Authentication and API keys

Learn how to authenticate requests to the Timerise GraphQL API using the login mutation or static API keys.

Updated March 1, 2026

Tags: api, authentication, api-keys, security

Authentication methods

Timerise supports two authentication methods depending on your plan.

Method 1: Login mutation (all plans)

The primary authentication method is the login mutation. You exchange your email and password for a session token, then use that token as a Bearer token for subsequent API calls.

Step 1: Call the login mutation

cURL example:

curl -X POST \
  -H "Content-Type: application/json" \
  --data '{"query":"mutation { login(email: \"YOUR_EMAIL\", password: \"YOUR_PASSWORD\") }"}' \
  https://api.timerise.io/v1

Apollo Client example:

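import { gql } from '@apollo/client';

// `client` is assumed to be an ApolloClient instance pointed at https://api.timerise.io/v1
const LOGIN_MUTATION = gql`
  mutation Login($email: String!, $password: String!) {
    login(email: $email, password: $password)
  }
`;

// Credentials are passed as GraphQL variables, not interpolated into the query text
const { data } = await client.mutate({
  mutation: LOGIN_MUTATION,
  variables: { email: 'YOUR_EMAIL', password: 'YOUR_PASSWORD' },
});

// The login mutation returns the session token directly
const token = data.login;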

Step 2: Use the token for API calls

Pass the returned token as a Bearer token in the Authorization header of every subsequent request:

Authorization: Bearer YOUR_TOKEN

cURL example:

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  --data '{"query":"{ me { userId fullName email role } }"}' \
  https://api.timerise.io/v1

Method 2: Static API key (Company and Enterprise plans only)

On Company and Enterprise plans, Timerise can provide a static API key. This eliminates the need for session-based authentication and is ideal for server-to-server integrations or systems where managing user sessions is not practical.

Pass the static API key as a Bearer token in the same way as a session token:

Authorization: Bearer YOUR_STATIC_API_KEY

To request a static API key, contact sales@timerise.io.

Useful queries

me — get current user

{ me { userId fullName email role } }

teamMember — get a specific member

{ teamMember(projectId: "YOUR_PROJECT_ID", userId: "USER_ID") { userId fullName role } }

Security best practices

  • Never commit tokens or API keys to source control
  • Use environment variables to inject credentials into your application
  • Rotate static API keys periodically
  • Revoke keys or sessions that are no longer in use
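
The following added example (not Timerise's own code) applies the environment-variable practice to both authentication methods: it uses a static API key if one is set, otherwise it logs in with credentials sent as GraphQL variables, then calls the me query. The TIMERISE_* variable names and the helper function names are assumptions made for this example.

```javascript
// Added example: the TIMERISE_* env var names are assumptions, not Timerise-defined.
const ENDPOINT = 'https://api.timerise.io/v1';

const LOGIN_MUTATION = `
  mutation Login($email: String!, $password: String!) {
    login(email: $email, password: $password)
  }`;

// Build the login request body. Credentials travel as GraphQL variables,
// so quotes or backslashes in a password cannot alter the query text.
function buildLoginBody(email, password) {
  return JSON.stringify({ query: LOGIN_MUTATION, variables: { email, password } });
}

// POST a GraphQL document. fetchImpl is injectable so the flow can be tested offline.
async function graphql(fetchImpl, body, token) {
  const headers = { 'Content-Type': 'application/json' };
  if (token) headers.Authorization = `Bearer ${token}`;
  const res = await fetchImpl(ENDPOINT, { method: 'POST', headers, body });
  const json = await res.json();
  // Keep the error generic so request bodies and tokens never reach logs.
  if (json.errors) throw new Error('GraphQL request failed');
  return json.data;
}

// Resolve a bearer token from the environment: a static API key if one is set,
// otherwise a session token obtained through the login mutation.
async function resolveToken(env, fetchImpl = fetch) {
  if (env.TIMERISE_API_KEY) return env.TIMERISE_API_KEY;
  const { TIMERISE_EMAIL: email, TIMERISE_PASSWORD: password } = env;
  if (!email || !password) {
    throw new Error('Set TIMERISE_API_KEY or TIMERISE_EMAIL and TIMERISE_PASSWORD');
  }
  const data = await graphql(fetchImpl, buildLoginBody(email, password));
  return data.login;
}

// Query the current user with whichever token was resolved.
async function whoAmI(env, fetchImpl = fetch) {
  const token = await resolveToken(env, fetchImpl);
  const body = JSON.stringify({ query: '{ me { userId fullName email role } }' });
  return (await graphql(fetchImpl, body, token)).me;
}
```

In an application, call whoAmI(process.env) so that no credential appears in source files or on a command line.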
