API & Webhooks

Connect Keruja to anything

Manage API keys, receive HMAC-signed webhooks for 15 event types, and bulk import/export via CSV. Public REST API and OpenAPI documentation coming soon.

Included in every plan. No add-on fees.

How It Works

Integrate in three steps

01

Generate an API key

Create org-scoped API keys from your dashboard settings. Each key has configurable permissions and a 24-hour JWT expiry. Rotate keys without downtime.

02

Configure webhooks

Subscribe to events and receive HMAC-SHA256-signed payloads at your endpoint. Verify signatures to ensure authenticity. Automatic retries with exponential backoff on failure.

03

Import and export data

Bulk import staff, events, clients, jobs, roles, and pay rates via CSV or XLSX. Export payroll runs, attendance records, and compliance reports. Full pipeline with validation and error reporting.

Capabilities

Everything you need to integrate

API key management

Create, rotate, and revoke org-scoped API keys with 12 permission scopes. SHA-256 hashed storage, rate limiting (600 req/min), and last-used tracking.

HMAC-SHA256 webhook signing

Every webhook payload is signed with your secret. Verify signatures server-side to guarantee authenticity and prevent tampering.

CSV bulk import/export

Import staff, events, clients, jobs, roles, and pay rates via CSV/XLSX. Export payroll runs, attendance, and compliance reports.

Sandbox/test mode

Test environment with isolated data. API keys use the evk_test_* prefix to distinguish sandbox from production.

Coming soon

Public REST API

Full CRUD endpoints for shifts, staff, jobs, events, and payroll — accessible via API key authentication. Currently in development.

Coming soon

OpenAPI documentation

Interactive Swagger UI with request/response examples, authentication guides, and a try-it-out sandbox. Currently in development.

Enterprise-Grade Security

Built for production from day one

Every API request is authenticated, rate-limited, and scoped to your organisation. Webhook signatures prevent spoofing. Full request audit trails give you visibility into every integration action.

Org-scoped API keys

Each key is bound to a single organisation — no cross-tenant access possible

100 requests/hour rate limit

Prevents abuse and ensures fair usage across all tenants

Signature verification on every webhook

HMAC-SHA256 signatures with timestamp to prevent replay attacks

Full request audit trail

Every API call logged with timestamp, endpoint, method, and response status
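
The webhook check described above (an HMAC-SHA256 signature bound to a timestamp), shown from the receiver's side as an added example; it is not Keruja's code. The page does not document the signing format, so the signed string `<timestamp>.<body>`, the hex encoding, the 300-second window, and the function names are assumptions.

```python
import hashlib
import hmac
import time

# Assumptions (not from Keruja's documentation): the signed string is
# "<unix timestamp>.<raw body>", the signature is lowercase hex, and both
# values are delivered alongside the payload (for example in headers).
TOLERANCE_SECONDS = 300  # assumed replay window


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the timestamp and the raw body."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret, timestamp, signature, body, now=None, seen=None):
    """Return (ok, reason). `seen` is an optional set of accepted signatures."""
    now = time.time() if now is None else now
    if not isinstance(timestamp, str) or not isinstance(signature, str):
        return False, "missing header"
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False, "bad timestamp"
    # Reject stale or far-future deliveries before computing anything.
    if abs(now - sent_at) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance"
    # Verify over the raw bytes received, never over re-serialised JSON.
    expected = sign(secret, timestamp, body)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "signature mismatch"
    # Inside the window a captured delivery still verifies, so dedupe it.
    if seen is not None:
        if signature in seen:
            return False, "replay"
        seen.add(signature)
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-secret"        # constructed sample values
    body = b'{"event":"example"}'
    ts = str(int(time.time()))
    print(verify_webhook(secret, ts, sign(secret, ts, body), body))
```

Because the timestamp is part of the signed string, changing it to slip an old delivery inside the window invalidates the signature.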

See the API documentation

Book a guided demo and explore the full REST API, webhook events, and import/export capabilities.
