Workplace access links explained

Every invoice and booking email Sessional sends on your behalf carries a secure 30-day link, so a workplace can view detail, confirm payment, or flag a problem without ever creating an account.

What a workplace access link is

When you send an invoice or a booking confirmation through Sessional, the email that lands in the workplace inbox carries a secure link back to a Sessional-hosted page. The finance officer, the roster coordinator, or whoever you addressed it to clicks through and sees the detail laid out clearly: who the invoice is from, the total in Australian dollars, the line items, and any note you attached. There is no sign-up, no password, and no Sessional account to create. The link itself is the key.

Invoice links live at /w/inv/<token> and booking links at /w/bkg/<token>. The token is a long, signed string that only Sessional can produce, and it expires 30 days after the email is sent. These pages are marked no-index, so they never show up in a search engine even if a link is forwarded on.

Note

This is the same idea as your compliance passport: a no-account, time-limited link a workplace opens to see exactly what you have chosen to share, and nothing else about your Sessional account.

What a workplace can do from the link

From an invoice link the recipient can:

  • View the invoice in full: invoice number, issue and due dates, line items, the total due, your payment reference, and any note you left.
  • Mark paid: tell you the money has been sent or is scheduled, with an optional reference or note (for example, the date and bank reference they used).
  • Raise a dispute: explain in a few sentences what is wrong, for example a wrong amount or a session that was not worked.

From a booking link the recipient gets a read-only view plus one action:

  • View the booking: date, start and end times (Sydney time), the agreed rate, and your site notes.
  • Acknowledge the confirmation, so you have a record the workplace saw and accepted the booking detail.
  • Raise a dispute: most often used to say “we did not book this” before the shift happens, while there is still time to sort it out.

A booking link is deliberately not a payment surface. Money only moves once you raise the invoice after the shift, and that invoice email carries its own link with the Mark paid action.

How “Mark paid” really works

Important

A workplace pressing Mark paid does not flip your invoice to PAID. It records a claim. You check your bank, then confirm receipt (the invoice becomes PAID) or dismiss the claim (chasers resume). You stay the single source of truth for your own books.

The reason for the two-step is practical. Workplaces are not Sessional users, and a busy finance team can pay the wrong invoice, the wrong amount, or reference the wrong job. If a click silently marked the invoice PAID, it could quietly distort your earnings record, your GST position, and your tax reserve. So the claim is just a signal: the workplace tells you what they have done, and you decide what is true.

When a workplace submits a claim, you get a notification in your in-app inbox and a row appears in the “Needs your attention” area of your dashboard. From there you check your bank and either confirm the payment, which moves the invoice to PAID on both sides, or dismiss it, which clears the claim and lets auto-chasers pick up again. The action is idempotent: if a coordinator double-clicks, refreshes, or opens the link in two tabs, only one claim and one notification are recorded.

How disputes work

When a workplace raises a dispute on an invoice, three things happen:

  • An open dispute record is created against that invoice, with the reason they typed (between 5 and 500 characters).
  • The invoice moves to DISPUTED, which pauses the auto-chaser schedule so no automated reminder emails go out while the dispute is open.
  • You receive an in-app notification, visible in your inbox and on the dashboard attention row.

Only one dispute is open at a time per invoice. If the workplace submits again, the existing record is updated rather than a second one being created, so your inbox does not fill with duplicates. You resolve the dispute from your invoice list: adjust and re-issue if they were right, or move the invoice back to its chasable state if they were not, at which point reminders resume.
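The claim and dispute rules above, modelled as a small state machine. This is an added illustration, not Sessional's code: the class, its method names, the "SENT" status name and the refusal to dispute a PAID invoice are assumptions; the PAID and DISPUTED states, the 5 to 500 character limit and the one-claim, one-dispute behaviour come from the text.

```python
class Invoice:
    def __init__(self, number):
        self.number = number
        self.status = "SENT"      # assumed name for the chasable state
        self.claim = None         # at most one pending paid-claim
        self.dispute = None       # at most one open dispute
        self.notifications = []   # stands in for the locum's in-app inbox

    def chasers_active(self):
        return self.status == "SENT" and self.claim is None

    # Actions reachable from the emailed link (untrusted caller).
    def mark_paid(self, reference=""):
        if self.status == "PAID" or self.claim is not None:
            return self.claim                 # repeat click: nothing new recorded
        self.claim = {"reference": reference}
        self.notifications.append("paid-claim")
        return self.claim                     # status is deliberately untouched

    def raise_dispute(self, reason):
        reason = reason.strip()
        if not 5 <= len(reason) <= 500:
            raise ValueError("reason must be 5 to 500 characters")
        if self.status == "PAID":             # assumption: settled invoices stay put
            raise ValueError("invoice already settled")
        if self.dispute is not None:
            self.dispute["reason"] = reason   # update, never a second record
            return self.dispute
        self.dispute = {"reason": reason}
        self.status = "DISPUTED"              # pauses the chaser schedule
        self.notifications.append("dispute")
        return self.dispute

    # Actions reachable only from the locum's own dashboard.
    def confirm_receipt(self):
        if self.claim is None:
            raise ValueError("no claim to confirm")
        self.status, self.claim = "PAID", None

    def dismiss_claim(self):
        self.claim = None                     # chasers resume if still SENT
```

Nothing the link holder can call ever writes PAID; only `confirm_receipt`, on the locum's side, does.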

Booking disputes work the same way on the workplace side, but a booking has no money attached and no disputed status to flip, so raising one simply creates the record and notifies you. The point is to catch a problem early, before the shift, so you can cancel or correct it. See booking messaging for the back-and-forth that often resolves these before they become a formal dispute.

Revoking a link

You control every link you send. If you addressed an invoice to the wrong email, or a finance contact has left the workplace, you can revoke that single link from your dashboard. Once revoked, anyone opening the old URL sees a “this link was withdrawn” page and the underlying actions stop working, returning a clear gone response rather than exposing any detail. Revocation is specific to that one invoice or booking; it never affects your other links or your account.

The full invoice detail is also in the body of the email itself, so revoking a link does not strip a workplace of the information they need. The link is a convenience layer on top, not the only copy.

Why the link is safe to send

Each link is signed with HMAC-SHA256 using a secret held only on Sessional’s servers. The signature covers the invoice or booking it points to and a fixed 30-day expiry, so a recipient cannot tamper with either or forge a link to someone else’s invoice. The actions exposed by a link, Mark paid and Raise dispute, are scoped to that one entity. A link reveals nothing else about you, your other clients, or your earnings.
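A sketch of how a link of this kind can be minted and checked, covering the signature, the 30-day expiry, the invoice/booking scope and revocation. It is an added example, not Sessional's implementation: the token layout (`payload.mac`, fields joined by `|`), the key, the `REVOKED` set and all function names are assumptions, and entity ids are assumed not to contain `|`.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: key held only server-side
TTL_SECONDS = 30 * 24 * 60 * 60      # the fixed 30-day expiry
REVOKED = set()                      # assumption: (kind, id) pairs, server-side


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(kind, entity_id, sent_at):
    """Return '<payload>.<mac>'; the MAC covers kind, entity id and expiry."""
    payload = f"{kind}|{entity_id}|{sent_at + TTL_SECONDS}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(mac)}"


def verify(token, expected_kind, now):
    """Return (status, entity_id); status is ok, invalid, expired or revoked."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = b64d(payload_b64), b64d(mac_b64)
    except ValueError:               # wrong shape or bad base64
        return "invalid", None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    # Constant-time comparison; no field is parsed until the MAC checks out.
    if not hmac.compare_digest(mac, expected):
        return "invalid", None
    kind, entity_id, expires = payload.decode().split("|")
    if kind != expected_kind:        # an invoice token must not open /w/bkg/
        return "invalid", None
    if (kind, entity_id) in REVOKED:
        return "revoked", None
    if now >= int(expires):
        return "expired", None
    return "ok", entity_id
```

Because the expiry sits inside the signed payload, editing it or the entity id invalidates the MAC; revocation, by contrast, has to be server-side state, since a signature alone cannot be withdrawn.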

The action endpoints are rate limited per link and per source, so a forwarded URL cannot be used to spam claims or disputes. Because the link is the key, treat it like one: it is meant for the inbox you addressed, and the on-page guidance asks workplaces not to share it publicly. Workplace access links are available to every Sessional locum on every plan, including Free.

Tip

Sessional records who marked paid or disputed, and when, in an audit trail. If a workplace later questions a claim, you have a timestamped record to refer back to. Note that Sessional does not verify the payment itself and does not give tax or financial advice: confirming the money against your bank is always your call.

Frequently asked questions

How long does a workplace access link last?

Thirty days from the moment the email is sent. After that the recipient sees an expired page asking them to request a fresh copy. You can re-send the invoice or booking at any time to generate a new link.

Does the workplace need a Sessional account to use the link?

No. They click straight through from the email that arrived at their address. There is no sign-up, password, or login on the workplace side. The signed link in the URL is what grants access, and the actions are scoped to that single invoice or booking.

If a workplace marks an invoice paid, does it become paid automatically?

No. Marking paid records a claim only. You check the money has actually arrived in your bank, then confirm receipt to move the invoice to PAID, or dismiss the claim so auto-chasers resume. This keeps your earnings and GST records accurate and under your control.

What happens to auto-chasers when a workplace disputes an invoice?

The invoice moves to a disputed state and the automated reminder schedule pauses, so no chaser emails go out while the dispute is open. You get an in-app notification, resolve the dispute from your invoice list, and reminders only resume once you put the invoice back into a chasable state.

Can I cancel a link I have already sent?

Yes. Revoke that individual link from your dashboard and anyone opening the old URL sees a withdrawal notice instead of the detail. Revocation affects only that one invoice or booking, never your other links or your account.

Is the link safe if the workplace forwards it on?

The link is single-recipient by design and the page is no-index, so it never appears in search. Anyone holding it could view that one invoice and raise a dispute, but nothing else about your account is reachable, and the action endpoints are rate limited to prevent abuse.
