If a third-party tool needs to read data from Rise, you can connect it using OAuth. You create an OAuth application in Rise, then paste the credentials into the third-party tool. No password is ever shared.

Note: You need admin access to OAuth applications in Rise to follow these steps.

What you'll do

• Create an OAuth application inside Rise.
• Configure it for the third-party tool you're connecting.
• Copy the credentials and OAuth endpoints into that tool.

The whole thing takes about five minutes once you have the third-party app's setup details.

Before you start

• Have the third-party app's Redirect URL ready. It's usually shown on the app's setup screen.
• Check whether the third-party app requires PKCE. The app's own setup instructions will tell you.

Set up the connection in Rise

1. Open OAuth applications

In Rise, go to OAuth applications.

2. Create a new application

Click Create application.

3. Fill in the application details

Give your application:

• Name. Anything descriptive, like "Reporting integration".
• Scopes. The types of data the third-party app is allowed to read. Pick only what's needed.
• Redirect URL (optional). Paste the URL the third-party app gave you. This is where Rise sends users back once they authorize the connection.
• Logo URL (optional). Link to an image shown on the consent screen.
• PKCE requirement. Turn on if the third-party app supports or requires it. Leave off if it doesn't.

If you're not sure what to choose, check the third-party app's connection instructions. They'll specify the Redirect URL and whether PKCE is needed.

4. Save and copy your credentials

After saving, Rise shows your Client ID and Client Secret. Copy both somewhere safe. You'll paste them into the third-party app.

Warning: The Client Secret is shown only once. If you lose it, you'll need to regenerate it. Rise requires both the Client ID and Client Secret for external token requests, even when PKCE is enabled.

5. Find your OAuth endpoints

On the application's details page, you'll see the OAuth endpoints: the authorization URL and the token URL. Copy whichever ones the third-party app asks for, then paste them into its setup screen.

For developers

If you're building your own integration or want to call Rise APIs directly, visit the developer portal at developer.risepeople.com. It currently covers Authentication and Reporting APIs, with more on the way.

Troubleshooting

• "Invalid redirect URL". The URL on your OAuth application must match exactly what the third-party app uses, including http versus https and any trailing slash.
• "PKCE required" or "PKCE not allowed". Check that PKCE on your OAuth application matches the third-party app's expectation.
• Lost your Client Secret. Open the OAuth application in Rise and regenerate it, then update the third-party app with the new value.
• Need to revoke access. Delete or disable the OAuth application in Rise. The third-party app will no longer be able to read your data.

Glossary

• OAuth. The standard way for one app to securely access data in another app on your behalf, without sharing your password.
• OAuth application. The record you create in Rise that represents the third-party app and stores its credentials.
• Client ID. The public identifier for your OAuth application.
• Client Secret. The private password for your OAuth application. Keep it confidential.
• Scopes. The specific permissions you grant (for example, read employee directory or read payroll reports).
• Redirect URL. Where Rise sends users back after they approve the connection.
• PKCE (Proof Key for Code Exchange). An extra security step in the OAuth flow that some apps require.
• OAuth endpoints. The Rise URLs the third-party app uses to request and exchange tokens.