Why integrate?

Often, you may want to pull data from Fyle or push data into it. Here are a few use-cases:

  • You want to backup your company’s Fyle data in your own storage on a daily basis

  • You want to push expenses, advances and other information into your accounting or ERP system

  • You want to update employee information from your HRMS/HRIS system to Fyle so that new joinees get a Fyle account provisioned automatically and any critical HR information is updated automatically in Fyle

  • You want to update the list of projects or cost centers from your ERP system to Fyle

  • You are a travel provider and want to offer an easy way to push booking and expense information to Fyle

  • You want to create custom dashboards or perform custom analytics that are not offered by Fyle

Types of integration

There are two kinds of integrations you can build. The primary difference between them is how you can authorize the application to access your data.

  • Internal: These are custom to your organization and will not be used by any others. You don’t need to build an OAuth flow - you can simply take a few critical credentials and attach them to every request.

Subsequent to authorization, the rest of the steps for the application are similar.

Never share your client secret or refresh token with anyone - this can be used to access your entire organization’s data.

High-Level Steps

Steps for integration

Create an Application

The first step in creating an integration is to create your application on Fyle and get the credentials. As an Admin, click on the gear icon in the top right corner of the web app, on the left-hand side of your name.

Go to Admin Settings > Integrations > Custom Apps in the left navigation pane.

You will then be redirected to the Create Application page. You can choose Internal or OAuth 2 based on your requirement. Detailed explanations of when to select each of these app types are provided in the next sections.

Internal Applications

These applications are to be used only by the organization and are highly customised.


When we click on Save the following screen will pop up:

Client Secret id for Internal app


  • Please copy the Client Secret on this screen as you won’t be able to access this later on.

  • Refresh Token and Client Id will be available later on too.

OAuth 2.0 Applications

These applications are for public use by multiple organizations. They are usually chosen when building integrations that can be used by any Fyle user, irrespective of the organization.


You can provide us with all the redirect URIs that you want Fyle to allow in OAuth 2. After clicking on ‘save’ you will be able to copy the Client Id and Client Secret.

Authorize access to Fyle

Base URL

The base URL for all the requests will be -

$base_url = https://accounts.fylehq.com

Internal app

For internal apps, you will get the refresh token, client id and client secret. You can get the access token using an HTTP POST to the token URL. This returns a new access token.

POST $base_url/api/oauth/token

The body will have the following data:

  • grant_type should be the literal string 'refresh_token'

  • refresh_token = <Your refresh token>

  • client_id = <Your Client Id>

  • client_secret = <Your Client Secret>

This will return the access token which has to be attached to the header of every API call.

curl -X POST \
  "$base_url/api/oauth/token" \
  -H 'Content-Type: application/json' \
  -d '{
  "client_id": "<your_client_id>",
  "client_secret": "<your_client_secret>",
  "grant_type": "refresh_token",
  "refresh_token": "<your_refresh_token>"
}'

Response:  {"access_token": "<your_access_token>"}

The access token is valid for one hour. Every subsequent request should have an Authorization header with an access token.
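The refresh exchange and the one-hour lifetime described above, as an added example (not Fyle's own code or its Python SDK): the secrets are read from the environment rather than hard-coded, and the access token is reused until shortly before it expires. The `FYLE_*` variable names, the five-minute margin and the class and function names are assumptions made for illustration.

```python
import json
import os
import time
import urllib.request

BASE_URL = "https://accounts.fylehq.com"  # $base_url from this page
TOKEN_TTL = 3600       # the page: an access token is valid for one hour
REFRESH_MARGIN = 300   # assumption: renew five minutes before expiry


def http_post_json(url, payload):
    """Default transport: POST a JSON body over HTTPS and decode the JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def creds_from_env(env=os.environ):
    """Load the three secrets from the environment (FYLE_* names are hypothetical)."""
    keys = ("client_id", "client_secret", "refresh_token")
    missing = [k for k in keys if not env.get("FYLE_" + k.upper())]
    if missing:
        raise RuntimeError("missing credentials: " + ", ".join(missing))
    return {k: env["FYLE_" + k.upper()] for k in keys}


class TokenCache:
    """Trades the refresh token for an access token and reuses it until near expiry."""

    def __init__(self, creds, post=http_post_json, clock=time.monotonic):
        self._creds, self._post, self._clock = creds, post, clock
        self._token, self._expires_at = None, 0.0

    def auth_header(self):
        """Return the Authorization header, refreshing the token only when needed."""
        if self._token is None or self._clock() >= self._expires_at:
            body = dict(self._creds, grant_type="refresh_token")
            reply = self._post(BASE_URL + "/api/oauth/token", body)
            self._token = reply["access_token"]
            self._expires_at = self._clock() + TOKEN_TTL - REFRESH_MARGIN
        return {"Authorization": "Bearer " + self._token}

    def __repr__(self):
        # Keep the secrets and the token out of logs and tracebacks.
        return "TokenCache(<redacted>)"
```

Create one `TokenCache(creds_from_env())` per process and pass `auth_header()` to each API call; the `post` and `clock` parameters exist so the logic can be exercised without network access.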

curl -X GET \
  "$base_url/api/tpa/v1/employees" \
  -H 'Authorization: Bearer <your_access_token>'

Response:  [
  {
    "employee_email": "john.doe@example.com",
    "employee_code": "E84122",
    "full_name": "John Doe",
    "joining_date": "2018-10-31",
    "location": "string",
    "level": "string",
    "business_unit": "string",
    "department": "string",
    "sub_department": "string",
    "approver1_email": "approver1@example.com",
    "approver2_email": "approver2@example.com",
    "approver3_email": "approver3@example.com",
    "title": "string",
    "branch_ifsc": "SBIN0116569",
    "branch_account": "string",
    "mobile": "string",
    "delegatee_email": "user@example.com",
    "default_cost_center_name": "string",
    "perdiem_names": [],
    "mileage_rate_labels": [],
    "custom_fields": [
      {
        "custom_field_name": "Gender",
        "custom_field_value": "Male"
      }
    ],
    "disabled": false,
    "org_id": "o12334",
    "org_name": "Ministry of Magic"
  }
]

OAuth 2.0 app

While building a public integration you will need to allow users to use it. This can be done using our authorize URL.


The query parameters that need to be sent along with this URL are:

  • client_id = <Your Client Id>

  • response_type = <Your Response Type> (e.g. code, token)

  • redirect_uri = <Your Redirect URI>

  • State = <Current State of your Application>

When you access this URI, you will be redirected to this page:

Permission access for Fyle account

Clicking on Yes grants the application permission to access the user’s Fyle account and redirects to the redirect URI provided.
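One way to build the authorization request and check the redirect that comes back, as an added example (not Fyle's own code). It assumes the standard OAuth 2.0 behaviour of returning `code` and `state` as query parameters on the redirect and uses the lowercase `state` spelling from RFC 6749; the authorize URL is a placeholder because it is not shown on this page, and the redirect URI and function names are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder: the authorize URL is not shown on this page.
AUTHORIZE_URL = "https://accounts.example.invalid/AUTHORIZE-URL-PLACEHOLDER"
# Constructed value: the redirect URIs you registered for the OAuth 2 app.
REGISTERED_REDIRECTS = {"https://app.example.com/fyle/callback"}


def begin_authorization(session, client_id, redirect_uri):
    """Bind a fresh random state to this user's session and build the URL."""
    if redirect_uri not in REGISTERED_REDIRECTS:
        raise ValueError("redirect_uri is not one of the registered URIs")
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return AUTHORIZE_URL + "?" + query


def handle_callback(session, callback_url):
    """Return the authorization code only if the callback belongs to this session."""
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    params = parse_qs(urlsplit(callback_url).query)
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(received.encode(), expected.encode()):
        raise ValueError("state missing or does not match this session")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]
```

Here `session` is any per-user, server-side mapping; a callback whose state was not issued to that session is rejected before the code is used.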

Business Logic

We provide APIs to help our users to extract data from Fyle and also put data into Fyle. These APIs can be accessed once the Application is created in the web app.

You can find all the details about our APIs and how to use them to integrate Fyle:


Rate limits

We have a limit on the number of requests that can be made per second from a particular IP address while accessing our resources. Currently, we allow only 10 requests/second for an IP address.

Safety Precautions

We have Denial of Service (DoS) attack prevention mechanisms in place to safeguard the system against suspicious use. The DoS prevention limits exposure to request flooding, whether malicious or the result of a misconfigured client, by keeping track of the number of requests per second from a connection. Certain precautions and standards should therefore be maintained while developing integrations to keep them from getting blocked.
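A client-side throttle that keeps an integration under the 10 requests/second limit stated above, as an added example (not Fyle's own code). The class and function names are assumptions; the clock and sleep functions are injectable so the pacing can be checked without waiting.

```python
import collections
import time

MAX_PER_SECOND = 10  # the page: 10 requests/second per IP address


class Throttle:
    """Sliding window: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit=MAX_PER_SECOND, window=1.0,
                 clock=time.monotonic, sleep=time.sleep):
        self._limit, self._window = limit, window
        self._clock, self._sleep = clock, sleep
        self._sent = collections.deque()  # send times inside the current window

    def wait(self):
        """Block until one more request fits the budget; return seconds slept."""
        now = self._clock()
        while self._sent and now - self._sent[0] >= self._window:
            self._sent.popleft()
        delay = 0.0
        if len(self._sent) >= self._limit:
            # Sleep until the oldest request in the window is a full window old.
            delay = self._window - (now - self._sent[0])
            self._sleep(delay)
            now = self._clock()
            self._sent.popleft()
        self._sent.append(now)
        return delay


def send_all(requests, send, throttle):
    """Send each request through `send`, pacing with `throttle`; return replies."""
    replies = []
    for request in requests:
        throttle.wait()
        replies.append(send(request))
    return replies
```

The limit is counted per IP address, so workers that share one egress address share one budget and should share one throttle or split the limit between them.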

Additional Resources


We also have a Python SDK that can be integrated easily with Python projects. Follow this link to read more:

