Lightning Payroll

API Documentation

Getting Started

Welcome to the Lightning Payroll API. We use the OAuth 2.0 Authorization Code flow so your app can access customer payroll data securely and in a way developers already know.

Environments

Environment   Base URL                             Notes
Production    https://api.lightningpayroll.com.au  Live customer data
Development   https://api.dev.intellitron.com.au   Sandbox for development and testing

Getting API Access

To access the Lightning Payroll API, your company must first be granted access by our development team. This step ensures only approved clients can generate credentials for secure integration.

If you don’t yet have access, please contact our team here to get started.

Once access has been granted, you'll be able to visit the API Management section of your admin dashboard to create a Client ID and Client Secret. These are required to begin the OAuth 2.0 Authorisation Code flow described below.

[Screenshot: API Management Page]

Authorization Code Flow

Step 1. Redirect the customer to our authorization endpoint.
Replace {base} with the environment you're targeting.

    GET {base}/oauth/authorize?
      client_id=YOUR_CLIENT_ID
      &redirect_uri=https%3A%2F%2Fyourapp.com%2Foauth
      &state=xyz123
      &scope=openid%20payroll.write

Step 2. Receive the one-time code.
We redirect back to redirect_uri with ?code=…&state=…. The code is single-use and valid for 10 minutes.

Step 3. Exchange the code for tokens.

    POST {base}/oauth/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&
    code=THE_CODE_FROM_STEP_2&
    client_id=YOUR_CLIENT_ID&
    client_secret=YOUR_CLIENT_SECRET&
    redirect_uri=https%3A%2F%2Fyourapp.com%2Foauth

Successful response:

    {
      "access_token":  "…",
      "token_type":    "Bearer",
      "expires_in":    3600,
      "refresh_token": "…",
      "refresh_expires_in": 2592000
    }

Step 4. Call protected endpoints.
Include Authorization: Bearer <access_token>. When it expires, swap the refresh_token for a fresh pair:

    POST {base}/oauth/token

    grant_type=refresh_token&
    refresh_token=YOUR_REFRESH_TOKEN&
    client_id=YOUR_CLIENT_ID&
    client_secret=YOUR_CLIENT_SECRET&
    redirect_uri=https%3A%2F%2Fyourapp.com%2Foauth

Authentication Endpoint Reference

Path                  Description
GET /oauth/authorize  Starts the Authorization Code flow (302 redirect to sign-in / consent screen).
POST /oauth/token     Exchanges an authorization code or refresh_token for fresh tokens.
GET /company          Example protected endpoint: lists companies the authenticated customer can access.

Scopes

Using Your Access Token

Once you have received an access_token, you can begin calling protected endpoints by including it in the Authorization header of your HTTP requests, using the Bearer scheme:

    Authorization: Bearer YOUR_ACCESS_TOKEN

This is required for all endpoints that need authentication. Make sure to replace YOUR_ACCESS_TOKEN with the actual token string you received in Step 3 above.
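The four steps of the Authorization Code flow and the Bearer header usage described in this section, as an added Python example (not code from Lightning Payroll): it issues a random state, rejects any callback whose state does not match, keeps the client_secret and refresh_token server-side, and refreshes shortly before expires_in runs out. The post transport, the TokenStore name and the placeholder credentials are assumptions, not part of the API.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse
BASE = "https://api.dev.intellitron.com.au"  # Development environment from the table above
TOKEN_URL = f"{BASE}/oauth/token"

def authorize_url(client_id, redirect_uri, scope="openid payroll.write"):
    """Step 1: build the redirect and a fresh, unguessable state for the user's session."""
    state = secrets.token_urlsafe(16)
    query = {"client_id": client_id, "redirect_uri": redirect_uri,
             "state": state, "scope": scope}
    return f"{BASE}/oauth/authorize?{urlencode(query)}", state

def code_from_callback(callback_url, expected_state):
    """Step 2: accept the one-time code only if state matches the value we issued."""
    qs = parse_qs(urlparse(callback_url).query)
    if not hmac.compare_digest(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback ignored")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code

class TokenStore:
    """Keeps the token pair server-side and refreshes before the access token expires."""
    def __init__(self, client_id, client_secret, redirect_uri, post, now=time.time):
        # `post(url, form_dict) -> dict` is an assumed HTTP transport, injected so it can be mocked.
        self.creds = {"client_id": client_id, "client_secret": client_secret,
                      "redirect_uri": redirect_uri}
        self.post, self.now = post, now
        self.access = self.refresh = None
        self.access_expiry = 0.0

    def _store(self, tokens):
        self.access, self.refresh = tokens["access_token"], tokens["refresh_token"]
        self.access_expiry = self.now() + tokens["expires_in"]

    def exchange(self, code):
        """Step 3: trade the one-time code for an access/refresh pair."""
        self._store(self.post(TOKEN_URL, {"grant_type": "authorization_code",
                                           "code": code, **self.creds}))

    def auth_header(self, skew=60):
        """Step 4: Bearer header for protected calls; refreshes within `skew` s of expiry."""
        if self.now() >= self.access_expiry - skew:
            self._store(self.post(TOKEN_URL, {"grant_type": "refresh_token",
                                               "refresh_token": self.refresh, **self.creds}))
        return {"Authorization": f"Bearer {self.access}"}
```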

Tip: You can test authenticated API calls directly on this documentation page. Click the “Authorize” button at the top right of the endpoint list and enter your access token in the HTTPBearer area of the popup. Once authorised, the Swagger UI will automatically include your Bearer token in requests while you explore.

[Screenshot: Swagger Authorize Button]

[Screenshot: Swagger Authorize Token Entry]

Security tip: Keep client_secret and refresh_token server-side only. Never expose them in a browser or mobile client.