Who can do this
Section titled “Who can do this”Company Owners and Company Admins on the Elite plan.
What is available
Section titled “What is available”API v1.0 gives you access to:
- Clients — list, filter, and create clients
- Contacts — list and create contact persons linked to clients
- Client groups — read client group structures
- Client fields — access custom field definitions and values for clients
- Tasks — list and filter tasks
- Task fields — access custom field definitions and values for tasks
- Time entries — query tracked time data
- Members — list team members
- Member groups — read member group structures
- Invoices — query invoice data
- Contracts — query contract data
- Products — list products
- Product fields — access custom field definitions and values for products
- Invoice sellers — read invoice seller profiles
- Topics — list task topics
- Webhooks — subscribe to real-time event notifications
All endpoints follow standard REST conventions and return JSON. v1.0 is mostly a reading API: only clients, contacts, tasks, and webhook subscriptions can be created, nothing can be updated, and the only thing you can delete is a webhook subscription (to unsubscribe). If you need to write back to Uku, use API v3.
Common use cases
Section titled “Common use cases”- Business Intelligence (BI) — pull tasks, time entries, contracts, and invoices into your BI or analytics platform to analyse client, employee, service, or topic profitability and plan capacity.
- Custom integrations — connect Uku to internal tools or to accounting software not yet covered by Uku’s built-in integrations.
- Custom dashboards — power internal team dashboards with live Uku data.
- Data export pipelines — schedule regular extracts to a data warehouse.
How to enable the Public API
Section titled “How to enable the Public API”- Go to Settings & Apps.
- Find Public API in the app list (Elite features section).
- Open the app and activate it for your company.
Generating and managing API keys
Section titled “Generating and managing API keys”- Open the Public API app and go to the (old) API tab.
- Enter a Name for your API key pair (for example, “Reporting tool” or “Zapier integration”).
- Click Generate new API KEY.
- Your new API key and API secret appear in the table. Use the copy button to copy each value.
You can create multiple API key pairs for different integrations. Delete a key pair by clicking the trash icon in the table — this immediately revokes access for any integration using those credentials.
Getting started
Section titled “Getting started”Step 1: Authenticate
Section titled “Step 1: Authenticate”Send a POST request to the login endpoint with your API key and secret:
POST https://app.getuku.com/api/v1.0/loginContent-Type: application/json
{ "api_key": "your-api-key", "api_secret": "your-api-secret"}The response contains a JWT token:
{ "data": { "token": "eyJhbGciOiJIUzI1NiIs..." }}Step 2: Use the token
Section titled “Step 2: Use the token”Include the token in the Authorization header for all subsequent requests:
GET https://app.getuku.com/api/v1.0/clientsAuthorization: Bearer eyJhbGciOiJIUzI1NiIs...Step 3: Explore the documentation
Section titled “Step 3: Explore the documentation”The interactive API documentation is available at app.getuku.com/docs/sandbox/. You can test endpoints, see request and response schemas, and try queries directly from your browser. Note that the webhook subscription endpoint is not listed there — it exists, but the sandbox doesn’t document it.
Token expiration
Section titled “Token expiration”JWT tokens expire after 10 minutes. When a token expires, authenticate again to get a new one. Design your integration to handle re-authentication automatically.
Security considerations
Section titled “Security considerations”- Keep your API secret confidential. Treat it like a password. Never commit it to version control or share it in plain text.
- Use separate key pairs for different integrations. If one is compromised, revoke its key without affecting others.
- Tokens are short-lived. The 10-minute expiration window limits exposure if a token is intercepted.
- Delete unused keys. If you decommission an integration, remove its API key pair immediately.
- All requests require HTTPS. The API base URL uses TLS encryption. Never send credentials or tokens over plain HTTP.
- API access is scoped to your company. Each key pair is tied to a specific company — you can only access data that belongs to your company.