Authentication
This page documents the authentication specification for the Protime API, including OIDC discovery, token endpoints, request/response formats, and scope naming conventions.
OIDC discovery
The Protime API implements the OIDC (OpenID Connect) protocol. The discovery document is available at:
https://authentication.<environmentURL>/tenants/<tenantName>/.well-known/openid-configuration
Environment URLs
| Environment | URL |
|---|---|
| Production | myprotime.eu |
| Sandbox | myprotimesandbox.eu |
Token endpoint
https://authentication.<environmentURL>/tenants/<tenantName>/connect/token
Tokens are issued per tenant. Each token is valid for a fixed duration, expressed in seconds in the response.
Supported grant types
The API supports the OAuth 2.0 Client Credentials grant type. For step-by-step instructions on obtaining a token, see How to authenticate.
Token request format
Request headers
POST /tenants/<tenantName>/connect/token HTTP/1.1
Host: authentication.<environmentURL>
Content-Type: application/x-www-form-urlencoded
Request body parameters
| Parameter | Type | Description |
|---|---|---|
| grant_type | string | Must be client_credentials |
| client_id | string | Client-specific client ID (provided by Protime) |
| client_secret | string | Client-specific client secret |
| scope | string | Space-separated list of requested scopes |
Example body (application/x-www-form-urlencoded):
grant_type=client_credentials&client_id=client+specific+client+id&client_secret=client+specific+client+secret&scope=connector-protimeapi-activity-definitions.read+connector-protimeapi-activity-definitions.write+connector-protimeapi-clockings.read
Token response format
| Field | Type | Description |
|---|---|---|
| access_token | string | The JWT access token |
| expires_in | int | Token validity duration in seconds |
| token_type | string | Always Bearer |
| scope | string | Space-separated list of granted scopes |
Example response:
{
"access_token": "eyJ...Uc",
"expires_in": 1800,
"token_type": "Bearer",
"scope": "connector-protimeapi-activity-definitions.read connector-protimeapi-activity-definitions.write connector-protimeapi-clockings.read"
}
Authorization header
The access token is passed via the Authorization header on every API request:
Authorization: Bearer eyJ...Uc
An expired or invalid token results in a 401 response.
Scope naming convention
Scopes follow the pattern:
connector-protimeapi-<collection>.<permission>
| Segment | Description |
|---|---|
| <collection> | The resource collection name (e.g. clockings, activity-definitions) |
| <permission> | Either read or write |
When no scope is specified in the token request, all available scopes are granted by default. Narrowing scopes to only the required permissions is recommended.
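An added example (not Protime's own code) of the scope narrowing recommended above: it builds the token request with explicit scopes only and checks the response before the token is used. The function names are hypothetical, the tenant, credentials and sample response are constructed placeholders, and the request is built but not sent.

```python
import re
import time
from urllib.parse import urlencode

# Page's pattern: connector-protimeapi-<collection>.<permission>.
# Assumption: collections are lowercase words joined by hyphens.
SCOPE_RE = re.compile(r"connector-protimeapi-[a-z]+(?:-[a-z]+)*\.(?:read|write)")

def build_token_request(env_url, tenant, client_id, client_secret, scopes):
    """Return (url, headers, body) for a client_credentials token request."""
    if not scopes:
        # Omitting scope would grant every available scope by default.
        raise ValueError("explicit scopes are required")
    bad = [s for s in scopes if not SCOPE_RE.fullmatch(s)]
    if bad:
        raise ValueError(f"malformed scopes: {bad}")
    url = f"https://authentication.{env_url}/tenants/{tenant}/connect/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(sorted(set(scopes))),
    })
    return url, headers, body

def check_token_response(resp, requested, now=None, margin=60):
    """Return (Authorization header, refresh time) or raise on a bad response."""
    if resp.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    granted = set(resp.get("scope", "").split())
    if granted != set(requested):
        # Extra scopes break least privilege; missing ones will fail later.
        raise ValueError(f"scope mismatch: {sorted(granted ^ set(requested))}")
    now = time.time() if now is None else now
    # Refresh slightly early so a request never carries an expired token (401).
    refresh_at = now + max(int(resp["expires_in"]) - margin, 0)
    return {"Authorization": f"Bearer {resp['access_token']}"}, refresh_at

# Constructed sample values, not real credentials or a real token.
WANTED = ["connector-protimeapi-clockings.read", "connector-protimeapi-clockings.write"]
SAMPLE_RESPONSE = {"access_token": "eyJ...Uc", "expires_in": 1800,
                   "token_type": "Bearer", "scope": " ".join(WANTED)}

if __name__ == "__main__":
    print(build_token_request("myprotimesandbox.eu", "example-tenant",
                              "example-id", "example-secret", WANTED))
    print(check_token_response(SAMPLE_RESPONSE, WANTED, now=0))
```

Load the client secret from a secret store or environment variable rather than from source code, and keep the built body out of logs because it contains that secret.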
Example – requesting only clocking-related scopes:
grant_type=client_credentials&client_id=client+specific+client+id&client_secret=client+specific+client+secret&scope=connector-protimeapi-clockings.read+connector-protimeapi-clockings.write
Scope reference by domain
The following tables list all available scopes grouped by domain. Not every collection supports both read and write; the available permissions reflect the operations the API exposes for each collection.
Time
| Collection | .read | .write |
|---|---|---|
| clockings | connector-protimeapi-clockings.read | connector-protimeapi-clockings.write |
| absences | connector-protimeapi-absences.read | – |
| absence-definitions | connector-protimeapi-absence-definitions.read | – |
| absence-groups | connector-protimeapi-absence-groups.read | – |
| breaks | connector-protimeapi-breaks.read | – |
| break-definitions | connector-protimeapi-break-definitions.read | – |
| work-interruptions | connector-protimeapi-work-interruptions.read | – |
| calculated-totals | connector-protimeapi-calculated-totals.read | – |
| paid-presences | connector-protimeapi-calculated-totals.read | – |
| counters | connector-protimeapi-counters.read | connector-protimeapi-counters.write |
| counter-definitions | connector-protimeapi-counter-definitions.read | connector-protimeapi-counter-definitions.write |
| counter-groups | connector-protimeapi-counter-groups.read | – |
| shift-definitions | connector-protimeapi-shift-definitions.read | – |
Activities
| Collection | .read | .write |
|---|---|---|
| activity-definitions | connector-protimeapi-activity-definitions.read | connector-protimeapi-activity-definitions.write |
| activity-durations | connector-protimeapi-activity-durations.read | connector-protimeapi-activity-durations.write |
People
| Collection | .read | .write |
|---|---|---|
| people | connector-protimeapi-people.read | – |
| people-historical-data | connector-protimeapi-people-historical-data.read | – |
| contracts | connector-protimeapi-contracts.read | – |
Foundation
| Collection | .read | .write |
|---|---|---|
| departments | connector-protimeapi-departments.read | – |
| employers | connector-protimeapi-employers.read | – |
| jobs | connector-protimeapi-jobs.read | – |
| job-categories | connector-protimeapi-job-categories.read | – |
| sectors | connector-protimeapi-sectors.read | – |
| work-locations | connector-protimeapi-work-locations.read | – |
Planning
| Collection | .read | .write |
|---|---|---|
| assignments | connector-protimeapi-assignments.read | connector-protimeapi-assignments.write |
Access
| Collection | .read | .write |
|---|---|---|
| access-clockings | connector-protimeapi-access-clockings.read | – |
Cross-cutting
| Collection | .read | .write |
|---|---|---|
| external-references | connector-protimeapi-external-references.read | connector-protimeapi-external-references.write |
| webhooks | connector-protimeapi-webhooks.read | connector-protimeapi-webhooks.write |