Summary and recommendation
The Qualtrics REST API v3 exposes full user lifecycle operations - list, get, create, update, and delete/disable - under the base URL https://{datacenterid}.qualtrics.com/API/v3.
Authentication is via a per-user API token passed as the X-API-TOKEN header; administrative operations require a token belonging to a Brand Administrator account.
The datacenter ID (e.g., iad1, fra1, syd1) is account-specific and must be resolved from Account Settings → Qualtrics IDs before any requests are made - using the wrong datacenter returns authentication errors, not a routing error.
Pagination is token-based: the response includes a nextPage field containing a full absolute URL; iterate until nextPage is null. Default and maximum page size is 100.
Rate limits are enforced but numeric thresholds are not publicly documented; implement exponential backoff on HTTP 429. SCIM 2.0 is available on Enterprise plans with SSO configured, exposing a parallel endpoint at https://{datacenterid}.qualtrics.com/scim/v2 with a separate bearer token.
No native webhooks exist for user lifecycle events. Changes must be detected by polling GET /API/v3/users or by relying on SCIM push from a connected IdP.
API quick reference
| Has user API | Yes |
| Auth method | API Token (X-API-TOKEN header) |
| Base URL | Official docs |
| SCIM available | Yes |
| SCIM plan required | Enterprise (requires SSO to be configured first) |
Authentication
Auth method: API Token (X-API-TOKEN header)
Setup steps
- Log in to Qualtrics and navigate to Account Settings > Qualtrics IDs.
- Locate or generate your API Token under the 'API' section.
- Include the token in all API requests as the header: X-API-TOKEN:
. - Identify your datacenter ID from the same Qualtrics IDs page (e.g., 'iad1', 'fra1') and substitute it into the base URL.
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| id | string | Unique Qualtrics user ID (e.g., URH_xxxxxxxxxxxxxxx) | system-generated | immutable | Used as path parameter in user-specific endpoints. |
| username | string | User's login username (typically email) | required | optional | Must be unique within the organization. |
| firstName | string | User's first name | required | optional | |
| lastName | string | User's last name | required | optional | |
| string | User's email address | required | optional | Used for notifications and login. | |
| userType | string | Type of user account (e.g., 'UT_RESPONDENT', 'UT_BRAND_ADMINISTRATOR') | required | optional | Determines base permissions. |
| status | string | Account status: 'active' or 'disabled' | optional | optional | Defaults to 'active' on creation. |
| language | string | Preferred language code (e.g., 'EN') | optional | optional | |
| timeZone | string | User's time zone (e.g., 'America/Chicago') | optional | optional | |
| accountExpirationDate | string (ISO 8601) | Date when the account expires | optional | optional | Null means no expiration. |
| divisionId | string | ID of the division the user belongs to | optional | optional | Relevant for organizations using divisions. |
| organizationId | string | Brand/organization ID the user belongs to | system-assigned | immutable | |
| permissions | object | Map of permission keys to boolean values | optional | optional | Granular feature permissions; structure varies by userType. |
| password | string | User password (write-only) | optional | optional | Never returned in responses. |
Core endpoints
List Users
- Method: GET
- URL:
https://{datacenterid}.qualtrics.com/API/v3/users - Watch out for: Pagination uses a full URL in 'nextPage'; iterate until nextPage is null.
Request example
GET /API/v3/users?pageSize=100 HTTP/1.1
Host: iad1.qualtrics.com
X-API-TOKEN: <token>
Response example
{
"result": {
"elements": [{"id":"URH_abc","username":"user@example.com"}],
"nextPage": "https://iad1.qualtrics.com/API/v3/users?pageSize=100&offset=100"
},
"meta": {"httpStatus": "200 - OK"}
}
Get User
- Method: GET
- URL:
https://{datacenterid}.qualtrics.com/API/v3/users/{userId} - Watch out for: Use the Qualtrics user ID (URH_...), not the email address, as the path parameter.
Request example
GET /API/v3/users/URH_abc123 HTTP/1.1
Host: iad1.qualtrics.com
X-API-TOKEN: <token>
Response example
{
"result": {
"id": "URH_abc123",
"username": "user@example.com",
"firstName": "Jane",
"lastName": "Doe",
"email": "user@example.com",
"status": "active"
},
"meta": {"httpStatus": "200 - OK"}
}
Create User
- Method: POST
- URL:
https://{datacenterid}.qualtrics.com/API/v3/users - Watch out for: userType must be a valid type for your brand; invalid types return a 400 error.
Request example
POST /API/v3/users HTTP/1.1
Host: iad1.qualtrics.com
X-API-TOKEN: <token>
Content-Type: application/json
{"username":"new@example.com","firstName":"John","lastName":"Smith","email":"new@example.com","userType":"UT_RESPONDENT"}
Response example
{
"result": {"id": "URH_newuser123"},
"meta": {"httpStatus": "200 - OK"}
}
Update User
- Method: PUT
- URL:
https://{datacenterid}.qualtrics.com/API/v3/users/{userId} - Watch out for: Qualtrics uses PUT (not PATCH) for user updates; only include fields you wish to change.
Request example
PUT /API/v3/users/URH_abc123 HTTP/1.1
Host: iad1.qualtrics.com
X-API-TOKEN: <token>
Content-Type: application/json
{"firstName":"Jane","status":"disabled"}
Response example
{
"result": {},
"meta": {"httpStatus": "200 - OK"}
}
Delete User (Disable)
- Method: DELETE
- URL:
https://{datacenterid}.qualtrics.com/API/v3/users/{userId} - Watch out for: Deleting a user may disable rather than permanently remove the account depending on brand settings; verify behavior in your environment.
Request example
DELETE /API/v3/users/URH_abc123 HTTP/1.1
Host: iad1.qualtrics.com
X-API-TOKEN: <token>
Response example
{
"result": {},
"meta": {"httpStatus": "200 - OK"}
}
Get Authenticated User (Whoami)
- Method: GET
- URL:
https://{datacenterid}.qualtrics.com/API/v3/whoami - Watch out for: Useful for validating token identity and resolving the caller's userId and datacenter.
Request example
GET /API/v3/whoami HTTP/1.1
Host: iad1.qualtrics.com
X-API-TOKEN: <token>
Response example
{
"result": {
"userId": "URH_abc123",
"username": "admin@example.com",
"brandId": "mybrand"
},
"meta": {"httpStatus": "200 - OK"}
}
List Divisions
- Method: GET
- URL:
https://{datacenterid}.qualtrics.com/API/v3/divisions - Watch out for: Division IDs are required when assigning users to divisions during creation or update.
Request example
GET /API/v3/divisions HTTP/1.1
Host: iad1.qualtrics.com
X-API-TOKEN: <token>
Response example
{
"result": {
"elements": [{"id":"DV_abc","name":"Sales Division"}],
"nextPage": null
},
"meta": {"httpStatus": "200 - OK"}
}
Get User API Token
- Method: GET
- URL:
https://{datacenterid}.qualtrics.com/API/v3/users/{userId}/apitoken - Watch out for: Requires Brand Administrator privileges; returns the target user's API token, not the caller's.
Request example
GET /API/v3/users/URH_abc123/apitoken HTTP/1.1
Host: iad1.qualtrics.com
X-API-TOKEN: <admin_token>
Response example
{
"result": {"apiToken": "abc123tokenvalue"},
"meta": {"httpStatus": "200 - OK"}
}
Rate limits, pagination, and events
Rate limits: Qualtrics enforces rate limits per API token. The official docs note limits exist but do not publicly publish specific numeric thresholds per plan tier.
Rate-limit headers: No
Retry-After header: No
Rate-limit notes: Rate limit details are not publicly documented. Qualtrics returns HTTP 429 when limits are exceeded. Contact Qualtrics support for specific limits applicable to your license.
Pagination method: token
Default page size: 100
Max page size: 100
Pagination pointer: nextPage
Webhooks available: No
Webhook notes: Qualtrics does not offer native webhooks for user management events (user created, updated, deleted). Survey response events can trigger webhooks, but user lifecycle events are not supported.
Alternative event strategy: Poll the List Users endpoint periodically to detect changes, or use SCIM provisioning with a supported IdP (Okta, Entra ID) for automated lifecycle management.
SCIM API status
SCIM available: Yes
SCIM version: 2.0
Plan required: Enterprise (requires SSO to be configured first)
Endpoint: https://{datacenterid}.qualtrics.com/scim/v2
Supported operations: GET /Users, GET /Users/{id}, POST /Users, PUT /Users/{id}, PATCH /Users/{id}, DELETE /Users/{id}, GET /Groups, POST /Groups, PUT /Groups/{id}, DELETE /Groups/{id}
Limitations:
- SSO must be configured and active before SCIM can be enabled.
- Enterprise plan required; not available on self-serve or lower tiers.
- Officially documented IdP integrations are Okta and Microsoft Entra ID (Azure AD); other IdPs may require custom SCIM connector configuration.
- SCIM token is separate from the standard API token and is generated within the SSO/SCIM configuration screen.
- Group provisioning maps to Qualtrics Divisions or Groups depending on configuration.
Common scenarios
Provisioning a new user requires a POST to /API/v3/users with username (email), firstName, lastName, email, and a valid userType. The userType value must match a type licensed for the brand; invalid values return a 400.
The response returns the Qualtrics user ID (URH_...), which is the required path parameter for all subsequent user-specific calls - email address cannot be substituted. Division assignment requires a follow-up PUT with divisionId.
Deprovisioning should follow a two-step pattern: PUT status: disabled to immediately block access, then optionally DELETE if permanent removal is required by data retention policy.
DELETE behavior - whether it disables or permanently removes the account - varies by brand configuration and should be validated before automation. If SCIM is active, deprovisioning via the IdP triggers the SCIM DELETE or deactivation flow automatically.
For bulk sync via SCIM with Okta or Entra ID, the SCIM bearer token is generated separately within Admin → SSO → SCIM Provisioning. SSO must be fully active before the token generation option appears.
The SCIM endpoint supports GET, POST, PUT, PATCH, and DELETE on /scim/v2/Users, plus group operations that map to Qualtrics Divisions or Groups depending on configuration.
Provision a new employee user account
- Authenticate using a Brand Administrator API token.
- POST /API/v3/users with required fields: username (email), firstName, lastName, email, userType.
- Capture the returned 'id' (URH_...) from the response.
- If divisions are used, PUT /API/v3/users/{id} with the appropriate divisionId.
- Optionally set accountExpirationDate for contractors or temporary staff.
Watch out for: userType must match a type licensed for your brand. Confirm valid userTypes with your Qualtrics account team or by inspecting existing users via GET /users.
Deprovision a departing employee
- Resolve the user's Qualtrics ID by calling GET /API/v3/users and filtering by username/email, or use a stored mapping.
- Call PUT /API/v3/users/{userId} with status set to 'disabled' to immediately block access.
- Optionally call DELETE /API/v3/users/{userId} if permanent removal is required per your data retention policy.
- If SCIM is configured, deprovisioning via the IdP (Okta/Entra) will automatically trigger the SCIM DELETE or deactivation flow.
Watch out for: DELETE behavior (disable vs. permanent removal) may vary by brand configuration. Test in a non-production environment before automating.
Bulk-sync users via SCIM with Okta
- Confirm Enterprise plan and active SSO configuration in Qualtrics Admin > SSO.
- Navigate to Admin > SSO > SCIM Provisioning and generate a SCIM Bearer Token.
- In Okta, add the Qualtrics application from the Okta Integration Network.
- Configure the SCIM base URL as https://{datacenterid}.qualtrics.com/scim/v2 and paste the Bearer Token.
- Enable provisioning features: Push New Users, Push Profile Updates, Deactivate Users.
- Assign users/groups in Okta; Okta will POST /scim/v2/Users for each assigned user.
- Verify provisioned users appear in Qualtrics Admin > Users.
Watch out for: The SCIM token is distinct from the REST API token. SSO must be fully active before the SCIM token generation option appears in the admin UI.
Why building this yourself is a trap
The primary integration trap is datacenter-specificity: the base URL is not a single global endpoint. Hardcoding a datacenter ID that differs from the account's actual datacenter produces authentication failures that are easy to misdiagnose as token or permission errors. Always resolve the datacenter ID from the GET /whoami response or a stored, account-verified configuration value.
The REST API uses PUT for user updates - not PATCH. Sending only changed fields in a PUT may overwrite unspecified fields with nulls; include all fields you intend to retain. PATCH is only available via the SCIM endpoint.
This distinction matters when building an identity graph that tracks permission state across users: a partial PUT intended to update divisionId can inadvertently clear the permissions object if the full user record is not reconstructed before the call.
The permissions field is a map of boolean toggles, and its interaction with applied Permission Sets is not fully transparent via the API. A user may have a Permission Set applied at the division level that is not reflected in the per-user permissions object returned by GET.
Any identity graph built on top of the Qualtrics API must account for this layered resolution order - brand default, then division default, then per-user override - to accurately represent effective access state.
Automate Qualtrics workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
