availability and performance of API services, protect them against abusive usage, and ensure a fair distribution of resources among clients. 

Rate limiting restricts the number of API requests a client can make within a specific timeframe (e.g. requests per second or minute), while throttling is a more flexible approach that slows down or delays the processing of requests from clients who have exceeded their allotted rate limit instead of denying those requests outright.

Throttling is useful for a more graceful degradation of service and a smoother user experience when rate limits are exceeded. Exhaustion of a rate limit is usually signalled by HTTP status code 429 (Too Many Requests).

These techniques are often implemented in combination with each other to create a comprehensive defense strategy for APIs.
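An added Python example (not from the original article or from Knit) of both behaviours in one token-bucket limiter: with throttle=False an over-limit request gets a 429 with Retry-After, with throttle=True it is accepted and assigned a processing delay instead. The clock is passed in as a parameter so the logic is deterministic; the client IDs and the rate/burst figures are constructed.

```python
import math
from dataclasses import dataclass
from typing import Dict


@dataclass
class Bucket:
    tokens: float   # may go negative in throttle mode: queued work not yet paid for
    updated: float  # clock reading at the last refill


class RateLimiter:
    """Token bucket per client: `rate` requests/second sustained, `burst` allowed at once.

    throttle=False rejects over-limit requests with 429 + Retry-After (rate limiting);
    throttle=True  accepts them but returns the delay to apply before serving (throttling).
    """

    def __init__(self, rate: float, burst: int, throttle: bool = False):
        self.rate, self.burst, self.throttle = rate, burst, throttle
        self._buckets: Dict[str, Bucket] = {}

    def check(self, client_id: str, now: float) -> dict:
        b = self._buckets.get(client_id)
        if b is None:
            b = self._buckets[client_id] = Bucket(tokens=float(self.burst), updated=now)
        # Refill in proportion to elapsed time, capped at the burst size.
        b.tokens = min(float(self.burst), b.tokens + (now - b.updated) * self.rate)
        b.updated = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return {"status": 200, "delay": 0.0,
                    "headers": {"X-RateLimit-Remaining": str(int(b.tokens))}}
        wait = (1.0 - b.tokens) / self.rate      # seconds until a whole token exists
        if self.throttle:
            b.tokens -= 1.0                      # reserve it now; the debt is repaid by refill
            return {"status": 200, "delay": wait,
                    "headers": {"X-RateLimit-Remaining": "0"}}
        return {"status": 429, "delay": 0.0,
                "headers": {"Retry-After": str(math.ceil(wait)),
                            "X-RateLimit-Remaining": "0"}}


if __name__ == "__main__":
    limiter = RateLimiter(rate=1.0, burst=3)
    for t in (0.0, 0.0, 0.0, 0.0, 1.0):
        print(t, limiter.check("client-a", now=t))
```

In throttle mode the delay grows with every request beyond the limit, which is the "graceful degradation" the text describes; the queued debt also means a client that keeps hammering is slowed proportionally rather than being cut off, so pair it with a hard cap on queued work in a real deployment.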

Read: 10 API rate limiting best practices to deal with HTTP error code 429

5. API monitoring and logging

API monitoring and logging are vital for proactive security measures, threat detection, and incident response. 

API monitoring involves the continuous observation of API traffic and activities in real-time. It allows for immediate detection of unusual or suspicious behavior, such as spikes in traffic or unexpected access patterns. Beyond security, it also aids in optimizing performance by identifying bottlenecks, latency issues, or errors in API responses, ensuring smooth and efficient operation. 

API logging involves the recording of all API interactions and events over time. This creates a detailed historical record that can be invaluable for forensic analysis, compliance, and auditing. Logs are also invaluable for debugging and troubleshooting, as they contain detailed information about API requests, responses, errors, and performance metrics. 

Monitoring and logging systems can also trigger alerts or notifications when predefined security thresholds are breached, enabling rapid incident response.
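As an added Python example (not from the original article or from Knit), here is the kind of detection logic a monitoring system runs over API access logs: it parses constructed JSON-lines log entries and raises alerts for a per-client request spike inside a sliding window and for repeated authentication failures. The log format, field names and thresholds are assumptions for the demo.

```python
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed JSON-lines access log: a burst from 10.0.0.5, repeated auth failures
# from 10.0.0.9, and ordinary traffic from 10.0.0.2.
SAMPLE_LOG = """
{"ts": "2024-04-09T10:00:00+00:00", "client": "10.0.0.5", "method": "GET", "path": "/employees", "status": 200}
{"ts": "2024-04-09T10:00:05+00:00", "client": "10.0.0.5", "method": "GET", "path": "/employees", "status": 200}
{"ts": "2024-04-09T10:00:10+00:00", "client": "10.0.0.5", "method": "GET", "path": "/employees", "status": 200}
{"ts": "2024-04-09T10:00:15+00:00", "client": "10.0.0.5", "method": "GET", "path": "/employees", "status": 200}
{"ts": "2024-04-09T10:00:20+00:00", "client": "10.0.0.5", "method": "GET", "path": "/employees", "status": 200}
{"ts": "2024-04-09T10:00:25+00:00", "client": "10.0.0.5", "method": "GET", "path": "/employees", "status": 200}
{"ts": "2024-04-09T10:01:00+00:00", "client": "10.0.0.9", "method": "GET", "path": "/employees/7", "status": 401}
{"ts": "2024-04-09T10:01:20+00:00", "client": "10.0.0.9", "method": "GET", "path": "/employees/8", "status": 401}
{"ts": "2024-04-09T10:01:40+00:00", "client": "10.0.0.9", "method": "GET", "path": "/employees/9", "status": 401}
{"ts": "2024-04-09T10:02:00+00:00", "client": "10.0.0.2", "method": "GET", "path": "/branches", "status": 200}
{"ts": "2024-04-09T10:02:30+00:00", "client": "10.0.0.2", "method": "POST", "path": "/time_offs", "status": 201}
"""


def parse_log(text: str) -> List[dict]:
    """One JSON object per line; timestamps become epoch seconds for window arithmetic."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"]).timestamp()
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[dict], window: float = 60.0, spike_threshold: int = 5,
           auth_fail_threshold: int = 3) -> List[dict]:
    """Two simple rules over per-client traffic: request spike and repeated 401/403s."""
    by_client: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    alerts = []
    for client, evs in sorted(by_client.items()):
        # Sliding window: how many of this client's requests fall within `window` of the current one.
        start = 0
        for i, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:
                start += 1
            if i - start + 1 >= spike_threshold:
                alerts.append({"rule": "traffic_spike", "client": client,
                               "detail": f"{i - start + 1} requests in {window:.0f}s"})
                break
        failures = sum(1 for e in evs if e["status"] in (401, 403))
        if failures >= auth_fail_threshold:
            alerts.append({"rule": "auth_failures", "client": client,
                           "detail": f"{failures} auth failures"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Both rules need the fields the text lists (timestamp, client identity, path, status); an access log that drops the client identifier or the response status cannot support either, which is worth checking before an incident rather than during one.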

Access Logs and Issues in one page

This is exactly what Knit does. Along with allowing you access to data from 50+ APIs with a single unified API, it also completely takes care of API logging and monitoring. 

It offers a detailed Logs and Issues page that gives you a one-page historical overview of all your webhooks and integrated accounts. It shows the number of API calls made and provides filters so you can narrow the view to your own criteria. This helps you stay on top of user data and manage your APIs effectively.

API monitoring & logging

6. Regular security audits and Penetration Testing

Regular security audits and penetration testing are critical components of a comprehensive API security strategy. They help identify vulnerabilities, assess the effectiveness of existing security measures, and ensure that an API remains resilient to evolving threats.

  • Security audits involve a thorough review of an API's design, architecture, and implementation to identify security weaknesses, misconfigurations, and best practice violations, and assess whether an API adheres to security policies, standards, and regulatory requirements. This is also important for ensuring compliance with data protection laws and industry regulations.
  • Penetration testing, or pen testing, meanwhile involves simulating cyberattacks to identify vulnerabilities, weaknesses and potential entry points that malicious actors could exploit. It attempts to exploit API vulnerabilities in a controlled environment to assess the API's resilience against real-world threats, including SQL injection, cross-site scripting (XSS) and more.

The results of penetration testing provide insights into the API's security posture, allowing organizations to prioritize and remediate high-risk vulnerabilities. Penetration tests should be conducted regularly, especially when changes or updates are made to the API, to ensure that security measures remain effective over time.

These practices are essential for safeguarding sensitive data and ensuring the trustworthiness of API-based services.

7. API lifecycle management and decommissioning

A comprehensive approach to API security involves not only establishing APIs securely but also systematically retiring and decommissioning them when they are no longer needed or viable. 

This process involves clearly documenting the API's purpose, usage and dependencies from the outset to facilitate informed decisions during the decommissioning phase. You should also implement version control and deprecation policies, enabling a gradual transition for API consumers, and regularly audit and monitor API usage and access controls to detect potential security risks.

When decommissioning an API, the sunset plan should be communicated to stakeholders with ample notice, along with assistance for users migrating to alternative APIs or solutions.

Finally, a thorough security assessment and testing should be conducted before decommissioning to identify and resolve any vulnerabilities, to ensure that the process is executed securely and without compromising data or system integrity.
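An added Python example (not from the original article or from Knit) of the versioning and deprecation policy expressed in code: a small router-side function that serves active versions normally, attaches a Sunset header (RFC 8594) and a successor-version Link to deprecated ones, and answers 410 Gone for versions that have been retired. The version registry, paths and dates are constructed.

```python
from datetime import datetime, timezone
from email.utils import format_datetime
from typing import Dict, Tuple

# Constructed version registry; in practice this lives in gateway or router configuration.
VERSIONS = {
    "v1": {"state": "retired", "successor": "/v3/"},
    "v2": {"state": "deprecated", "successor": "/v3/",
           "sunset": datetime(2024, 12, 31, tzinfo=timezone.utc)},
    "v3": {"state": "active"},
}


def lifecycle_headers(path: str, now_iso: str) -> Tuple[int, Dict[str, str]]:
    """Per request: is the addressed API version served, served with a warning, or gone?

    `now_iso` is an ISO-8601 timestamp with offset, e.g. "2024-06-01T00:00:00+00:00".
    """
    now = datetime.fromisoformat(now_iso)
    version = path.strip("/").split("/")[0]
    info = VERSIONS.get(version)
    if info is None:
        return 404, {}
    link = ({"Link": f'<{info["successor"]}>; rel="successor-version"'}
            if "successor" in info else {})
    sunset = info.get("sunset")
    if info["state"] == "retired" or (sunset is not None and now >= sunset):
        # 410 Gone rather than 404: the version existed, was announced, and will not return.
        return 410, link
    headers: Dict[str, str] = {}
    if info["state"] == "deprecated" and sunset is not None:
        # Sunset (RFC 8594) carries the retirement date as an HTTP-date so consumers can plan.
        headers["Sunset"] = format_datetime(sunset, usegmt=True)
        headers.update(link)
    return 200, headers


if __name__ == "__main__":
    for p in ("/v1/employees", "/v2/employees", "/v3/employees", "/v9/employees"):
        print(p, lifecycle_headers(p, "2024-06-01T00:00:00+00:00"))
```

Because the sunset date is enforced by the router and not only announced in a changelog, a consumer that ignored the notice period stops working on the published date rather than quietly running against an unmaintained version; logging every 410 by client is the usage audit the text calls for.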

Read: Developer's guide to API lifecycle management

8. Third-Party API Security Considerations

When integrating third-party APIs into your application, it's crucial to consider several important security factors. 

  • First and foremost, thoroughly review the reputation and trustworthiness of the API provider. Assess their security practices and history of vulnerabilities. 
  • Additionally, scrutinize the permissions and access levels you grant to the third-party API. Only provide the minimum access necessary for your application to function to limit potential risks. 
  • Monitor the API's security updates and patch management, as vulnerabilities may emerge over time.
  • Ensure that data transmitted between your application and the third-party API is encrypted and protected to safeguard against interception or tampering. 
  • Lastly, have contingency plans in place for potential downtime or security breaches in the third-party API, which might affect your application's availability and data security.

Read: How to evaluate security before choosing a third-party API provider

API security checklist

To sum up everything we discussed above, here is a checklist that provides a comprehensive overview of the critical aspects to consider when securing your APIs, from authentication and authorization to encryption, monitoring and incident response. You'll need to tailor it to your specific needs, though, and regularly review and update it to adapt to evolving security threats and best practices.

To download the checklist, click here

Common API security FAQs by developers

We have a separate post to deal with all your day-to-day API security FAQs where we discuss the following and more:

1. How to handle when a token expires – generate and store new?

2. How often should I perform security audits and testing for my APIs?

3. What should I do in case of a security breach involving my API?

4. How can I monitor and log API activity for security purposes?

Read all the FAQs

Enable maximum security for your API integrations with Knit

If you are dealing with a large number of API integrations and looking for smarter solutions, check out unified API solutions like Knit. Knit ensures that you have access to high quality data faster in the safest way possible.

  • Knit is the only unified API in the market that does NOT store a copy of your end user data in its servers or share it with any third party. All of our syncs are event-based and happen via webhooks to ensure that your data is not subjected to any external threats during the transfer. Learn more about Knit's secure data sync here
  • Knit complies with industry best practices and security standards. We are SOC2, GDPR and ISO27001 certified and always in the process of adding more security badges to our collection.
  • We monitor Knit's infrastructure continuously with the finest intrusion detection systems. Plus, our super responsive support team is available 24*7 across all time zones to make sure that if a security issue does occur, it is resolved immediately.

We understand how crucial your data is. That's why we are always fine-tuning our security measures to offer maximum protection for your user data. Talk to one of our experts to learn more. If you are ready to build integrations at scale, get your API keys for free.

Sudeshna Roy

Head of Content, Knit

Decoding product and generating users with valuable content

Latest Blogs

API Directory, Apr 9, 2024

A Guide to Integrating with Freshteam's API

Freshteam API Directory

A cloud-based HR software, Freshteam enables organizations to manage employee details, recruitment, onboarding, time-off, offboarding and organization details, among other aspects of their HR processes and practices. With Freshteam API integration, organizations can seamlessly synchronize data between their application and Freshteam to ensure real-time updates of employee information across both platforms. It helps capture any changes in employee status, designation, HR policies, etc. across the different applications a business uses.

Freshteam API Authentication, Filtering, Rate Limits

To ensure utmost security and prevent unauthorized access, the Freshteam API uses OAuth 2.0 for authentication and authorization. Developers can use the Freshteam UI to make calls to the Freshteam authentication server to obtain an access token, which can then be used to make valid API calls. The access token identifies the requester and the requester's permissions. In the Freshteam domain, the access token is present under Your API Key, from where it can be copied and used to make API calls.

Rate limits, i.e. the number of API calls that can be made in a minute for the Freshteam API, are determined by the plan selected by the organization. The rate limit for each plan depends on the number of subscribed employees for the organization. The trial account has a limit of 10 API calls per minute, which goes as high as (100, 2 * number of subscribed employees) API calls per minute for the enterprise plan. Developers or admins can also keep track of their API calls to understand their usage patterns via the following response headers:

  • X-ratelimit-total: Permissible number of API calls in a minute.
  • X-ratelimit-remaining: Number of API calls remaining.
  • X-ratelimit-used-currentrequest: Number of API calls consumed by the API request that obtained the response.

Several endpoints in the Freshteam API retrieve bulk data, especially the ones that list a certain object. In such cases, developers can use pagination parameters to filter data and limit the size of each response. Developers can select the page value (the page number they want responses from) as well as the number of responses per page (the default is 50). They can also sort the values in ascending or descending order, or select another attribute to sort on.
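To show how a client should consume these headers, here is an added Python example (not from the original article, from Knit or from Freshteam) that walks a paginated list endpoint, waits out the minute when X-ratelimit-remaining reaches 0, and backs off on a 429 using Retry-After. The transport callback, the page/per_page parameter names and the fake server responses are assumptions constructed for the demo.

```python
from typing import Callable, Dict, List, Tuple

# (status, headers, json body) as returned by whatever HTTP layer you use.
Response = Tuple[int, Dict[str, str], list]


def header_value(headers: Dict[str, str], name: str, default: str = "") -> str:
    """Case-insensitive header lookup: servers and proxies vary the casing."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), default)


def fetch_all_pages(transport: Callable[[str, dict], Response], path: str,
                    sleep: Callable[[float], None], per_page: int = 50,
                    max_attempts: int = 5) -> list:
    """Walk a paginated list endpoint while honouring the rate-limit headers.

    `transport(path, params)` and the `page` / `per_page` parameter names are assumptions
    made for this example; Freshteam's own documentation is the reference for the real names.
    """
    results: list = []
    page, attempts = 1, 0
    while True:
        status, headers, body = transport(path, {"page": page, "per_page": per_page})
        if status == 429:
            # Limit already exhausted: wait the advertised interval, then retry the same page.
            attempts += 1
            if attempts > max_attempts:
                raise RuntimeError(f"gave up on {path} page {page} after repeated 429s")
            sleep(float(header_value(headers, "Retry-After", "60")))
            continue
        if status != 200:
            raise RuntimeError(f"{path} page {page}: HTTP {status}")
        attempts = 0
        results.extend(body)
        if len(body) < per_page:          # a short page is the last page
            return results
        if header_value(headers, "X-ratelimit-remaining") == "0":
            # This minute's budget is spent: wait out the window before asking for the next page.
            sleep(60.0)
        page += 1


def make_fake_transport(total: int = 120) -> Callable[[str, dict], Response]:
    """Constructed stand-in for the HTTP layer: `total` employees, the quota running out
    after page 2, and a single 429 on the first attempt at page 3."""
    employees = [{"id": i, "first_name": f"emp{i}"} for i in range(1, total + 1)]
    state = {"page3_attempts": 0}

    def transport(path: str, params: dict) -> Response:
        page, per_page = params["page"], params["per_page"]
        if page == 3 and state["page3_attempts"] == 0:
            state["page3_attempts"] += 1
            return 429, {"Retry-After": "5", "X-ratelimit-remaining": "0"}, []
        remaining = {1: "2", 2: "0"}.get(page, "9")
        chunk = employees[(page - 1) * per_page: page * per_page]
        return 200, {"X-ratelimit-total": "10", "X-ratelimit-remaining": remaining}, chunk

    return transport


def run_demo() -> Tuple[int, List[float]]:
    """Fetch every employee through the fake transport; returns (row count, sleeps taken)."""
    sleeps: List[float] = []
    rows = fetch_all_pages(make_fake_transport(), "/employees", sleep=sleeps.append)
    return len(rows), sleeps


if __name__ == "__main__":
    print(run_demo())   # (120, [60.0, 5.0])
```

Reading X-ratelimit-remaining before the next call is what keeps a well-behaved integration from ever seeing the 429; the Retry-After path is the fallback for when several workers share one quota and the header alone cannot coordinate them.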

Freshteam API Objects, Data Models & Endpoints

Employees

  • List all employees: GET /employees
  • Create an employee: POST /employees
  • Retrieve employee information: GET /employees/{id}
  • Update employee information: PUT /employees/{id}
  • List all employee fields: GET /employee_fields
  • Create a custom employee field: POST /employee_fields

Common attributes: id, created at, updated at, workstation number, date of birth, gender, address, communication address, designation, phone number, joining date, termination date, first name, last name, status, official email, personal email, employee type, team id, department id, reporting to id, time off, hire reason, marital status, etc. 

Branches

(Used to configure different geographical locations for an organization and associate employees to a branch)

  • List all branches: GET /branches

Common attributes: id, created at, updated at, name, street, state, country code, zip, time zone, currency, language, main office, date format

Departments & Sub-Departments

  • List all departments: GET /departments
  • List all sub-departments: GET /sub_departments

Business Units

  • List all business units: GET /business_units

Common attributes: id, created at, updated at, name, description

Teams

  • List all teams: GET /teams

Levels

  • List all levels: GET /levels

Timeoffs

  • List all timeoffs: GET /time_offs
  • Create a timeoff request: POST /time_offs
  • List all timeoff types: GET /time_off_types
  • Retrieve timeoff information: GET /time_off_types/{id}
  • Cancel a timeoff request: PUT /time_off_types/{id}/cancel
  • Approve a timeoff request: PUT /time_off_types/{id}/approve

Common attributes: id, created at, updated at, start date, end date, status, leave units, leave type id, status comments, comments, attachment, applied by, approved by, rejected by, canceled by, notify to, description, add to calendar, canceled at, optional leave days, applicable for, auto approve, status

Roles

  • List all roles: GET /roles

Job Postings

  • List all job postings: GET /job_postings
  • Retrieve job posting information: GET /job_postings/{id}
  • List all job posting fields: GET /job_posting_fields
  • List all applicant fields: GET /job_postings/{id}/applicant_fields
  • Create an applicant: POST /job_postings/{id}/applicants

Common attributes: id, created at, updated at, deleted, title, description, status, show_pursue_as_career, closing date, experience, remote, type, salary, branch, department, title, location, skills, requisitions, label, field type, position, candidate, candidate id, first name, last name, date of birth, mobile, phone number, source id, resume, cover letter, portfolio, skype id, content file name, url, gender, profile link, rejected at, archived at, on hold at, on hold till

Candidate Sources

  • List all candidate sources: GET /candidate_sources
  • Create a candidate source: POST /candidate_sources
  • List all candidate source categories: GET /candidate_source_categories

Common attributes: id, created at, updated at, deleted, label, default, leads count

User Functions

  • List all user functions: GET /user_functions

New Hires

  • Create a new hire: POST /new_hires
  • Retrieve new hire information: GET /new_hires/{id}
  • Update new hire information: PUT /new_hires/{id}

Common attributes: id, created at, updated at, deleted, first name, middle name, last name, official email, employee id, status, workstation number, designation, joining date, probation start date, probation end date, branch id, team id, department id, sub department id, termination date, termination reason, notice period, notice start date, notice end date, employee type, hired on, no show, no show reason, date of birth, marital status, gender, blood group, emergency contacts, social profiles, address, communication address, phone numbers, job codes, job exempt, scheduled weekly hours, retirement eligibility date, rehire eligibility, rehire status, confirmed, language, branch, team

Freshteam API Use Cases

  • Centralize HR operations with AI-powered virtual agents, self-service solutions and seamless integration with MS Teams, Slack, and other applications
  • Automate internal processes with easy-to-configure workflows, leading to streamlined work and increased efficiency
  • Leverage 50+ job descriptions out of the box to accelerate hiring processes
  • Capture qualitative feedback about candidates along with better candidate relationships through built-in email and a manageable candidate database

Top customers

50,000+ companies from across 120+ countries use Freshteam to power their HR operations and streamline processes to make them efficient, robust and optimized. Here are some of the top customers that are leveraging Freshteam:

  • Gartner, Inc., an American technological research and consulting firm
  • OpeninApp, a smart link generator tool that ensures all social media links open in the apps they should
  • Dymocks Booksellers, an Australian-founded privately owned bookstore chain
  • Valley Medical Center, a 321-bed, acute care community hospital and clinic network
  • Kirat Plastics, a full-service custom plastic injection molding, metal pressing, fabrication, and assembly facility
  • Lot Squared Development, a Washington DC based design-build residential real estate developer 

Freshteam API FAQs

Here is a list of Freshteam API FAQs that developers must understand to make their integration journey more effective and robust:

  • How to use Freshteam Developer API? Answer
  • Where to find Freshteam API key, how to reset it and Scope of an API Key? Answer
  • What are the status and error messages that indicate the success or failure of an API request in Freshteam API? Answer
  • What are the common request header parameters used in requests to Freshteam APIs? Answer
  • What are the API methods that developers interact with for Freshteam API? Answer
  • What are models in Freshteam API? Answer

Common Integrations with Freshteam API 

Businesses, especially those engaged in the employee side of work, are increasingly seeking integration with Freshteam API to streamline data exchange between this HRIS platform and their application. Some of the top use cases and common integrations with Freshteam API include:

  • Recruitment companies which can use the write APIs to update candidate information into Freshteam once a client is hired to ensure the customer’s HRIS is up to date for all onboarding and future requirements
  • Payroll providers can leverage both read APIs to fetch employee information for payroll creation and disbursement, as well as write APIs, to push back data into customer’s Freshteam account to notify that salaries have been paid
  • Rewards and recognition companies which can use integration with Freshteam API to fetch information on employees to seamlessly manage their operations and help end customers build a culture of recognition.  

How to integrate with Freshteam API 

To kickstart the integration journey with the Freshteam API, developers can go through this quick start guide. The first step is to create a developer account and join the Freshteam developer community. Next, developers need to follow the installation instructions to install the API SDK. Following this, it is important to get acquainted with the authorization and authentication protocols used to access data and make API calls. Learn about the terms of use for accessing or using the Freshteam developer portal and understand the different terminology used. For more support and information, businesses can scroll through the Freshteam support page and get answers to their queries.

Get started with Freshteam API 

Companies that integrate with the Freshteam API benefit from the seamless exchange of information between this HRIS platform and their application and have been able to explore multiple use cases for their end customers. However, manually building and maintaining an integration with the Freshteam API can be a daunting task for developers. Building the integration alone can take 4 weeks on average and cost USD 10K (considering the cost of software developers, QA engineers, etc.). Further, the cost of maintaining the Freshteam API integration adds another burden on the bottom line while diverting resources away from core product functionality and enhancements. And this is for a single HRIS integration (the Freshteam API). Businesses generally need to integrate with multiple HRIS APIs to meet the demands of their end customers. Here, a unified HRIS API like Knit can enable businesses to easily integrate with multiple HRIS applications through a single connector. By incorporating an additional layer of abstraction, a unified API allows businesses to ship and scale integrations faster and more efficiently. Book a discovery call today to learn how developers can integrate with the Freshteam API and other HRIS applications within hours, not weeks.

API Directory, Apr 9, 2024

A Guide to Integrating with Zenefits APIs

Zenefits API Directory

TriNet Zenefits is a leading provider of full-service HR solutions. It enables small and medium-sized companies to administer and manage benefits and HR offerings, including time tracking, onboarding, employee engagement, employee record keeping, payroll, performance and well-being. As a highly sought-after HRIS platform, companies have been increasingly integrating with TriNet Zenefits to facilitate the seamless exchange of HRIS data captured by Zenefits with their own apps to drive diverse use cases.

Zenefits API Authentication, Filtering, Rate Limits

Owing to the sensitive nature of the information held by the HRIS application, including personally identifiable information (PII), the Zenefits API ensures that all data scopes are accessed at a granular level. The Zenefits API uses OAuth2 to authenticate and authorize access to information stored in the application. OAuth2 authorizes third-party applications to request private details from Zenefits accounts without passwords. Access is limited to admins, and developers receive a unique Client ID and Client Secret to access data through their integration.

Zenefits API pagination lets developers define the number of records returned per page. Developers can use the limit parameter to specify the number of records in a response. The maximum limit is 100; if no limit is specified, the default is 20. If the total number of records does not fit in a single page, the next_url field holds a link to the next page with the remaining records. If next_url is null, no records exist for subsequent pages. Developers can also use the starting_after or ending_before query parameter to paginate based on object ids; ending_before is useful for backwards pagination.
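The following added Python example (not from the original article, from Knit or from Zenefits) follows next_url until it is null, enforces the documented limit bounds (default 20, maximum 100), and refuses to follow a continuation link that points anywhere other than api.zenefits.com over HTTPS. The response shape {"data": [...], "next_url": ...} and the fake server are assumptions constructed for the demo.

```python
from typing import Callable, List, Optional
from urllib.parse import parse_qs, urlsplit

API_HOST = "api.zenefits.com"


def clamp_limit(limit: Optional[int]) -> int:
    """Apply the documented bounds: default 20 when unset, never more than 100."""
    if limit is None:
        return 20
    if not 1 <= limit <= 100:
        raise ValueError("limit must be between 1 and 100")
    return limit


def follow_pages(fetch: Callable[[str], dict], first_url: str, max_pages: int = 1000) -> List[dict]:
    """Collect records across pages by following next_url until the API returns null.

    `fetch(url)` returning {"data": [...], "next_url": ...} is an assumed response shape.
    """
    records: List[dict] = []
    url: Optional[str] = first_url
    pages = 0
    while url is not None:
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.netloc != API_HOST:
            # Only follow continuation links that stay on the API's own host over HTTPS:
            # a bearer token must never be replayed to a host the response chose for you.
            raise ValueError(f"refusing to follow off-API next_url: {url}")
        page = fetch(url)
        records.extend(page["data"])
        url = page.get("next_url")
        pages += 1
        if url is not None and pages >= max_pages:
            raise RuntimeError("pagination did not terminate")
    return records


def make_fake_fetch(total: int = 45, limit: int = 20) -> Callable[[str], dict]:
    """Constructed stand-in for the HTTP layer: `total` people served `limit` per page,
    with starting_after carrying the last id seen."""
    people = [{"id": str(i), "work_email": f"person{i}@example.com"} for i in range(1, total + 1)]

    def fetch(url: str) -> dict:
        after = int(parse_qs(urlsplit(url).query).get("starting_after", ["0"])[0])
        chunk = people[after: after + limit]      # ids are 1-based, so the record after id N is at index N
        has_more = after + limit < total
        next_url = (f"https://{API_HOST}/core/people?limit={limit}&starting_after={chunk[-1]['id']}"
                    if chunk and has_more else None)
        return {"data": chunk, "next_url": next_url}

    return fetch


def run_demo() -> int:
    """Page through the fake dataset with the default limit; returns the record count."""
    first = f"https://{API_HOST}/core/people?limit={clamp_limit(None)}"
    return len(follow_pages(make_fake_fetch(), first))


if __name__ == "__main__":
    print(run_demo())   # 45
```

The host check matters because next_url is an absolute URL chosen by the server: a client that blindly follows it would also send its Authorization header wherever that link points, so validating the origin is part of keeping the OAuth credentials scoped to Zenefits.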

Zenefits API Objects, Data Models & Endpoints

It is extremely important for developers to understand the objects, data models and endpoints when it comes to integrating with Zenefits API. While the overall scope might be large, here are a few which can be considered as a starting point for Zenefits API integration. 

  • Applications: Used to return information about the application

GET https://api.zenefits.com/platform/applications

  • Companies: Used to get information about the company

GET https://api.zenefits.com/core/companies

Fields include: 'legal_name', 'ein', 'departments', 'locations'

  • People: Used to return information about a company’s employees

GET https://api.zenefits.com/core/companies/{:company_id}/people

GET http://api.zenefits.com/core/people/{:id} (For information about a single employee)

GET http://api.zenefits.com/core/people (For information for all employees across the company)

Fields include: 'work_email', 'date_of_birth', 'manager', 'department', 'location', 'work_phone', 'status', 'subordinates', 'banks','company', 'employments', 'department', 'location', 'manager', 'banks'

  • Employments: Used to return information about an employee’s employment history

GET https://api.zenefits.com/core/people/{:person_id}/employments

GET https://api.zenefits.com/core/employments/{:employment_id} (For information on a specific employment)

GET https://api.zenefits.com/core/employments (For information on all employments across all people)

Fields include: 'termination_type', 'employment_type', 'comp_type', 'annual_salary', 'pay_rate', 'working_hours_per_week','person'

  • Employee Bank Accounts: Used to return information about employee’s bank account

GET https://api.zenefits.com/core/people/{:person_id}/banks

GET http://api.zenefits.com/core/banks/{:bank_id} (For information for a specific bank)

GET http://api.zenefits.com/core/banks (For information for all banks across all people)

  • Departments: Used to return the list of a company’s department

GET https://api.zenefits.com/core/companies/{:id}/departments

GET http://api.zenefits.com/core/departments/{:department_id} (For information regarding a single department)

GET http://api.zenefits.com/core/departments (For information relating to all departments across all companies)

  • Locations: Used to return the list of a company's locations

GET https://api.zenefits.com/core/companies/{:company_id}/locations

GET https://api.zenefits.com/core/locations/{:location_id} (For information relating to a single location)

GET https://api.zenefits.com/core/locations (For information relating to all locations across all companies)

  • Vacation Requests: Used to return information about employees' PTO vacation requests

GET https://api.zenefits.com/time_off/vacation_requests

GET https://api.zenefits.com/time_off/vacation_requests/{:id} (For information relating to a single vacation request)

GET https://api.zenefits.com/time_off/vacation_types/{:vacation_type_id}/vacation_requests/ (For all vacation requests for a single vacation type)

Fields include: 

  • status: Requested, approved, denied, cancelled, deleted
  • vacation_type: Vacation Type for this request, e.g. Jury Duty, Work From Home, Doctor's Appointment
  • start_date: Start date of vacation request (inclusive)
  • end_date: End date of vacation request (inclusive) 
  • creator: Person who filed this vacation request
  • person: Person who this vacation request applies to (often the same as creator)
  • created_date: Date this vacation request was created
  • hours: Number of hours requested, generally calculated at 8 hours a day for multi-day requests and specified manually for single day requests
  • approved_date: Date this request was moved from requested status, either to approved or denied.
  • reason: Note from the person requesting this vacation
  • deny_reason: Note from the approver for why this vacation request was denied. (Only applies if status is denied)

  • Vacation Types: Used to return information about a company's PTO vacation types

GET https://api.zenefits.com/time_off/vacation_types 

GET https://api.zenefits.com/time_off/vacation_types/{:id} (For information relating to a single vacation type)

Fields include:

  • status: Active, deleted
  • vacation_types
  • name: Name of the type
  • company: Company for this vacation type
  • vacation_requests: Vacation Requests for this type
  • counts_as: What account this type counts towards (vacation, sick, personal)

  • Time Durations: Used to return information about a person's T&A hours

GET https://api.zenefits.com/time_attendance/time_durations

GET https://api.zenefits.com/time_attendance/time_durations/{:id} (For information relating to a single time duration object)

Fields include:

  • person: Person this time duration is logged for
  • activity: Activity type (work, meal_break)
  • state: Effective, overridden, deleted, correction
  • valid_status: valid, exceeds, overlapping same day, overlapping previous day, overlapping next day, missing clock out, missing clock in
  • hours: Number of hours logged
  • start: When this time duration started
  • end: When this time duration ended
  • is_overnight: Whether this time duration has been marked as part of an overnight shift
  • is_approved: When this time duration was approved. 
  • approver: Person who approved this time duration

Zenefits API Use Cases

  • Automate onboarding, saving 100s of hours as information gets auto synced to Benefits and Payroll
  • Simplify employee management with organizational charts, company directories allowing employees to update their own records
  • Improve HR processes and decision making with business intelligence reports and insights on turnover, workforce diversity, with understanding of how to pay new hires
  • Simplify the process of providing great benefits to employees, from comprehensive healthcare plans to extra perks like commuter benefits
  • Facilitate time and attendance management with employee scheduling tools, with time off and clocked-in hours automatically syncing to Payroll

Zenefits API FAQs

Here is a list of FAQs about the TriNet Zenefits API that can help you start and accelerate your integration:

  • What is the software stack of Zenefits? Answer
  • How to address the CORS issue in Angular 8 without changing the backend in Zenefits API? Answer 
  • How to handle New Company Installations in TriNet Zenefits API? Answer
  • How to handle New People's Subscriptions in TriNet Zenefits API? Answer
  • What does Webhooks shared secret vs OAuth client secret mean? Answer
  • How to read and write custom data with Zenefits API? Answer
  • How to issue Access Tokens for Zenefits API authentication and authorization? Answer
  • Where can I find a guidebook for Zenefits integration? Answer
  • Does Zenefits have a public API? Answer
  • What is Zenefits’ App Acceptance Criteria for API integration? Answer
  • Where is the developer portal for Zenefits API? Answer

Common Integrations with Zenefits API 

Several businesses are increasingly building integrations with Zenefits API to power operations for the end customers, facilitated by seamless data exchange, including:

  • Payroll providers to get access to employee information, employment records and agreement terms, compensation details and other relevant information like leaves, time off, etc. 
  • Candidate recruitment companies to push data about selected candidates and relevant information for smooth onboarding
  • Employee engagement companies to fetch employee data, including demographic information, personal and professional details, attendance, etc. 
  • Early wage access providers to get access to employee information, payroll details and even write back data regarding early payments/ deductions for accurate payroll processing

How to integrate with Zenefits API 

To get started with the Zenefits API integration journey, a developer account needs to be created. To create one, developers can reach out to the Zenefits team at this email address; that request is the step that grants access to a sandboxed Zenefits test company and the credentials needed to start using the API. Once the developer account is active, developers can use this getting started guide for a detailed overview of the REST API, modules, webhooks, authentication and more. It is important to read and understand the App Acceptance Criteria, which can be accessed here. Knowledge of the Zenefits Developer Policy is equally critical to understand the technical, brand and general requirements and restrictions.

Get started with Zenefits API 

Integrating with Zenefits API is beneficial for businesses looking to seamlessly exchange data with this leading HRIS provider with bi-directional sync. However, building a custom 1:1 integration can be a complex, time and resource intensive process. The above mentioned steps, restrictions and requirements can all choke up developer bandwidth. Invariably, SaaS businesses today are moving away from building integrations to partnering with unified APIs like Knit. A unified API, in this case for HRIS integrations, enables companies to integrate once and seamlessly connect with multiple HRIS applications, including Zenefits API, without any additional requirements. With a unified HRIS API, maintenance and management of integration with Zenefits and other applications also becomes quite easy. Book a discovery call today to learn how a unified API can help you ship and scale integrations fast. 

API Directory
Mar 21, 2024

Comprehensive Guide to Keka API Directory

Keka is a leading human resources management system that enables organizations to seamlessly manage diverse aspects of their human resource processes, including recruitment and onboarding, attendance and time management, payroll, expense and performance management. With OAuth authentication, rate limiting, pagination, and adherence to industry standards, Keka provides developers with everything they need to build robust integrations with their software/platform and facilitate data exchange between their application and this leading HRMS portal.

Keka API Authentication, Pagination, Rate Limit

To ensure safe and secure access, the Keka API uses OAuth for authentication. This means that for a successful integration, developers need an access token, which is generated from a specific set of details: client id (identifier for the client), client secret (for secure authentication), api key (unique API key for accessing the system) and scope (kekaapi must be passed for this key). To test their integration, developers can also use the Sandbox Environment offered by Keka, which lets them verify functionality before moving to production. Keka APIs come with pagination already implemented to keep response times down; the default page size in Keka is 100 and the default page number is 1.

A rate limit is a critical element of any API, and Keka is no exception: it defines the number of requests that can be made to Keka within a given time period. Keka has a rate limit of 50 API requests per minute. Once 50 requests have been made in a minute, the client must wait for the quota to be refilled before making any further request. The rate limits are enforced and automatically reset after 60 seconds. If a request is made before the quota is refilled, a 429 error with the reason rateLimitExceeded is returned.

Keka API Objects, Data Models & Endpoints

As a developer or the representative of an organization seeking to integrate with Keka API, it is important to understand the endpoints that you will be using eventually for data exchange, both when it comes to read APIs (getting data from Keka) as well as write APIs (providing data to Keka). 

CORE HR

Employees

  • Get all Employees

GET https://{company}.{environment}.com/api/v1/hris/employees

  • Create an Employee

POST https://{company}.{environment}.com/api/v1/hris/employees

  • Get an Employee

GET https://{company}.{environment}.com/api/v1/hris/employees/{id}

  • Get all update fields

GET https://{company}.{environment}.com/api/v1/hris/employees/updatefields

  • Update Employee personal details

PUT https://{company}.{environment}.com/api/v1/hris/employees/{id}/personaldetails

  • Update employee job details

PUT https://{company}.{environment}.com/api/v1/hris/employees/{id}/jobdetails

Groups

  • Get all Groups

GET https://{company}.{environment}.com/api/v1/hris/groups

  • Get all Group Types

GET https://{company}.{environment}.com/api/v1/hris/grouptypes

Departments

  • Get all departments

GET https://{company}.{environment}.com/api/v1/hris/departments

Locations

  • Get all Locations

GET https://{company}.{environment}.com/api/v1/hris/locations

Job Title

  • Get all job titles

GET https://{company}.{environment}.com/api/v1/hris/jobtitles

Currency

  • Get all currencies

GET https://{company}.{environment}.com/api/v1/hris/currencies

Notice Period

  • Get all notice periods

GET https://{company}.{environment}.com/api/v1/hris/noticeperiods

LEAVE

Leave Types

  • Get all Leave Types

GET https://{company}.{environment}.com/api/v1/time/leavetypes

Leave Balance

  • Get all Leave balances

GET https://{company}.{environment}.com/api/v1/time/leavebalance

Leave Requests

  • Get all Leave Requests

GET https://{company}.{environment}.com/api/v1/time/leaverequests

  • Create a Leave Request

POST https://{company}.{environment}.com/api/v1/time/leaverequests

ATTENDANCE

Attendance

  • Get all Attendance Records

GET https://{company}.{environment}.com/api/v1/time/attendance

Attendance Capture Scheme

  • Get all capture schemes

GET https://{company}.{environment}.com/api/v1/time/capturescheme

Holiday Calendar

  • Get the holidays calendar

GET https://{company}.{environment}.com/api/v1/time/holidayscalendar

PAYROLL

Salary Components

  • Get all Salary Components

GET https://{company}.{environment}.com/api/v1/payroll/salarycomponents

Pay Groups

  • Get all Pay Groups

GET https://{company}.{environment}.com/api/v1/payroll/paygroups

Pay Cycles

  • Get all Pay Cycles

GET https://{company}.{environment}.com/api/v1/payroll/paygroups/{payGroupId}/paycycles

  • Get Pay Register

GET https://{company}.{environment}.com/api/v1/payroll/paygroups/{payGroupId}/paycycles/{payCycleId}/payregister

  • Get all Pay Batches

GET https://{company}.{environment}.com/api/v1/payroll/paygroups/{payGroupId}/paycycles/{payCycleId}/paybatches

  • Get all Batch Payments

GET https://{company}.{environment}.com/api/v1/payroll/paygroups/{payGroupId}/paycycles/{payCycleId}/paybatches/{payBatchId}/payments

  • Update the Payments status

PUT https://{company}.{environment}.com/api/v1/payroll/paygroups/{payGroupId}/paycycles/{payCycleId}/paybatches/{payBatchId}/payments

Pay Grades

  • Get all Pay Grades

GET https://{company}.{environment}.com/api/v1/payroll/paygrades

Pay Bands

  • Get all Pay Bands

GET https://{company}.{environment}.com/api/v1/payroll/paybands

PSA

Clients

  • Get all clients

GET https://{company}.{environment}.com/api/v1/psa/clients

  • Create a Client

POST https://{company}.{environment}.com/api/v1/psa/clients

  • Get a client

GET https://{company}.{environment}.com/api/v1/psa/clients/{id}

  • Update a Client

PUT https://{company}.{environment}.com/api/v1/psa/clients/{id}

Project Phases

  • Get project phases.

GET https://{company}.{environment}.com/api/v1/psa/projects/{projectId}/phases

  • Create a Project Phase

POST https://{company}.{environment}.com/api/v1/psa/projects/{projectId}/phases

Projects

  • Get all projects.

GET https://{company}.{environment}.com/api/v1/psa/projects

  • Create a Project

POST https://{company}.{environment}.com/api/v1/psa/projects

  • Get a project

GET https://{company}.{environment}.com/api/v1/psa/projects/{id}

  • Update a Project

PUT https://{company}.{environment}.com/api/v1/psa/projects/{id}

  • Get a project's allocations

GET https://{company}.{environment}.com/api/v1/psa/projects/{id}/allocations

  • Get project timesheet entries.

GET https://{company}.{environment}.com/api/v1/psa/projects/{id}/timeentries

Tasks

  • Get project tasks.

GET https://{company}.{environment}.com/api/v1/psa/projects/{projectId}/tasks

  • Create a task

POST https://{company}.{environment}.com/api/v1/psa/projects/{projectId}/tasks

  • Update a task

PUT https://{company}.{environment}.com/api/v1/psa/projects/{projectId}/tasks/{taskId}

  • Get project task time entries.

GET https://{company}.{environment}.com/api/v1/psa/projects/{projectId}/tasks/{taskId}/timeentries

PMS

Time Frames

  • Get time frame list.

GET https://{company}.{environment}.com/api/v1/pms/timeframes

Goal

  • Get goal list.

GET https://{company}.{environment}.com/api/v1/pms/goals

  • Update goal progress

PUT https://{company}.{environment}.com/api/v1/pms/goals/{goalId}/progress

Badge

  • Get badge list.

GET https://{company}.{environment}.com/api/v1/pms/badges

Praise

  • Add Praise

POST https://{company}.{environment}.com/api/v1/pms/praise

EXPENSE

Expense Category

  • Get all Expense Categories

GET https://{company}.{environment}.com/api/v1/expense/categories

Expense

  • Get all Expense Claims

GET https://{company}.{environment}.com/api/v1/expense/claims

Expense Policy

  • Get all expense policies

GET https://{company}.{environment}.com/api/v1/expensepolicies

ASSETS

Asset

  • Get all Assets

GET https://{company}.{environment}.com/api/v1/assets

Asset Type

  • Get all Asset Types

GET https://{company}.{environment}.com/api/v1/assets/types

Asset Category

  • Get all Asset Categories

GET https://{company}.{environment}.com/api/v1/assets/categories

Asset Condition

  • Get all Asset Conditions

GET https://{company}.{environment}.com/api/v1/assets/conditions

Keka API Use Cases

  • Easy payroll processing and integration with attendance and leave to ensure proper calculation of payroll and taxes
  • Covers every HR workflow to manage people processes, including hiring, onboarding, probation confirmation, internal movements, etc.
  • Streamline all HR operations with automated workflows, comprehensive analytics, and hassle-free employee management
  • Conduct a multi-dimensional assessment of employees' abilities, behavioral competencies, and performance for constructive team evaluation
  • Get an accurate view of revenue against each project, resources allocation, and amount of time spent
  • Robust attendance management system that integrates every aspect of time tracking, including scheduling shifts, and tracking over-time, fully integrated with payroll

Top Customers

Keka, as an HRMS tool, is widely used with 5000+ customers, including:

  • Noise, India's trusted wearable watch brand
  • GrabOn, one of India’s top players in the coupons and deals industry
  • ICM, a UK-based global multi-regulated financial service provider
  • Easypolicy, a leading insurance aggregator
  • Traveazy, a Dubai-based travel-tech company focused on simplifying pilgrimage travel
  • Unbox Robotics, a leading supply chain robotics technology company specializing 
  • HackerEarth, a comprehensive developer assessment software that helps companies accurately measure developers' skills while recruiting
  • Metrochem API, a manufacturer of Active Pharmaceutical Ingredients (APIs), Pellets, and Intermediates in Multi Therapeutic segments

Keka API FAQs

Here's a list of quick FAQs that will help answer questions you might have while integrating your application with the Keka API:

  • How can an admin create an API access key on Keka? Answer
  • How to integrate the Mettl assessment app with Keka Hire? Answer
  • How to integrate Naukri with Keka Hire? Answer
  • How to integrate Keka Hire with HackerEarth for Sending Assessments? Answer
  • How to integrate Keka Hire with LinkedIn? Answer 
  • How to integrate MS Teams account with Keka Hire? Answer
  • How to integrate SpringVerify with Keka? Answer

How to integrate with Keka API 

If you are just getting started, it might be a good idea to go through this documentation to understand how you can initiate the integration process. The detailed documentation contains everything you need to know about the overview, endpoints and much more. Leverage this to learn about the different data models scope and other details which will come in handy to get started. At the same time, this link will help you generate the access token for seamless authentication. 

Get started with Keka API 

While the guide shared above will serve as a comprehensive starting point for you to integrate your application with Keka API, it is important to understand that the entire process can be engineering heavy, time consuming and resource intensive. Put simply, it’s not just about building an integration, but also about managing and maintaining it over time. At the same time, if you want to connect with other HRMS APIs, the process becomes multifold. In such a situation, leveraging a unified HRMS API like Knit can come in handy. Knit enables SaaS businesses to easily connect with multiple HRMS applications by integrating once with its unified API, eliminating the need to connect with each application separately.

Book a demo call today to learn how you can accelerate your integration journey with Keka and other HRMS applications using Knit. 
