OAuth 2.0 Flow
1
Authorize
From the Toku dashboard, your admin is redirected to Gusto’s consent screen, which lists every scope Toku requests.
2
Exchange
Gusto redirects back with an authorization code, which Toku’s backend exchanges for an access token and refresh token.
3
Refresh
Access tokens are short-lived. Toku rotates them automatically using the refresh token — the connection stays live without re-authorization.
Scopes
Gusto enforces granular, per-resource scopes. Toku requests the minimum set needed for stablecoin payroll:
Any call outside these scopes is rejected by Gusto. You can revoke Toku’s authorization at any time from your Gusto account, which immediately invalidates all tokens.
Environments
Toku is integrated through the Gusto Developer Portal partner process, including Gusto’s security review. See Gusto’s API documentation to validate any of the calls referenced in this section.
Next
Employee Sync
How Toku reads your employee roster
Payroll Sync
How Toku tracks pay periods and payroll status
