Your application will be given an API key and secret which are necessary for the making the authentication call. The authentication call with allow Paychex to authorize consumption of the Flex API. (for clients) the API key will be generated automatically when you create your application within Paychex Flex, Company Settings, Connected Applications.

Using your Key/Secret

• Your application's key is the like a username and the secret as a password.

• After making the Authorization call using the key/secret, a bearer token will be generated. This is like a session to verify who you are when making requests.

• Your credentials MUST be provided in the 'request body'

• If you have an application that is authorized to multiple client accounts, you can use the same key and secret between them.

• Access tokens have a short life span. By default, access tokens expire in 60 minutes.

• Response headers will let you know how much time you have left on the token. You will need to regenerate using the authentication endpoint to create a new bearer token (no refresh is available).

Treat your secret API keys as you would any other password. Grant access only to those who need it. Your client credentials carry many privileges, so be sure to keep them secure!

Using the generated bearer token

When you make a call to a Paychex API resource end point, you need to provide an active bearer token within the 'Body' of your request.

Example: Authorization: Bearer <generated token>