Skip to main content
Toku connects to Gusto as an authorized application using Gusto’s OAuth 2.0 flow. Your Gusto admin signs in once to authorize the connection — no API keys are copied or stored by your team.

OAuth 2.0 Flow

1

Authorize

From the Toku dashboard, your admin is redirected to Gusto’s consent screen, which lists every scope Toku requests.
2

Exchange

Gusto redirects back with an authorization code, which Toku’s backend exchanges for an access token and refresh token.
3

Refresh

Access tokens are short-lived. Toku rotates them automatically using the refresh token — the connection stays live without re-authorization.
Authenticated requests carry the token as a bearer header and pin a dated API version:

Scopes

Gusto enforces granular, per-resource scopes. Toku requests the minimum set needed for stablecoin payroll: Any call outside these scopes is rejected by Gusto. You can revoke Toku’s authorization at any time from your Gusto account, which immediately invalidates all tokens.

Environments

Toku is integrated through the Gusto Developer Portal partner process, including Gusto’s security review. See Gusto’s API documentation to validate any of the calls referenced in this section.

Next

Employee Sync

How Toku reads your employee roster

Payroll Sync

How Toku tracks pay periods and payroll status