Authentication
All Indeed Flex Reporting API endpoints require authentication using an OAuth 2.0 Bearer token. This guide walks you through the prerequisites, how to obtain a token, and how to authenticate your API requests.
Prerequisites
Before you can access the Reporting API, you need the following:
- An Indeed employer account -- Your organisation must have an active Indeed Flex employer account. If you do not have one, contact your Indeed Flex account manager to get set up.
- API access enabled -- API access must be provisioned for your employer account. This is managed by Indeed Flex and is enabled on a per-employer basis. Contact your Indeed Flex account manager to request API access.
- OAuth 2.0 credentials -- Once API access is enabled, you will receive a client ID and client secret from Indeed. These are used to obtain access tokens. Keep your client secret confidential and do not expose it in client-side code or public repositories.
Obtaining an access token
The Reporting API uses the OAuth 2.0 client credentials flow. Exchange your client credentials for an access token by making a POST request to the Indeed OAuth token endpoint:
curl -X POST https://apis.indeed.com/oauth/v2/tokens \ -H "Content-Type: application/x-www-form-urlencoded" \ -H "Accept: application/json" \ -d "client_id=YOUR_CLIENT_ID" \ -d "client_secret=YOUR_CLIENT_SECRET" \ -d "grant_type=client_credentials" \ -d "scope=employer_access"A successful response returns an access token:
{ "access_token": "YOUR_ACCESS_TOKEN", "token_type": "Bearer", "expires_in": 3600, "scope": "employer_access"}| Field | Description |
|---|---|
access_token | The Bearer token to include in API requests. |
token_type | Always Bearer. |
expires_in | Token lifetime in seconds. Tokens typically expire after 3600 seconds (1 hour). |
scope | The scopes granted to the token. |
Authenticating requests
Include the access token in the Authorization header of every API request:
curl -X POST https://client-api.indeedflex.com/v1/reporting/me/reports/shift_fulfilment \ -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ -d '[]'Use me as the employer path segment -- it resolves to the employer associated with your OAuth credentials, so you do not need to look up your internal Flex employer ID. You can also pass your numeric employer ID if you have it. Either way, the value must match the employer your token is issued for; a mismatch returns a 403 Forbidden response.
UK employers should use the base URL https://client-api.indeedflex.co.uk in place of https://client-api.indeedflex.com.
Token expiry and refresh
Access tokens expire after the duration specified in the expires_in field (typically 1 hour). When your token expires, request a new one using the same client credentials flow described above.
We recommend:
- Caching tokens until they are close to expiry rather than requesting a new token for every API call.
- Refreshing proactively -- request a new token a few minutes before the current one expires to avoid failed requests.
- Handling 401 responses gracefully -- if you receive a
401 Unauthorizedresponse, obtain a fresh token and retry the request.
Correlation ID
You can optionally include an X-Correlation-ID header in your requests for end-to-end tracing across systems. If you do not provide one, a correlation ID is generated automatically. Including your own correlation ID can help when working with Indeed Flex support to debug issues.
curl -X POST https://client-api.indeedflex.com/v1/reporting/me/reports/shift_fulfilment \ -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \ -H "X-Correlation-ID: your-unique-request-id" \ -H "Content-Type: application/json" \ -d '[]'Error responses
| Status code | Meaning |
|---|---|
401 Unauthorized | Missing or invalid Bearer token. Obtain a new access token and retry. |
403 Forbidden | The employer ID in the URL does not match your credentials. Using me as the employer path segment avoids this, since it resolves to the employer your token is issued for. |
404 Not Found | The endpoint does not exist, or API access has not been enabled for your employer account. |
429 Too Many Requests | Rate limit exceeded. See Rate limiting for details. |
504 Gateway Timeout | The upstream service did not respond in time. Retry after a short delay. |