General Questions/Issues

What are the hours for API Support?
Our official working hours are Monday - Friday from 8am - 5pm Pacific Time.

How can I get support for any API questions I may have?
Please contact apisupport@procore.com and a Developer Support Engineer will get back to you as soon as possible.

The monthly sandbox is not responding or I am getting an error.
Please contact apisupport@procore.com and we will assist and escalate to our Site Reliability Engineering team if necessary.

I'm unable to login to Procore via any of the web interfaces.
Have you recently changed your password? Do you have access to Procore via an account? If not, please contact apisupport@procore.com for assistance.

I’m looking for an endpoint or piece of information and can’t find it in the reference docs. What should I do?
Please email apisupport@procore.com and we will assist you as soon as we can.

Development Environments

What time does the monthly sandbox restore?
5:00am UTC on the 2nd day of each month.

Why did the restore time recently change?
The restore time is still 5:00am UTC, but keep in mind that when you convert to local time you must take into account the recent shift to Daylight Saving Time (DST).


My access token isn’t working. Why not?
Please ensure that you are passing in your access token under the “Authorization” header in the format “Bearer <token>”. If it has been at least 2 hours since you received your access token, make sure you have refreshed your token before passing it in. If you have followed the previous instructions and are still having issues authenticating, please contact us at apisupport@procore.com and we will be happy to help.

My refresh token is not working, or it says it is invalid. Why is that?
There are a number of reasons why this might be the case. First, keep in mind that refresh tokens are for one-time use only. For security reasons, any call to refresh an access token, successful or not, permanently invalidates the current refresh token. Therefore, if your application erroneously makes a "double-call", or does not properly store the returned access & refresh tokens, you will need to re-authenticate the user and retrieve all new tokens using the application's proper OAuth flow. Also, keep in mind that if you use the Revoke Token endpoint to revoke your access token, your refresh token will also be revoked. Under this scenario, you will need to have your user re-authorize access to your application by calling the Grant App Authorization endpoint. Finally, note that on rare occasions you may experience network issues or other unforseen outages that could cause a call to be made but whose response is lost. In these cases, you would need to regenerate a fresh set of tokens.

How can my installed application go through the OAuth flow without any user interaction?
While our installed application configuration does allow for authentication without any user input, that is after the initial Grant App Authorization step is completed with user input. Once you manually go through that step by logging in and getting an authorization code, you can then programmatically authenticate from that point forward without user intervention.
After the initial App Authorization Grant, you can retrieve a pair of tokens: an access_token and refresh_token. The access_token is used to authenticate (passed in under the Authorization header as Bearer <token>), and it expires after 2 hours. The refresh_token, which corresponds to that access_token, will not expire until it is used to acquire a new pair of tokens. Using those two tokens, you can authenticate endlessly without any user input.
In other words, after getting your first pair of tokens, your program would use the access_token for up to 2 hours, after which that token would expire. After that token expires, the next time your program wanted to access our API it would use the refresh_token received with the now-expired access_token to refresh the access token and get a new pair of tokens. Once it makes that call, your old refresh_token would expire since it has now been used and you would have a new access_token and refresh_token. Then, your program would use that new access_token until it expires, and the cycle would repeat again.

IP Whitelisting

Does Procore publish a list of IP addresses for whitelisting purposes?
Some app developers have inquired about which IP addresses Procore API requests are coming from in order to open up specific ports in a firewall. However, due to the fluid nature of our architecture, we do not have a set range of IPs that API requests consistently originate from. As a result, Procore does not publish a list of IP addresses for whitelisting purposes because the pool of IP addresses we use can change frequently. If you are interested in confirming the origin of requests coming to your server, each HTTP request contains a cryptographic signature header which can be used to validate that the request is legitimately from Procore. If your internal network environment requires whitelisted IPs in order to allow access, we suggest hosting a server outside your network (e.g. in a network DMZ) to proxy requests from Procore into the internal network.


What is JavaScript Object Notation (JSON)?
Please see http://json.org/.

I'm new to JSON, how do I know if my JSON is formatted correctly?
Try out this free JSON formatter/validator: https://jsonformatter.curiousconcept.com/.

Is there a design standard regarding listing an object's attributes in the JSON response?
In general, an object will have an unordered set of name/value pairs. However, we don't actively enforce lack of order when constructing our endpoints, so sometimes you will see ordered lists, either lexically or otherwise. In particular, List Work Order Contracts happens to be ordered alphabetically. This is not something you should expect for other endpoints, new or existing. And, you should not depend on lexical order for the List Work Order Contracts as this may change in the future when we add additional response attributes as a change to the ordering is not considered breaking.


What happened to the API explorer I used in the Developer Portal for testing Procore's API?
We currently do not provide a 'built-in' API Explorer in our Developer Portal. One application we highly recommend is Postman. This app allows you to run and test Procore API endpoints. This is the tool Developer Support uses as well as our own in-house developers. See our guide to exploring our API with Postman for additional information.

.NET Development

How do I parse JSON without the JSON.NET library?
Please see this helpful Stack Overflow article. For additional information on the JSON framework for .NET see http://www.newtonsoft.com/json.


What does a Deprecation Warning mean?
You may see some Deprecation Warnings on some of our endpoints. What this means is that we will no longer add additional functionality to them and will instead provide you with newer endpoints in a future release.

Cross-Origin Resource Sharing (CORS)

Does the Procore API support Cross-Origin Resource Sharing (CORS)?
Yes, assuming your users are accessing your application using a modern browser version. In order to take advantage of CORS, you must first register your domain with our Developer Support team by contacting them at apisupport@procore.com.

When trying to send a request from my client-side application, I’m getting an error like this: “XMLHttpRequest cannot load [URL]. No 'Access-Control-Allow-Origin' header is present on the requested Resource.” Why is this happening?
For CORS requests from client-side apps, you will need to have your origin domain whitelisted for your app. To do that, please contact apisupport@procore.com and provide the domain you wish to have whitelisted. If you are having trouble with authentication using your client-side app, please consult our OAuth 2.0 Using Implicit Grant article for more information.

Frequently Requested API Functionality

This is just a short list of frequently requested functionality of our API. We would love to hear your feedback regarding these requests. Feel free to send feedback to our UserVoice Forum.

How do I get notified of changes to specific objects?
Our Webhooks feature allows you to establish a system through which you can receive notifications for changes that occur to specific resources. Please visit our Introduction to Webhooks and Using the Webhooks API articles on the Developer Portal for additional information.

How do I enable tabs via Procore's API?
This feature is not yet available via the API, but it is possible to create projects with tabs enabled by using Project Templates. For more information about configuring Project Templates, please consult the Configure a Project Template support article and the reference documentation for the Create Project API endpoint (note the “project_template_id” parameter).