For developers

Build on the Work App API

REST + webhooks for jobs, customers, quotes, invoices, fleet and assets — same surface our own apps use.

API keys + OAuth 2.0

Bearer tokens for server-to-server. OAuth for user-scoped apps.

Signed webhooks

HMAC-SHA256 signed payloads. Retries with exponential backoff.

Per-org isolation

Every request enforced through row-level security. No cross-tenant leaks.

Your first request

curl https://api.workappltd.com/v1/jobs \
  -H "Authorization: Bearer wa_live_••••••••" \
  -H "Content-Type: application/json"

Core endpoints

MethodPathDescription
GET/v1/jobsList jobs with filters (status, customer, assignee, date range)
POST/v1/jobsCreate a new job with site, customer and scheduled date
PATCH/v1/jobs/{id}Update job status, notes or assignee
GET/v1/customersList customers with sites and contacts
POST/v1/quotesCreate a quote with line items and send branded PDF
POST/v1/invoicesCreate or finalise an invoice from a completed job
GET/v1/assetsList equipment / assets with QR codes and check history
POST/v1/timesheetsRecord engineer time against a job
GET/v1/vehiclesFleet roster with MOT, insurance and walkaround status
POST/v1/filesUpload a photo or document to a job, asset or report

Webhook events

job.created

A new job has been booked

job.completed

An engineer marked a job complete

quote.accepted

Customer accepted a quote via the portal

invoice.paid

An invoice was marked paid (manual or Stripe)

asset.check.failed

An equipment check returned a fail / defect

vehicle.defect.logged

A driver walkaround logged a defect

Verify a webhook signature (Node)

import { createHmac, timingSafeEqual } from "crypto";

export function verify(body: string, signature: string, secret: string) {
  const expected = createHmac("sha256", secret)
    .update(body)
    .digest("hex");
  return timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

Developer FAQ

How do I authenticate?+

Two options: per-organisation API keys (Bearer header) for server-to-server integrations, or OAuth 2.0 authorization code flow for third-party apps acting on behalf of users. Generate keys from Settings → Developer.

What are the rate limits?+

300 requests per minute per API key on Business and Enterprise plans. Burst allowance up to 600. Exceeded requests return 429 with a Retry-After header.

How are webhooks signed?+

Every webhook POST includes an X-Workapp-Signature header with an HMAC-SHA256 of the raw body, signed using your endpoint's webhook secret. Verify with constant-time comparison before processing.

Is there a sandbox environment?+

Yes. Every workspace has a 'sandbox' mode with isolated data and unlimited test webhooks. Toggle from Settings → Developer → Environment.

Are there official SDKs?+

TypeScript and Python SDKs are in beta. The REST API is OpenAPI 3.1 documented, so client generation in any language is supported via openapi-generator.

Ready to integrate?

Email developers@workappltd.com for sandbox keys and onboarding.

4.9/5 from 120+ field service teams

  • NorthStar Refrigeration
  • Harrow Mechanical
  • Brightway FM
  • PECO Cold Chain
  • Aldridge HVAC
  • Crown Plumbing