WalkMe User Management API Guide

Auth method: OAuth 2.0 (client credentials flow); Bearer token passed in Authorization header

Setup steps

1. Log in to the WalkMe Console and navigate to Settings > Integrations > API.
2. Create an API application to obtain a Client ID and Client Secret.
3. POST to https://api.walkme.com/accounts/connect/token with grant_type=client_credentials, client_id, and client_secret to receive an access_token.
4. Include the token as 'Authorization: Bearer ' on all subsequent API requests.
5. Tokens are time-limited; re-authenticate when the token expires.

Required scopes

List Users

• Method: GET
• URL: https://api.walkme.com/users
• Watch out for: Pagination parameters must be included explicitly; omitting them may return only the first page.

Request example

GET /users?page=1&pageSize=100
Authorization: Bearer <token>

Response example

{
  "users": [{"id":"abc123","email":"user@example.com","status":"active"}],
  "total": 250,
  "page": 1
}

Get User by ID

• Method: GET
• URL: https://api.walkme.com/users/{userId}
• Watch out for: Returns 404 if the userId does not exist in the account scope of the token.

Request example

GET /users/abc123
Authorization: Bearer <token>

Response example

{
  "id": "abc123",
  "email": "user@example.com",
  "firstName": "Jane",
  "role": "Editor",
  "status": "active"
}

Create User

• Method: POST
• URL: https://api.walkme.com/users
• Watch out for: Duplicate email addresses return a 409 Conflict error.

Request example

POST /users
Content-Type: application/json

{"email":"new@example.com","firstName":"John","role":"Viewer"}

Response example

{
  "id": "def456",
  "email": "new@example.com",
  "status": "pending"
}

Update User

• Method: PUT
• URL: https://api.walkme.com/users/{userId}
• Watch out for: Full replacement semantics; omitted fields may be cleared. Use PATCH for partial updates if supported.

Request example

PUT /users/def456
Content-Type: application/json

{"role":"Editor","status":"active"}

Response example

{
  "id": "def456",
  "role": "Editor",
  "status": "active"
}

Delete User

• Method: DELETE
• URL: https://api.walkme.com/users/{userId}
• Watch out for: Deletion is permanent. Consider setting status=inactive for reversible deactivation.

Request example

DELETE /users/def456
Authorization: Bearer <token>

Response example

HTTP 204 No Content

List Groups

• Method: GET
• URL: https://api.walkme.com/groups
• Watch out for: Groups are used for content segmentation; group membership affects which WalkMe content users see.

Request example

GET /groups
Authorization: Bearer <token>

Response example

{
  "groups": [{"id":"grp1","name":"Sales"}]
}

Add User to Group

• Method: POST
• URL: https://api.walkme.com/groups/{groupId}/users
• Watch out for: User must already exist in WalkMe before being added to a group.

Request example

POST /groups/grp1/users
Content-Type: application/json

{"userId":"abc123"}

Response example

HTTP 200 OK
{"groupId":"grp1","userId":"abc123"}

Remove User from Group

• Method: DELETE
• URL: https://api.walkme.com/groups/{groupId}/users/{userId}
• Watch out for: Removing a user from all groups may affect content targeting and analytics segmentation.

Request example

DELETE /groups/grp1/users/abc123
Authorization: Bearer <token>

Response example

HTTP 204 No Content

• Rate limits: WalkMe's public documentation does not explicitly publish rate-limit thresholds or tier-based limits as of the policy date.

• Rate-limit headers: Unknown

• Retry-After header: Unknown

• Rate-limit notes: No explicit rate-limit values, headers, or Retry-After behavior documented in official sources. Contact WalkMe support for current limits.

• Pagination method: offset

• Default page size: 100

• Max page size: 1000

• Pagination pointer: page / pageSize

• Webhooks available: No

• Webhook notes: WalkMe's official developer documentation does not describe outbound webhook events for user lifecycle changes as of the policy date.

• Alternative event strategy: Use SCIM provisioning with Okta or Entra ID to automate user lifecycle events via IdP-driven push.

• SCIM available: Yes

• SCIM version: 2.0

• Plan required: Enterprise

• Endpoint: https://api.walkme.com/scim/v2

• Supported operations: GET /Users, GET /Users/{id}, POST /Users, PUT /Users/{id}, PATCH /Users/{id}, DELETE /Users/{id}, GET /Groups, POST /Groups, PATCH /Groups/{id}, DELETE /Groups/{id}

Limitations:

• Requires SSO to be configured before SCIM provisioning can be enabled.
• Officially supported IdPs are Okta and Microsoft Entra ID (Azure AD); other IdPs may work but are not officially documented.
• Google Workspace and OneLogin are not listed as supported IdPs in official documentation.
• SCIM token is generated in the WalkMe Console under Settings > Security > SCIM; token rotation requires manual regeneration.
• Enterprise plan required; not available on lower tiers.

Three integration patterns are well-supported by the available API surface.

For automated onboarding via SCIM with Okta, the prerequisite chain is strict: Enterprise plan active → SSO fully configured and verified → SCIM token generated → Okta SCIM 2.0 app configured with attribute mappings for userName, name.givenName, name.familyName, and groups.

SCIM push fires on Okta group assignment;

if SSO is not active at enablement time, provisioning will silently fail.

For bulk imports via REST, there is no batch-create endpoint;

each user requires an individual POST to /users.

Build retry logic for transient errors and handle 409 Conflict on duplicate emails by skipping or patching existing records, then follow up with group assignments via POST to /groups/{groupId}/users.

For offboarding, prefer PATCH with status=inactive over DELETE /users/{userId} - deletion is permanent and irreversible via API, which breaks audit trail continuity.

If the user is IdP-managed via SCIM, unassigning them in Okta or Entra ID triggers automatic deprovisioning without a direct API call.

Automated Employee Onboarding via SCIM (Okta)

1. Ensure WalkMe Enterprise plan is active and SSO (SAML/OIDC) is configured in the WalkMe Console.
2. In WalkMe Console, navigate to Settings > Security > SCIM and generate a SCIM bearer token.
3. In Okta, add WalkMe as a SCIM 2.0 application using the WalkMe SCIM endpoint and bearer token.
4. Configure Okta attribute mappings for userName (email), name.givenName, name.familyName, and groups.
5. Assign the Okta application to user groups; Okta will push new users to WalkMe automatically on assignment.
6. Verify provisioned users appear in WalkMe Console under Users with correct roles and group memberships.

Watch out for: If SSO is not active, SCIM provisioning will not function. Confirm SSO login works before enabling SCIM push.

Bulk User Import via REST API

1. Obtain an OAuth 2.0 access token via POST to https://api.walkme.com/accounts/connect/token.
2. Prepare a list of users (email, firstName, lastName, role) from your HR or directory system.
3. For each user, POST to https://api.walkme.com/users with the user payload.
4. Handle 409 Conflict responses for duplicate emails by skipping or updating existing records.
5. After creation, POST to https://api.walkme.com/groups/{groupId}/users to assign users to relevant groups.
6. Verify users in WalkMe Console and confirm group assignments for correct content targeting.

Watch out for: No bulk-create endpoint is documented; each user requires an individual POST request. Implement retry logic for transient errors.

User Deactivation on Offboarding

1. Obtain a valid Bearer token via the OAuth 2.0 client credentials flow.
2. Look up the departing user's WalkMe ID via GET /users?email=user@example.com or GET /users/{userId}.
3. PATCH or PUT the user record with status=inactive to deactivate without permanent deletion.
4. Optionally, remove the user from all groups via DELETE /groups/{groupId}/users/{userId} to revoke content targeting.
5. If using SCIM with Okta or Entra ID, unassigning the user in the IdP will trigger automatic deprovisioning.

Watch out for: Prefer status=inactive over DELETE for audit trail retention. Permanent deletion cannot be undone via API.

Building a point-to-point integration directly against the WalkMe REST or SCIM API introduces several maintenance risks that compound over time. OAuth tokens are short-lived with no documented refresh endpoint behavior, requiring robust token lifecycle management in your integration layer.

The SCIM endpoint base URL is tenant-specific and must be retrieved from the console after SCIM is enabled - it is not derivable from the REST base URL. WalkMe roles control Console authoring access only;

end-user content targeting is governed by group membership and variables, meaning a correctly provisioned user with the wrong group assignment will receive incorrect or no WalkMe guidance. No official SDK is documented, so all integrations are raw HTTP.

An identity graph built on top of a platform like Stitchflow's MCP server with 60+ deep IT/identity integrations avoids re-implementing token refresh, pagination handling, and cross-system role reconciliation for each connected app - and surfaces the WalkMe user object alongside the rest of your identity data without custom glue code.