Summary and recommendation
HireRight does not expose a public user-management API. The HireRight Connect API is a partner-tier integration scoped exclusively to background check ordering and results retrieval - it is not a user lifecycle API and requires a signed partner agreement before any credentials are issued.
No SCIM 2.0 endpoint is publicly documented, and SSO is SAML 2.0 only with no confirmed OIDC support. For teams maintaining an identity graph that maps user state across SaaS applications, HireRight represents a structural gap: there is no REST or SCIM surface to query for current account status, role assignments, or last-activity signals.
API quick reference
| Has user API | No |
| SCIM available | No |
| SCIM plan required | Enterprise |
Authentication
Auth method: Not documented
User object / data model
User object field mapping is not yet verified for this app.
Core endpoints
Endpoint coverage is not yet verified for this app.
Rate limits, pagination, and events
Rate limits: Not documented
Rate-limit headers: No
Retry-After header: No
Rate-limit notes: Not documented
Pagination method: none
Default page size: 0
Max page size: 0
Pagination pointer: Not documented
Webhooks available: No
Webhook notes: No publicly documented webhook system for user-management events. HireRight Connect API provides status callbacks for background check orders, not user lifecycle events.
Alternative event strategy: HireRight Connect API supports order-status polling for background check workflows. SSO via SAML 2.0 (Okta, Entra ID, OneLogin) handles authentication but not provisioning.
SCIM API status
- SCIM available: No
- SCIM version: Not documented
- Plan required: Enterprise
- Endpoint: Not documented
Limitations:
- No SCIM provisioning documented publicly by HireRight as of the policy date.
- User provisioning is handled manually via the HireRight admin console or through SSO (SAML JIT) where supported.
- Enterprise customers may have access to custom integration options via HireRight Connect partner agreements, but these are not publicly documented user-management APIs.
Common scenarios
Three integration paths exist, each with hard constraints. First, SAML 2.
0 SSO with JIT provisioning: configure your IdP (Okta, Entra ID, OneLogin) against HireRight's SAML settings, map attributes in the assertion, and new users are created on first authenticated login - but JIT does not deprovision, so offboarding still requires a manual admin console step.
Second, HireRight Connect for ATS/HRIS workflows: after a signed partner agreement, the API supports order submission and status polling for background check pipelines. this is entirely separate from user account management and should not be used as a proxy for it.
Third, manual offboarding via admin console: without a SCIM or REST user API, the only reliable deprovisioning path is an administrator locating and deactivating the account directly in the UI, making this a required step in any offboarding runbook that includes HireRight.
Automate user provisioning via SSO JIT
- Configure SAML 2.0 SSO in HireRight admin console using your IdP (Okta, Entra ID, or OneLogin).
- Enable Just-In-Time (JIT) provisioning in the SAML configuration if supported by your HireRight plan.
- Map IdP attributes (email, role, department) to HireRight user attributes in the SAML assertion.
- Test login flow; new users are created on first SSO authentication if JIT is active.
Watch out for: JIT provisioning only creates users on first login; it does not deprovision users when they are removed from the IdP. Manual deactivation in HireRight admin console is required for offboarding.
Integrate background check ordering via HireRight Connect
- Apply for HireRight Connect partner access via HireRight's integration team.
- Receive API credentials (key/secret) under a signed partner agreement.
- Use HireRight Connect API to submit background check orders from your ATS/HRIS.
- Poll order-status endpoints or configure callbacks to retrieve check results.
Watch out for: HireRight Connect is scoped to background check workflows, not user account management. Do not conflate check-ordering API access with the ability to manage HireRight platform users programmatically.
Manual user offboarding via admin console
- Log in to HireRight admin console with an administrator account.
- Navigate to User Management section.
- Locate the departing user by name or email.
- Deactivate or remove the user account manually.
Watch out for: Without a SCIM or REST user API, there is no automated deprovisioning path. Organizations must establish a manual offboarding process or rely on SSO session expiry to limit access.
Why building this yourself is a trap
The primary trap is conflating HireRight Connect API access with user-management capability - they are unrelated surfaces.
A second trap is assuming SAML JIT provisioning covers the full user lifecycle; it handles creation on first login but leaves deprovisioning entirely manual, meaning SSO session expiry is the only automatic access boundary after an IdP account is disabled.
Any identity graph implementation that relies on HireRight for user-state signals will find no supported read endpoint; account status must be inferred from manual records or IdP session data rather than a live API response.
Because HireRight retains audit trails for compliance reasons, permanent user deletion is likely unavailable, though this is not confirmed in public documentation.
Automate HireRight workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
