Summary and recommendation
Rippling exposes a REST API at https://api.rippling.com/platform/api, designed primarily for partners building integrations in the Rippling App Shop.
Authentication uses OAuth 2.0 authorization code flow;
API key auth is also available for server-to-server use via the developer portal.
Access requires registering an application at developer.rippling.com and obtaining approval - arbitrary third-party API access is not open by default.
OAuth tokens are scoped to a single company tenant;
multi-tenant integrations require a separate OAuth flow per customer.
The API does not expose an inbound SCIM 2.0 endpoint: Rippling acts as an IdP that provisions outward to other apps, not as a SCIM target for external IdPs.
User management into Rippling is handled exclusively through its native REST API or direct HR workflows.
For teams building identity graph pipelines, Rippling's employee object is the authoritative source of record: it carries `employmentStatus` (ACTIVE / INACTIVE / TERMINATED), `department`, `manager` (by Rippling employee ID), `location`, `employmentType`, and `flsaStatus`
the full set of attributes needed to construct and maintain an identity graph across connected systems.
Group membership via `GET /groups` maps directly to Rippling's app access policies, making it the correct join key when reconciling access entitlements across downstream apps.
API quick reference
| Has user API | Yes |
| Auth method | OAuth 2.0 (authorization code flow); API key also available for server-to-server integrations via the developer portal |
| Base URL | Official docs |
| SCIM available | No |
| SCIM plan required | Custom |
Authentication
Auth method: OAuth 2.0 (authorization code flow); API key also available for server-to-server integrations via the developer portal
Setup steps
- Register an application in the Rippling Developer Portal (developer.rippling.com) to obtain a client_id and client_secret.
- Direct the Rippling account admin to the OAuth authorization URL: https://app.rippling.com/apps/PLATFORM/
/authorize with required scopes. - Exchange the returned authorization code for an access_token and refresh_token via POST https://api.rippling.com/auth/oauth2/token.
- Include the access token in all API requests as a Bearer token in the Authorization header.
- Refresh the access token using the refresh_token before expiry; Rippling tokens expire and must be refreshed.
Required scopes
| Scope | Description | Required for |
|---|---|---|
| employee:read | Read employee profile data including name, email, department, and employment status. | GET /employees, GET /employees/{id} |
| employee:write | Create or update employee records. | POST /employees, PATCH /employees/{id} |
| company:read | Read company-level metadata such as departments and teams. | GET /companies, GET /departments |
| leave:read | Read leave/time-off records for employees. | GET /leaves |
| group:read | Read group/team membership data. | GET /groups |
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| id | string | Rippling-internal unique identifier for the employee. | system-generated | immutable | Use this ID for all subsequent API calls referencing the employee. |
| workEmail | string | Primary work email address. | required | updatable | Used as the login identifier in most Rippling-provisioned apps. |
| firstName | string | Employee's legal first name. | required | updatable | |
| lastName | string | Employee's legal last name. | required | updatable | |
| employmentType | string (enum) | Type of employment: EMPLOYEE, CONTRACTOR, etc. | required | updatable | Affects which modules and benefits the employee is eligible for. |
| startDate | string (ISO 8601 date) | Employee's official start date. | required | updatable | |
| endDate | string (ISO 8601 date) | Employee's termination or contract end date. | optional | updatable | Setting this triggers offboarding workflows if configured. |
| department | object (id, name) | Department the employee belongs to. | optional | updatable | Must reference a valid department ID within the company. |
| title | string | Job title. | optional | updatable | |
| manager | object (id) | Reference to the employee's direct manager by Rippling employee ID. | optional | updatable | |
| employmentStatus | string (enum) | Current status: ACTIVE, INACTIVE, TERMINATED. | system-set | updatable | Drives access provisioning/deprovisioning across connected apps. |
| personalEmail | string | Personal email address. | optional | updatable | Used for pre-boarding communications before work email is active. |
| phoneNumber | string | Primary phone number. | optional | updatable | |
| location | object (id, name) | Work location assigned to the employee. | optional | updatable | Affects tax jurisdiction and compliance rules. |
| flsaStatus | string (enum) | FLSA classification: EXEMPT or NON_EXEMPT. | required for US employees | updatable | Required for payroll compliance in the US. |
| customFields | array of objects | Company-defined custom employee attributes. | optional | updatable | Field keys vary per Rippling company configuration. |
Core endpoints
List employees
- Method: GET
- URL:
https://api.rippling.com/platform/api/employees - Watch out for: Returns only employees visible to the OAuth app's authorized company. Terminated employees may be excluded by default; check filter params.
Request example
GET /platform/api/employees?limit=25
Authorization: Bearer <access_token>
Response example
{
"data": [
{"id": "emp_abc123", "workEmail": "jane@acme.com",
"firstName": "Jane", "lastName": "Doe",
"employmentStatus": "ACTIVE"}
],
"nextCursor": "cursor_xyz"
}
Get employee by ID
- Method: GET
- URL:
https://api.rippling.com/platform/api/employees/{id} - Watch out for: The {id} must be Rippling's internal employee ID, not an email or external HR ID.
Request example
GET /platform/api/employees/emp_abc123
Authorization: Bearer <access_token>
Response example
{
"id": "emp_abc123",
"workEmail": "jane@acme.com",
"firstName": "Jane",
"lastName": "Doe",
"title": "Engineer",
"employmentStatus": "ACTIVE"
}
Create employee
- Method: POST
- URL:
https://api.rippling.com/platform/api/employees - Watch out for: Creating an employee via API may trigger onboarding workflows and app provisioning configured in Rippling. Ensure downstream app licenses are available.
Request example
POST /platform/api/employees
Authorization: Bearer <access_token>
Content-Type: application/json
{"firstName":"John","lastName":"Smith",
"workEmail":"john@acme.com",
"startDate":"2025-06-01",
"employmentType":"EMPLOYEE"}
Response example
{
"id": "emp_new456",
"workEmail": "john@acme.com",
"employmentStatus": "ACTIVE"
}
Update employee
- Method: PATCH
- URL:
https://api.rippling.com/platform/api/employees/{id} - Watch out for: Partial updates are supported. Changing department or manager may trigger automated role-change workflows in Rippling.
Request example
PATCH /platform/api/employees/emp_abc123
Authorization: Bearer <access_token>
Content-Type: application/json
{"title": "Senior Engineer",
"department": {"id": "dept_789"}}
Response example
{
"id": "emp_abc123",
"title": "Senior Engineer",
"department": {"id": "dept_789", "name": "Engineering"}
}
List departments
- Method: GET
- URL:
https://api.rippling.com/platform/api/departments - Watch out for: Department IDs are required when assigning employees to departments via the employees endpoint.
Request example
GET /platform/api/departments
Authorization: Bearer <access_token>
Response example
{
"data": [
{"id": "dept_789", "name": "Engineering"},
{"id": "dept_101", "name": "Sales"}
]
}
List groups
- Method: GET
- URL:
https://api.rippling.com/platform/api/groups - Watch out for: Groups in Rippling map to teams/security groups used for app access policies. Requires group:read scope.
Request example
GET /platform/api/groups
Authorization: Bearer <access_token>
Response example
{
"data": [
{"id": "grp_001", "name": "Engineering Team",
"members": ["emp_abc123"]}
]
}
Get current authenticated company
- Method: GET
- URL:
https://api.rippling.com/platform/api/me - Watch out for: Useful for validating the OAuth token's company context before making employee queries.
Request example
GET /platform/api/me
Authorization: Bearer <access_token>
Response example
{
"companyId": "co_xyz",
"companyName": "Acme Corp"
}
List leaves (time-off)
- Method: GET
- URL:
https://api.rippling.com/platform/api/leaves - Watch out for: Requires leave:read scope. Leave data availability depends on whether the company has Rippling's Time & Attendance module enabled.
Request example
GET /platform/api/leaves?employeeId=emp_abc123
Authorization: Bearer <access_token>
Response example
{
"data": [
{"id": "leave_001", "employeeId": "emp_abc123",
"startDate": "2025-07-01", "endDate": "2025-07-05",
"type": "PTO"}
]
}
Rate limits, pagination, and events
Rate limits: Rippling's public developer documentation does not explicitly publish specific rate limit numbers or tier-based quotas as of the last known documentation review.
Rate-limit headers: Unknown
Retry-After header: Unknown
Rate-limit notes: No explicit rate limit values, headers, or Retry-After behavior documented publicly. Contact Rippling developer support for partner-tier limits.
Pagination method: cursor
Default page size: 25
Max page size: 100
Pagination pointer: cursor / limit
Webhooks available: Yes
Webhook notes: Rippling supports webhooks for app integrations built on the Rippling platform. Webhook events are delivered to a registered endpoint URL when employee lifecycle events occur (e.g., hire, termination, profile update). Webhooks are configured per-app in the Rippling Developer Portal.
Alternative event strategy: Polling the GET /employees endpoint with a lastModified filter can serve as a fallback if webhooks are not available for a given integration tier.
Webhook events: employee.created, employee.updated, employee.terminated, employee.rehired, employee.department_changed, employee.manager_changed
SCIM API status
- SCIM available: No
- SCIM version: Not documented
- Plan required: Custom
- Endpoint: Not documented
Limitations:
- Rippling functions as a SCIM identity provider that pushes provisioning TO other apps (e.g., via its App Shop connectors), not as a SCIM-inbound target for external IdPs.
- There is no publicly documented inbound SCIM 2.0 endpoint for provisioning users INTO Rippling from an external IdP.
- User management into Rippling is handled via its native REST API or direct HR workflows, not via SCIM.
Common scenarios
Three integration patterns cover the majority of production use cases.
Onboarding: POST to /platform/api/employees with firstName, lastName, workEmail, startDate, and employmentType.
Store the returned id.
App provisioning automations in Rippling fire asynchronously - an ACTIVE employmentStatus on the employee record does not guarantee all connected apps are provisioned immediately.
Verify via the App Management UI or a follow-up GET.
Profile sync: Register a webhook for employee.updated events in the Developer Portal.
On receipt, extract the id from the payload and re-fetch the full record via GET /platform/api/employees/{id} - webhook payloads may contain only changed fields, not the complete object.
Map Rippling fields to your target schema before writing.
Offboarding: Consume the employee.terminated webhook or poll for employmentStatus=INACTIVE.
Confirm endDate via GET /platform/api/employees/{id}, then trigger deprovisioning in external systems using workEmail or id.
Rippling's App Shop deprovisioning fires automatically for its own connected apps - it does not cover systems outside that ecosystem.
Onboard a new hire and verify provisioning
- POST /platform/api/employees with required fields (firstName, lastName, workEmail, startDate, employmentType).
- Store the returned employee id for future reference.
- Poll GET /platform/api/employees/{id} or listen for the employee.created webhook to confirm the record is ACTIVE.
- Verify downstream app provisioning was triggered by checking Rippling's App Management UI or querying connected app status if available via API.
Watch out for: App provisioning automations in Rippling are triggered asynchronously; the employee record being ACTIVE does not guarantee all connected apps are provisioned immediately.
Sync employee profile changes to an external system
- Register a webhook endpoint in the Rippling Developer Portal to receive employee.updated events.
- On webhook receipt, extract the employee id from the payload.
- Call GET /platform/api/employees/{id} to fetch the full updated employee record.
- Map Rippling fields to the external system's schema and apply the update.
Watch out for: Webhook payloads may contain only the changed fields or a reference ID, not the full employee object. Always re-fetch the full record via the REST API to ensure data completeness.
Offboard a terminated employee
- Receive the employee.terminated webhook event or detect termination by polling for employees with employmentStatus=INACTIVE.
- Call GET /platform/api/employees/{id} to confirm endDate and employmentStatus.
- Trigger deprovisioning logic in external systems using the employee's workEmail or id.
- Rippling's own connected app deprovisioning (App Shop integrations) fires automatically based on termination; no additional API call is needed for Rippling-managed apps.
Watch out for: Rippling's automated deprovisioning for its App Shop integrations is separate from any external system deprovisioning you implement. Do not assume Rippling's offboarding covers systems not connected via the App Shop.
Why building this yourself is a trap
Several non-obvious constraints create integration risk. Employee creation via API triggers Rippling's configured onboarding automations - app provisioning, equipment requests, and compliance tasks fire immediately in production environments; test against a sandbox tenant before going live.
Pagination is cursor-based only (cursor / limit params, default page size 25, max 100); offset-based pagination is not supported - always advance using the nextCursor value from the response. Custom fields (customFields) are company-specific;
field keys must be retrieved from the target company's Rippling configuration before use and cannot be assumed stable across tenants. Rate limit values are not publicly documented - implement exponential backoff and handle HTTP 429 responses defensively.
Changing department or manager via PATCH may trigger automated role-change workflows in Rippling, with downstream effects on app access policies. Finally, the /platform/api base path is specific to the partner/developer API; do not conflate it with internal Rippling service URLs.
Automate Rippling workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
