List endpoints (listGrants, getAllWallets, etc.) return all results in a single response. There are no limit, offset, or cursor parameters.
Implications:
- Cache responses locally and refresh periodically
- Don’t call list endpoints on every page load in your UI
- For large organizations (1000+ grants), responses may be several MB
Rate Limiting
The API enforces 100 requests per minute per IP address.
Strategy:
- Batch operations where possible (
batchUpdateRoleInOrg, bulkUploadMultipleWallets, processBulkTestTransactions)
- Space out polling intervals (5-15 minutes, not seconds)
- Implement exponential backoff on
429 responses
Token Refresh
API tokens expire after 30 days. After refresh, the old token has a 7-day grace period.
Set a calendar reminder or cron job to refresh 7 days before expiry. The old token continues working for 7 days after refresh, so there’s no downtime during rotation.
Error Handling
Don’t retry these (fix the request):
400 Bad Request — invalid parameters
401 Unauthorized — token expired or invalid
403 Forbidden — wrong role for this endpoint
404 Not Found — resource doesn’t exist
Retry these (with backoff):
429 Too Many Requests — rate limited
500 Internal Server Error — transient failure
Common error patterns:
Idempotency
Polling Strategy
Without webhooks, poll for changes at appropriate intervals:
External Employee ID
Always set externalEmployeeID when creating recipients. This is your primary key for correlating Toku data with your HRIS:
Multi-Organization
Each API token is scoped to one organization. If you manage multiple orgs, you need a separate token for each. Token scoping is enforced server-side — a token for Org A cannot access Org B’s data.