Hootsuite User Management API Guide

Auth method: OAuth 2.0 (Authorization Code flow)

Setup steps

1. Register a developer application at developer.hootsuite.com to obtain a client_id and client_secret.
2. Redirect the user to https://platform.hootsuite.com/oauth2/auth with response_type=code, client_id, redirect_uri, and desired scopes.
3. Exchange the returned authorization code for an access token via POST to https://platform.hootsuite.com/oauth2/token.
4. Include the access token as a Bearer token in the Authorization header for all API requests.
5. Refresh tokens using the refresh_token grant type before expiry.

Required scopes

Get current authenticated member

• Method: GET
• URL: https://platform.hootsuite.com/v1/me
• Watch out for: Returns the member associated with the OAuth token, not an arbitrary user. Requires no additional scopes beyond basic authentication.

Request example

GET /v1/me
Authorization: Bearer {access_token}

Response example

{
  "data": {
    "id": "1234567",
    "email": "user@example.com",
    "fullName": "Jane Doe",
    "organizationIds": ["org_abc"]
  }
}

List organization members

• Method: GET
• URL: https://platform.hootsuite.com/v1/organizations/{organizationId}/members
• Watch out for: Requires read:organizations scope. Paginate using the returned cursor value.

Request example

GET /v1/organizations/org_abc/members?limit=50
Authorization: Bearer {access_token}

Response example

{
  "data": [
    {"id": "111", "email": "a@example.com", "organizationRole": "ADMIN"},
    {"id": "222", "email": "b@example.com", "organizationRole": "MEMBER"}
  ],
  "cursor": "next_cursor_token"
}

Get a specific organization member

• Method: GET
• URL: https://platform.hootsuite.com/v1/organizations/{organizationId}/members/{memberId}
• Watch out for: Member ID must be the Hootsuite internal ID, not email.

Request example

GET /v1/organizations/org_abc/members/111
Authorization: Bearer {access_token}

Response example

{
  "data": {
    "id": "111",
    "email": "a@example.com",
    "organizationRole": "ADMIN"
  }
}

Invite a member to an organization

• Method: POST
• URL: https://platform.hootsuite.com/v1/organizations/{organizationId}/members
• Watch out for: Requires write:organizations scope. Sends an invitation email; the user must accept before they are fully active.

Request example

POST /v1/organizations/org_abc/members
Authorization: Bearer {access_token}
Content-Type: application/json

{"email": "newuser@example.com", "organizationRole": "MEMBER"}

Response example

{
  "data": {
    "id": "333",
    "email": "newuser@example.com",
    "organizationRole": "MEMBER"
  }
}

Remove a member from an organization

• Method: DELETE
• URL: https://platform.hootsuite.com/v1/organizations/{organizationId}/members/{memberId}
• Watch out for: Requires write:organizations scope. This action is irreversible via API; the user loses access immediately.

Request example

DELETE /v1/organizations/org_abc/members/333
Authorization: Bearer {access_token}

Response example

HTTP 204 No Content

List teams in an organization

• Method: GET
• URL: https://platform.hootsuite.com/v1/organizations/{organizationId}/teams
• Watch out for: Requires read:teams scope.

Request example

GET /v1/organizations/org_abc/teams
Authorization: Bearer {access_token}

Response example

{
  "data": [
    {"id": "team_1", "name": "Marketing"},
    {"id": "team_2", "name": "Support"}
  ]
}

Add a member to a team

• Method: POST
• URL: https://platform.hootsuite.com/v1/teams/{teamId}/members
• Watch out for: Requires write:teams scope. The member must already belong to the organization before being added to a team.

Request example

POST /v1/teams/team_1/members
Authorization: Bearer {access_token}
Content-Type: application/json

{"memberId": "111"}

Response example

{
  "data": {
    "teamId": "team_1",
    "memberId": "111"
  }
}

Remove a member from a team

• Method: DELETE
• URL: https://platform.hootsuite.com/v1/teams/{teamId}/members/{memberId}
• Watch out for: Requires write:teams scope. Does not remove the member from the organization.

Request example

DELETE /v1/teams/team_1/members/111
Authorization: Bearer {access_token}

Response example

HTTP 204 No Content

• Rate limits: Hootsuite enforces per-application rate limits on API calls. Exact numeric limits are not publicly documented in detail; limits vary by endpoint category.
• Rate-limit headers: Yes
• Retry-After header: No
• Rate-limit notes: HTTP 429 is returned when rate limits are exceeded. The API returns X-RateLimit-Limit and X-RateLimit-Remaining headers. Exact limits per tier are not published in official docs.
• Pagination method: cursor
• Default page size: 50
• Max page size: 50
• Pagination pointer: cursor

• Webhooks available: No
• Webhook notes: Hootsuite's public API does not document user-management or provisioning webhooks. Webhook support in Hootsuite is limited to social content events (e.g., incoming messages) and is not available for member lifecycle events.
• Alternative event strategy: Poll the /organizations/{organizationId}/members endpoint periodically to detect membership changes, or use SCIM provisioning with an IdP for automated lifecycle management.

• SCIM available: Yes

• SCIM version: 2.0

• Plan required: Enterprise

• Endpoint: https://platform.hootsuite.com/scim/v2

• Supported operations: GET /Users – list users, GET /Users/{id} – get user, POST /Users – provision user, PUT /Users/{id} – replace user, PATCH /Users/{id} – update user attributes, DELETE /Users/{id} – deprovision user, GET /Groups – list groups/teams, POST /Groups – create group, PATCH /Groups/{id} – update group membership, DELETE /Groups/{id} – delete group

Limitations:

• Requires Enterprise plan; not available on Professional or Team plans.
• SSO must be configured and active before SCIM can be enabled.
• SCIM setup must be coordinated with a Hootsuite Customer Success Manager.
• Supported IdPs include Okta, Microsoft Entra ID (Azure AD), and OneLogin; Google Workspace is not officially supported.
• Implementation fees of $2,000–$5,000 may apply for Enterprise onboarding.
• SCIM token is generated within Hootsuite admin settings and must be provided to the IdP as a Bearer token.

Three automation scenarios cover the core identity lifecycle. For onboarding, POST /v1/organizations/{organizationId}/members sends an invitation email - the member is not active and cannot be added to a team until they accept.

team assignment via POST /v1/teams/{teamId}/members must be deferred until acceptance is confirmed.

For auditing, GET /v1/organizations/{organizationId}/members must be paginated with cursor iteration, and team membership requires a separate GET /v1/teams/{teamId}/members call per team - there is no single endpoint that returns members with team assignments in one response. For Enterprise deprovisioning, SCIM 2.

0 at https://platform.hootsuite.com/scim/v2 supports the full user lifecycle including PATCH /Users/{id} with active=false and DELETE /Users/{id}; however, SCIM only governs users whose login method is SSO - users authenticating with username/password are outside SCIM's scope.

Onboard a new employee to Hootsuite organization and team

1. Obtain an OAuth 2.0 access token with write:organizations and write:teams scopes.
2. POST to /v1/organizations/{organizationId}/members with the new user's email and desired organizationRole.
3. Wait for the user to accept the invitation email (monitor via periodic GET /members or IdP-side SCIM if on Enterprise).
4. Once the member is active, POST to /v1/teams/{teamId}/members with the new member's ID to assign them to the appropriate team.

Watch out for: The member cannot be added to a team until they have accepted the invitation and their account is active in Hootsuite.

Deprovision a departing employee via SCIM (Enterprise)

1. Ensure SCIM 2.0 is configured between the IdP (Okta, Entra ID, or OneLogin) and Hootsuite Enterprise.
2. Deactivate or remove the user in the IdP.
3. The IdP sends a SCIM PATCH /Users/{id} with active=false or DELETE /Users/{id} to https://platform.hootsuite.com/scim/v2.
4. Hootsuite revokes the user's access and removes them from the organization automatically.

Watch out for: SCIM must be active and SSO must be the user's login method for automated deprovisioning to work. Users who log in with username/password are not managed by SCIM.

Audit all organization members and their roles

1. Obtain an OAuth 2.0 access token with read:organizations scope.
2. GET /v1/organizations/{organizationId}/members with limit=50.
3. Iterate through pages using the returned cursor value until no cursor is returned.
4. For each member, record id, email, and organizationRole fields.
5. Cross-reference with team membership by calling GET /v1/teams/{teamId}/members for each team.

Watch out for: There is no single endpoint that returns all members with their team assignments in one call; team membership must be fetched separately per team.

The most significant integration trap is the invitation-acceptance gap: POST /members does not create an active user, it creates a pending invite. Any workflow that assumes immediate provisionability - including identity graph population - will produce incomplete state until acceptance is confirmed via polling.

SCIM and the REST API are separate systems; changes made through one may not be immediately reflected in the other, which can cause consistency issues in an identity graph that reads from both.

Rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining) are present but exact numeric thresholds per plan are not publicly documented, making capacity planning for bulk operations speculative.

Finally, SCIM is hard-gated behind both an Enterprise plan and active SSO configuration - SSO must be live before SCIM can be enabled, and setup requires coordination with a Hootsuite Customer Success Manager, not a self-serve toggle.