Integrating with Paycor
How to provision API access in Paycor and share credentials with the Drivetrain engineering team.
Step 1 - Register for the Paycor Developer Portal
Step 2 - Create a New Application
Step 3 - Configure Data Access (Scopes)
Step 4 - Configure Security Connections
Step 5 - Activate the Application Against Your Production Tenant
Share Credentials with the Drivetrain Team
Prerequisites
To connect Paycor to Drivetrain, you need:
Paycor administrator access. You must hold a Company Admin, HR Admin, or Payroll Admin role in Paycor. Without this role, the production activation step will fail with a 403 error.
An active Paycor subscription for the modules whose data you intend to share (for example: Core HR, Payroll, Time).
Access to the Paycor Developer Portal at developers.paycor.com. If you have not used the portal before, you will register as part of Step 1 below.
A secure channel to share credentials with the Drivetrain engineering team. The engineering team will provide a secure intake link. Do not send credentials over plain email or Slack.
Paycor Setup
Complete the following steps in the Paycor Developer Portal to create and configure an OAuth application that Drivetrain will use to access your data. Once done, you will have four credentials to share with the Drivetrain engineering team: Client ID, Client Secret, Subscription Key, and Legal Entity ID.
Step 1 - Register for the Paycor Developer Portal
Navigate to https://developers.paycor.com/join-developer-portal.
Under "Are you an existing Paycor client?" click Get started.
Sign in with your Paycor username and password.
Select the client(s) you want to be able to activate apps for.
Choose an administrator for the Developer Portal account (typically yourself) and click Request Access.
Sign out and sign back in. This step is required for your new permissions to take effect.
If you do not see the Applications tab after signing back in, your access request is still pending. Wait a few minutes and refresh, or contact your internal Paycor administrator.
Step 2 - Create a New Application
From the Developer Portal home screen, click Applications.
Click the + Application button.
Enter an application name (recommended: YourCompany – Drivetrain Tap) and select Standard Application as the type.
Click Create Application.
Immediately copy the Client ID and Client Secret shown in the confirmation pop-up. The Client Secret is shown only once. If you miss it, you will need to regenerate it from the Security Connections tab.
Click Got it to dismiss the dialog.
Save your Client Secret now. Paycor does not display it again after this dialog closes. Paste both the Client ID and Client Secret into a secure password manager before continuing. If lost, the secret can be regenerated, but the previous value will stop working immediately.
Step 3 - Configure Data Access (Scopes)
Scopes control which Paycor objects the integration can read. Configure these on the Data Access tab of your application.
Open your application and click the Data Access tab.
Click + Scope and give it a descriptive name, for example: native-tap-read.
Select the permissions listed in the Required Scopes table below. Apply read-only permissions wherever possible.
Click Save.
Switch to the General tab and copy the Scope name that now appears. You will need it in Step 5.
Required Scopes
Enable the following data permissions. If a permission is not listed in your Paycor instance, you do not subscribe to that module. Skip it.
Employees
Read
Core employee records (name, status, hire date, work location, manager)
Person / Demographics
Read
Contact info, addresses, phone numbers, emergency contacts
Employments / Jobs
Read
Job title, FLSA status, employment type, manager hierarchy
Pay Rates
Read
Current and historical pay rate information
Earnings
Read
Earnings history per pay period
Deductions
Read
Pre- and post-tax deductions
Taxes
Read
Federal, state, and local tax records
Direct Deposits
Read
Bank account routing information for verification only
Departments / Cost Centers
Read
Organizational structure and reporting hierarchy
Legal Entities
Read
Required for any company-scoped API call
Time Off Requests
Read
PTO balances and time-off events (if Time module enabled)
Time Card Punches
Read
Worked-hours data (if Perform Time module enabled)
Step 4 - Configure Security Connections
Open the Security Connections tab on your application.
Copy the APIm Subscription Key. This is the value sent in the Ocp-Apim-Subscription-Key header on every API call. Save it alongside your Client ID and Client Secret.
In the Approved Return OAuth URL field, paste this redirect URI : https://id.drivetrain.ai/auth/callback
Save your changes.
The redirect URI must be an exact match. Paycor checks it character by character.
A trailing slash, mixed casing, or http vs https mismatch will cause an invalid_grant error during OAuth.
Step 5 - Activate the Application Against Your Production Tenant
Activation links your application to a specific Paycor legal entity. This step requires Company Admin, HR Admin, or Payroll Admin privileges.
Navigate to https://hcm.paycor.com/AppActivation/ClientActivation.
Enter the Application OAuth Client ID (from Step 2) and the Application Scope name (from Step 3, General tab).
Click Initiate.
Review the access scopes shown on the confirmation screen. These should match what you configured in Step 3.
Click Next.
Select the legal entity (client) you want to grant access to, then click Integrate.
Record the Legal Entity ID. This is the numeric identifier for the legal entity you selected. The Drivetrain engineering team will need it to scope API calls.
If you see a 403 error, the signed-in user does not have the required administrator role.
Have an authorized administrator complete this step, or request the role from your Paycor account manager.
Share Credentials with the Drivetrain Team
Send the following four values to the Drivetrain team using the secure intake link they provided. Do not share credentials over email, Slack, or any unencrypted channel.
Client ID
Application detail page, or the confirmation pop-up shown at creation in Step 2
Client Secret
Captured at creation time in Step 2. Can be regenerated on the Security Connections tab if lost.
Ocp-Apim-Subscription-Key
Application Security Connections tab (Step 4)
Legal Entity ID
Recorded during the activation step in Step 5
Last updated
Was this helpful?