Encompass User Management API Guide

Summary
API quick reference
Authentication
User object / data model
Core endpoints
Rate limits, pagination, and events
SCIM API status
Common scenarios
Why building this yourself is a trap

Summary and recommendation

The Encompass REST API is versioned at v3 under the base URL `https://api.elliemae.com/encompass/v3` - note the legacy `elliemae.com` domain remains in use despite the ICE Mortgage Technology rebrand.

Authentication uses OAuth 2.0;

server-to-server workflows use the `client_credentials` grant, but several user-management endpoints require either an `authorization_code` token with user context or credentials carrying the `encompass_admin` scope.

The `lp` scope is required as a baseline for general API access.

Pagination uses offset-based `start` / `limit` parameters with a default page size of 25 and a maximum of 200.

Rate limits are enforced but not publicly documented - contact ICE Mortgage Technology support for the limits applicable to your subscription tier before designing retry logic.

API quick reference

Has user API	Yes
Auth method	OAuth 2.0 (client credentials and authorization code flows)
Base URL	Official docs
SCIM available	Yes
SCIM plan required	Enterprise

Authentication

Auth method: OAuth 2.0 (client credentials and authorization code flows)

Setup steps

Register an application in the Encompass Developer Connect portal (developer.icemortgage.com).
Obtain a Client ID and Client Secret for your registered application.
Request an access token via POST to https://api.elliemae.com/oauth2/v1/token using client_credentials grant (for server-to-server) or authorization_code grant (for user-delegated access).
Include the Bearer token in the Authorization header for all API requests.
Ensure the Encompass instance has API access enabled by the administrator.

Required scopes

Scope	Description	Required for
lp	Loan Pipeline scope; required for loan-level operations.	General API access baseline
encompass_admin	Administrative scope granting access to user management and system configuration endpoints.	Creating, updating, and deleting users

User object / data model

Field	Type	Description	On create	On update	Notes
id	string	Unique identifier for the user within Encompass.	system-assigned	immutable	Used as path parameter in user-specific endpoints.
loginId	string	The user's login username.	required	optional	Must be unique within the Encompass instance.
firstName	string	User's first name.	required	optional
lastName	string	User's last name.	required	optional
email	string	User's email address.	required	optional
phone	string	User's phone number.	optional	optional
cellPhone	string	User's mobile phone number.	optional	optional
fax	string	User's fax number.	optional	optional
title	string	User's job title.	optional	optional
organizationId	string	ID of the organizational unit the user belongs to.	required	optional	Maps to Encompass organizational hierarchy.
personas	array	List of persona IDs assigned to the user, controlling feature access.	optional	optional	Personas define role-based access within Encompass.
enabled	boolean	Whether the user account is active.	optional (defaults to true)	optional	Set to false to deactivate without deleting.
password	string	User's password (write-only).	required	optional	Never returned in GET responses.
nmlsOriginatorId	string	NMLS originator ID for licensed loan officers.	optional	optional	Mortgage-industry specific compliance field.
stateLicenses	array	State licensing information for the user.	optional	optional	Array of state license objects.

Core endpoints

List Users

Method: GET
URL: https://api.elliemae.com/encompass/v3/users
Watch out for: Returns only users visible to the authenticated user's organizational scope. Use start/limit for pagination.

Request example

GET /encompass/v3/users?start=0&limit=25
Authorization: Bearer {access_token}

Response example

[
  {
    "id": "user123",
    "loginId": "jdoe",
    "firstName": "John",
    "lastName": "Doe",
    "email": "jdoe@example.com",
    "enabled": true
  }
]

Get User

Method: GET
URL: https://api.elliemae.com/encompass/v3/users/{userId}
Watch out for: Use the Encompass internal user ID (not loginId) as the path parameter.

Request example

GET /encompass/v3/users/user123
Authorization: Bearer {access_token}

Response example

{
  "id": "user123",
  "loginId": "jdoe",
  "firstName": "John",
  "lastName": "Doe",
  "email": "jdoe@example.com",
  "organizationId": "org456",
  "enabled": true
}

Create User

Method: POST
URL: https://api.elliemae.com/encompass/v3/users
Watch out for: Password must meet Encompass complexity requirements. organizationId must reference a valid org node.

Request example

POST /encompass/v3/users
Authorization: Bearer {access_token}
Content-Type: application/json
{
  "loginId": "jsmith",
  "firstName": "Jane",
  "lastName": "Smith",
  "email": "jsmith@example.com",
  "password": "TempPass123!",
  "organizationId": "org456"
}

Response example

{
  "id": "user789",
  "loginId": "jsmith",
  "firstName": "Jane",
  "lastName": "Smith",
  "email": "jsmith@example.com",
  "enabled": true
}

Update User (partial)

Method: PATCH
URL: https://api.elliemae.com/encompass/v3/users/{userId}
Watch out for: Only include fields to be changed. loginId changes may have downstream impacts on loan assignments.

Request example

PATCH /encompass/v3/users/user789
Authorization: Bearer {access_token}
Content-Type: application/json
{
  "email": "jsmith_new@example.com",
  "title": "Senior Loan Officer"
}

Response example

{
  "id": "user789",
  "email": "jsmith_new@example.com",
  "title": "Senior Loan Officer"
}

Delete User

Method: DELETE
URL: https://api.elliemae.com/encompass/v3/users/{userId}
Watch out for: Deleting a user with active loan assignments may fail or require reassignment first. Consider disabling (enabled: false) instead.

Request example

DELETE /encompass/v3/users/user789
Authorization: Bearer {access_token}

Response example

HTTP 204 No Content

Get User Personas

Method: GET
URL: https://api.elliemae.com/encompass/v3/users/{userId}/personas
Watch out for: Personas control feature-level access; incorrect persona assignment can expose or restrict critical loan functions.

Request example

GET /encompass/v3/users/user123/personas
Authorization: Bearer {access_token}

Response example

[
  { "id": "persona001", "name": "Loan Officer" },
  { "id": "persona002", "name": "Processor" }
]

List Personas (system-wide)

Method: GET
URL: https://api.elliemae.com/encompass/v3/personas
Watch out for: Use this endpoint to resolve valid persona IDs before assigning them to users.

Request example

GET /encompass/v3/personas
Authorization: Bearer {access_token}

Response example

[
  { "id": "persona001", "name": "Loan Officer" },
  { "id": "persona003", "name": "Admin" }
]

Get Current User (token introspection)

Method: GET
URL: https://api.elliemae.com/encompass/v3/users/me
Watch out for: Returns the user associated with the current access token. Not available for client_credentials tokens with no user context.

Request example

GET /encompass/v3/users/me
Authorization: Bearer {access_token}

Response example

{
  "id": "user123",
  "loginId": "jdoe",
  "firstName": "John",
  "lastName": "Doe",
  "email": "jdoe@example.com"
}

Rate limits, pagination, and events

Rate limits: ICE Mortgage Technology enforces rate limits on Encompass Developer Connect APIs, but specific numeric limits are not publicly documented in official sources.
Rate-limit headers: Unknown
Retry-After header: Unknown
Rate-limit notes: Official documentation does not publicly specify per-plan rate limit values or rate-limit response headers. Contact ICE Mortgage Technology support for current limits applicable to your subscription.
Pagination method: offset
Default page size: 25
Max page size: 200
Pagination pointer: start / limit
Webhooks available: Yes
Webhook notes: Encompass Developer Connect supports webhooks (called 'Encompass Webhooks') for event-driven notifications on loan and system events.
Alternative event strategy: User lifecycle events (create/update/delete) are not explicitly listed as webhook event types in publicly available documentation. Polling the Users API is the documented alternative for user change detection.
Webhook events: loan.created, loan.updated, loan.deleted, loan.locked, loan.unlocked

SCIM API status

SCIM available: Yes
SCIM version: 2.0
Plan required: Enterprise
Endpoint: https://api.elliemae.com/encompass/scim/v2
Supported operations: GET /Users, GET /Users/{id}, POST /Users, PUT /Users/{id}, PATCH /Users/{id}, DELETE /Users/{id}, GET /Groups, GET /ServiceProviderConfig, GET /Schemas

Limitations:

Requires Enterprise subscription tier.
SCIM provisioning configuration must be completed by an Encompass administrator.
Group management via SCIM maps to Encompass organizational units; full parity with native org hierarchy is not guaranteed.
Specific IdP connector documentation (Okta, Entra ID) is not publicly listed as officially supported in current help center docs.
SCIM endpoint base URL should be confirmed with ICE Mortgage Technology support as it may be instance-specific.

Common scenarios

Three workflows cover the main Encompass identity lifecycle tasks.

Provisioning a new loan officer usually requires this sequence:

Obtain a Bearer token with the required admin scope.
Resolve the target persona ID.
Resolve the target organizationId.
Create the user with login, identity, org, and persona fields.

For offboarding, prefer disabling over hard deletion:

Resolve the internal userId first.
PATCH the user with enabled set to false.
Reassign active loan work before attempting any irreversible cleanup.

SCIM 2.0 can support IdP-driven provisioning on Enterprise, but instance-specific mapping still matters.

Treat personas and organizationId as first-class identity attributes when reconciling Encompass against the rest of the SaaS stack.

Provision a new loan officer

Authenticate via OAuth 2.0 client_credentials to obtain a Bearer token with encompass_admin scope.
GET /encompass/v3/personas to retrieve the ID for the 'Loan Officer' persona.
GET /encompass/v3/organizations (or equivalent) to retrieve the target organizationId.
POST /encompass/v3/users with loginId, firstName, lastName, email, password, organizationId, and personas array.
Verify creation by GET /encompass/v3/users/{newUserId}.

Watch out for: Password must meet Encompass complexity policy. Persona and organization IDs must be valid for the specific Encompass instance.

Deactivate a departing employee

Authenticate and obtain a Bearer token.
GET /encompass/v3/users?loginId={loginId} to resolve the internal user ID.
PATCH /encompass/v3/users/{userId} with body {"enabled": false} to deactivate the account.
Confirm deactivation via GET /encompass/v3/users/{userId} and verify enabled=false.

Watch out for: Prefer deactivation over deletion to preserve audit trail and avoid breaking loan record associations.

Sync users via SCIM from an Identity Provider

Confirm Enterprise subscription with ICE Mortgage Technology.
Obtain SCIM endpoint URL and Bearer token credentials from Encompass administrator.
Configure the IdP (e.g., Okta, Entra ID) SCIM connector with the Encompass SCIM base URL and token.
Map IdP user attributes to SCIM standard attributes (userName → loginId, etc.).
Perform a test provisioning of a single user and validate via GET /encompass/scim/v2/Users.
Enable automated provisioning and deprovisioning rules in the IdP.

Watch out for: SCIM endpoint URL may be instance-specific. Attribute mapping between IdP schema and Encompass SCIM schema requires careful validation, especially for mortgage-specific fields like nmlsOriginatorId which may not be in the standard SCIM schema.

Why building this yourself is a trap

Several API behaviors are non-obvious and will cause silent failures if not accounted for in integration design. client_credentials tokens have no user context; GET /encompass/v3/users/me will not function with them.

Scope requirements differ by endpoint - validate that your token carries encompass_admin before attempting write operations, not after receiving a 403. Persona IDs must be fetched from /personas at runtime per environment; they are not stable across Encompass instances and cannot be assumed from documentation or prior deployments.

Webhook support exists for loan lifecycle events (loan.created, loan.updated, etc.), but user lifecycle events - create, update, deactivate - are not listed as supported webhook event types in current public documentation. Polling GET /encompass/v3/users with start/limit pagination is the documented approach for detecting user changes. API versioning is path-based (v3);

v1 and v2 endpoints may still respond but are deprecated and should not be used in new integrations.

Automate Encompass workflows without one-off scripts

Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.

Every app coverage, including apps without APIs

60+ app integrations plus browser automation for apps without APIs

IT graph reconciliation across apps and your IdP

Less than a week to launch, maintained as APIs and admin consoles change

SOC 2 Type II. ~2 hours of your team's time

Book a Demo

Encompass User Management API Guide

Summary and recommendation

API quick reference

Authentication

Setup steps

Required scopes

User object / data model

Core endpoints

List Users

Get User

Create User

Update User (partial)

Delete User

Get User Personas

List Personas (system-wide)

Get Current User (token introspection)

SCIM API status

Common scenarios

Provision a new loan officer

Deactivate a departing employee

Sync users via SCIM from an Identity Provider

Why building this yourself is a trap

Automate Encompass workflows without one-off scripts

Related apps

15Five

1Password

8x8