Oauth scopes help provide secure access to the API. You can better define what data your application can access by assigning the proper scopes to the user ID used in the authentication call.

Scopes provide endpoint access security and work in with conjunction with permissions (roles), which provide access to data and features in the TriNet platform. Each endpoint is assigned to a specific scope and the API will be able to access the data only if the defined scope is assigned to the ID used to make API calls. The "client_id cn companyid emplid mail personid uid" standard scopes are not used in endpoint security.

When obtaining the access token, the list of assigned scopes is also returned:

  "scope": "basic-read client_id cn companyid emplid mail personid uid",
  "expires_in": 59,
  "token_type": "Bearer",
  "refresh_token": "bd27fb0b-5c7a-43ed-b4f8-bdc8af809a9b",
  "access_token": "657e4ddb-b0ec-412a-84f7-f78246d91c39"


Below is a list of all scopes and their endpoints for quick reference. You can also find the available scopes in the Resource Summary section of each API page.

Scope Description Read Write
basic Basic set of APIs read  
benefits Employee benefits information read write
hr-admin HR information read write
hr-new-hire New hire entry   write
hr-pay Employee salary information read  
hr-personal Employee personal information read write
hr-security Security/Role assignments read write
payroll Payroll information read write