Authentication

All API requests must be authenticated. The Zeitstrom API supports multiple authentication methods depending on your use case.

HEADER Authorization: Token ...

API Token

API tokens provide long-lived, scoped access to the API. Each token can be restricted to specific endpoints, giving you fine-grained control over what an integration is allowed to do.

Include the token in the Authorization header of every request:

Authorization Header

curl -X GET "https://api.zeitstrom.com/api/v2/employees/employees/" \
  -H "Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b"

Token Permissions

Each API token has a permissions field that controls which endpoints it can access. When a token does not have permission for a given endpoint, the API returns a 403 Forbidden response.
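The following is an added example, not part of the Zeitstrom documentation: a small shell wrapper that sends the `Authorization: Token` header through curl's `--config -` (stdin) so the token does not appear in the process list or shell history, and reports a 403 as a token-permissions problem. The function names, the `ZEITSTROM_TOKEN` environment variable and the alphanumeric-only token check (inferred from the sample token above) are assumptions.

```shell
#!/bin/sh
# Added example, not Zeitstrom's code. Assumptions: the token is supplied in
# the ZEITSTROM_TOKEN environment variable and is purely alphanumeric.
ZS_BASE="https://api.zeitstrom.com"

# Emit a curl config line carrying the Authorization header. Anything outside
# [A-Za-z0-9] is rejected so a stray quote or newline in the token cannot
# inject extra headers or curl config directives.
zs_auth_config() {
  token=$1
  case $token in
    ''|*[!A-Za-z0-9]*) echo "invalid token format" >&2; return 1 ;;
  esac
  printf 'header = "Authorization: Token %s"\n' "$token"
}

# Turn an HTTP status into an exit code. Per the page, 403 means the token's
# permissions field does not cover the requested endpoint.
zs_explain_status() {
  case $1 in
    2??) return 0 ;;
    403) echo "403 Forbidden: token lacks permission for $2" >&2; return 3 ;;
    *)   echo "request to $2 failed with HTTP $1" >&2; return 1 ;;
  esac
}

# GET an API path: body to stdout on success, diagnostics to stderr.
zs_get() {
  path=$1
  body=$(mktemp) || return 1
  cfg=$(zs_auth_config "${ZEITSTROM_TOKEN:-}") || { rm -f "$body"; return 1; }
  # --config - reads the header from stdin, keeping the token out of argv.
  status=$(printf '%s\n' "$cfg" |
    curl --silent --show-error --config - --output "$body" \
         --write-out '%{http_code}' "$ZS_BASE$path") || { rm -f "$body"; return 1; }
  rc=0
  zs_explain_status "$status" "$path" || rc=$?
  [ "$rc" -eq 0 ] && cat "$body"
  rm -f "$body"
  return "$rc"
}
```

Call it as `zs_get /api/v2/employees/employees/`; an exit code of 3 tells the calling script to check the token's permissions rather than retry.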


HEADER Authorization: Bearer ...

OAuth2

OAuth2 is the standard authentication method used by the Zeitstrom mobile apps and can be used for integrations that act on behalf of a user.

The OAuth2 flow issues an access token via the token endpoint:

Request an Access Token

curl -X POST "https://api.zeitstrom.com/o/token/" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password&username=user@example.com&password=yourpassword"

Use the returned access token in subsequent requests:

Authenticated Request

curl -X GET "https://api.zeitstrom.com/api/v2/employees/employees/" \
  -H "Authorization: Bearer your_access_token"

HEADER Authorization: Basic ...

Basic Authentication

HTTP Basic Authentication can be used for simple integrations or testing. Provide your Zeitstrom username and password encoded as Base64.

Basic Auth Request

curl -X GET "https://api.zeitstrom.com/api/v2/employees/employees/" \
  -u "user@example.com:yourpassword"

Session Authentication

Session-based authentication uses browser cookies and is primarily used by the Zeitstrom web application. It is not recommended for API integrations but is available when making requests from a browser session where the user is already logged in.
