Whatever happened to onBehalfOf?

API functions that use user authentication support an onBehalfOf parameter. The idea behind onBehalfOf is that the caller authenticates using privileged credentials (corresponding to a Talent Suite user account with the Switch User permission), and specifies the ID of the user on whose behalf the call will actually be executed. Thus an application such as a portal can make API calls on behalf of an end user without having to obtain that user’s credentials.

onBehalfOf has limitations, however. For one thing, it can only be used by applications that are capable of keeping the privileged credentials secret, which in practice typically means applications that run on a server. It also requires a high degree of trust in the application, since an application with privileged credentials can make API calls on behalf of any user, without explicit authorization from the user.

As of version 10.0, Talent Suite supports OAuth. OAuth provides a Web-based flow through which an application can request an access token, which it can then use to make API calls on behalf of the end user. OAuth eliminates the need for privileged credentials, and provides more control over how authorization is granted. We recommend using OAuth for new development.

Since OAuth eliminates the need for onBehalfOf, we no longer show the corresponding form fields by default in the API explorer. However, we recognize that these fields can sometimes be useful for testing purposes. If you want to see these fields in the API explorer, simply append an onBehalfOf query string parameter to the API explorer URL, i.e. api/?onBehalfOf=. Moreover, if you specify a non-empty value for the parameter, e.g. api/?onBehalfOf=lucy, then that value will be used as the default value for the onBehalfOf fields.