Hyperproof User Management API Guide

Auth method: API Key (Bearer token); OAuth 2.0 not confirmed in public docs

Setup steps

1. Log in to Hyperproof as an Organization Admin.
2. Navigate to Settings > Integrations > API Tokens.
3. Generate a new API token and copy the value.
4. Include the token in the Authorization header as: Authorization: Bearer .

List users via SCIM

• Method: GET
• URL: {tenant-scim-endpoint}/Users
• Watch out for: The tenant-specific SCIM endpoint must be copied from Hyperproof's provisioning settings rather than assumed from the generic base URL.

Request example

GET /Users?startIndex=1&count=100

Response example

{"Resources":[{"id":"123","userName":"user@example.com","active":true}],"totalResults":1}

Deactivate user via SCIM

• Method: PATCH
• URL: {tenant-scim-endpoint}/Users/{id}
• Watch out for: Hyperproof's public docs describe SCIM behavior at a high level; validate supported attributes in a non-production org first.

Request example

PATCH /Users/123 {"Operations":[{"op":"Replace","path":"active","value":false}]}

Response example

{"id":"123","active":false}

• Rate limits: Rate limit specifics are not publicly documented by Hyperproof.

• Rate-limit headers: Unknown

• Retry-After header: Unknown

• Rate-limit notes: No official rate-limit documentation found. Contact Hyperproof support for current limits.

• Pagination method: offset

• Default page size: Not documented

• Max page size: Not documented

• Pagination pointer: startIndex / count

• Webhooks available: Unknown

• Webhook notes: No official webhook documentation for user-management events was found in public Hyperproof docs.

• Alternative event strategy: Use SCIM provisioning via your IdP for automated user lifecycle management.

• SCIM available: Yes

• SCIM version: 2.0

• Plan required: Contact vendor; SSO is a prerequisite. Pricing context suggests Business or Enterprise tier (~$25K+/year) based on available pricing seeds, but not officially confirmed.

• Endpoint: https://api.hyperproof.io/scim/v2

• Supported operations: Create User, Update User, Deactivate User, List Users

Limitations:

• SSO must be configured before SCIM provisioning can be enabled.
• Exact SCIM endpoint URL is provisioned per-organization and may differ from the generic base shown here.
• Group/role provisioning support is not confirmed in public documentation.
• SCIM token is separate from the REST API token and is generated in the SSO/SCIM settings panel.

The primary automation scenario is IdP-driven provisioning via SCIM 2.0.

SSO (SAML or OIDC) must be fully configured before SCIM can be enabled - activating SCIM without a working SSO configuration will fail.

Once SCIM is active, standard IdP platforms (Okta, Entra ID) can drive Create, Update, Deactivate, and List User operations using the org-specific SCIM base URL and token copied from Settings > SCIM Provisioning.

Deprovisioning sends a PATCH /Users/{id} with active=false;

the user record is retained with audit history intact, and hard deletion requires a separate manual admin action.

For REST API access, generate a token under Settings > Integrations > API Tokens, store it in a secrets manager, and include it as Authorization: Bearer on all requests

token expiry and rotation policies are not publicly documented, so monitor for 401 responses as a signal to rotate.

Provision users via SCIM from an IdP

1. Configure SSO (SAML or OIDC) in Hyperproof Settings > SSO.
2. Navigate to Settings > SCIM Provisioning and enable SCIM.
3. Copy the SCIM base URL and Bearer token displayed.
4. In your IdP (e.g., Okta, Entra ID), add a new SCIM 2.0 application using the copied URL and token.
5. Assign users or groups in the IdP to trigger provisioning to Hyperproof.

Watch out for: SSO must be fully functional before SCIM provisioning is activated. Deprovisioning (deactivate) behavior should be tested in a non-production org first.

Deactivate a user via SCIM

1. In your IdP, unassign the user from the Hyperproof SCIM application.
2. The IdP sends a PATCH /Users/{id} with active=false to the Hyperproof SCIM endpoint.
3. Hyperproof deactivates the user account; the user loses access on next login attempt.

Watch out for: Deactivation via SCIM does not delete the user record; historical audit data is retained. Hard deletion may require manual admin action.

Authenticate to the REST API

1. Generate an API token in Hyperproof Settings > Integrations > API Tokens.
2. Store the token securely (e.g., in a secrets manager).
3. Include header: Authorization: Bearer on all REST API requests to https://api.hyperproof.io/v1.

Watch out for: Token scope and expiry policies are not publicly documented; rotate tokens periodically and monitor for 401 responses indicating token invalidation.

Building a direct REST API integration for user lifecycle management in Hyperproof carries meaningful risk given the sparse public documentation: endpoint schemas, pagination behavior, and rate limits are all unconfirmed. The SCIM token and REST API token are distinct credentials - conflating them will produce authentication failures that are non-obvious to debug.

Group and role provisioning support via SCIM is unconfirmed in public docs, which limits how far identity graph automation can propagate role assignments without manual fallback. Plan-tier gating for SCIM is not officially published; assume enterprise-tier requirements and validate with the vendor before scoping any integration that depends on SCIM availability.