Introduction
This article is part of a series on HRIS APIs. In this post, we focus on a common requirement, retrieving employee leave data, and explain how far the OneLogin API can support this use case. The short answer is that OneLogin is an identity provider, not an HR system, so it can supply the user directory you link leave records to but not the leave records themselves.
Prerequisites
Before you begin, make sure you have:
- Access to a OneLogin account with API permissions enabled
- A valid OneLogin API client (Client ID and Client Secret)
- Python installed on your system
- The `requests` library available in your Python environment
API Endpoints
- Base URL: https://api.onelogin.com (OneLogin serves US and EU tenants from region-specific hosts such as https://api.us.onelogin.com and https://api.eu.onelogin.com; use the one that matches your account)
- Authentication Endpoint: /auth/oauth2/v2/token
- User Data Endpoint: /api/1/users
Step-by-Step Process
Step 1: Authenticate and Obtain an Access Token
Use the OAuth 2.0 client credentials flow to retrieve an access token. OneLogin's v2 token endpoint takes the client ID and secret as HTTP Basic credentials and a JSON body that names the grant type; the response carries the token together with expires_in, the number of seconds it remains valid.

```python
import os
import requests

# Read credentials from the environment (or a secrets manager) rather than hardcoding them.
client_id = os.environ['ONELOGIN_CLIENT_ID']
client_secret = os.environ['ONELOGIN_CLIENT_SECRET']

auth_url = 'https://api.onelogin.com/auth/oauth2/v2/token'
auth_headers = {'Content-Type': 'application/json'}
auth_data = {'grant_type': 'client_credentials'}

# Client ID and secret travel as HTTP Basic credentials; never log them.
response = requests.post(auth_url, auth=(client_id, client_secret),
                         headers=auth_headers, json=auth_data, timeout=10)
response.raise_for_status()  # a 401 here means the client credentials were rejected

token_payload = response.json()
access_token = token_payload['access_token']
expires_in = token_payload.get('expires_in')  # seconds until the token must be reissued
```

Step 2: Fetch User Data
Once authenticated, use the access token to retrieve user records from OneLogin.
```python
user_url = 'https://api.onelogin.com/api/1/users'
user_headers = {'Authorization': f'Bearer {access_token}'}

user_response = requests.get(user_url, headers=user_headers, timeout=10)
user_response.raise_for_status()  # surface 401/403/429 instead of parsing an error body

payload = user_response.json()
users = payload['data']  # v1 responses wrap the records in "data"
# A non-null after_cursor means there are more pages; pass it back as ?after_cursor=...
after_cursor = payload.get('pagination', {}).get('after_cursor')
```

This endpoint returns identity-related information such as user IDs, names, email addresses, roles, and status. Note that a single call returns only the first page of the directory; the pagination block in the response tells you whether more records remain.
Step 3: Extract Leave Data (Key Limitation)
At this stage, it’s important to set expectations clearly:
OneLogin does not provide employee leave or attendance data through its API.
If your use case requires leave information, you will need to:
- Integrate with a dedicated HR or payroll system that manages leave
- Use OneLogin user IDs or email addresses as the linking key between systems (normalize email case before matching, and prefer a stable identifier such as an employee number where both systems carry one, since email addresses change on renames)
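The three steps above, as one added example that is not code from the original article or from OneLogin or Knit: it pages through the v1 users endpoint, treats 401/403 and unexpected status codes as hard failures, retries a throttled request a bounded number of times, and then joins the directory to leave records that come from a separate HR system, keyed by normalized email. The HTTP transport is injected so the paging and error logic runs offline against constructed data; `FakeOneLogin`, `LEAVE_RECORDS`, the region host in `ONELOGIN_BASE`, and the 429/Retry-After throttling behaviour are all assumptions made for the example, not documented OneLogin behaviour.

```python
"""Added example: page OneLogin's v1 users API and join it to external leave data."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumption: a region-specific OneLogin API host; adjust for your tenant.
ONELOGIN_BASE = "https://api.us.onelogin.com"


@dataclass
class HttpResponse:
    status_code: int
    body: dict
    headers: Dict[str, str] = field(default_factory=dict)


# transport(url, query_params, headers) -> HttpResponse
Transport = Callable[[str, Dict[str, str], Dict[str, str]], HttpResponse]


def requests_transport(url: str, params: Dict[str, str], headers: Dict[str, str]) -> HttpResponse:
    """Live transport built on requests (imported lazily so the offline demo needs no network)."""
    import requests
    r = requests.get(url, params=params, headers=headers, timeout=10)
    return HttpResponse(r.status_code, r.json() if r.content else {}, dict(r.headers))


def list_users(transport: Transport, access_token: str, base_url: str = ONELOGIN_BASE,
               max_pages: int = 100, max_retries: int = 3,
               sleep: Callable[[float], None] = time.sleep) -> List[dict]:
    """Fetch every user by following v1 cursor pagination (pagination.after_cursor -> ?after_cursor=).

    Auth failures raise immediately, a 429 is retried a bounded number of times, and the
    page count is capped so a misbehaving cursor cannot loop forever. The 429/Retry-After
    handling is an assumption about how throttling is reported.
    """
    headers = {"Authorization": f"Bearer {access_token}"}
    params: Dict[str, str] = {}
    users: List[dict] = []
    retries = 0
    for _ in range(max_pages):
        resp = transport(f"{base_url}/api/1/users", params, headers)
        if resp.status_code == 429:
            if retries >= max_retries:
                raise RuntimeError("rate limited too many times; slow the sync down")
            retries += 1
            sleep(float(resp.headers.get("Retry-After", "1")))
            continue
        if resp.status_code in (401, 403):
            raise PermissionError(f"OneLogin rejected the token (HTTP {resp.status_code})")
        if resp.status_code != 200:
            raise RuntimeError(f"unexpected HTTP {resp.status_code}: {resp.body}")
        retries = 0
        users.extend(resp.body.get("data", []))
        cursor = (resp.body.get("pagination") or {}).get("after_cursor")
        if not cursor:
            return users
        params = {"after_cursor": cursor}
    raise RuntimeError(f"gave up after {max_pages} pages; cursor never terminated")


def join_leave(users: List[dict], leave_records: List[dict]) -> List[dict]:
    """Attach leave records from the HR system to OneLogin users, keyed by normalized email.

    OneLogin carries no leave data of its own; this join is the integration the article describes.
    """
    by_email: Dict[str, List[dict]] = {}
    for rec in leave_records:
        by_email.setdefault(rec["email"].strip().lower(), []).append(rec)
    joined = []
    for u in users:
        email = (u.get("email") or "").strip().lower()
        joined.append({"onelogin_id": u["id"], "email": email,
                       "status": u.get("status"), "leave": by_email.get(email, [])})
    return joined


class FakeOneLogin:
    """Constructed stand-in for the users endpoint: one throttle, then two pages of users."""
    PAGES = {
        None: {"status": {"code": 200}, "pagination": {"after_cursor": "cursor-2"},
               "data": [{"id": 101, "email": "ana@example.com", "status": 1}]},
        "cursor-2": {"status": {"code": 200}, "pagination": {"after_cursor": None},
                     "data": [{"id": 102, "email": "Bo@Example.com", "status": 1}]},
    }

    def __init__(self) -> None:
        self.calls = 0
        self.throttled = False

    def __call__(self, url: str, params: Dict[str, str], headers: Dict[str, str]) -> HttpResponse:
        self.calls += 1
        if headers.get("Authorization") != "Bearer good-token":
            return HttpResponse(401, {"status": {"code": 401, "message": "Unauthorized"}})
        if not self.throttled:  # the first authorized call is throttled once
            self.throttled = True
            return HttpResponse(429, {"status": {"code": 429}}, {"Retry-After": "0"})
        return HttpResponse(200, self.PAGES[params.get("after_cursor")])


# Constructed leave records as an HR system might export them (not OneLogin data).
LEAVE_RECORDS = [
    {"email": "bo@example.com", "type": "annual", "start": "2024-07-01", "end": "2024-07-05"},
]


def demo() -> List[dict]:
    fake = FakeOneLogin()
    users = list_users(fake, "good-token", base_url="https://fake.local", sleep=lambda s: None)
    return join_leave(users, LEAVE_RECORDS)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

To run against a real tenant, pass `requests_transport` and the access token from Step 1 to `list_users` and leave `base_url` at the host for your region. Keeping the transport injectable is also what lets you unit-test the pagination and throttling paths without credentials.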
Common Pitfalls
- Treating OneLogin as an HR system rather than an identity provider
- Assuming leave or attendance data is available in user objects
- Failing to refresh or reissue access tokens after expiration
- Not validating API response status codes before processing data
- Ignoring pagination when fetching large user directories
- Hardcoding API credentials instead of securing them properly
- Overlooking OneLogin API rate limits during bulk syncs
FAQs
Q: How do I get API credentials for OneLogin?
A: Log in to OneLogin and navigate to Settings → API to create a client and obtain your Client ID and Client Secret.
Q: What happens when the access token expires?
A: The token response includes expires_in, the number of seconds the token remains valid. Track that value and obtain a new token before it lapses, either by re-running the client credentials flow or by using the refresh token grant that the same token endpoint supports; treat a 401 on a data request as the signal that the token is no longer accepted.
Q: Can OneLogin provide employee leave or attendance data?
A: No. OneLogin does not manage or expose leave data via its API.
Q: How should I handle pagination when fetching users?
A: Each v1 response carries a pagination block; while its after_cursor is non-null, repeat the request with that value as the after_cursor query parameter. Cap the number of pages you will follow so a misbehaving cursor cannot turn a sync into an infinite loop.
Q: Are there rate limits on the OneLogin API?
A: Yes. Rate limits apply and should be handled according to OneLogin’s API documentation.
Q: Is this API suitable for production use?
A: Yes, provided you follow security best practices and handle tokens, rate limits, and errors correctly.
Q: What response format does the OneLogin API use?
A: All responses are returned in JSON format.
Knit for OneLogin API Integration
If you’re looking to avoid managing OAuth flows, token refresh logic, pagination, and long-term maintenance, Knit provides a streamlined alternative.
By integrating with Knit once, you can access OneLogin data through a unified API layer. Knit handles authentication, authorization, and ongoing integration upkeep, allowing teams to focus on downstream workflows rather than infrastructure complexity.