Stitchflow
Heap logo

Heap User Management API Guide

API workflow

How to automate user lifecycle operations through APIs with caveats that matter in production.

UpdatedMar 11, 2026

Summary and recommendation

Heap's server-side API is write-only and ingest-focused - it accepts events and user property updates but provides no endpoints for reading or querying user records. Authentication uses a bare app_id field in the JSON request body; there is no Authorization header or bearer token for the server-side API.

All endpoints return HTTP 200 regardless of payload validity, so client-side validation of identity strings and app_id is mandatory before treating a 200 as a success signal. For automated provisioning, SCIM 2.0 is available on Enterprise via an Okta-hosted connector, not a standalone Heap-published SCIM base URL.

API quick reference

Has user APIYes
Auth methodAPI key (app_id passed in request body as JSON field; no Authorization header)
Base URLOfficial docs
SCIM availableYes
SCIM plan requiredEnterprise

Authentication

Auth method: API key (app_id passed in request body as JSON field; no Authorization header)

Setup steps

  1. Log in to Heap and navigate to Account > Privacy & Security > API.
  2. Copy your app_id (environment ID) from the Heap dashboard.
  3. Include the app_id field in every server-side API request body as a top-level JSON key.
  4. No OAuth flow or bearer token is used for the server-side API.

User object / data model

Field Type Description On create On update Notes
identity string Unique identifier for the user (e.g., email or internal user ID). required required Used in /identify and property calls to tie anonymous sessions to a known user.
properties object Key-value map of custom user properties (e.g., plan, role, company). optional optional Values must be scalar (string, number, boolean). Nested objects are not supported.
event string Name of the server-side event to track. required for /track n/a Used only in /track calls, not user property calls.
timestamp string (ISO 8601) Optional event timestamp; defaults to server receipt time if omitted. optional n/a Must be ISO 8601 format. Historical events may be subject to data retention limits.
idempotency_key string Optional deduplication key to prevent duplicate event ingestion. optional n/a Recommended for retry logic.

Core endpoints

Track server-side event

  • Method: POST
  • URL: https://heapanalytics.com/api/track
  • Watch out for: Returns 200 even for malformed payloads in some cases; validate identity and app_id carefully.

Request example

{
  "app_id": "11",
  "identity": "user@example.com",
  "event": "Subscription Upgraded",
  "properties": { "plan": "pro" }
}

Response example

HTTP 200 OK
{}

Identify / alias user

  • Method: POST
  • URL: https://heapanalytics.com/api/identify
  • Watch out for: Calling identify ties all prior anonymous sessions to the identity; cannot be undone via API.

Request example

{
  "app_id": "11",
  "identity": "user@example.com",
  "properties": { "role": "admin" }
}

Response example

HTTP 200 OK
{}

Add user properties

  • Method: POST
  • URL: https://heapanalytics.com/api/add_user_properties
  • Watch out for: Properties are additive/overwrite on key collision; there is no partial-update or delete for individual property keys via this endpoint.

Request example

{
  "app_id": "11",
  "identity": "user@example.com",
  "properties": { "plan": "enterprise", "company": "Acme" }
}

Response example

HTTP 200 OK
{}

Batch track events

  • Method: POST
  • URL: https://heapanalytics.com/api/batch_track
  • Watch out for: Maximum 1,000 events per batch request. Exceeding this limit may result in dropped events.

Request example

{
  "app_id": "11",
  "events": [
    {"identity":"u1@x.com","event":"Login","properties":{}},
    {"identity":"u2@x.com","event":"Login","properties":{}}
  ]
}

Response example

HTTP 200 OK
{}

Delete user (GDPR/CCPA)

  • Method: POST
  • URL: https://heapanalytics.com/api/delete_user
  • Watch out for: Deletion is asynchronous and irreversible. All event history associated with the identity is removed.

Request example

{
  "app_id": "11",
  "identity": "user@example.com"
}

Response example

HTTP 200 OK
{}

Rate limits, pagination, and events

  • Rate limits: Heap does not publish explicit rate limit numbers in official documentation. Requests that exceed undisclosed limits may be throttled or dropped silently.
  • Rate-limit headers: No
  • Retry-After header: No
  • Rate-limit notes: No rate-limit headers or retry-after headers are documented. Heap recommends batching events (up to 1,000 per batch call) to reduce request volume.
  • Pagination method: none
  • Default page size: 0
  • Max page size: 0
  • Pagination pointer: Not documented
Plan Limit Concurrent
All plans Not publicly documented 0
  • Webhooks available: No
  • Webhook notes: Heap does not offer outbound webhooks for user-management events in its documented API surface.
  • Alternative event strategy: Use Heap's data connectors (Redshift, BigQuery, Snowflake) or the Heap Connect feature to export event and user data to a warehouse for downstream processing.

SCIM API status

  • SCIM available: Yes

  • SCIM version: 2.0

  • Plan required: Enterprise

  • Endpoint: Provisioned via Okta SCIM integration (Okta-hosted SCIM connector); Heap does not publish a standalone SCIM base URL in public docs.

  • Supported operations: Create user, Deactivate user, Update user attributes, Push groups (via Okta)

Limitations:

  • SCIM provisioning is only documented for Okta; Entra ID, Google Workspace, and OneLogin are not officially supported.
  • SSO (SAML) must be configured before enabling SCIM.
  • Enterprise plan required.
  • SCIM base URL and bearer token are obtained from within the Okta Heap app configuration, not from Heap's developer portal.
  • Group-to-role mapping capabilities are limited; consult Heap support for role assignment via SCIM.

Common scenarios

Three integration patterns cover the primary lifecycle operations. First, SCIM provisioning via Okta: requires an active Enterprise plan with SAML SSO already configured; the SCIM bearer token is managed inside the Okta app config, not Heap's developer portal - if SSO is absent, SCIM calls will fail silently.

Second, server-side identity enrichment: POST to /api/identify immediately after sign-up to anchor anonymous sessions to a known identity, then use /api/add_user_properties for subsequent attribute updates. properties overwrite on key collision, so send only the keys you intend to change.

Third, GDPR/CCPA deletion: POST to /api/delete_user with the exact identity string used at track/identify time - deletion is asynchronous, irreversible, and case-sensitive, so 'User@Example. com' and 'user@example.

com' resolve to different identities.

Provision a new user via SCIM (Okta)

  1. Ensure Heap Enterprise plan is active and SAML SSO is configured in Okta.
  2. In Okta, add the Heap application and navigate to the Provisioning tab.
  3. Enable SCIM provisioning; Okta will use the SCIM 2.0 endpoint and bearer token provided in the Heap Okta app config.
  4. Assign the user to the Heap Okta app; Okta sends a SCIM POST /Users request to create the user in Heap.
  5. Verify the user appears in Heap's People section.

Watch out for: If SSO is not yet configured, SCIM provisioning will fail. SCIM bearer token is managed inside Okta, not Heap's developer portal.

Enrich user profile with server-side properties after sign-up

  1. After a user completes sign-up in your backend, POST to https://heapanalytics.com/api/identify with the user's email as identity and initial properties (plan, role).
  2. Subsequently POST to https://heapanalytics.com/api/add_user_properties to add or update additional attributes (e.g., company, subscription tier).
  3. Confirm properties appear in Heap's user profile within a few minutes.

Watch out for: Properties are overwritten on key collision; send only the keys you intend to update to avoid accidentally clearing existing values.

Delete a user for GDPR compliance

  1. Receive a data deletion request for a user identified by their email.
  2. POST to https://heapanalytics.com/api/delete_user with app_id and the user's identity string.
  3. Log the 200 response and timestamp for compliance records.
  4. Note that deletion is asynchronous; confirm with Heap support if immediate verification is required.

Watch out for: Deletion is irreversible. Ensure the identity string exactly matches what was used during identify/track calls (case-sensitive).

Why building this yourself is a trap

The silent-200 response pattern is the most dangerous integration trap: malformed payloads, wrong app_id values, and unrecognized identity strings can all return 200 with no error body, making broken pipelines invisible without external validation.

The write-only API surface means any identity graph enrichment or user-state reconciliation must be routed through Heap Connect or a warehouse export (Redshift, BigQuery, Snowflake) - there is no read endpoint to confirm what Heap has stored for a given identity.

Rate limits are undisclosed and carry no retry-after headers, so batch_track's 1,000-event cap per request is the only documented ceiling; exceeding it may result in silent event drops with no observable signal.

SCIM's Okta-only constraint means teams building identity graph pipelines on Entra ID or other providers cannot rely on SCIM and must instrument lifecycle events entirely through the server-side API with all the validation burden that entails.

Automate Heap workflows without one-off scripts

Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.

Every app coverage, including apps without APIs
60+ app integrations plus browser automation for apps without APIs
IT graph reconciliation across apps and your IdP
Less than a week to launch, maintained as APIs and admin consoles change
SOC 2 Type II. ~2 hours of your team's time

UpdatedMar 11, 2026

* Details sourced from official product documentation and admin references.

Keep exploring

Related apps

15Five logo

15Five

Full API + SCIM
AutomationAPI + SCIM
Last updatedFeb 2026

15Five uses a fixed role-based permission model with six predefined roles: Account Admin, HR Admin, Billing Admin, Group Admin, Manager, and Employee. No custom roles can be constructed. User management lives at Settings gear → People → Manage people p

1Password logo

1Password

Full API + SCIM
AutomationAPI + SCIM
Last updatedFeb 2026

1Password's admin console at my.1password.com covers the full user lifecycle — invitations, group assignments, vault access, suspension, and deletion — without any third-party tooling. Like every app that mixes role-based and resource-level permissions

8x8 logo

8x8

Full API + SCIM
AutomationAPI + SCIM
Last updatedFeb 2026

8x8 Admin Console supports full lifecycle user management — create, deactivate, and delete — across its X Series unified communications platform. Every app a user can access (8x8 Work desktop, mobile, web, Agent Workspace) is gated by license assignmen