WBSync REST API: getting started
5 min read · Updated 8 Jun 2026
/api/docs/, and use idempotency keys on write calls so retries never double-count.What the API covers
The REST API gives programmatic access to the same data your app surfaces:
- Projects & WBS — list, read and update projects; traverse and edit the WBS tree; read cost codes.
- Labour entries — list, create, approve and reject entries; read clash rows.
- Operatives & users — list, create and update operatives; read project memberships.
- Reports / KPIs — read EVM metrics (S/E, SPI, CPI, EAC) at any WBS level; pull the S-curve data series.
- Clock events — push clock-in / clock-out pairs via the open ingest endpoint.
Get your API token
Available to Owners and Admins. Click Generate token. Your token is shown once — copy it immediately and store it in a secrets manager, not in source code.
Include the token in every request as an HTTP header:
Authorization: Bearer <your-token>All endpoints require HTTPS. Requests without a valid token receive 401 Unauthorized.
Explore in the Swagger UI
Open /api/docs/ while signed in. The interactive docs list every endpoint, show the request/response schema, and let you fire live calls from the browser — no separate tool needed. The OpenAPI schema is also available as JSON at /api/schema/ for import into Postman or Insomnia.
Write safely with idempotency keys
Every write endpoint (POST, PATCH, DELETE) that could have side effects accepts an Idempotency-Key header. Send a UUID of your choice:
Idempotency-Key: 4a7f3b2c-1d9e-4f8a-b0c2-3e5d6f7a8b9cIf you retry a request with the same key, WBSync returns the original 2xx response instead of processing the call again — so a network timeout or a retry loop never creates a duplicate entry or double-charges a clock event. Only 2xx responses are cached; 4xx / 5xx errors must re-validate.
Pagination
List endpoints return a consistent shape:
{"count": 142, "next": "/api/v1/labour/?page=2", "previous": null, "results": [...]}Page size is 50 by default. Walk next until it is null to retrieve a full dataset.
Rate limits
The API enforces per-user and per-IP rate limits. Responses include X-RateLimit-Remaining and Retry-After headers when limits are near or exceeded. A 429 Too Many Requests response means you should back off and retry after the Retry-After interval.
POST /api/v1/clock-events/ingest/ is secured by a shared-secret header rather than Bearer auth — see Connect a time-clock system for that flow.What next?
Sending clock events from a custom device? Connect a time-clock system →
Frequently asked
Which plans include API access?
Pro, Business and Enterprise include the read/write REST API. Field and Team accounts have read-only access to dashboards through the app but the API token feature is not available on those tiers.
Can I use the API without a token?
No. Every request must include a Bearer token in the Authorization header. The one exception is the open clock-events ingest endpoint, which uses a shared-secret header instead.
How do I rotate my API token?
From Settings → API & integrations, revoke the existing token and generate a new one. The old token stops working immediately — update any scripts or integrations before revoking.
What happens if I send the same idempotency key twice?
WBSync returns the original 2xx response from the first call. No duplicate is created. This is safe for retries in scripts and background workers. Only 2xx responses are cached — if the first call returned a 4xx or 5xx, a second call with the same key will re-process normally.
Where is the OpenAPI schema?
At /api/schema/ as a JSON file, and as an interactive Swagger UI at /api/docs/. You can import the schema directly into Postman, Insomnia or any OpenAPI-compatible toolchain.