Getting Started

Modified on Tue, Mar 24 at 7:38 PM

Developer Guide Navigation

Getting Started

Everything you need to authenticate with the HCM API and start making requests.

Prerequisites — System Setup Required

Before you begin: API access requires configuration by your HCM system administrator. The following must be set up before you can authenticate:

Requirement	Who Sets It Up	Details
User Account	HCM Admin	An HCM user account with username/password that has access to the target company
API Client Credentials	HCM Admin	A `client_id` and `client_secret` pair issued for your integration. Each API service has its own client.
Company ID	HCM Admin	The numeric company ID your integration will operate against. Required in every token request.
Roles & Permissions	HCM Admin	The user account must be assigned roles with the appropriate permissions (e.g., CanViewPatientList, CanCreateLead)
Scopes	HCM Admin	Your client must be granted the correct scopes for the APIs you need to access

Contact your HCM administrator to provision API credentials for your integration. They will provide you with a client_id, client_secret, company ID, and confirm which scopes are enabled.

Authentication

HCM uses IdentityServer4 (OpenID Connect / OAuth 2.0) as its central authentication service. All four API services (Main, Timetracking, Payroll, Billing) authenticate through the same Identity Server. The primary grant type for API integrations is Resource Owner Password — you exchange a username, password, and client credentials for a JWT bearer token.

Step 1

Request Token

Send a POST request to the Identity Server token endpoint. The request must include your client credentials, user credentials, target scope, and company ID.

cURL — Main API Token

curl -X POST https://identity.myhcit.com/connect/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "username=YOUR_USERNAME" \
  -d "password=YOUR_PASSWORD" \
  -d "scope=openid profile hcmwebapiserver" \
  -d "companyId=YOUR_COMPANY_ID"

companyId is required. Every token request must include the numeric company ID. Without it, the request will fail with: "Company id is missing"

Step 2

Receive Token

The Identity Server returns a JWT access token. The token contains embedded claims including the user's ID, company, roles, and permissions.

Response

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expires_in": 2400,
  "token_type": "Bearer",
  "scope": "openid profile hcmwebapiserver"
}

Step 3

Use Token in API Requests

Include the token in the Authorization header using the Bearer scheme. The same token works for any endpoint within the scope you requested.

cURL

curl -X GET https://api.myhcit.com/api/leads \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..." \
  -H "Content-Type: application/json"

Scopes & API Clients

Each HCM API service has its own client credentials and scopes. You need a separate token for each API service you want to call — a token scoped to hcmwebapiserver will not work for the Payroll API.

API Service	Required Scope	Token Lifetime	What It Grants
Main API	`hcmwebapiserver`	~40 minutes	Patients, caregivers, scheduling, contracts, authorizations, documents, notes, admin
Timetracking API	`Timecards.coordinador`	~24 hours	Timecards, clock in/out, geolocation, payroll settings
Payroll API	`payroll-api-scope`	~40 minutes	Payroll batches, entries, rates, schedules, pay codes, export
Billing API	`billing.read`	~40 minutes	Invoices, submissions, payments, billing rates, ERA posting

Additional scopes you can request alongside the primary scope:

openid — OpenID Connect identity profile — User profile claims roles — User role claims report.read — Reporting API access

Token Expiration: Main API and Payroll tokens expire after ~40 minutes. Timetracking tokens last ~24 hours. Implement token refresh logic — request a new token before the current one expires.

Token Claims

The JWT access token contains these claims that the API uses to determine identity and authorization:

Claim	Description
`sub`	User's unique subject ID
`name`	Display name
`email`	Email address
`role`	Assigned roles (array)
`current_company`	Active company ID (from companyId in token request)
`tenant_code`	Tenant identifier for multi-tenancy
`companyId_links`	Comma-separated list of all companies the user can access

Swagger / OpenAPI Explorer

Each HCM API exposes a Swagger UI for interactive exploration and testing. The Swagger UI is available at /swagger on each API's base URL.

API	Swagger URL (Testing)
Main API	`https://api.myhcit.com/swagger`
Timetracking	`https://timetracking.myhcit.com/swagger`
Payroll	`https://payrollapi.myhcit.com/swagger`
Billing	`https://billingapi.myhcit.com/swagger`

Authenticating in Swagger: Swagger accepts your access token via a query parameter or the authorize button. You can pass the token as ?access_token=YOUR_TOKEN in the URL, or use the Bearer Authorization header in the Swagger UI's authorize dialog.

Swagger for exploration only. The Swagger UI is useful for testing individual endpoints interactively. For production integrations, use the endpoints documented in this guide with proper token management.

Common Authentication Errors

Error	Cause	Fix
`"Company id is missing"`	companyId not included in token request	Add `companyId` parameter to your token request
`"Username or password not found"`	Invalid user credentials	Verify username and password with your HCM admin
`"invalid_client"`	Wrong client_id or client_secret	Verify client credentials with your HCM admin
`"invalid_scope"`	Requested scope not allowed for this client	Use the correct scope for your API client (see table above)
HTTP `401`	Token expired or invalid	Request a new token — tokens have limited lifetime
HTTP `403`	User lacks required permission	Contact admin to assign the necessary permission/role to the user

Environments

HCM provides separate testing and production environments for each service. Use the toggle in the top bar to switch all URLs in this guide between environments.

Service	Testing	Production
Main API	`api.myhcit.com`	`api.myhcmanager.com`
Timetracking	`timetracking.myhcit.com`	`timetracking.myhcmanager.com`
Billing	`billingapi.myhcit.com`	`billingapi.myhcmanager.com`
Payroll	`payrollapi.myhcit.com`	`payrollapi.myhcmanager.com`
Identity	`identity.myhcit.com`	`identity.myhcmanager.com`

Best Practice: Always develop and test against the Testing environment first. Only point your integration at Production after thorough testing.

API Conventions

Pagination

Most list endpoints accept pageSize and currentPage query parameters. Responses include pagination metadata alongside the result set using the structure: { currentPage, pageSize, totalInSearchResult, data: [...] }.

Sorting

Pass a sortingOptions array in the request body with objects containing { columnName, direction } where direction is Asc or Desc.

Date Format

All dates use ISO 8601 format: 2026-01-15T08:00:00

Standard Response Wrapper

Many endpoints return responses wrapped in an OperationResult pattern: { isSuccess: true, message: "", data: {...} }

Error Responses

The API uses standard HTTP status codes:

Status	Meaning	Details
`400`	Bad Request	Validation error with field-level details
`401`	Unauthorized	Missing or invalid authentication token
`403`	Forbidden	Authenticated but missing required permission
`404`	Not Found	The requested resource does not exist
`500`	Server Error	An unexpected error occurred on the server

Paginated Response Example

{
  "currentPage": 1,
  "pageSize": 25,
  "totalInSearchResult": 148,
  "data": [
    {
      "id": 1042,
      "firstName": "Jane",
      "lastName": "Doe",
      "status": "Active"
    },
    // ... more results
  ]
}

Error Response Example (400 Validation)

{
  "isSuccess": false,
  "message": "Validation failed",
  "errors": [
    {
      "field": "firstName",
      "message": "First name is required."
    },
    {
      "field": "dateOfBirth",
      "message": "Date of birth must be a valid ISO 8601 date."
    }
  ]
}

User Info

GET /api/identity/userInfo

Get current authenticated user's profile, permissions, and company info

Returns the full profile of the currently authenticated user, including their display name, email, active company context, assigned roles, and granted permissions. Use this endpoint to verify authentication and determine what the user has access to.

Response

{
  "userId": 4821,
  "displayName": "Maria Garcia",
  "email": "maria.garcia@example.com",
  "currentCompanyId": 12,
  "currentCompanyName": "Sunrise Home Health",
  "tenantCode": "SUNRISEHH",
  "userRoles": [
    "Administrator",
    "Scheduler",
    "BillingManager"
  ],
  "permissions": [
    "leads.read",
    "leads.write",
    "referrals.read",
    "referrals.write",
    "scheduling.read",
    "scheduling.write",
    "billing.read",
    "billing.write",
    "payroll.read"
  ]
}