> ## Documentation Index
> Fetch the complete documentation index at: https://docs.toku.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Papaya Global API Authentication

> How Toku authenticates with Papaya Global using per-environment API credentials and short-lived JWT access tokens

Toku connects to Papaya Global's **Workforce OS** platform using API credentials that Papaya's integration support team provisions specifically for the Toku connection. Credentials are issued per environment — no shared or personal logins are used.

## Credentials

Papaya issues three values for each environment:

| Credential    | Purpose                                                       |
| ------------- | ------------------------------------------------------------- |
| API key       | Identifies the Toku integration to Papaya's API gateway       |
| Client ID     | Identifies the client application in the token exchange       |
| Client secret | Proves the client's identity — stored encrypted, never logged |

## Token Flow

<Steps>
  <Step title="Provision">
    Papaya integration support issues the API key, Client ID, and client secret for the Toku connection — one set per environment (sandbox and production).
  </Step>

  <Step title="Exchange">
    Toku's backend exchanges the client credentials at Papaya's token endpoint for a JWT access token.
  </Step>

  <Step title="Refresh">
    Access tokens are valid for 24 hours. Toku requests a fresh token automatically before expiry — the connection stays live without manual intervention.
  </Step>
</Steps>

```bash theme={null}
# Token exchange (performed by Toku's backend)
# The exact token endpoint path is provisioned by Papaya per environment
curl -X POST "https://api.papayaglobal.com/<token_endpoint>/token" \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "<toku_client_id>",
    "client_secret": "<toku_client_secret>"
  }'
```

Authenticated requests carry the JWT as a bearer header over HTTPS:

```bash theme={null}
curl "https://api.papayaglobal.com/<resource>" \
  -H "Authorization: Bearer <access_token>"
```

## Environments

| Environment | Used for                                        |
| ----------- | ----------------------------------------------- |
| Sandbox     | Implementation testing with non-production data |
| Production  | The live Toku connection                        |

Each environment has its own credential set, so sandbox testing can never touch production payroll data. Credentials can be revoked by Papaya at any time, which immediately invalidates all tokens.

<Note>
  Papaya's public developer documentation at [docs.papayaglobal.com](https://docs.papayaglobal.com) covers its Workforce Payments APIs. Worker and payroll data exchange for the Toku connection is arranged through Papaya's [Integration Center](https://www.papayaglobal.com/connectors/) and provisioned with Papaya's integration support during implementation.
</Note>

## Next

<CardGroup cols={2}>
  <Card title="Worker Sync" icon="users" href="/integrations/papaya-global/employee-sync">
    How Toku reads your worker roster
  </Card>

  <Card title="Payroll Sync" icon="calendar" href="/integrations/papaya-global/payroll-sync">
    How Toku tracks payroll cycles and G2N data
  </Card>
</CardGroup>
