The Worklio Embedded Payroll iFrames allow you to integrate the white-label solution within your existing platform.

1. Client Authorization Token

First, you need to get a "client" JWT token to be able to call the user token endpoint. You can obtain this client token with Client credentials authorization flow at /connect/token endpoint using the client_id and client_secret assigned to your application and user_token api scopes, like this:

2. User Token endpoint

With the Client JWT token used as the Bearer token in the request header, you can make an API call to /token/user/ endpoint to obtain appUrl and userToken. The userToken output is in JWT format and its content is generated based on parameters provided by the API call. The user token endpoint is called by the POST method with parameters in the request body as a JSON object with the following properties:

  • email : the user's email for whom the token is to be generated; this token will contain user identifications (such as loginId and role/roleId) according to other parameters.
  • token : instead of the "email" parameter, a "token" parameter can be used with the value of the user's authenticated JWT token from another trusted authentication server.
  • page : the type of page to be included as a claim in the user token:
IntPage NameAccessible for RolesRequired Properties
1Multi-Admin DashboardMulti-Admin
2Multi-Admin CompaniesMulti-Admin
3Multi-Admin PayrollsMulti-Admin
4Multi-Admin Payroll HistoryMulti-Admin
5Multi-Admin ReportsMulti-Admin
6App SettingsMulti-Admin
1001Company DashboardAdmin, Multi-AdmincompamnyId - if accessed as Multi-Admin
1002Company InfoAdmin, Multi-AdmincompamnyId - if accessed as Multi-Admin
1003Company TeamAdmin, Multi-AdmincompamnyId - if accessed as Multi-Admin
1004Company Team MemberAdmin, Multi-AdminemployeeId, compamnyId - if accessed as Multi-Admin
1005Company PayrollAdmin, Multi-AdmincompamnyId - if accessed as Multi-Admin
1006Company Payroll HistoryAdmin, Multi-AdmincompamnyId - if accessed as Multi-Admin
1007Company BenefitsAdmin, Multi-AdmincompamnyId - if accessed as Multi-Admin
1008Company ReportsAdmin, Multi-AdmincompamnyId - if accessed as Multi-Admin
10001Employee DashboardEmployee
10002Employee Personal InfoEmployee
10003Employee ContractEmployee
10004Employee Tax SetupEmployee
10005Employee DeductionsEmployee
10006Employee Pay StatementsEmployee
10007Company InfoEmployee
  • roleAccess : specifies the type of access control, determining which login role of the user will be selected for the user token; its values have the following meanings:
nullselects the highest role from all existing user roles
  • customAppClaims array(type , value ): an array of application properties that are required according to the requested page.


curl --request POST
     --url /token/user/ \
     --header 'Authorization: Bearer ' \
     --header 'content-type: application/*+json' \
     --data '
       "page": 4,
       "email": "[email protected]",
       "roleAccess": 2,
       "customAppClaims": [
           "type": "employeeId",
           "value": "123"

Endpoint output:

    "email": "[email protected]",
    "appUrl": "https://your_app_domain",
    "userToken": "eyJhbGciOiJSUzI..."

3. Embed iFrame Into Your Page

Finally, you can embed an iframe into your application using the appUrl and userToken properties, you received from the User token API call.

<iframe src="@Url.Content(appUrl+userToken)"></iframe>

Configuration note

To successfully call a User token endpoint, you need to get the external client configuration for your application, the client_id and client_secretmentioned in the first chapter.

The URL for the application and API endpoints must also be properly configured for your instance environment.
This configuration is provided by Worklio and please contact us in case of missing or incorrect configuration.