Partner Authentication

All 7shifts partners must authenticate using the OAuth 2.0 flow to use 7shifts API endpoints. Please refer to our OAuth guide that outlines how to implement this.

Companies and other non-partner integrators can authenticate to the 7shifts API by providing their API key in the request.


This recent API version does not support API keys

API keys only support V1 endpoints. If you wish to use any V2 endpoint you will need to acquire an OAuth client or an access token.

If you require access to V2 endpoints, please contact [email protected] to acquire an Access Token. Access Token self-administration is coming soon.

Don't have an API key?


Generate an API key by first creating a 7shifts account. Once it's created, navigate to "Company Settings", then "API" and click "Generate".

Your API key carries many privileges, so be sure to keep it secret! Authentication to the API occurs via HTTP Basic Auth. Provide your API key as the basic auth username. You do not need to provide a password. All API requests must be made over HTTPS. Calls made over plain HTTP will fail. You must authenticate for all requests.

OAuth Clients

Creating a token

To make requests against an API, a bearer token must be issued that can be used for API calls. The token request requires a scope, the client ID, and the client secret. Bearer tokens expire after 1 hour. Only request the scopes you intend to use.

curl --request POST --url '' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=CLIENT_ID' \
--data-urlencode 'client_secret=CLIENT_SECRET' \
--data-urlencode 'scope=v1_access ADDITIONAL_SCOPES'

Refreshing a token

Tokens expire after 1 hour from creation. After they expire, you will need to create a new one using the create token process. A refresh token mechanism will be added in the future.

Access Scopes




Required for all V1 endpoint requests


Reading or mutating company object


Reading or mutating departments


Reading or mutating locations


Reading or mutating roles


Reading or mutating users


Reading or mutating sales


Reading or mutating shifts and schedule publishing


Reading or mutating time punches


Reading or mutating schedule events

Making API requests

Once you have acquired a token, you can use it to make API requests.

All requests require two headers to be sent along: the Authorization Bearer header and an x-company-guid header.

The Authorization header includes a valid, unexpired token ISSUED_TOKEN. The x-company-guid header includes a GUID, which is issued to you during the company grant authorization process. The GUID is a 1:1 map to each company ID and a partner OAuth client.

To confirm your access token is valid, you can use the test endpoint. If successful, it will return an identify_id in the payload.

curl --request GET --url '' \
--header 'x-company-guid: GUID' \
--header 'Authorization: Bearer ISSUED_TOKEN'

Below is an example of making a call to list all users in a company.

curl --request GET --url '{COMPANY_ID}/users' \
--header 'x-company-guid: GUID' \
--header 'Authorization: Bearer ISSUED_TOKEN'
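
Because tokens expire after 1 hour and there is no refresh token yet, a client has to re-run the create token request itself and attach both headers to every call. The sketch below is an added example, not 7shifts code: `TOKEN_URL` is a placeholder (the token URL is not shown on this page), the class and helper names are hypothetical, and it assumes the token response carries the standard OAuth 2.0 `access_token` and `expires_in` fields.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://TOKEN_ENDPOINT.example/token"  # placeholder, not the real URL
TOKEN_LIFETIME = 3600  # page: bearer tokens expire after 1 hour
RENEW_MARGIN = 60      # assumption: renew a minute early to avoid racing expiry


def http_post_form(url, fields):
    """POST form-encoded fields over HTTPS and return the decoded JSON body."""
    if not url.lower().startswith("https://"):
        raise ValueError("client_secret must never be sent over plain HTTP")
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    def __init__(self, client_id, client_secret, scopes, company_guid,
                 post=http_post_form, clock=time.monotonic):
        self._creds = (client_id, client_secret)
        self._scope = " ".join(scopes)  # request only the scopes you intend to use
        self._guid = company_guid
        self._post, self._clock = post, clock
        self._token, self._expires_at = None, 0.0

    def _fetch(self):
        reply = self._post(TOKEN_URL, {
            "grant_type": "client_credentials",
            "client_id": self._creds[0],
            "client_secret": self._creds[1],
            "scope": self._scope,
        })
        # Assumed response shape: standard RFC 6749 fields.
        self._token = reply["access_token"]
        lifetime = min(int(reply.get("expires_in", TOKEN_LIFETIME)), TOKEN_LIFETIME)
        self._expires_at = self._clock() + lifetime - RENEW_MARGIN

    def headers(self):
        """Return the two required headers, issuing a new token if the old one is stale."""
        if self._token is None or self._clock() >= self._expires_at:
            self._fetch()
        return {"Authorization": f"Bearer {self._token}",
                "x-company-guid": self._guid}
```

Keep the client secret and the issued token out of logs and source control; `TokenCache` holds them only in memory.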