Summary and recommendation
Help Scout exposes a REST API (v2) at https://api.helpscout.net/v2, authenticated via OAuth 2.0 client credentials or authorization code flow. Access tokens are valid for 48 hours; re-authenticate by repeating the POST /v2/auth/token call - there is no refresh token mechanism for client credentials.
Help Scout does not document granular named OAuth scopes; access is governed by the authenticated app's account-level permissions.
The API does not support user creation via REST. POST /users is not available in the public Mailbox API v2 - new users must be provisioned through the UI invite flow or via SCIM (Pro plan only).
This is the most significant constraint for teams building identity graph integrations that expect full CRUD over user objects.
Rate limits are 400 requests per minute per access token. Responses include X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers; on HTTP 429, respect the Retry-After header before retrying. If running multiple integrations, provision a separate OAuth app and token per integration to avoid shared rate limit exhaustion.
API quick reference
| Has user API | Yes |
| Auth method | OAuth 2.0 (client credentials or authorization code flow) |
| Base URL | Official docs |
| SCIM available | Yes |
| SCIM plan required | Pro |
Authentication
Auth method: OAuth 2.0 (client credentials or authorization code flow)
Setup steps
- Log in to Help Scout and navigate to Your Profile > My Apps.
- Click 'Create My App' and provide an app name and redirect URL.
- Note the generated App ID (client_id) and App Secret (client_secret).
- For server-to-server (client credentials): POST to https://api.helpscout.net/v2/auth/token with grant_type=client_credentials, client_id, and client_secret.
- Receive an access_token (Bearer token) valid for 48 hours; include it as Authorization: Bearer
on all requests.
Required scopes
| Scope | Description | Required for |
|---|---|---|
| N/A - scope-based access control not documented | Help Scout OAuth 2.0 does not expose granular named scopes in its public documentation; access is governed by the authenticated app's permissions within the account. | All API operations |
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| id | integer | Unique numeric identifier for the user. | system-assigned | immutable | Used as path parameter in user endpoints. |
| firstName | string | User's first name. | required | optional | |
| lastName | string | User's last name. | required | optional | |
| string | Primary email address; used for login. | required | optional | Must be unique within the account. | |
| role | string | Account role: owner, admin, or user. | optional | optional | Defaults to 'user' if not specified. |
| timezone | string | IANA timezone string (e.g., America/New_York). | optional | optional | |
| type | string | User type: team or virtual. | system-assigned | immutable | |
| createdAt | datetime (ISO 8601) | Timestamp when the user was created. | system-assigned | immutable | |
| updatedAt | datetime (ISO 8601) | Timestamp of last update. | system-assigned | system-assigned | |
| photoUrl | string (URL) | URL of the user's avatar image. | optional | optional | |
| jobTitle | string | User's job title. | optional | optional | |
| phone | string | User's phone number. | optional | optional | |
| alternateEmails | array of strings | Additional email addresses associated with the user. | optional | optional | |
| mention | string | The @mention handle for the user within Help Scout. | optional | optional |
Core endpoints
List Users
- Method: GET
- URL:
https://api.helpscout.net/v2/users - Watch out for: Returns only active (non-deleted) users. Deleted users are not included.
Request example
GET /v2/users?page=1 HTTP/1.1
Authorization: Bearer <token>
Response example
{
"_embedded": {
"users": [{"id":123,"firstName":"Jane","lastName":"Doe","email":"jane@example.com","role":"user"}]
},
"page": {"size":25,"totalElements":1,"totalPages":1,"number":1}
}
Get User by ID
- Method: GET
- URL:
https://api.helpscout.net/v2/users/{userId} - Watch out for: Returns 404 if the user has been deleted or does not belong to the authenticated account.
Request example
GET /v2/users/123 HTTP/1.1
Authorization: Bearer <token>
Response example
{
"id": 123,
"firstName": "Jane",
"lastName": "Doe",
"email": "jane@example.com",
"role": "user",
"createdAt": "2023-01-15T10:00:00Z"
}
Get Authenticated User (Me)
- Method: GET
- URL:
https://api.helpscout.net/v2/users/me - Watch out for: For client_credentials tokens, this returns the app/bot user, not a human user.
Request example
GET /v2/users/me HTTP/1.1
Authorization: Bearer <token>
Response example
{
"id": 456,
"firstName": "App",
"lastName": "Bot",
"email": "app@example.com",
"role": "admin"
}
List Users by Team
- Method: GET
- URL:
https://api.helpscout.net/v2/teams/{teamId}/members - Watch out for: Requires knowing the teamId; retrieve team IDs via GET /v2/teams first.
Request example
GET /v2/teams/10/members HTTP/1.1
Authorization: Bearer <token>
Response example
{
"_embedded": {
"members": [{"id":123,"firstName":"Jane","lastName":"Doe"}]
}
}
Rate limits, pagination, and events
- Rate limits: Help Scout enforces a rate limit of 400 requests per minute per access token. Exceeding the limit returns HTTP 429.
- Rate-limit headers: Yes
- Retry-After header: Yes
- Rate-limit notes: Response headers X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset are returned. On 429, respect Retry-After header before retrying.
- Pagination method: offset
- Default page size: 25
- Max page size: 50
- Pagination pointer: page
| Plan | Limit | Concurrent |
|---|---|---|
| All plans | 400 requests/minute per access token | 0 |
- Webhooks available: Yes
- Webhook notes: Help Scout supports webhooks for various mailbox events. User-specific lifecycle events (e.g., user created/deleted) are not explicitly listed as webhook event types in the public documentation; webhooks primarily cover conversation and customer events.
- Alternative event strategy: Poll GET /v2/users periodically to detect user changes, or use SCIM provisioning for lifecycle events via an IdP.
- Webhook events: convo.created, convo.updated, convo.deleted, convo.assigned, convo.moved, convo.merged, convo.status, convo.tags, convo.customerEmailChanged, customer.created, satisfaction.ratings
SCIM API status
SCIM available: Yes
SCIM version: 2.0
Plan required: Pro
Endpoint: https://api.helpscout.net/v2/scim
Supported operations: GET /Users (list users), GET /Users/{id} (get user), POST /Users (create user), PUT /Users/{id} (replace user), PATCH /Users/{id} (update user), DELETE /Users/{id} (deactivate/delete user), GET /Groups (list groups/teams), POST /Groups (create group), PATCH /Groups/{id} (update group membership), DELETE /Groups/{id} (delete group)
Limitations:
- SCIM is only available on the Pro plan ($65/user/month billed annually).
- SSO must be configured before enabling SCIM provisioning.
- Supported IdPs include Okta, Microsoft Entra ID (Azure AD), and OneLogin; Google Workspace is not officially supported.
- Group provisioning maps to Help Scout Teams; not all team attributes may be writable via SCIM.
- SCIM token is a long-lived bearer token generated in Help Scout settings, separate from OAuth tokens.
Common scenarios
Three integration patterns cover the majority of identity graph use cases against the Help Scout API.
For a full user sync, authenticate via client credentials, then paginate GET /v2/users starting at page=1. Capture totalPages from the response's page object and iterate all pages - max page size is 50, so large teams require many round trips. Map id, firstName, lastName, email, role, and createdAt to your directory schema; store updatedAt to detect changes on subsequent runs. GET /v2/users returns only active users; deactivated users are excluded from results.
For email-to-ID resolution to support identity graph lookups, there is no server-side email filter parameter on GET /v2/users. Filtering must be done client-side after fetching all pages - retrieve the full user list and match on the email field locally. For SCIM-based provisioning and deprovisioning via Okta or Entra ID, the base URL is https://api.helpscout.net/v2/scim with a long-lived bearer token generated separately from OAuth tokens in Help Scout Admin > Authentication. Unassigning a user in the IdP triggers DELETE /Users/{id}, which deactivates the user; their conversation history is retained and must be manually reassigned.
Sync all active users from Help Scout into an external directory
- Authenticate via POST /v2/auth/token with client_credentials to obtain a Bearer token.
- GET /v2/users?page=1 and capture totalPages from the page object in the response.
- Iterate pages 1..totalPages, collecting all user objects.
- Map id, firstName, lastName, email, role, createdAt fields to your directory schema.
- Store updatedAt to detect changes on subsequent syncs.
Watch out for: Max page size is 50; with large teams, expect many round trips. Cache the token for up to 48 hours to avoid re-authenticating on every sync run.
Provision and deprovision users via SCIM from Okta
- Ensure the Help Scout account is on the Pro plan and SSO is configured.
- In Help Scout Admin > Authentication, enable SCIM and copy the SCIM bearer token.
- In Okta, add the Help Scout SCIM app and enter base URL https://api.helpscout.net/v2/scim and the bearer token.
- Enable 'Push Users' and optionally 'Push Groups' in Okta.
- Assign users/groups in Okta; Okta will POST /Users to create accounts in Help Scout.
- Unassigning a user in Okta triggers DELETE /Users/{id}, deactivating the user in Help Scout.
Watch out for: Deactivated users' conversations are not deleted; reassign open conversations before deprovisioning to avoid orphaned tickets.
Look up a user by email to retrieve their Help Scout user ID
- Authenticate and obtain a Bearer token.
- GET /v2/users?page=1 (page through all results if totalPages > 1).
- Filter the returned users array client-side for the matching email field.
- Use the returned id for subsequent API calls (e.g., filtering conversations by assignee).
Watch out for: There is no server-side email filter query parameter on GET /v2/users in the public API; filtering must be done client-side after fetching all pages.
Why building this yourself is a trap
The most common integration trap is assuming the REST API supports the full user lifecycle. It does not - there is no POST /users endpoint.
Teams that build provisioning pipelines against the REST API will hit a hard wall at user creation and must either fall back to UI-based invites or implement SCIM, which is gated behind the Pro plan and requires SSO to be configured first.
A second trap involves the identity graph assumption that deactivated users remain queryable. GET /v2/users and GET /v2/users/{userId} both exclude deactivated users - the latter returns HTTP 404 for any deactivated or deleted user ID.
If your identity graph needs to track offboarded users, persist their records externally before deactivation, as the API provides no tombstone or soft-delete state in its responses.
Webhooks do not emit user lifecycle events. There are no user.created or user.deleted webhook event types in the public documentation - webhooks cover conversation and customer events only. Detecting user changes requires polling GET /v2/users on a schedule and diffing against your stored state, or relying on SCIM callbacks from your IdP.
Automate Help Scout workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
