This is typically a webserver application. To grant the access rights, the user is required to log in to TriNet and consent to using APIs. This type of application can be used when there are multiple users who will access the application using their own credentials. Each employee’s assigned TriNet permissions (roles) determine that user’s access level.

These applications follow this basic flow when accessing TriNet:

Obtain an Access Token

Before an application can obtain data using TriNet APIs, it has to obtain an access token from the authorization server. One access token can grant access to multiple APIs.

End-user applications must authenticate when the user logs in to TriNet using following URL: https://gateway.hrpassport.com/trinetAuth/services/v1.0/authorization/oauth2/authorize?client_id={client_id}&scope={scope}&redirect_uri={redirect_uri}

where:

  • {client_id} is your client ID provided by TriNet during setup.
  • {scope} is currently not implemented.
  • {redirect_uri) is the URI the application should be redirected to after successful logon. See details below.   

If the user grants permission, the TriNet authorization server sends the authorization code to the redirect_uri provided in the request.

Once the application receives the authorization code, it must make another call (POST) to the following URL to obtain the access token: https://gateway.hrpassport.com/trinetAuth/services/v1.0/authorization/oauth2/access-token/{authorization code}

Sample request payload:

{
"clientId": "clientId",
"clientSecret": "clientSecret",
"scope": "scope",
"refirect_uri": "redirect_uri"
}

When the call is successful, the access and refresh tokens are granted.

Sample response:

{
  "scope": "client_id cn companyid emplid mail personid uid",
  "expires_in": 59,
  "token_type": "Bearer",
  "refresh_token": "bd27fb0b-5c7a-43ed-b4f8-bdc8af809a9b",
  "access_token": "657e4ddb-b0ec-412a-84f7-f78246d91c39"
}

 

Use the Access Token in All API Calls

After the application obtains an access token, it sends it in HTTP authorization header. Access token are valid only for limited amount of time, which is specified in the "expires_in" field of the response. We recommend you write your application to anticate that a token may stop working for one of the following reasons:
  • The token expired (see Refresh the Access Token below for more information).
  • The user's access was revoked and you no longer have the necessary access.

Refresh the Access Token

When an access token expires, you can use a refresh token to obtain a new one. To obtain a new access token, call (POST) to the following URL: https://gateway.hrpassport.com/trinetAuth/services/v1.0/authorization/oauth2/refresh-token?client_id={client_id}&client_secret={client_secret}&refresh_token={refresh_token}

You will be granted a new access token and refresh token to use. Refresh tokens are valid for 8 days. If the refresh token expires, you will need to authenticate again.