Employgroup takes the security of your data very seriously. To keep personal and financial data as secure as possible, the Employgroup API combines several independent security mechanisms to authenticate and authorise a third-party application each time it communicates with the API. Because the Employgroup API is stateless, these credentials must be presented with every request; if any one of them fails validation, the request is rejected.

Once access to the Employgroup API has been configured, you are responsible for the secure storage and management of API tokens.

HTTPS

All requests to the API are encrypted with TLS 1.0 or higher. No version of SSL is supported because of well-documented weaknesses in the protocol, such as POODLE, which breaks the CBC padding used by SSL 3.0. (Heartbleed, often cited alongside it, was a bug in OpenSSL's heartbeat implementation rather than a flaw in the SSL/TLS protocol itself; the fix was to patch the library.) Unencrypted HTTP is also unsupported. Note that TLS 1.0 and 1.1 have themselves since been deprecated (RFC 8996); configure your client to negotiate TLS 1.2 or later so that a downgrade to the older versions is not possible.

The Employgroup API does not support CORS requests. Because browser support for attaching client certificates to requests is limited at best, a JavaScript application running in the browser cannot call the Employgroup API directly. If that scenario is required, you will need to implement a server-side proxy that accepts the browser's requests and forwards them to the API with the certificate attached. The proxy then holds the credential, so it must authenticate its own callers and forward only the requests they are entitled to make; otherwise anyone who can reach the proxy can use your certificate against the API.

Note: this limitation does not apply to server-side applications written in JavaScript, such as those running on Node.js, which can attach the certificate to outgoing connections directly.