API requests are made via HTTPS to the endpoint:

The default response from this endpoint will provide some data about the instance. On premise solutions will receive data pertinent to your instance. This is a good way to ensure that you have a route to the API and that it is available.

This action will return a response without the session requiring authentication

Each request, however, that interacts with your account must include a valid bearer token inside the Authorization header of the HTTPS request. We have provided some examples of how to do this via C# and TypeScript.

Generating a bearer Token

The account section contains a method for login /api/Account/Authenticate and by supplying valid credentials a valid bearer token is returned. The provided token will be similar to the below:


This token must be provided in subsequent calls in the header. The example below illustrates how to return a set of forms that are visible to the user logged in to the account.

GET ...................api/Forms HTTP/1.1
Connection: keep-alive
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Microsoft Edge";v="96"
accept: */*
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJDdXN0b21lcklkIjoiMjgiLCJMb2dpbklkIjoiMTgwNCIsIlJ....
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
sec-ch-ua-platform: "Windows"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Bearer tokens have a built in expiry of 24 hours in WorkMobile which means that regular re-authentication is required. This is suitable where the interface is being consumed via an interactive UI but is more problematic when used within a scheduled job or other type of interface.

To avoid having to specify passwords in a file, the user has the option to create a portal user with suitable (and limited) access and then to associate a token (guid) with that account and provide access via that method.

To create an access token in WorkMobile, use the following section on the Logins page

Clicking on Generate will create a guid, which can then be copied to the clipboard by using the icon at the end of the display box.

Once you have the GUID, instead of providing a bearer token header in your call, you can supply a header named X-Api-Key and a value of the token copied from the above WorkMobile screen.

The API token will give you none-expiring access until you revoke or regenerate the token. You can add an optional description and click the update button to save the description without recreating the token.