
Overview

The Sesame HR API uses Bearer Token authentication. Every API request must include a valid token in the Authorization header.
Authorization: Bearer YOUR_API_TOKEN

Getting Your API Token

  1. Access API Settings: Log in to app.sesametime.com and navigate to Settings > Integrations > API
  2. Create a New Token: Click Create New Token
  3. Copy Your Token: Copy the token; you can use the copy icon
  4. Store Securely: Save the token in your application’s secure configuration (environment variables, secrets manager, etc.)
Security Best Practices
  • Never expose tokens in client-side code, logs, or version control
  • Use environment variables or a secrets manager
  • Create separate tokens for each integration
  • Rotate tokens periodically
  • Revoke tokens immediately when compromised

Making Authenticated Requests

Include your token in every API request:
curl -X GET "https://api-{region}.sesametime.com/core/v3/employees" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"

Verifying Your Token

Test your token by calling the info endpoint:
curl -X GET "https://api-{region}.sesametime.com/core/v3/info" \
  -H "Authorization: Bearer YOUR_API_TOKEN"

Managing Tokens

Listing Active Tokens

View all active tokens in Settings > Integrations > API. Each token shows:
  • Token
  • Active
  • Creation Date
  • Last Used Date

Revoking Tokens

To revoke a token:
  1. Go to Settings > Integrations > API
  2. Find the token to revoke
  3. Click the delete button
  4. Confirm the action
Revoking a token immediately invalidates it. Any applications using that token will receive 401 Unauthorized errors.

Authentication Errors

Status | Error         | Cause                    | Solution
401    | Unauthorized  | Missing or invalid token | Check token is correct and not deleted
401    | Token Expired | Token has been revoked   | Generate a new token

If you receive a 401, work through these checks:
  1. Check token format: Ensure the header is exactly Authorization: Bearer YOUR_TOKEN (note the space after “Bearer”)
  2. Verify token is active: Check in the dashboard that the token hasn’t been deleted
  3. Check region: Ensure you’re using the correct API region for your account
  4. Check for typos: Copy the token again from the dashboard
  5. Check encoding: Ensure no extra characters or whitespace were added
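The request and verification flow from "Making Authenticated Requests" and "Verifying Your Token", together with the 401 handling from this section, as an added example (not code from the Sesame HR docs). It assumes the environment variable names SESAME_API_TOKEN and SESAME_REGION, and that a revoked token's 401 body contains the word "expired"; it strips stray whitespace before building the header and never logs the full token.

```python
import json
import os
import urllib.error
import urllib.request

# Region placeholder follows the page's URL pattern; the variable names are assumed.
def base_url(region: str) -> str:
    return f"https://api-{region}.sesametime.com/core/v3"

def load_token(env=os.environ) -> str:
    """Read SESAME_API_TOKEN (assumed name) and reject empty or malformed values."""
    raw = env.get("SESAME_API_TOKEN")
    if raw is None or raw.strip() == "":
        raise RuntimeError("SESAME_API_TOKEN is not set")
    token = raw.strip()  # trailing newline from a copy/paste is a common 401 cause
    if any(c.isspace() for c in token):
        raise RuntimeError("SESAME_API_TOKEN contains embedded whitespace")
    return token

def auth_header(token: str) -> dict:
    """Exactly 'Bearer', one space, then the token, as the API requires."""
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

def mask(token: str) -> str:
    """Log-safe form of the token: only a short prefix is ever written out."""
    return token[:4] + "..." if len(token) > 4 else "****"

def classify_auth_failure(status: int, body: str) -> str:
    """Map a failed response to an actionable message that carries no secret."""
    if status == 401:
        if "expired" in body.lower():  # assumption about the revoked-token body
            return "token revoked: generate a new token in Settings > Integrations > API"
        return "unauthorized: check the token and the 'Bearer <token>' header format"
    return f"unexpected status {status}"

def verify_token(region: str, token: str, timeout: float = 10.0) -> dict:
    """GET /core/v3/info with the Bearer token; raise a masked error on failure."""
    req = urllib.request.Request(base_url(region) + "/info", headers=auth_header(token))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        body = exc.read().decode("utf-8", errors="replace")
        msg = classify_auth_failure(exc.code, body)
        raise RuntimeError(f"token {mask(token)}: {msg}") from exc

if __name__ == "__main__":
    # Both variables must be set; nothing here defaults to a real region or token.
    print(verify_token(os.environ["SESAME_REGION"], load_token()))
```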

Security Recommendations

Environment Variables

Store tokens in environment variables, never in code

Secrets Manager

Use AWS Secrets Manager, HashiCorp Vault, or similar for production

Token Rotation

Rotate tokens every 90 days as a security best practice

Audit Logs

Monitor API usage in your Sesame HR dashboard