For developers
Build on the Work App API
REST + webhooks for jobs, customers, quotes, invoices, fleet and assets — same surface our own apps use.
API keys + OAuth 2.0
Bearer tokens for server-to-server. OAuth for user-scoped apps.
Signed webhooks
HMAC-SHA256 signed payloads. Retries with exponential backoff.
Per-org isolation
Every request enforced through row-level security. No cross-tenant leaks.
Your first request
curl https://api.workappltd.com/v1/jobs \ -H "Authorization: Bearer wa_live_••••••••" \ -H "Content-Type: application/json"
Core endpoints
| Method | Path | Description |
|---|---|---|
| GET | /v1/jobs | List jobs with filters (status, customer, assignee, date range) |
| POST | /v1/jobs | Create a new job with site, customer and scheduled date |
| PATCH | /v1/jobs/{id} | Update job status, notes or assignee |
| GET | /v1/customers | List customers with sites and contacts |
| POST | /v1/quotes | Create a quote with line items and send branded PDF |
| POST | /v1/invoices | Create or finalise an invoice from a completed job |
| GET | /v1/assets | List equipment / assets with QR codes and check history |
| POST | /v1/timesheets | Record engineer time against a job |
| GET | /v1/vehicles | Fleet roster with MOT, insurance and walkaround status |
| POST | /v1/files | Upload a photo or document to a job, asset or report |
Webhook events
job.created
A new job has been booked
job.completed
An engineer marked a job complete
quote.accepted
Customer accepted a quote via the portal
invoice.paid
An invoice was marked paid (manual or Stripe)
asset.check.failed
An equipment check returned a fail / defect
vehicle.defect.logged
A driver walkaround logged a defect
Verify a webhook signature (Node)
import { createHmac, timingSafeEqual } from "crypto";
export function verify(body: string, signature: string, secret: string) {
const expected = createHmac("sha256", secret)
.update(body)
.digest("hex");
return timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
);
}Developer FAQ
How do I authenticate?+
Two options: per-organisation API keys (Bearer header) for server-to-server integrations, or OAuth 2.0 authorization code flow for third-party apps acting on behalf of users. Generate keys from Settings → Developer.
What are the rate limits?+
300 requests per minute per API key on Business and Enterprise plans. Burst allowance up to 600. Exceeded requests return 429 with a Retry-After header.
How are webhooks signed?+
Every webhook POST includes an X-Workapp-Signature header with an HMAC-SHA256 of the raw body, signed using your endpoint's webhook secret. Verify with constant-time comparison before processing.
Is there a sandbox environment?+
Yes. Every workspace has a 'sandbox' mode with isolated data and unlimited test webhooks. Toggle from Settings → Developer → Environment.
Are there official SDKs?+
TypeScript and Python SDKs are in beta. The REST API is OpenAPI 3.1 documented, so client generation in any language is supported via openapi-generator.
Ready to integrate?
Email developers@workappltd.com for sandbox keys and onboarding.
