> ## Documentation Index
> Fetch the complete documentation index at: https://docs.toku.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Paychex API Authentication

> How Toku authenticates with the Paychex APIs using OAuth 2.0 client credentials

Toku connects to the [Paychex APIs](https://developer.paychex.com/) using OAuth 2.0 client credentials issued through the Paychex developer program. Access is provisioned per company — there are no self-serve API keys, and none are copied or stored by your team.

## OAuth 2.0 Client Credentials Flow

<Steps>
  <Step title="Provision">
    Toku's connection is provisioned through the [Paychex partner program](https://developer.paychex.com/partner) and authorized for your company by your Paychex administrator during onboarding.
  </Step>

  <Step title="Authenticate">
    Toku's backend exchanges its client ID and secret for a bearer access token using the client credentials grant.
  </Step>

  <Step title="Renew">
    Access tokens are short-lived. There is no refresh-token flow — Toku simply re-acquires a token automatically when one expires, so the connection stays live without any action from your team.
  </Step>
</Steps>

```bash theme={null}
# Token request (performed by Toku's backend)
curl -X POST https://api.paychex.com/auth/oauth/v2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=<toku_client_id>" \
  -d "client_secret=<toku_client_secret>"
```

Authenticated requests carry the token as a bearer header:

```bash theme={null}
curl https://api.paychex.com/companies/<company_id>/workers \
  -H "Authorization: Bearer <access_token>"
```

## Access & Provisioning

Paychex provisions API access through its developer and partner program rather than granular self-service scopes:

| Aspect       | Detail                                                                                     |
| ------------ | ------------------------------------------------------------------------------------------ |
| Access model | Partner credentials provisioned by Paychex, authorized per company                         |
| Data scope   | Company-scoped — Toku can only read data for companies that have authorized the connection |
| Reads        | Workers, pay periods, and checks                                                           |
| Writes       | Worker pay components (the Toku deduction only)                                            |

Your Paychex administrator can revoke Toku's company authorization at any time, which immediately cuts off API access.

## Environments

| Environment | Base URL                  |
| ----------- | ------------------------- |
| Production  | `https://api.paychex.com` |

<Note>
  Toku is integrated through the [Paychex Developer Program](https://developer.paychex.com/) and listed in the [Paychex Marketplace](https://marketplace.paychex.com/). See the [Paychex API Developer Center](https://developer.paychex.com/) to validate any of the calls referenced in this section.
</Note>

## Next

<CardGroup cols={2}>
  <Card title="Worker Sync" icon="users" href="/integrations/paychex/employee-sync">
    How Toku reads your worker roster
  </Card>

  <Card title="Payroll Sync" icon="calendar" href="/integrations/paychex/payroll-sync">
    How Toku tracks pay periods and checks
  </Card>
</CardGroup>
