The Arcoro API is a new RESTful API that gives users direct, programmatic access to their Arcoro data. It covers employee demographics and company reference data today, with plans to expand across all Arcoro modules over time.  This release represents a significant step toward a more scalable, transparent, and user-controlled integration experience.

 This release delivers three things:

1. A scalable and modern API - 15+ endpoints, full read and write operations, built as a platform-level capability that is extensible to all Arcoro products
2. An API infrastructure built for security, scalability, and multi-tenant isolation
3. A self-service API portal in Hub for managing keys, monitoring usage, and reviewing request history.

Features

New API

A standards-based REST API providing full Create, Read, Update, and Delete (CRUD) operations on core workforce data. All endpoints follow consistent patterns with pagination, validation, and meaningful error responses.

Supported Endpoints (Initial Release)

API Infrastructure

The API is hosted through a dedicated, secure gateway providing:

• Security — Encrypted with TLS 1.2+
• API key authentication — Strong keys validated through a dedicated login flow
• Per-key security controls — Each API key can be assigned as read-only or read-write.
• Request/response logging — Full HTTP request and response bodies are captured for every API call, with automatic redaction of sensitive fields (e.g., SSNs)
• Rate limiting — Configurable request throttling
• Multi-tenant isolation — Each API request is scoped to the authenticated company's data

Self-Service API Management

• Dashboard — KPI cards (total requests, success rates, failures), usage-over-time chart, success/failure breakdown, and top 3 most-used endpoints. Configurable for 7, 30, or 90-day timeframes.
• API Keys — Create, view (masked), and delete API keys. Each key is named and assigned to security groups at creation. The full key is shown only once at creation time.
  • Support for unlimited API keys per company
  • Immediate invalidation of revoked keys
• Request History — Searchable, filterable log of all API requests showing timestamp, request method/path, status code, response time, requestor, and IP address.

Access Control

• Assign access levels per API key:
  • Full Access → All endpoints
  • Read Only → GET endpoints only
• Enforcement of access restrictions (non-compliant requests return 403 errors)

API Request Logs

• user-facing log viewer
• Search and filter by:
  • Date range
  • HTTP method
  • Endpoint path
  • Status code
  • IP address

Security & Compliance

• API keys masked after creation (last 4 characters visible)
• Full audit trail for:
  • Key creation
  • Key deletion
  • Access level changes
• No PII exposure in request logs

Enhancements to Existing Functionality

API Key Management

• Previously admin-only with limited visibility
• Now fully self-service and user-controlled

API Request Logging

• Previously captured but not exposed
• Now accessible, searchable, and actionable

Security Model

• Previously basic enable/disable at company level
• Now granular, role-based, and auditable

Sandbox

• API users can request access to a sandbox environment populated with sample data. The sandbox gives the user a safe place to test API calls without affecting their production data.
• The sandbox will not contain the company's actual data.

User Resources

The Arcoro API is built as a platform-level capability designed to become the single, unified API for all Arcoro products over time. This initial release covers employee demographics and company reference data, with additional endpoints planned for future releases.

Users can refer to our guide here.

Examples