Skip to main content

No Pagination

List endpoints (listGrants, getAllWallets, etc.) return all results in a single response. There are no limit, offset, or cursor parameters. Implications:
  • Cache responses locally and refresh periodically
  • Don’t call list endpoints on every page load in your UI
  • For large organizations (1000+ grants), responses may be several MB

Rate Limiting

The API enforces 100 requests per minute per IP address. Strategy:
  • Batch operations where possible (batchUpdateRoleInOrg, bulkUploadMultipleWallets, processBulkTestTransactions)
  • Space out polling intervals (5-15 minutes, not seconds)
  • Implement exponential backoff on 429 responses

Token Refresh

API tokens expire after 30 days. After refresh, the old token has a 7-day grace period.
Set a calendar reminder or cron job to refresh 7 days before expiry. The old token continues working for 7 days after refresh, so there’s no downtime during rotation.

Error Handling

Don’t retry these (fix the request):

  • 400 Bad Request — invalid parameters
  • 401 Unauthorized — token expired or invalid
  • 403 Forbidden — wrong role for this endpoint
  • 404 Not Found — resource doesn’t exist

Retry these (with backoff):

  • 429 Too Many Requests — rate limited
  • 500 Internal Server Error — transient failure

Common error patterns:


Idempotency


Polling Strategy

Without webhooks, poll for changes at appropriate intervals:

External Employee ID

Always set externalEmployeeID when creating recipients. This is your primary key for correlating Toku data with your HRIS:

Multi-Organization

Each API token is scoped to one organization. If you manage multiple orgs, you need a separate token for each. Token scoping is enforced server-side — a token for Org A cannot access Org B’s data.