HomeGuidesAPI ReferenceChangelog
Get API Keys

Introduction

Welcome to Truv’s developer documentation! Here you'll find everything you need to get started with Truv. If you have any questions, email [email protected] or chat with us in the Dashboard.

We support three environments:

  • Sandbox is used for general development. It gives you access to predefined sample data so you can understand exactly what data you'll get back from payroll providers.
  • Development is used to test your integration with live credentials. The number of successful Tasks here is limited to 50 and not billed.
  • Production is used for your production environment; each successful Task is billed.

All API requests should be made to https://prod.truv.com/v1/ regardless of your environment. Your Access key determines what environment your calls will use.

Authentication

Every call to the Truv requires you to use your API keys, which consist of a Client ID and an Access key. Your Client ID will remain the same regardless of your environment, but you will get a different Access key for each environment. You'll be able to tell which key is used for which environment because the key will be prefixed with sandbox, dev, or prod.

All API requests require the X-Access-Client-Id and X-Access-Secret headers which should contain your Client ID and Access key respectively.

Your API keys carry many privileges, so be sure to keep them secure! Do not share your Client ID or Access key with anyone and make sure to never use your API keys in the front end of your application.

Protocols

Truv uses a REST API framework that leverages HTTP requests to communicate and HTTP response codes to indicate statuses and errors. All responses come in standard JSON format. Truv's API is served over HTTPS TLS v1.2+ to ensure data privacy; HTTP and HTTPS with TLS versions below 1.2 are not supported. All requests must include a Content-Type of application/json and the body must be valid JSON.

Security

It’s critical to properly handle identifiers returned by Bridge and direct API endpoints.

Truv's identifiers let you associate API and Provider events with your requests, and will help our support team resolve your support issues faster.

️Make sure access_token is never exposed on the client-side. You should store these tokens securely on the backend and associate them with users of your application.

🚧

User can create multiple access_tokens if they have accounts with multiple payroll providers.

Errors

Our API responses use standard HTTP status codes: 2xx status codes indicate success, 4xx status codes indicate invalid input or invalid action in the current state, and 5xx status codes indicate a rare error on Truv's servers.

HTTP Responses

Code Title Description
200 OK The request was successful.
201 Created The request was successful and a resource was created.
400 Bad Request The request was unacceptable.
401 Unauthorized Missing or invalid credentials.
403 Forbidden Permission denied.
404 Not Found The resource does not exist.
405 Method Not Allowed The request method is known by the server but is not supported by the target resource.
406 Not Acceptable The server cannot produce a response matching the list of acceptable values defined in the request's content negotiation headers.
410 Gone Bridge token is expired.
415 Unsupported Media Type The request's payload format is in an unsupported format.
429 Too Many Requests Too many requests have been sent in a given period of time. Note: There is a per access_token limit that will allow an initial request and 3 refreshed in a 24-hour period. If exceeded, you will receive a error: "Refresh limit for the access_token exceeded".
50X Internal Server Error An error occurred with our API.

Error message format

The response body contains the following fields:

  • code is used to pass the source of the error.
  • message is used to communicate to the end-user what went wrong.
  • invalid-params is a list of form fields and related errors to show to the end user. field parameter indicates UI where the form field error occurred.
Response
    application/json

    400 Bad request
    {
        "error":
        {
            "code": "validation_error",
            "message": "Validation error",
            "extra":
            {
                "invalid-params":
                [
                    {
                        "field": "first_name",
                        "message": "First name is required"
                    },
                    {
                        "field": "last_name",
                        "message": "Last name is required"
                    }
                ]
            }
        }
    }

Response
    application/json

    401 Unauthorized
    {
        "error":
        {
            "code": "expired_token",
            "message": "Public token expired: 48427a36d43c4d5aa6324bc06c692456"
        }
    }

Response
  application/json

403 Forbidden
    {
        "error":
        {
            "code": "incorrect_token",
            "message": "Token is invalid"
        }
    }

Error codes

  • validation_error - any type of erroneous input to the API, including incorrect data format or missing fields
  • expired_token - used when a public token expires after 6 hours.
  • incorrect_token - used when any token (public or access) cannot be matched with internal storage

Rate Limiting

We use rate limiting to safeguard the stability of our API. Our rate limiter allows up to 300 requests per minute per access_key. To increase this limit, please contact us.

Any request over the limit will return a 429 Too Many Requests error.