Your first call in 5 minutes
By the end of this guide you will have made a real authenticated call against the development environment with a test key, without touching production data.
Development base URL: https://api.dev.kinmu.app/v1 · Production: https://api.kinmu.app/v1.
Test keys (kinmu_sk_test_…) operate against a sandbox company with synthetic data.
Enable the Public API addon
In my.kinmu.app → Extensions, enable the Public API addon. When enabled, a sandbox company is provisioned automatically (5 demo employees with sample check-ins and absences) for your test keys.
Only a global_admin or company_manager can enable it.
Create an API key
Go to Developers → API keys → Create key. Choose:
- A descriptive name (e.g.
quickstart). - The scopes you need. For this quickstart it’s enough for the key to be able to read the organization (the organization scope is implicit).
- Mark it as a test key to work against the sandbox.
The key is shown only once. Copy it and store it somewhere safe:
kinmu_sk_test_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxYou won’t be able to see the full key again. If you lose it, revoke it and create another.
Export the key in your terminal
export KINMU_API_KEY="kinmu_sk_test_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
export KINMU_BASE_URL="https://api.dev.kinmu.app/v1"Make your first call: GET /v1/organization
This endpoint returns the company resolved from your credential, the key’s data and your current limits. It’s the canonical way to check that everything works.
curl
curl -s "$KINMU_BASE_URL/organization" \
-H "Authorization: Bearer $KINMU_API_KEY" \
-H "Accept: application/json"Read the response
{
"id": "a1b2c3d4-0000-0000-0000-000000000000",
"name": "Sandbox Company",
"country": "ES",
"active_employees": 5,
"key": {
"name": "quickstart",
"scopes": ["org:empleados:read"],
"expires_at": null
},
"limits": {
"rate_per_minute": 30,
"monthly_quota": 5000,
"monthly_used": 1
},
"sandbox": true
}"sandbox": true confirms the call ran against the test company. First call done.
What now?
- Authenticate properly: review scopes, rotation and best practices.
- Understand the contract: pagination, errors, idempotency and limits.
- Integrate your use case: payroll, access control or BI.
- Explore all endpoints in the interactive reference.
A 401? Check the Authorization: Bearer … header and that the key is not revoked or expired. A 403 invalid_scope? The key is missing a scope. A 429? You exceeded the per-minute limit; wait the number of seconds indicated by Retry-After.