Frequently Asked Questions
If the callback fails for any reason you will need to send the user through the auth flow again.
This redirect URI endpoint is where you will receive the OAUTH2 auth code. The auth code will then need to be exchanged for the OAUTH2 access token. The access token can then be used in subsequent calls to retrieve data from enableHR.
The OAuth 2.0 spec (section 3.1.2 of RFC 6749) requires that a
redirection URI must be an absolute URI. The use of wildcards in
redirect URI is not supported.
enableHR Open API support integrations via three-legged OAuth2. We
support the authorization_code grant and refresh_tokens
Access tokens are valid for 30 minutes
Unused refresh tokens expire after 14 days. If you don't refresh your
access token within 14 days the user will need to reauthorize your
app. When you perform a token refresh, you should replace your
existing refresh token with the new one returned in the response. If
for whatever reason, you don't receive the response you can retry
refreshing your existing refresh token for a grace period of 30
minutes.
You can use any OAUTH2 client to connect to our Authentication Authorisation Server (AAS). We have used Spring Security OAUTH, Spring Security 5 libraries, and POSTMAN to test our API’s
The configurations you would need to connect to our AAS are as follows:
| Item | Comments |
| Client ID | We will provide this to customer |
| Client Secret | We will provide this to customer |
| Client Authentication Method | Basic |
| Redirect Uri Template | A URL on customer server where we redirect to once their user has authenticated an approved access. Customer will provide this to us |
| Authorization Uri | https://login.enablehr.com/oauth/authorize |
| Token Uri | https://login.enablehr.com/oauth/token |
| Check Token Uri | https://login.enablehr.com/oauth/check_token |
| User Info Uri | https://rest.enablehr.com/users/self |
On your website, there would be a link to connect to enableHR. When the user clicks on the link they would be redirected to https://login.enablehr.com/oauth/authorize?client_id=<CLIENT ID>r&redirect_uri=<YOUR REDIRECT URI>&response_type=code&scope=<SCOPES REQUESTED>&state=<SOME STATE TO VERIFY>.
This will bring up the enable HR login page. Users will have to type in their username and password and approve any scopes that were requested above.
When the user login to our Authentication and Authorisation Server, an approvals screen will appear and the user will need to approve the scopes prior to retrieving the token. If no scopes are approved you will not receive a token.
If this is successful a code will be provided in the redirect URI https://<YOUR REDIRECT URI>?code=N_aFQt&state=<SOME STATE TO VERIFY>.
You can use the code to now get the access token and refresh token from the Token Uri given above. You can verify the token using the Check Token Uri given above.
Any subsequent calls to our https://rest.enablehr.com would use the above Access Token in the Authentication header. Authentication: Bearer <the access token goes here>. And the scopes requested are from our YAML.
Client ID is shared via email to an authorised user. Client Secret is shared via email within the attached zip file. The zip file is encrypted and the password to open the file will be provided to you by SMS to the authorised user. The zip file contains one line which is the client secret. You will need to ensure to keep this safe as this will allow an intruder to access your data on enableHR.
