Developer API access and token management

Last updated on May 19, 2026

Timether provides API access for developers who want to connect Timether with other tools, internal systems, dashboards, automations, or custom workflows.

API access is available through public API tokens, which can be created and managed from your workspace settings.

Plan requirement

Public API token generation is available for workspace members on:

  • Team

  • Business

API token access is not available on the Free plan or Solo Pro plan.

If your workspace does not show API token settings, check that your workspace is on a Team or Business plan and that your role has permission to manage or use API access.

What API tokens are used for

API tokens allow external systems to securely communicate with the Timether API.

Developers can use the API to build integrations such as:

  • Internal reporting dashboards

  • Custom productivity tools

  • Billing or finance workflows

  • Data export automations

  • Team monitoring systems

  • Client portals

  • Other internal business tools

API tokens should only be created for trusted systems and should be handled carefully.

Creating an API token

To create a new API token:

  1. Go to your workspace settings.

  2. Open the Developer, API, or API Tokens section.

  3. Click Create Token or New Token.

  4. Add a name that helps you recognize what the token is used for.

  5. Confirm token creation.

  6. Copy the generated token and store it somewhere safe.

For security, API tokens are shown only once when they are created.

After you leave the token creation screen, you will not be able to view the full token again. If you lose the token, you will need to revoke it and create a new one.

Storing tokens safely

Treat API tokens like passwords.

Anyone with access to a valid token may be able to access Timether API data based on the permissions available to that token and workspace.

Do not share tokens in public places such as:

  • GitHub repositories

  • Public documentation

  • Client-side JavaScript

  • Chat messages

  • Screenshots

  • Support tickets

  • Shared documents

Store tokens in a secure environment variable or secrets manager when using them in applications.

Revoking an API token

If a token is no longer needed or may have been exposed, revoke it from the API token settings.

To revoke a token:

  1. Go to workspace settings.

  2. Open the Developer, API, or API Tokens section.

  3. Find the token you want to remove.

  4. Click Revoke or Delete.

  5. Confirm the action.

Once revoked, the token can no longer be used to access the Timether API.

If an application was using that token, you will need to create a new token and update the application with the new value.

Making API requests

Timether API requests use the base path:

/api/v1

When making a request, include your API token in the Authorization header using the Bearer token format.

Example:

Authorization: Bearer your_api_token_here

You must also specify which workspace the request belongs to by sending the workspace ID in the X-Workspace-Id header.

Example:

X-Workspace-Id: your_workspace_id_here

Example request headers

A typical API request should include headers like this:

Authorization: Bearer your_api_token_here
X-Workspace-Id: your_workspace_id_here
Content-Type: application/json

The Bearer token authenticates the request.

The workspace ID tells Timether which workspace context to use for the request.

Why workspace context is required

Timether accounts can belong to multiple workspaces.

Because workspace data is separated, the API needs to know which workspace the request should operate inside.

The X-Workspace-Id header makes this explicit.

This helps prevent API requests from accidentally reading or writing data in the wrong workspace.

Token security best practices

Use a separate token for each integration where possible.

For example, use one token for an internal dashboard and another token for a reporting automation. This makes it easier to revoke one integration without affecting others.

Name tokens clearly so you can recognize them later.

For example:

  • Internal reporting dashboard

  • Monthly export automation

  • Finance sync

  • Client portal integration

Revoke old or unused tokens regularly.

If a developer leaves the team or an integration is no longer used, remove the related token.

If an API request fails

If an API request does not work, check the following:

  1. The token is valid and has not been revoked.

  2. The token is included in the Authorization header.

  3. The header uses the correct Bearer format.

  4. The X-Workspace-Id header is included.

  5. The workspace is on a Team or Business plan.

  6. The workspace is active and not in a billing read-only state.

  7. The request is being sent to the correct /api/v1 endpoint.

If the workspace is in read-only mode because of a billing issue, write requests may be blocked until billing is resolved.
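The storage advice and the client-side items of the checklist above can be combined into a small pre-send check. This is an added example, not Timether's own code; the environment variable names, the host `timether.example` and the endpoint path are assumptions.

```python
import os
import re
from urllib.parse import urlsplit

BASE_PATH = "/api/v1"                   # base path given on this page
BEARER_RE = re.compile(r"Bearer \S+")   # "Bearer", one space, one token


def build_headers(env=os.environ):
    """Read credentials from the environment instead of hard-coding them.
    TIMETHER_API_TOKEN and TIMETHER_WORKSPACE_ID are assumed variable names."""
    headers = {"Content-Type": "application/json"}
    token = env.get("TIMETHER_API_TOKEN", "").strip()
    workspace_id = env.get("TIMETHER_WORKSPACE_ID", "").strip()
    if token:
        headers["Authorization"] = f"Bearer {token}"
    if workspace_id:
        headers["X-Workspace-Id"] = workspace_id
    return headers


def preflight(url, headers):
    """Return the client-side checklist items this request fails.
    Revocation, plan and billing state can only be checked by the server."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    auth = h.get("authorization")
    if auth is None:
        problems.append("missing Authorization header")
    elif not BEARER_RE.fullmatch(auth):
        problems.append("Authorization is not in 'Bearer <token>' format")
    if not h.get("x-workspace-id", "").strip():
        problems.append("missing X-Workspace-Id header")
    path = urlsplit(url).path
    if path != BASE_PATH and not path.startswith(BASE_PATH + "/"):
        problems.append("path is not under /api/v1")
    return problems


def redact(headers):
    """Copy of the headers that is safe to log or paste into a ticket."""
    return {k: ("Bearer [REDACTED]" if k.lower() == "authorization" else v)
            for k, v in headers.items()}


if __name__ == "__main__":
    # Constructed sample values; the host and endpoint are placeholders.
    env = {"TIMETHER_API_TOKEN": "tok_example_123", "TIMETHER_WORKSPACE_ID": "ws_42"}
    hdrs = build_headers(env)
    print(preflight("https://timether.example/api/v1/placeholder", hdrs))
    print(redact(hdrs))
```

Log or share only the output of `redact`, never the raw headers.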