Register your application in the Gusto developer portal to obtain a client_id and client_secret
Obtain a system access token by calling POST /oauth/token with the client credentials flow; the token is valid for two hours
Use the system access token to create a new partner-managed company: POST /v1/partner_managed_companies with the company's legal name, EIN, and trade name
Capture the company UUID and the company-level access token returned in the response; store both securely
Use company-level access tokens for all subsequent company-specific API calls (employees, payroll, etc.)
Refresh system access tokens before two-hour expiry; company access tokens are obtained via OAuth for each employer
Known gotchas
As of API version v2024-04-01, partner API tokens are deprecated in favor of system access tokens — do not use the legacy partner token pattern for new integrations
System access tokens allow multiple active tokens simultaneously; company access tokens should be stored per company and refreshed via the standard OAuth flow
Creating a company via the API provisions a sandbox company by default; confirm environment headers are correct before creating production companies
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp