Skip to main content
To access the Shiftsheet public API, you must authenticate your requests using an API Key. API Keys carry the same privileges as your Company Admin account, so they should be kept secure. Never expose your API keys in client-side code, public repositories, or frontend applications.

Obtaining an API Key

  1. Log in to your Shiftsheet Dashboard as a Company Admin.
  2. Navigate to Settings > Integrations & API.
  3. Under the API Keys tab, click Generate Key.
  4. Provide a descriptive name for the key (e.g., “Zapier Integration”).
  5. Copy the generated key. This is the only time the full key will be shown to you.
If you lose a key, you must revoke it and generate a new one.

Making Authenticated Requests

The Shiftsheet API uses standard HTTP Authorization headers. You must pass your API key as a Bearer token in every request.
cURL
curl --request GET \
  --url https://api.shiftsheet.com/api/v1/timesheets \
  --header 'Authorization: Bearer ss_live_your_api_key_here'
Node.js
const response = await fetch('https://api.shiftsheet.com/api/v1/timesheets', {
  headers: {
    'Authorization': 'Bearer ss_live_your_api_key_here',
    'Content-Type': 'application/json'
  }
});
const data = await response.json();

Error Codes

If authentication fails, the API will return one of the following standard HTTP status codes:
401 Unauthorized
Error
The API key is missing, invalid, or was not formatted as a Bearer token.
403 Forbidden
Error
The API key is valid, but it has been revoked or the account no longer has permissions to perform the requested action.