Salstead REST API
Programmatic access to shifts, timesheets, residents, and workers in your care home.
Authentication
All API requests must include a Bearer token in the Authorization header. Generate API keys in Settings > API Keys. Keys follow the format hep_live_XXXX_YYYYYYYYYYYYYYYY and are shown only once at creation.
curl https://app.salstead.com/api/v1/shifts \ -H "Authorization: Bearer hep_live_XXXX_YYYYYYYYYYYYYYYY"
Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /api/v1 | API metadata |
| GET | /api/v1/shifts | List shifts |
| POST | /api/v1/shifts | Create shift |
| GET | /api/v1/shifts/{id} | Get shift by id |
| PATCH | /api/v1/shifts/{id} | Update shift |
| GET | /api/v1/timesheets | List timesheets |
| GET | /api/v1/residents | List residents |
| GET | /api/v1/workers | List workers |
List endpoints support ?limit=N (max 100, default 50) and ?offset=N query parameters. Responses include a pagination object with total, limit, and offset.
Webhooks
Configure webhook endpoints in Settings > Webhooks. Each delivery is POSTed with header X-HEP-Signature: sha256=<hmac> derived from your webhook secret using HMAC-SHA-256 over the raw JSON body.
Available events
shift.createdshift.filledshift.cancelledtimesheet.submittedtimesheet.approvedtimesheet.disputedcompliance.expiredcompliance.verifiedincident.createdincident.resolvedinvoice.issuedinvoice.paidExample: Create a shift
curl -X POST https://app.salstead.com/api/v1/shifts \
-H "Authorization: Bearer hep_live_XXXX_YYYYYYYYYYYYYYYY" \
-H "Content-Type: application/json" \
-d '{
"site_id": "00000000-0000-0000-0000-000000000000",
"role": "Carer",
"date": "2026-06-01",
"start_time": "07:00",
"end_time": "15:00",
"hourly_rate": 14.50
}'Errors
401— Invalid or missing API key404— Resource not found or not accessible400— Validation error (response body haserror)503— API not configured on the server