TriNet APIs support server-to-server interactions such as integrations between TriNet and other applications. In this scenario, an end-user application is not ideal, as most of those integrations occur in the background and user authentication capabilities are limited. For this type of application you will need to have client credentials issued.

Client credentials allow API access that can be limited to a predefined set of information:

  • Scope - read and/or write
  • Endpoints - list of endpoints the integration is allowed to access
  • Company or Companies
  • Quota - TriNet reserves the right to limit the number of calls you are allowed to make for a specified period of time.

These applications follow a basic flow when accessing TriNet:


Provision Client Credentials 

Upon request, TriNet will provision client credentials. You will be provided with a client ID and a client secret.

To obtain client credentials please fill out the form available here.


Obtain an Access Token

Before an application can obtain data using TriNet APIs, it has to obtain an access token from the authorization server. One access token can grant access to multiple APIs.

B2B applications use the OAuth 2.0 Basic Authentication approach to acquire an access token from the TriNet authorization server. In that flow you make a GET call with a Basic Authorization header:
Authorization: Basic <base64("clientId:clientSecret")>

When the call is successful, the access and refresh tokens are granted.

Sample response:

  {
    "refresh_token_expires_in": "0",
    "api_product_list": "[trinet-product]",
    "api_product_list_json": [
      "trinet-product"
    ],
    "organization_name": "trinetapi",
    "": "",
    "token_type": "BearerToken",
    "issued_at": "1578602271626",
    "client_id": "clientId",
    "access_token": "l0jHlkiVl7ZecLjkVHLphdcZ7ZMF",
    "application_name": "2df894e8-2946-4e2a-ae50-aeeaf9b903d0",
    "scope": "basic-read read",
    "expires_in": "3599",
    "refresh_count": "0",
    "status": "approved"
  }


Use the Access Token in All API Calls

After the application obtains an access token, it sends the token in the HTTP Authorization header in "Bearer {access_token}" format.
We also require an additional header, "grant_type", to be present with the value "client_credentials".
Sample cURL command to retrieve all employee details with authorization header:
curl -v -H "authorization: Bearer {access_token}" -H "grant_type: client_credentials" -X GET "{companyId}/employees"

Access tokens are valid only for a limited amount of time, which is specified in the "expires_in" field of the response. We recommend you write your application to anticipate that a token may stop working for one of the following reasons:

  • The token expired (see Refresh the Access Token below for more information).
  • The user's access was revoked and you no longer have the necessary access.


Refresh the Access Token

The refresh access token action is not supported with the client credentials grant. When an access token expires, you have to obtain a new access token with the call described above.
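
The flow described above (obtain a token with Basic authentication, send it with the required headers, and request a new one on expiry because refresh is unsupported), as an added example that is not TriNet's own code. TOKEN_URL is a placeholder because the page does not give the token endpoint; the TokenCache class, the injectable fetch and clock parameters, and the 60-second renewal margin are assumptions made for illustration.

```python
import base64
import json
import time
import urllib.request

# Placeholder: the page does not give the token endpoint URL.
TOKEN_URL = "https://auth.example.invalid/token"

def basic_auth_header(client_id, client_secret):
    """Build 'Basic base64(clientId:clientSecret)' as described on the page."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def http_get(url, headers):
    """Default transport: HTTPS GET returning the response body as text."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

class TokenCache:
    """Caches the access token and re-requests it shortly before expiry."""

    def __init__(self, client_id, client_secret, fetch=http_get,
                 clock=time.monotonic, skew=60):
        self._auth = basic_auth_header(client_id, client_secret)
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token, self._expires_at = None, 0.0

    def invalidate(self):
        """Call after a rejected request so the next call obtains a new token."""
        self._token = None

    def token(self):
        if self._token is None or self._clock() >= self._expires_at:
            data = json.loads(self._fetch(TOKEN_URL, {"Authorization": self._auth}))
            if not data.get("access_token"):
                # Deliberately does not echo the response or the credentials.
                raise RuntimeError("token response carried no access_token")
            # "expires_in" arrives as a string of seconds ("3599" in the sample).
            self._expires_at = self._clock() + int(data["expires_in"]) - self._skew
            self._token = data["access_token"]
        return self._token

    def api_headers(self):
        """Headers the page requires on every API call."""
        return {"Authorization": f"Bearer {self.token()}",
                "grant_type": "client_credentials"}
```

Load the client ID and secret from a secret store or environment variable rather than source code, and call invalidate() when an API call is rejected so a revoked or expired token is not reused.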