HCSS uses multiple mechanisms to ensure the safety of data.


All HCSS APIs communicate using HTTPS only.  This means that data is encrypted on the way to our servers, and on the way back.  This protects against eavesdropping and tampering with the data as it is in-flight.  We also use HTTP Strict Transport Security (HSTS) to ensure that all communications are encrypted.

OAuth + Token Rotation

HCSS APIs are secured using OAuth 2.0, the industry-standard protocol for authorization.  All API requests require an OAuth bearer token, which identifies the application making the request.  These tokens expire in a maximum of one-hour, which limits the likelihood and severity of compromised tokens.  After the token expires, simply request a new one, and you can continue making API calls.

Read-only scopes

If your application is simply exporting data from HCSS, we grant read-only access.  If your access token is compromised, it will not be possible to mutate data in any way.  We also apply this "principle-of-least-privilege" to API access.  For example, if your application only needs HeavyJob data, it will not be able to access the Safety API.