The Worklio Embedded Payroll iFrames allow you to integrate the white-label solution within your existing platform.

1. Client Authorization Token

First, you need to get a "client" JWT token to be able to call the user token endpoint. You can obtain this client token with the client credentials authorization flow at the /connect/token endpoint, using the client_id and client_secret assigned to your application and the user_token API scopes, like this:

2. User Token endpoint

The user token endpoint generates an output that is used to access the embedded payroll application on the client side. With the client JWT token used as the Bearer token in the request header, you can make an API call to the /token/user/ endpoint to obtain the appUrl and userToken values.

The appUrl property contains the URL to the embedded payroll application and the userToken property is an authentication token in JWT format created on behalf of the user specified by the endpoint parameters.

This endpoint is called by the POST method and its content is generated based on parameters in the request body as a JSON object with the following properties:

  • email: The email of the user for whom the token is to be generated; this token will contain user identifications (such as loginId and role/roleId) according to other parameters.
  • token: Instead of the "email" parameter, a "token" parameter can be used with the value of the user's authenticated JWT token from another trusted authentication server.
  • mode: Mode of the application container in which the generated token will be used. This is an optional parameter; if specified, the mode will be included as a claim in the user token.
  • page: The type of page to be included as a claim in the user token:

| Int | Page Name | Accessible for Roles | Required Properties |
|-----|-----------|----------------------|---------------------|
| 1 | Multi-Admin Dashboard | Multi-Admin | |
| 2 | Multi-Admin Companies | Multi-Admin | |
| 3 | Multi-Admin Payrolls | Multi-Admin | |
| 4 | Multi-Admin Payroll History | Multi-Admin | |
| 5 | Multi-Admin Reports | Multi-Admin | |
| 6 | App Settings | Multi-Admin | |
| 1001 | Company Dashboard | Admin, Multi-Admin | company-id - if accessed as Multi-Admin |
| 1002 | Company Info | Admin, Multi-Admin | company-id - if accessed as Multi-Admin |
| 1003 | Company Team | Admin, Multi-Admin | company-id - if accessed as Multi-Admin |
| 1004 | Company Team Member | Admin, Multi-Admin | employee-id, company-id - if accessed as Multi-Admin |
| 1005 | Company Payroll | Admin, Multi-Admin | company-id - if accessed as Multi-Admin |
| 1006 | Company Payroll History | Admin, Multi-Admin | company-id - if accessed as Multi-Admin |
| 1007 | Company Benefits | Admin, Multi-Admin | company-id - if accessed as Multi-Admin |
| 1008 | Company Reports | Admin, Multi-Admin | company-id - if accessed as Multi-Admin |
| 1009 | Company Time Off | Admin, Multi-Admin | company-id - if accessed as Multi-Admin |
| 1010 | Company Integrations | Admin, Multi-Admin | company-id - if accessed as Multi-Admin |
| 1011 | Company Premium ATS | Admin, Multi-Admin | company-id - if accessed as Multi-Admin |
| 10001 | Employee Dashboard | Employee | |
| 10002 | Employee Personal Info | Employee | |
| 10003 | Employee Contract | Employee | |
| 10004 | Employee Tax Setup | Employee | |
| 10005 | Employee Deductions | Employee | |
| 10006 | Employee Pay Statements | Employee | |
| 10007 | Company Info | Employee | |
| 10009 | Time Off | Employee | |

  • roleAccess: Specifies the type of access control, determining which login role of the user will be selected for the user token; its values have the following meanings:
    null - selects the highest role from all existing user roles
  • company <int>: For login roles that a user may hold more than once, for different companies, this parameter explicitly selects the role for a specific company.
    This is an optional parameter that applies to Client Admin and Employee roles.
  • customAppClaims array(type, value): An array of application properties that are required according to the requested page.


curl --request POST \
     --url /token/user/ \
     --header 'Authorization: Bearer ' \
     --header 'content-type: application/*+json' \
     --data '
{
       "page": 4,
       "email": "[email protected]",
       "roleAccess": 2,
       "customAppClaims": [
         {
           "type": "employeeId",
           "value": "123"
         }
       ]
}
'

Endpoint output:

{
    "email": "[email protected]",
    "appUrl": "https://your_app_domain",
    "userToken": "eyJhbGciOiJSUzI..."
}

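Because the user token is issued for whichever email and page your backend asks for, the request body should be built from server-side session data and checked against the page table above before it is sent. The following is an added example, not Worklio's code: the function names and the session_email/session_role parameters are hypothetical, the claim type spellings are taken from the table's "Required Properties" column, and page 1004 is read as always needing employee-id.

```python
import json

MULTI_ADMIN, ADMIN, EMPLOYEE = "Multi-Admin", "Admin", "Employee"
# Claim type names as spelled in the page table's "Required Properties" column.
# The page's sample request spells one "employeeId"; confirm the spelling for
# your instance before relying on these (assumption).
COMPANY_ID, EMPLOYEE_ID = "company-id", "employee-id"
EMPLOYEE_PAGES = {10001, 10002, 10003, 10004, 10005, 10006, 10007, 10009}


def page_rule(page):
    """Return (allowed roles, claims always required, claims required for Multi-Admin)."""
    if isinstance(page, bool) or not isinstance(page, int):
        raise ValueError(f"page must be an integer id, got {page!r}")
    if 1 <= page <= 6:
        return {MULTI_ADMIN}, set(), set()
    if 1001 <= page <= 1011:
        always = {EMPLOYEE_ID} if page == 1004 else set()
        return {ADMIN, MULTI_ADMIN}, always, {COMPANY_ID}
    if page in EMPLOYEE_PAGES:
        return {EMPLOYEE}, set(), set()
    raise ValueError(f"unknown page id: {page!r}")


def build_user_token_body(session_email, session_role, page, claims=None):
    """Build the POST /token/user/ JSON body from server-side session data.

    session_email and session_role must come from your own authenticated
    session, never from a browser-supplied field (hypothetical parameters).
    """
    claims = dict(claims or {})
    allowed, always, for_multi = page_rule(page)
    if session_role not in allowed:
        raise PermissionError(f"role {session_role!r} may not open page {page}")
    required = always | (for_multi if session_role == MULTI_ADMIN else set())
    missing = required - set(claims)
    if missing:
        raise ValueError(f"page {page} requires claims: {sorted(missing)}")
    unexpected = set(claims) - required
    if unexpected:  # forward only what this page and role need
        raise ValueError(f"page {page} does not take claims: {sorted(unexpected)}")
    return json.dumps({
        "email": session_email,
        "page": page,
        "customAppClaims": [{"type": t, "value": str(claims[t])} for t in sorted(required)],
    })
```
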
3. Embed iFrame Into Your Page

Finally, you can embed an iframe into your application using the appUrl and userToken properties you received from the User token API call.

<iframe src="@Url.Content(appUrl+userToken)"></iframe>

Configuration note

To successfully call the User token endpoint, you need the external client configuration for your application: the client_id and client_secret mentioned in the first chapter.

The URL for the application and API endpoints must also be properly configured for your instance environment.
This configuration is provided by Worklio; please contact us if it is missing or incorrect.