The public surface
First Six is not a general-purpose API product. The integration surface is small and purposeful: get your people in, and let them sign in. Everything else is handled inside the apps over a row-level-security-protected database, not a public REST API.
What's exposed
| Surface | Direction | Auth | Purpose |
|---|---|---|---|
| OIDC SSO | inbound login | your IdP + PKCE | Authenticate users against your IdP |
| SIS sync | inbound push | bearer shared secret | Provision and update the roster |
That is the supported integration surface today. There is no broad public REST API for reading arbitrary records, and there are no outbound webhooks yet.
Authentication models
There are two, and they are deliberately different:
- User endpoints are authorized by an HttpOnly session cookie minted at SSO login. The browser never holds a readable token; calls are proxied server-side and every read is constrained by row-level security.
- Machine endpoints (SIS sync) are authorized by a bearer shared secret and run with elevated privileges server-side. They check the secret before anything else, so they never depend on a user session.
Rate limits
Machine endpoints are rate-limited per IP. SIS sync allows 20 requests per minute; when that limit is exceeded, the 429 response carries a Retry-After header. Build retry-with-backoff that honours it into any automated caller.
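The retry-with-backoff the page asks of automated callers, as an added example (not First Six code) in Python: the SIS sync endpoint URL is a hypothetical placeholder, the HTTP transport is injected so the block runs offline against a constructed fake, and the Retry-After handling covers only the delta-seconds form.

```python
# Added example, not First Six code: an automated SIS sync caller that sends the
# bearer shared secret and retries with backoff, honouring Retry-After on a 429.
import random
import time
from dataclasses import dataclass
from typing import Callable

SIS_SYNC_URL = "https://first-six.example.invalid/sis/sync"  # hypothetical placeholder; the page gives no URL

@dataclass
class Response:          # minimal stand-in for whatever HTTP client you use
    status: int
    headers: dict

def retry_delay(resp: Response, attempt: int, base: float = 1.0, cap: float = 60.0) -> float:
    """Retry-After wins when present; otherwise capped exponential backoff with jitter."""
    retry_after = resp.headers.get("Retry-After")
    if retry_after is not None and retry_after.strip().isdigit():
        return float(retry_after)          # delta-seconds form; HTTP-date form not handled
    return min(cap, base * 2 ** attempt) * random.uniform(0.5, 1.0)

def sync_with_retry(send: Callable[[str, dict, bytes], Response], payload: bytes,
                    secret: str, max_attempts: int = 5,
                    sleep: Callable[[float], None] = time.sleep) -> Response:
    """Only 429 and 5xx are retried; 401/403 (wrong secret) or other 4xx return at once."""
    headers = {"Authorization": f"Bearer {secret}", "Content-Type": "application/json"}
    for attempt in range(max_attempts):
        resp = send(SIS_SYNC_URL, headers, payload)
        retryable = resp.status == 429 or 500 <= resp.status < 600
        if not retryable or attempt == max_attempts - 1:
            return resp
        sleep(retry_delay(resp, attempt))
    raise ValueError("max_attempts must be at least 1")

def make_fake_transport(statuses: list) -> Callable:
    """Constructed offline stand-in for the network: replays the scripted statuses
    (last one repeats) and records each Authorization header it receives."""
    seen = []
    def send(url: str, headers: dict, body: bytes) -> Response:
        seen.append(headers.get("Authorization"))
        status = statuses[min(len(seen), len(statuses)) - 1]
        return Response(status, {"Retry-After": "3"} if status == 429 else {})
    send.seen = seen
    return send

if __name__ == "__main__":
    waits = []
    fake = make_fake_transport([429, 429, 200])   # throttled twice, then accepted
    final = sync_with_retry(fake, b'{"students": []}', "demo-secret", sleep=waits.append)
    print(final.status, len(fake.seen), waits)   # 200 3 [3.0, 3.0]
```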
Reading data out
Because there is no public read API, getting bulk data out today means either the in-console CSV exports (for staff) or a scheduled export we set up with you. If a programmatic read or event feed is on your roadmap, tell us the shape you need so we can prioritise it correctly.
The fastest answer is usually one question away.