Authentication

The Deel. PayAndBill API uses OAuth 2.0 Authorization Code flow for authentication. All API endpoints (except the authentication endpoints themselves) require a valid Bearer token.

OAuth 2.0 Flow

1

Request Authorization

Redirect the user to the authorization endpoint to obtain an authorization code.

GET https://<client>.pb.deel.com/openapi/oauth/authorize
?responseType=code
&clientId=YOUR_CLIENT_ID
&redirectUri=https://yourapp.com/callback
&scope=read write
&state=RANDOM_STATE_VALUE
ParameterRequiredDescription
responseTypeYesMust be set to code.
clientIdYesYour application’s client ID.
redirectUriYesThe URI where the user will be redirected after authorization. Must match the registered URI.
scopeYesSpace-separated list of requested permissions.
stateYesA random string to prevent CSRF attacks. Verify this value on callback.
2

Exchange Code for Token

After the user authorizes your application, they will be redirected to your redirectUri with a code parameter. Exchange this code for an access token:

$curl -X POST https://<client>.pb.deel.com/openapi/oauth/token \
> -H "Content-Type: application/json" \
> -d '{
> "code": "AUTHORIZATION_CODE",
> "clientId": "YOUR_CLIENT_ID",
> "clientSecret": "YOUR_CLIENT_SECRET",
> "redirectUri": "https://yourapp.com/callback",
> "grantType": "authorization_code"
> }'
3

Use the Access Token

Include the access token in the Authorization header of all API requests:

$curl -X GET https://<client>.pb.deel.com/employees/list \
> -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
> -H "Accept: application/json"

Refreshing Tokens

When your access token expires, use the refresh token to obtain a new one without requiring the user to re-authorize:

$curl -X POST https://<client>.pb.deel.com/openapi/oauth/token \
> -H "Content-Type: application/json" \
> -d '{
> "clientId": "YOUR_CLIENT_ID",
> "clientSecret": "YOUR_CLIENT_SECRET",
> "redirectUri": "https://yourapp.com/callback",
> "grantType": "authorization_code",
> "refreshToken": "YOUR_REFRESH_TOKEN"
> }'

Required Headers

All authenticated requests must include the following headers:

HeaderValueDescription
AuthorizationBearer <token>Your OAuth access token.
Acceptapplication/jsonExpected response format.
vnd.a1.tenant-id<tenant-id>Tenant identifier for multi-tenant environments.