Summary and recommendation
Toast exposes employee provisioning through its Labor API at https://ws-api.toasttab.com, authenticated via OAuth 2.0 client credentials (POST /authentication/v1/authentication/login).
Tokens expire after 1 hour;
integrations must handle re-authentication proactively on 401 responses.
API access requires enrollment in the Toast Partner Program - credentials are not fully self-serve for all customers.
The API is strictly restaurant-location-scoped.
Every request requires the Toast-Restaurant-External-ID header set to the target restaurant's GUID;
there is no org-level or multi-location employee endpoint.
Multi-location operators must iterate over each restaurant GUID independently for every provisioning or deprovisioning operation.
Core employee operations are covered: GET /labor/v1/employees (list, paginated via pageToken, max 100 per page), GET /labor/v1/employees/{guid} (single record), POST /labor/v1/employees (create), and PATCH /labor/v1/employees/{guid} (update or soft-delete).
The labor:read and labor:write OAuth scopes are required for read and write operations respectively.
API quick reference
| Has user API | Yes |
| Auth method | OAuth 2.0 (client credentials grant) |
| Base URL | Official docs |
| SCIM available | No |
| SCIM plan required | Enterprise |
Authentication
Auth method: OAuth 2.0 (client credentials grant)
Setup steps
- Register as a Toast API partner or integration developer via the Toast Partner Portal.
- Obtain a client_id and client_secret from the Toast developer dashboard.
- POST to https://ws-api.toasttab.com/authentication/v1/authentication/login with client_id and client_secret to receive a Bearer token.
- Include the Bearer token in the Authorization header for all subsequent API requests.
- Tokens expire; re-authenticate using the same client credentials flow when a 401 is returned.
Required scopes
| Scope | Description | Required for |
|---|---|---|
| labor:read | Read access to employee records, jobs, and shifts. | GET /labor/v1/employees, GET /labor/v1/employees/{guid} |
| labor:write | Write access to create or update employee records. | POST /labor/v1/employees, PATCH /labor/v1/employees/{guid} |
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| guid | string (UUID) | Unique Toast identifier for the employee. | system-assigned | immutable | Used as path parameter for individual employee operations. |
| externalId | string | External identifier for the employee set by the integrating system. | optional | updatable | Useful for mapping to HR/payroll system IDs. |
| firstName | string | Employee's first name. | required | updatable | |
| lastName | string | Employee's last name. | required | updatable | |
| string | Employee's email address. | optional | updatable | Used for Toast account login if employee has a Toast account. | |
| phoneNumber | string | Employee's phone number. | optional | updatable | |
| passcode | string | POS passcode for the employee. | optional | updatable | Used for POS login; not returned in GET responses for security. |
| jobReferences | array of objects | List of job assignments for the employee, each with a job GUID and wage. | optional | updatable | References Toast Job objects; jobs must exist before assignment. |
| restaurantUserGuid | string (UUID) | GUID of the restaurant location this employee belongs to. | required | immutable | Passed as the Toast-Restaurant-External-ID header, not in the body. |
| deleted | boolean | Indicates whether the employee record has been soft-deleted. | system-assigned (false) | read-only | Deleted employees are returned when includeDeleted=true query param is used. |
| createdDate | string (ISO 8601) | Timestamp when the employee record was created. | system-assigned | immutable | |
| modifiedDate | string (ISO 8601) | Timestamp when the employee record was last modified. | system-assigned | system-assigned |
Core endpoints
List employees
- Method: GET
- URL:
https://ws-api.toasttab.com/labor/v1/employees - Watch out for: The Toast-Restaurant-External-ID header is mandatory; omitting it returns a 400 error.
Request example
GET /labor/v1/employees?pageToken=&pageSize=100
Authorization: Bearer {token}
Toast-Restaurant-External-ID: {restaurantGuid}
Response example
{
"employees": [
{"guid":"abc-123","firstName":"Jane","lastName":"Doe","email":"jane@example.com"}
],
"pageToken": "next-page-token"
}
Get employee by GUID
- Method: GET
- URL:
https://ws-api.toasttab.com/labor/v1/employees/{employeeGuid} - Watch out for: Returns 404 if the employee GUID does not belong to the restaurant specified in the header.
Request example
GET /labor/v1/employees/abc-123
Authorization: Bearer {token}
Toast-Restaurant-External-ID: {restaurantGuid}
Response example
{
"guid": "abc-123",
"firstName": "Jane",
"lastName": "Doe",
"email": "jane@example.com",
"deleted": false
}
Create employee
- Method: POST
- URL:
https://ws-api.toasttab.com/labor/v1/employees - Watch out for: Creating an employee does not automatically grant POS access; job assignments and passcode must be set separately.
Request example
POST /labor/v1/employees
Authorization: Bearer {token}
Toast-Restaurant-External-ID: {restaurantGuid}
{"firstName":"John","lastName":"Smith","email":"john@example.com"}
Response example
{
"guid": "def-456",
"firstName": "John",
"lastName": "Smith",
"email": "john@example.com",
"deleted": false
}
Update employee
- Method: PATCH
- URL:
https://ws-api.toasttab.com/labor/v1/employees/{employeeGuid} - Watch out for: Only fields included in the PATCH body are updated; omitted fields retain their current values.
Request example
PATCH /labor/v1/employees/def-456
Authorization: Bearer {token}
Toast-Restaurant-External-ID: {restaurantGuid}
{"email":"john.new@example.com"}
Response example
{
"guid": "def-456",
"firstName": "John",
"lastName": "Smith",
"email": "john.new@example.com"
}
Authenticate (get token)
- Method: POST
- URL:
https://ws-api.toasttab.com/authentication/v1/authentication/login - Watch out for: userAccessType must be TOAST_MACHINE_CLIENT for server-to-server integrations. Token expiry is 1 hour.
Request example
POST /authentication/v1/authentication/login
Content-Type: application/json
{"clientId":"your-client-id","clientSecret":"your-client-secret","userAccessType":"TOAST_MACHINE_CLIENT"}
Response example
{
"token": {
"tokenType": "Bearer",
"token": "eyJ...",
"expiresIn": 3600
}
}
List jobs
- Method: GET
- URL:
https://ws-api.toasttab.com/labor/v1/jobs - Watch out for: Job GUIDs are required when assigning jobReferences to an employee; jobs are restaurant-scoped.
Request example
GET /labor/v1/jobs
Authorization: Bearer {token}
Toast-Restaurant-External-ID: {restaurantGuid}
Response example
{
"jobs": [
{"guid":"job-111","title":"Server","deleted":false}
]
}
Rate limits, pagination, and events
Rate limits: Toast does not publicly document specific numeric rate limits in its developer docs. Rate limiting is enforced but thresholds are not published.
Rate-limit headers: Unknown
Retry-After header: Unknown
Rate-limit notes: No explicit rate limit values, headers, or Retry-After behavior documented in official Toast developer docs as of research date.
Pagination method: token
Default page size: 100
Max page size: 100
Pagination pointer: pageToken
Webhooks available: No
Webhook notes: Toast does not publicly document a webhook system for employee/user-management events in its developer docs. Event-driven notifications for employee changes are not described in official documentation.
Alternative event strategy: Poll GET /labor/v1/employees with a modifiedDate filter or pageToken-based pagination to detect changes.
SCIM API status
- SCIM available: No
- SCIM version: Not documented
- Plan required: Enterprise
- Endpoint: Not documented
Limitations:
- Toast does not offer a native SCIM 2.0 endpoint according to official documentation.
- No IdP (Okta, Entra, Google Workspace, OneLogin) SCIM connector is officially documented by Toast.
- Employee provisioning must be performed via the Toast Labor API directly.
Common scenarios
For provisioning a new hire across multiple locations, authenticate once, retrieve your restaurant GUID list, then POST /labor/v1/employees per location with firstName, lastName, email, and jobReferences.
Store the returned employee GUID per location - there is no shared identity across locations, so your identity graph must maintain a per-location GUID map for each employee.
For deprovisioning, PATCH /labor/v1/employees/{employeeGuid} with {"deleted": true for each location the employee belongs to.
Toast uses soft deletes only;
records persist and are retrievable with includeDeleted=true.
There is no hard-delete endpoint, and the deleted field is the sole mechanism for access revocation via API.
For HR roster sync, paginate GET /labor/v1/employees?pageSize=100 per location using pageToken until exhausted, then diff against your HR system using externalId as the correlation key.
There is no delta or changelog endpoint - full pagination is required on every sync cycle.
Use modifiedDate on the employee object to minimize unnecessary PATCH calls.
Provision a new employee across multiple restaurant locations
- Authenticate via POST /authentication/v1/authentication/login to obtain a Bearer token.
- Retrieve the list of restaurant GUIDs for the organization (via the Toast Configuration API or stored mapping).
- For each restaurant GUID, POST /labor/v1/employees with the employee's firstName, lastName, email, and desired jobReferences.
- Store the returned employee GUID per restaurant for future updates or deprovisioning.
Watch out for: Employee records are not shared across restaurant locations; a separate POST is required per location. There is no org-wide employee create endpoint.
Deprovision (soft-delete) a departing employee
- Authenticate to obtain a Bearer token.
- For each restaurant location the employee belongs to, PATCH /labor/v1/employees/{employeeGuid} with {"deleted": true} and the appropriate Toast-Restaurant-External-ID header.
- Verify the employee no longer appears in GET /labor/v1/employees (without includeDeleted=true).
Watch out for: Toast uses soft deletes; the employee record persists and is retrievable with includeDeleted=true. There is no hard-delete endpoint documented.
Sync employee roster from an external HR system
- Authenticate and retrieve all employees via GET /labor/v1/employees?pageSize=100 for each restaurant location, paginating with pageToken until exhausted.
- Compare the retrieved roster against the HR system's employee list using externalId as the correlation key.
- For new HR employees not in Toast, POST /labor/v1/employees to create them.
- For changed employees (name, email, job), PATCH /labor/v1/employees/{guid} with updated fields.
- For terminated employees present in Toast but not in HR, PATCH with {"deleted": true}.
Watch out for: There is no delta/changelog endpoint; full pagination is required on each sync cycle. Store modifiedDate to minimize unnecessary updates.
Why building this yourself is a trap
The location-scoped API model is the primary architectural trap: building an integration without accounting for per-location GUID iteration will silently miss employees at locations not explicitly enumerated. This is especially dangerous for offboarding - a departing employee soft-deleted at one location retains active records at all others unless each is patched individually.
Webhooks are not documented for employee events. All change detection must be polling-based, which means your sync frequency directly determines how stale your identity graph can become between cycles. Pair this with undocumented rate limits (implement exponential backoff on 429s;
no Retry-After header is documented) and full roster pagination at scale requires careful throttle management.
Two additional caveats worth flagging explicitly: the passcode field is write-only and never returned in GET responses, so your system cannot audit or verify POS passcode state after creation.
And creating an employee record via POST does not automatically grant POS terminal access - job assignments and passcode must be set in the same or a subsequent request, or the employee cannot clock in.
Automate Toast workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
