Authentication
The TempClock API uses Bearer token authentication. Every request must include a valid API key in the Authorization header.
Bearer Token Authentication
All API requests must include an Authorization header with a Bearer token. Your API key will be provided to you by TempClock.
API Key Format
TempClock API keys follow a consistent format that makes them easy to identify:
| Part | Description |
|---|---|
| tc_live_ | Fixed prefix identifying this as a TempClock live API key |
| 40 hex chars | Randomly generated hexadecimal string unique to your key |
Total key length: 48 characters (8-character prefix + 40-character hex string).
Where to Get API Keys
API keys are created and issued by TempClock. To get an API key for your account, contact TempClock and we will generate one for you.
Contact TempClock
Get in touch to request API access for your account. Let us know what integrations you are planning so we can set up the right access.
Receive your API key
We will enable API access for your account and provide you with a securely generated API key. Each key is named for easy identification (e.g. "Payroll Integration").
Store it securely
Your API key will only be shown once when it is created. Store it in a secure location such as a password manager or secrets vault. Never commit it to version control or share it publicly.
View your keys
Once issued, you can view your active API keys and their status in your manage portal under Settings > API Keys. To request new keys or revoke existing ones, contact TempClock.
Example Request
Here is a complete example of an authenticated request using cURL:
If the key is valid, you will receive a 200 OK response with JSON data. If authentication fails, you will receive a 401 Unauthorized error.
Successful response:
Failed authentication response:
Scopes
Scopes let you restrict what an API key can access. When you create a key, you can assign specific scopes to limit its permissions. If no scopes are assigned, the key has full access to all endpoints.
| Scope | Access |
|---|---|
| workers:read | List and retrieve worker details |
| timesheets:read | List time entries and timesheet data |
| locations:read | List and retrieve location details |
| clock:write | Clock workers in and out |
| shifts:read | List and retrieve shift data |
| shifts:write | Create and modify shifts |
| departments:read | List departments |
| cost-codes:read | List cost codes |
| (empty) | Full access to all endpoints — no restrictions |
If a key attempts to access an endpoint outside its allowed scopes, the API returns a 403 Forbidden response:
Key Security Best Practices
Your API key provides access to sensitive workforce data. Treat it like a password and follow these security practices:
Never commit keys to version control
Do not hard-code API keys in your source code or commit them to Git repositories. Even private repositories can be compromised. Add your key file to .gitignore.
Use environment variables
Store your API key in an environment variable and reference it in your code:
Rotate keys regularly
If you suspect a key has been compromised, contact TempClock immediately to have it revoked and a replacement issued. Keys can be set with expiry dates for additional security.
Restrict scopes
Create separate keys for different integrations, each with only the scopes it needs. A read-only reporting tool should not have clock:write access.
Use separate keys per environment
Use different API keys for development, staging, and production. This limits exposure if a non-production key is leaked, and makes it easier to track usage per environment.
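The "Never commit keys to version control" and "Use environment variables" practices above, as an added example that is not TempClock's own code: a scanner for key-shaped strings built on the format documented on this page, plus a loader that reads the key from the environment and builds the Authorization header. The variable name TEMPCLOCK_API_KEY, the acceptance of upper-case hex digits and the sample data are assumptions.

```python
import os
import re

# Format from this page: "tc_live_" + 40 hex characters = 48 characters.
# Assumption: hex digits may be upper or lower case (the page does not say).
KEY_RE = re.compile(r"tc_live_[0-9a-fA-F]{40}(?![0-9a-fA-F])")
ENV_VAR = "TEMPCLOCK_API_KEY"  # hypothetical variable name, not from the page

SAMPLE_KEY = "tc_live_" + "ab12" * 10  # constructed, not a real key
SAMPLE_FILE = (  # constructed source file used as scanner input
    "import os\n"
    f'API_KEY = "{SAMPLE_KEY}"\n'                  # hard-coded key: flagged
    'API_KEY = os.environ["TEMPCLOCK_API_KEY"]\n'  # no key material: clean
    "token = tc_live_deadbeef\n"                   # too short: not a key
)


def redact(key):
    """Keep the prefix and last 4 characters so a finding can be traced."""
    return key[:8] + "*" * 36 + key[-4:]


def find_keys(text):
    """Return (line_number, redacted_key) for each key-shaped string."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, redact(match.group(0))))
    return hits


def auth_header(environ=os.environ):
    """Build the Authorization header from the environment, not from source."""
    key = environ.get(ENV_VAR, "").strip()
    if not KEY_RE.fullmatch(key):
        # Fail closed without echoing the bad value into logs.
        raise ValueError(f"{ENV_VAR} is missing or not a 48-character key")
    return {"Authorization": f"Bearer {key}"}


if __name__ == "__main__":
    for lineno, key in find_keys(SAMPLE_FILE):
        print(f"line {lineno}: possible TempClock API key {key}")
```

Run `find_keys` over staged files in a pre-commit hook or CI job and fail the build on any hit; findings are redacted so the scanner's own output does not leak the key.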
CORS
The API supports Cross-Origin Resource Sharing (CORS) with a wildcard origin (Access-Control-Allow-Origin: *). This means you can call the API from browser-based applications.