Knit is #1 product of the week in the developer tools category on Product Hunt!
X
Developers

Common Risks to API Security and How to Mitigate Them

Facing API security issues? You have come to right place. Keep reading to learn how to deal with common threats

Note: This is a part of our API Security 101 series where we solve common developer queries in detail with how-to guides, common examples and code snippets. Feel free to visit the smaller guides linked later in this article on topics such as authentication methods, rate limiting, API monitoring and more.

In today’s tech-driven world, APIs are the glue that holds different software systems together, making communication smooth and effortless. However, this convenience comes with inherent security risks. Understanding and addressing these risks is crucial for safeguarding sensitive information in interconnected digital ecosystems.

In this article, we will discuss common API security risks and learn how to identify them in order to secure our digital infrastructure.

Common risks to API security developers must know of

1. Unauthorized access 

One of the most common threats to APIs is unauthorized access. 

Without proper authentication and authorization mechanisms in place, malicious actors can exploit vulnerabilities to gain unauthorized access to your API endpoints, potentially exposing sensitive data or wreaking havoc on your system.

  • APIs are frequently targeted by unauthorized access attempts, posing a significant security risk.
  • In the absence of robust authentication and authorization mechanisms, malicious actors may exploit vulnerabilities to gain unauthorized entry to API endpoints.
  • This unauthorized access can lead to the exposure of sensitive data or cause disruption within your system, emphasizing the importance of implementing robust security measures.

2. Broken authentication tokens

If API tokens or session identifiers are not securely managed, they can be stolen or abused, allowing attackers to impersonate legitimate users and gain unauthorized access.

  • APIs commonly use tokens to authenticate users. When authentication tokens are not securely generated, stored, or transmitted, attackers can exploit these weaknesses.
  • Broken authentication tokens can result in session hijacking, where an attacker gains control over a user's active session by stealing or manipulating their authentication token. This can give the attacker access to the user's account and privileges.
  • To address broken authentication token risks, developers must implement secure token management practices such as strong encryption and regular audits.

3. Injection attacks 

Injection attacks, such as SQL injection and cross-site scripting (XSS), pose a significant risk to APIs. Attackers can manipulate input data to execute malicious code within your API, leading to data breaches or even system compromise.

  • Injection attacks often involve manipulating SQL queries by injecting malicious code. In APIs, SQL injection occurs when untrusted data is included in database queries. Attackers can execute unauthorized database operations, potentially accessing or modifying sensitive information.
  • Moreover, if an API improperly handles user input and allows it to be part of command execution, attackers can inject malicious commands, leading to unauthorized system operations.
  • API security measures, such as input validation, output encoding, and the principle of least privilege, can help safeguard against injection vulnerabilities.

4. Data Exposure 

Inadequate data protection can result in data exposure. APIs often transmit sensitive information, and if not properly encrypted or secured during transmission, this data can be intercepted by attackers. 

  • Data exposure can occur when APIs use insecure transmission protocols, such as HTTP instead of HTTPS. 
  • Without encryption, data is transmitted in plain text, making it vulnerable to eavesdropping by malicious actors.
  • It can also result from inadequate data masking and validation, leading to data leaks and unauthorized access to sensitive data.

5. Rate Limiting and Denial of Service (DoS) Attacks

APIs are susceptible to DoS attacks, where attackers flood the system with excessive requests, overwhelming it and causing disruptions in service availability.

  1. Third-party Dependencies: Relying on third-party APIs introduces an element of risk, as you have less control over their security practices. Compromised third-party APIs can have a cascading effect on your own API's security.
  2. Human Error: Human mistakes, such as misconfigurations or accidentally exposing API keys, can lead to security breaches. It's crucial to educate your team on security best practices to minimize these risks.

Learn more about 10+1 (bonus) ways to stop being rate limited

Consequences of API security breaches

API security breaches can have far-reaching consequences for both businesses and users alike. 

  • For businesses, these breaches can result in severe financial losses, damage to reputation, and legal liabilities. 
  • Customers and end users are equally affected, facing the potential exposure of sensitive personal information, such as financial data or login credentials, employment data which can lead to identity theft or financial fraud. 

It's crucial for organizations to adopt proactive security measures to mitigate these risks. By prioritizing API security from the outset, businesses can protect their operations and reputation while ensuring the safety and trust of their users.

The old adage "prevention is better than cure" couldn't be more apt in the realm of API security, where a proactive approach is the key to averting devastating consequences for all parties involved.

Take your API security to the next level

If you are dealing with a large number of API integration and looking for smarter solutions, check out unified API solutions like Knit. Knit ensures that you have access to high quality data faster in the safest way possible.

There are 3 ways Knit ensures maximum security.

  • Knit is the only unified API in the market that does NOT store a copy of your end user data in its severs or share it with any third party. All of our syncs are event-based and happens via webhooks to ensure that your data is not subjected to any external threats during the transfer. Learn more about Knit's secure data sync here
  • Knit complies with industry best practices and security standards. We are SOC2, GDPR and ISO27001 certified and always in the process of adding more security badges to our collection.
  • We monitor Knit's infrastructure continuously with the finest intrusion detection systems. Plus, our super responsive support team is available 24*7 across all time zones to make sure if at all a security issue occurs, it is resolved immediately.

If you want to learn more about Knit Security Practices, please talk to one of our experts. We would love to talk to you

Sudeshna Roy

Head of Content, Knit

Decoding product and generating users with valuable content

Latest Blogs

Browse all Blogs
Product
May 26, 2024

Top 5 Finch Alternatives

11
mins

Top 5 Alternatives to tryfinch

TL:DR:

Finch is a leading unified API player, particularly popular for its connectors in the employment systems space, enabling SaaS companies to build 1: many integrations with applications specific to employment operations. This translates to the ease for customers to easily leverage Finch’s unified connector to integrate with multiple applications in HRIS and payroll categories in one go. Invariably, owing to Finch, companies find connecting with their preferred employment applications (HRIS and payroll) seamless, cost-effective, time-efficient, and overall an optimized process. While Finch has the most exhaustive coverage for employment systems, it's not without its downsides - most prominent being the fact that a majority of the connectors offered are what Finch calls “assisted” integrations. Assisted essentially means a human-in-the-loop integration where a person has admin access to your user's data and is manually downloading and uploading the data as and when needed.

Pros and cons of Finch
Why chose Finch (Pros)

● Ability to scale HRIS and payroll integrations quickly

● In-depth data standardization and write-back capabilities

● Simplified onboarding experience within a few steps

However, some of the challenges include(Cons):

● Most integrations are human-assisted instead of being true API integrations

● Integrations only available for employment systems

● Limited flexibility for frontend auth component

● Requires users to take the onus for integration management

Pricing: Starts at $35/connection per month for read only apis; Write APIs for employees, payroll and deductions are available on their scale plan for which you’d have to get in touch with their sales team.

Now let's look at a few alternatives you can consider alongside finch for scaling your integrations

Finch alternative #1: Knit

Knit is a leading alternative to Finch, providing unified APIs across many integration categories, allowing companies to use a single connector to integrate with multiple applications. Here’s a list of features that make Knit a credible alternative to Finch to help you ship and scale your integration journey with its 1:many integration connector:

Pricing: Starts at $2400 Annually

Here’s when you should choose Knit over Finch:

● Wide horizontal and deep vertical coverage: Knit not only provides a deep vertical coverage within the application categories it supports, like Finch, however, it also supports a wider horizontal coverage of applications, higher than that of Finch. In addition to applications within the employment systems category, Knit also supports a unified API for ATS, CRM, e-Signature, Accounting, Communication and more. This means that users can leverage Knit to connect with a wider ecosystem of SaaS applications.

● Events-driven webhook architecture for data sync: Knit has built a 100% events-driven webhook architecture, which ensures data sync in real time. This cannot be accomplished using data sync approaches that require a polling infrastructure. Knit ensures that as soon as data updates happen, they are dispatched to the organization’s data servers, without the need to pull data periodically. In addition, Knit ensures guaranteed scalability and delivery, irrespective of the data load, offering a 99.99% SLA. Thus, it ensures security, scale and resilience for event driven stream processing, with near real time data delivery.

● Data security: Knit is the only unified API provider in the market today that doesn’t store any copy of the customer data at its end. This has been accomplished by ensuring that all data requests that come are pass through in nature, and are not stored in Knit’s servers. This extends security and privacy to the next level, since no data is stored in Knit’s servers, the data is not vulnerable to unauthorized access to any third party. This makes convincing customers about the security potential of the application easier and faster.

● Custom data models: While Knit provides a unified and standardized model for building and managing integrations, it comes with various customization capabilities as well. First, it supports custom data models. This ensures that users are able to map custom data fields, which may not be supported by unified data models. Users can access and map all data fields and manage them directly from the dashboard without writing a single line of code. These DIY dashboards for non-standard data fields can easily be managed by frontline CX teams and don’t require engineering expertise.  

● Sync when needed: Knit allows users to limit data sync and API calls as per the need. Users can set filters to sync only targeted data which is needed, instead of syncing all updated data, saving network and storage costs. At the same time, they can control the sync frequency to start, pause or stop sync as per the need.

● Ongoing integration management: Knit’s integration dashboard provides comprehensive capabilities. In addition to offering RCA and resolution, Knit plays a proactive role in identifying and fixing integration issues before a customer can report it. Knit ensures complete visibility into the integration activity, including the ability to identify which records were synced, ability to rerun syncs etc.

As an alternative to Finch, Knit ensures:

● No-Human in the loop integrations

● No need for maintaining any additional polling infrastructure

● Real time data sync, irrespective of data load, with guaranteed scalability and delivery

● Complete visibility into integration activity and proactive issue identification and resolution

● No storage of customer data on Knit’s servers

● Custom data models, sync frequency, and auth component for greater flexibility

Finch alternative #2: Merge

Another leading contender in the Finch alternative for API integration is Merge. One of the key reasons customers choose Merge over Finch is the diversity of integration categories it supports.

Pricing: Starts at $7800/ year and goes up to $55K

Why you should consider Merge to ship SaaS integrations:

● Higher number of unified API categories; Merge supports 7 unified API categories, whereas Finch only offers integrations for employment systems

● Supports API-based integrations and doesn’t focus only on assisted integrations (as is the case for Finch), as the latter can compromise customer’s PII data

● Facilitates data sync at a higher frequency as compared to Finch; Merge ensures daily if not hourly syncs, whereas Finch can take as much as 2 weeks for data sync

However, you may want to consider the following gaps before choosing Merge:

● Requires a polling infrastructure that the user needs to manage for data syncs

● Limited flexibility in case of auth component to customize customer frontend to make it similar to the overall application experience

● Webhooks based data sync doesn’t guarantee scale and data delivery

Finch alternative #3: Workato

Workato is considered another alternative to Finch, albeit in the traditional and embedded iPaaS category.

Pricing: Pricing is available on request based on workspace requirement; Demo and free trial available

Why you should consider Workato to ship SaaS integrations:

● Supports 1200+ pre-built connectors, across CRM, HRIS, ticketing and machine learning models, facilitating companies to scale integrations extremely fast and in a resource efficient manner

● Helps build internal integrations, API endpoints and workflow applications, in addition to customer-facing integrations; co-pilot can help build workflow automation better

● Facilitates building interactive workflow automations with Slack, Microsoft Teams, with its customizable platform bot, Workbot

However, there are some points you should consider before going with Workato:

● Lacks an intuitive or robust tool to help identify, diagnose and resolve issues with customer-facing integrations themselves i.e., error tracing and remediation is difficult

● Doesn’t offer sandboxing for building and testing integrations

● Limited ability to handle large, complex enterprise integrations

Finch alternative #4: Paragon

Paragon is another embedded iPaaS that companies have been using to power their integrations as an alternative to Finch.

Pricing: Pricing is available on request based on workspace requirement;

Why you should consider Paragon to ship SaaS integrations:

● Significant reduction in production time and resources required for building integrations, leading to faster time to market

● Fully managed authentication, set under full sets of penetration and testing to secure customers’ data and credentials; managed on-premise deployment to support strictest security requirements

● Provides a fully white-labeled and native-modal UI, in-app integration catalog and headless SDK to support custom UI

However, a few points need to be paid attention to, before making a final choice for Paragon:

● Requires technical knowledge and engineering involvement to custom-code solutions or custom logic to catch and debug errors

● Requires building one integration at a time, and requires engineering to build each integration, reducing the pace of integration, hindering scalability

● Limited UI/UI customization capabilities

Finch alternative #5: Tray.io

Tray.io provides integration and automation capabilities, in addition to being an embedded iPaaS to support API integration.

Pricing: Supports unlimited workflows and usage-based pricing across different tiers starting from 3 workspaces; pricing is based on the plan, usage and add-ons

Why you should consider Tary.io to ship SaaS integrations:

● Supports multiple pre-built integrations and automation templates for different use cases

● Helps build and manage API endpoints and support internal integration use cases in addition to product integrations

● Provides Merlin AI which is an autonomous agent to build automations via chat interface, without the need to write code

However, Tray.io has a few limitations that users need to be aware of:

● Difficult to scale at speed as it requires building one integration at a time and even requires technical expertise

● Data normalization capabilities are rather limited, with additional resources needed for data mapping and transformation

● Limited backend visibility with no access to third-party sandboxes

TL:DR

We have talked about the different providers through which companies can build and ship API integrations, including, unified API, embedded iPaaS, etc. These are all credible alternatives to Finch with diverse strengths, suitable for different use cases. Undoubtedly, the number of integrations supported within employment systems by Finch is quite large, there are other gaps which these alternatives seek to bridge:

Knit: Providing unified apis for different categories, supporting both read and write use cases. A great alternative which doesn’t require a polling infrastructure for data sync (as it has a 100% webhooks based architecture), and also supports in-depth integration management with the ability to rerun syncs and track when records were synced.

Merge: Provides a greater coverage for different integration categories and supports data sync at a higher frequency than Finch, but still requires maintaining a polling infrastructure and limited auth customization.

Workato: Supports a rich catalog of pre-built connectors and can also be used for building and maintaining internal integrations. However, it lacks intuitive error tracing and remediation.

Paragon: Fully managed authentication and fully white labeled UI, but requires technical knowledge and engineering involvement to write custom codes.

Tray.io: Supports multiple pre-built integrations and automation templates and even helps in building and managing API endpoints. But, requires building one integration at a time with limited data normalization capabilities.

Thus, consider the following while choosing a Finch alternative for your SaaS integrations:

● Support for both read and write use-cases

● Security both in terms of data storage and access to data to team members

● Pricing framework, i.e., if it supports usage-based, API call-based, user based, etc.

● Features needed and the speed and scope to scale (1:many and number of integrations supported)

Depending on your requirements, you can choose an alternative which offers a greater number of API categories, higher security measurements, data sync (almost in real time) and normalization, but with customization capabilities.

API Directory
Apr 9, 2024

A Guide toIntegrating with Freshteams API

11
mins

Freshteam API Directory

A cloud based HR software, Freshteam enables organizations with managing employee details, recruitment, on-boarding, time-off, off-boarding, and organization details, among other aspects of their HR processes and practices. With Freshteam API integration, organizations can seamlessly synchronize data between their application and Freshteam to ensure real time updation of employee information across both platforms. It helps capture any changes in employee status, designation, HR policies, etc. across different applications a business uses. 

Freshteam API Authentication, Filtering, Rate Limits

To ensure utmost security and prevent unauthorized access, Freshteam API uses Oauth2.0 for authentication and authorization. Developers can use the Freshteam UI to make calls to the Freshteam authentication server to obtain an access token. This access token can be used to make valid API calls thereon. The access token identifies the requester and the requester’s permission. In the Freshteam domain, the access token is present under Your API Key, which can be copied and used to make API calls. 

Rate limits i.e. the number of API calls that can be made in a minute for Fresteam API are determined by the plan selected by the organization. The rate limit variation for each plan is dependent on the number of subscribed employees for the organization. The trial account has a limit of 10 API calls per minute, which goes on to as high as (100, 2 * number of subscribed employees) API calls per minute for the enterprise plan. Developers or admins can also keep a track of the API calls to understand their usage patterns via:

  • X-ratelimit-total: Permissible number of API calls in a minute.
  • X-ratelimit-remaining: Number of API calls remaining.
  • X-ratelimit-used-currentrequest: Number of API calls consumed by the API request that obtained the response.

There are several endpoints in Freshteam API which retrieve bulk data, especially the ones which are required to List a certain object. In such a case, developers can use pagination parameters to filter data and limit the responses for a streamlined understanding. Developers can select the page value (from which page number they want responses), as well as the number of responses required for each page (default is set at 50). They can also sort the values as ascending or descending or select some other attribute for sorting as well. 

Freshteam API Objects, Data Models & Endpoints

Employees

  • List all employees: GET /employees
  • Create an employee: POST /employees
  • Retrieve employee information: GET /employees/{id}
  • Update employee information: PUT /employees/{id}
  • List all employee fields: GET /employee_fields
  • Create a custom employee field: POST /employee_fields

Common attributes: id, created at, updated at, workstation number, date of birth, gender, address, communication address, designation, phone number, joining date, termination date, first name, last name, status, official email, personal email, employee type, team id, department id, reporting to id, time off, hire reason, marital status, etc. 

Branches

(Used to configure different geographical locations for an organization and associate employees to a branch)

  • List all branches: GET /branches

Common attributes: id, created at, updated at, name, street, state, country code, zip, time zone, currency, language, main office, date format

Departments & Sub-Departments

  • List all departments: GET /departments
  • List all sub-departments: GET /sub_departments

Business Units

  • List all business units: GET /business_units

Common attributes: id, created at, updated at, name, description

Teams

  • List all teams: GET /teams

Levels

  • List all levels: GET /levels

Timeoffs

  • List all timeoffs: GET /time_offs
  • Create a timeoff request: POST /time_offs
  • List all timeoff types: GET /time_off_types
  • Retrieve timeoff information: GET /time_off_types/{id}
  • Cancel A Timeoff Request: PUT /time_off_types/{id}/ cancel
  • Approve A Timeoff Request: PUT /time_off_types/{id}/ approve

Common attributes: id, created at, updated at, start date, end date, status, leave units, leave type id, status comments, comments, attachment, applied by, approved by, rejected by, canceled by, notify to, description, add to calendar, canceled at, optional leave days, applicable for, auto approve, status

Roles

  • List all roles: GET /roles

Job Postings

  • List all job postings: GET /job_postings
  • Retrieve job posting information: GET /job_postings/{id}
  • List all job posting fields: GET /job_posting_fields
  • List all applicant fields: GET /job_postings/{id}/applicant_fields
  • Create an applicant: POST  /job_postings/{id}/applicants

Common attributes: id, created at, updated at, deleted, title, description, status, show_pursue_as_career, closing date, experience, remote, type, salary, branch, department, title, location, skills, requisitions, label, field type, position, candidate, candidate id, first name, last name, date of birth, mobile, phone number, source id, resume, cover letter, portfolio, skype id, content file name, url, gender, profile link, rejected at, archived at, on hold at, on hold till

Candidate Sources

  • List all candidate sources: GET /candidate_sources
  • Create a candidate source: POST /candidate_sources
  • List all candidate source categories: GET ​/candidate_source_categories

Common attributes: id, created at, updated at, deleted, label, default, leads count

User Functions

  • List all user functions: GET /user_functions

New Hires

  • Create a new hire: POST /new_hires
  • Retrieve new hire information: GET /new_hires/{id}
  • Update new hire information: PUT /new_hires/{id}

Common attributes: id, created at, updated at, deleted, first name, middle name, last name, official email, employee id, status, workstation number, designation, joining date, probation start date, probation end date, branch id, team id, department id, sub department id, termination date, termination reason, notice period, notice start date, notice end date, employee type, hired on, no show, no show reason, date of birth, marital status, gender, blood group, emergency contacts, social profiles, address, communication address, phone numbers, job codes, job exempt, scheduled weekly hours, retirement eligibility date, rehire eligibility, rehire status, confirmed, language, branch, team

Freshteam API Use Cases

  • Centralize HR operations with AI-powered virtual agents, self-service solutions and  seamless integration with MS Teams, Slack, and other applications
  • Automate internal processes with easy-to-configure workflows, leading to streamlined work and increased efficiency
  • Leverage 50+ job descriptions out of the box for use to accelerate hiring processes
  • Capture qualitative feedback about candidates along with better candidate relationships through built-in email and a manageable candidate database

Top customers

50,000+ companies from across 120+ countries use Freshteam to power their HR operations and streamline processes to make them efficient, robust and optimized. Here are some of the top customers that are leveraging Freshteam:

  • Gartner, Inc., an American technological research and consulting firm
  • OpeninApp, a smart link generator tool that ensures all social media links open in the apps they should
  • Dymocks Booksellers, an Australian-founded privately owned bookstore chain
  • Valley Medical Center, a 321-bed, acute care community hospital and clinic network
  • Kirat Plastics, a full-service custom plastic injection molding, metal pressing, fabrication, and assembly facility
  • Lot Squared Development, a Washington DC based design-build residential real estate developer 

Freshteam API FAQs

Here is a list of Freshteam API FAQs that developers must understand to make their integration journey more effective and robust:

  • How to use Freshteam Developer API? Answer
  • Where to find Freshteam API key, how to reset it and Scope of an API Key? Answer
  • What are the status and error messages that indicate the success or failure of an API request in Freshteam API? Answer
  • What are the common request header parameters used in requests to Freshteam APIs? Answer
  • What are the API methods that developers interact with for Freshteam API? Answer
  • What are models in Freshteam API? Answer

Common Integrations with Freshteam API 

Businesses, especially those engaged in the employee side of work, are increasingly seeking integration with Freshteam API to streamline data exchange between this HRIS platform and their application. Some of the top use cases and common integrations with Freshteam API include:

  • Recruitment companies which can use the write APIs to update candidate information into Freshteam once a client is hired to ensure the customer’s HRIS is up to date for all onboarding and future requirements
  • Payroll providers can leverage both read APIs to fetch employee information for payroll creation and disbursement, as well as write APIs, to push back data into customer’s Freshteam account to notify that salaries have been paid
  • Rewards and recognition companies which can use integration with Freshteam API to fetch information on employees to seamlessly manage their operations and help end customers build a culture of recognition.  

How to integrate with Freshteam API 

To kickstart the integration journey with Freshteam API, developers can go through this quick start guide. The first step is to create a developer account and join the Freshteam developer community. Next developers need to follow the installation instructions to install the API SDK. Following this it is important to get acquainted with the authorization and authentication protocols to access data and make API calls.  Learn about the terms of use for accessing or using the Freshteam developer portal and understand the different terminology used. For more support and information, businesses can scroll through the Freshteam support page and get answers to their queries. 

Get started with Freshteam API 

Companies that integrate with Freshteam API benefit from the seamless exchange of information between this HRIS platform and their application and have been able to explore multiple use cases for their end customers. However, manually building and maintaining integration with Freshteam API can be a daunting task for developers. Building the integration alone can take 4 weeks on an average and cost USD 10K (considering the cost of software developers, QA engineers, etc.). Further, the cost associated with maintaining the Freshteam API adds another burden on the bottom line, while diverting resources away from core product functionalities and enhancements. And, this is for a single HRIS integration in question here (Freshteam API). Businesses generally need to integrate with multiple HRIS APIs, meeting the demands of their end customers. Here, a unified HRIS API like Knit can enable businesses to easily integrate with multiple HRIS applications with a single connector. By incorporating an additional layer of abstraction, a unified API allows businesses to ship and scale integrations faster and in an efficient manner. Book a discovery call today to learn how developers can integrate with Freshteam API and other HRIS applications within hours and not weeks. 

API Directory
Apr 9, 2024

A Guide to Integrating with Zenefits APIs

11
mins

Zenefits API Directory

TriNet Zenefits is a leading provider of full service HR solutions. It enables small and medium sized companies to administer and manage benefits, HR offerings, including time tracking, onboarding, employee engagement, employee record keeping; payroll; performance and well-being. As a highly sought after HRIS platform, companies have been increasingly integrating with TriNet Zenefits to facilitate seamless exchange of HRIS data, captured by Zenefits, with their own apps to drive diverse use cases. 

Zenefits API Authentication, Filtering, Rate Limits

Owing to the sensitive nature of information held by the HRIS application, including personal identifiable information (PII), Zenefits API ensures that all data scopes are accessed at a granular level. The Zenefits API uses OAuth2 to authenticate and authorize access to information stored in the application. OAuth2 authorizes third party applications to request private details from Zenefits accounts, without passwords. It is limited only to admins and developers receive unique Client ID and Client Secret to access data with integration. 

Zenefits API pagination helps developers define the records needed per page. The developers can use the limit parameter to specify the number of records in a response. The maximum limit can be 100, however, in case the limit is not defined, the default limit is 20. In case the total number of records do not fit into a single page, the next_url field will have a link to the next page with the remaining records. In case the next_url field displays null, then no records exist for subsequent pages. Developers can also use the starting_after or ending_before query parameter to specify pagination based on object ids. The ending_before query parameter is useful for backwards pagination. 

Zenefits API Objects, Data Models & Endpoints

It is extremely important for developers to understand the objects, data models and endpoints when it comes to integrating with Zenefits API. While the overall scope might be large, here are a few which can be considered as a starting point for Zenefits API integration. 

  • Applications: Used to return information about the application

GET https://api.zenefits.com/platform/applications

  • Companies: Used to get information about the company

GET https://api.zenefits.com/core/companies

Fields include: ‘legal_name', 'ein','departments', 'locations'

  • People: Used to return information about a company’s employees

GET https://api.zenefits.com/core/companies/{:company_id}/people

GET http://api.zenefits.com/core/people/{:id} (For information about a single employee)

GET http://api.zenefits.com/core/people (For information for all employees across the company)

Fields include: 'work_email', 'date_of_birth', 'manager', 'department', 'location', 'work_phone', 'status', 'subordinates', 'banks','company', 'employments', 'department', 'location', 'manager', 'banks'

  • Employments: Used to return information about an employee’s employment history

GET https://api.zenefits.com/core/people/{:person_id}/employments

GET https://api.zenefits.com/core/employments/{:employment_id} (For information on a specific employment

GET https://api.zenefits.com/core/employments (For information on all employments across all people)

Fields include: 'termination_type', 'employment_type', 'comp_type', 'annual_salary', 'pay_rate', 'working_hours_per_week','person'

  • Employee Bank Accounts: Used to return information about employee’s bank account

GET https://api.zenefits.com/core/people/{:person_id}/banks

GET http://api.zenefits.com/core/banks/{:bank_id} (For information for a specific bank)

GET http://api.zenefits.com/core/banks (For information for all banks across all people)

  • Departments: Used to return the list of a company’s department

GET https://api.zenefits.com/core/companies/{:id}/departments

GET http://api.zenefits.com/core/departments/{:department_id} (For information regarding a single department:

GET http://api.zenefits.com/core/departments (For information relating to all departments across all companies)

  • Locations: Used to return the list of a company’s location

GET https://api.zenefits.com/core/companies/{:company_id}/locations

GET http://api.zenefits.com/core/locations/{:location_id} (For information relating to a single location)

GET http://api.zenefits.com/core/locations (For information relating to all locations across all companies)

  • Vacation Requests: Used to return information about employees' PTO vacation requests

GET https://api.zenefits.com/time_off/vacation_requests

GET http://api.zenefits.com/time_off/vacation_requests/{:id} (For information relating to a single vacation request)

GET http://api.zenefits.com/time_off/vacation_types/{:vacation_type_id}/vacation_requests/ (For all vacation requests for a single vacation type)

Fields include: 

  • status: Requested, approved, denied, cancelled, deleted
  • vacation_type: Vacation Type for this request, e.g. Jury Duty, Work From Home, Doctor's Appointment
  • start_date: Start date of vacation request (inclusive)
  • end_date: End date of vacation request (inclusive) 
  • creator i.e. Person who filed this vacation request
  • person i.e. Person who this vacation request applies to (often the same as creator)
  • created_date: Date this vacation request was created
  • hours: Number of hours requested, generally calculated at 8 hours a day for multi-day requests and specified manually for single day requests
  • approved_date: Date this request was moved from requested status, either to approved or denied.
  • reason: Note from the person requesting this vacation
  • deny_reason: Note from the approver for why this vacation request was denied. (Only applies if status is denied)

  • Vacation Types: Used to return information about a company's PTO vacation types

GET https://api.zenefits.com/time_off/vacation_types 

GET http://api.zenefits.com/time_off/vacation_types/{:id} (For information relating to a single vacation type)

Fields include:

  • status: Active, deleted
  • vacation_types
  • name: Name of the type
  • company: Company for this vacation type
  • vacation_requests: Vacation Requests for this type
  • counts_as: What account this type counts towards (vacation, sick, personal)

  • Time Durations: Used to return information about a person's T&A hours

GET https://api.zenefits.com/time_attendance/time_durations

GET http://api.zenefits.com/time_attendance/time_durations/{:id} (For information relating to a single time duration object)

Fields include: 

  • person: Person that this time duration is logged for people
  • activity: Activity type (work, meal_break)
  • state: Effective, overridden, deleted, correction
  • valid_status: valid, exceeds, overlapping same day, overlapping previous day, overlapping next day, missing clock out, missing clock in
  • hours: Number of hours logged
  • start: When this time duration started
  • end: When this time duration ended
  • is_overnight: Whether this time duration has been marked as part of an overnight shift
  • is_approved: When this time duration was approved. 
  • approver: Person who approved this time duration

Zenefits API Use Cases

  • Automate onboarding, saving 100s of hours as information gets auto synced to Benefits and Payroll
  • Simplify employee management with organizational charts, company directories allowing employees to update their own records
  • Improve HR processes and decision making with business intelligence reports and insights on turnover, workforce diversity, with understanding of how to pay new hires
  • Simplify the process of providing great benefits to employees, from comprehensive healthcare plans to extra perks like commuter benefits
  • Facilitate time and attendance management with employee scheduling tools, with time off and clocked-in hours automatically syncing Payroll

Zenefits API FAQs

Here is a list of FAQs about TriNet Zenefits API which can help commence and accelerate your integration:

  • What is the software stack of Zenefits? Answer
  • How to address the CORS issue in Angular 8 without changing the backend in Zenefits API? Answer 
  • How to handle New Company Installations in TriNet Zenefits API? Answer
  • How to handle New People's Subscriptions in TriNet Zenefits API? Answer
  • What does Webhooks shared secret vs OAuth client secret mean? Answer
  • How to read and write custom data with Zenefits API? Answer
  • How to issue Access Tokens for Zenefits API authentication and authorization? Answer
  • Where can I find a guidebook for Zenefits integration? Answer
  • Does Zenefits have a public API? Answer
  • What is Zenefits’ App Acceptance Criteria for API integration? Answer
  • Where is the developer portal for Zenefits API? Answer

Common Integrations with Zenefits API 

Several businesses are increasingly building integrations with Zenefits API to power operations for the end customers, facilitated by seamless data exchange, including:

  • Payroll providers to get access to employee information, employment records and agreement terms, compensation details and other relevant information like leaves, time off, etc. 
  • Candidate recruitment companies to push data about selected candidates and relevant information for smooth onboarding
  • Employee engagement companies to fetch employee data, including demographic information, personal and professional details, attendance, etc. 
  • Early wage access providers to get access to employee information, payroll details and even write back data regarding early payments/ deductions for accurate payroll processing

How to integrate with Zenefits API 

To get started with the Zenefit API integration journey, a developer account needs to be created. To create the same, developers can reach out to Zenefits team by dropping an email on this email address. Reaching out on this email ID will take the developers to the next step to get access to a sandboxed Zenefits test company and credentials to start using the API. Once the Zenefits developer account is active, developers can leverage this getting started guide for a detailed overview on REST API, Modules, Webhooks, Authentication and much more.  It is important to read through and understand the App Acceptance Criteria well. The same can be accessed here. At the same time, knowledge of the Zenefits Developer Policy is critical to understand the technical, brand and general requirements and restrictions. 

Get started with Zenefits API 

Integrating with Zenefits API is beneficial for businesses looking to seamlessly exchange data with this leading HRIS provider with bi-directional sync. However, building a custom 1:1 integration can be a complex, time and resource intensive process. The above mentioned steps, restrictions and requirements can all choke up developer bandwidth. Invariably, SaaS businesses today are moving away from building integrations to partnering with unified APIs like Knit. A unified API, in this case for HRIS integrations, enables companies to integrate once and seamlessly connect with multiple HRIS applications, including Zenefits API, without any additional requirements. With a unified HRIS API, maintenance and management of integration with Zenefits and other applications also becomes quite easy. Book a discovery call today to learn how a unified API can help you ship and scale integrations fast. 

Start building with Knit, today

Talk to our sales team for a free tour of Knit!

Book Demo!