The Staff Squared Client API offers a subset of the full Staff Squared functionality to allow integration with 3rd party systems. If you want your application to be able to see who has upcoming holidays or get a list of your current employees then you have come to the right place!

What can you do with the API?

This API currently offers...

  • Read only access to public staff and company profile information.
  • Read only access to calendar events including everything that the user is able to see when looking at their Staff Squared calendar from within the Staff Squared site.
  • Read only access to pending and upcoming absences.
  • The ability to approve or reject pending absences.

Sample Code & Examples

While the Staff Squared API can be accessed with any programming language that can make web requests, we have only created samples using Javascript because the samples can be executed right in your browser! For an example of using each API method, please see our Javascript Client Demo.

Keep up-to-date with changes to the Staff Squared API

This API will change over time. To keep up to date on recent and future changes, please see our Change Log page. Any breaking changes will use versioned urls so existing client implementations won't ever be broken by an update to the API.


All requests to the Staff Squared API are made on behalf of an actual user. First you will need to authorize the user by requesting a bearer token. Once you have a bearer token, you pass that token as header with the request. Any request will be processed as the user who requested the bearer token. For example if a bearer token is requested by a Manager or Admin user, then they will be able to call Absence/Approve but if the Bearer token was requested as a regular staff member then they will get an authorization exception if they try to call Absence/Approve

Bearer tokens expire after 18 hours, at which point you will need to request a new one. Once a token has been issued, it cannot be revoked until is has expired.

When requesting a bearer token, you have 2 choices. You can redirect the user to a page hosted by Staff Squared where they can safely enter their credentials. Or you can request a token directly by posting to /Token. This is usually only required when doing server to server integration or when creating native applications.

Request Token via Redirect

  1. Redirect the user to where "redirect_url" is an absolute url to a page on your site.
  2. Upon successful login, the user will be redirected to the page specified in the redirect_url query string parameter but with ?access_token=abc123etc appended.
  3. Save the access_token either in your application or in the users local browser storage. You will need to use this token in every API call.
    Here is an example of how to get the access_token from the url.
    function getParameterByName(name) {
        name = name.replace(/[\[]/, "\\[").replace(/[\]]/, "\\]");
        var regex = new RegExp("[\\?&]" + name + "=([^&#]*)"),
            results = regex.exec(;
        return results === null ? "" : decodeURIComponent(results[1].replace(/\+/g, " "));
    var token = getParameterByName('access_token');

Request Token Direct

  1. Make a post to /Token with the following data
        grant_type: 'password',
        username: loginName,
  2. Correct login details will result in a successful response which will contain an access_token property
  3. Save this token for later use

Data Formats

We support both XML and JSON request/response formats. Make sure to supply the correct accept header when making your request. JSON is the default data format.

Making your first call

Once you have your bearer token, you are ready to make your first call to the API.

  1. First, create an object which will contain the bearer token authorization header. var headers = {};
  2. Then set the Authorization header to be "Bearer " + your token headers.Authorization = 'Bearer ' + token;
  3. You are now ready to make an ajax request to the API. Here is an example using the popular jQuery library
        type: 'GET',
        url: '',
        headers: headers
    }).done(function (data) {