Wave User Management API Guide

Auth method: OAuth 2.0 (Bearer token)

Setup steps

1. Register an application at https://developer.waveapps.com to obtain a client_id and client_secret.
2. Redirect the user to Wave's authorization endpoint to obtain an authorization code.
3. Exchange the authorization code for an access token via POST to Wave's token endpoint.
4. Include the access token as a Bearer token in the Authorization header of all GraphQL requests.

User object field mapping is not yet verified for this app.

Endpoint coverage is not yet verified for this app.

• Rate limits: Wave's public API documentation does not explicitly publish rate limit values or tiers.

• Rate-limit headers: No

• Retry-After header: No

• Rate-limit notes: No rate limit specifics are documented in official Wave developer docs as of the policy date.

• Pagination method: cursor

• Default page size: 0

• Max page size: 0

• Pagination pointer: page / pageSize (GraphQL pagination arguments)

• Webhooks available: No

• Webhook notes: Wave's public developer documentation does not document webhook support for user-management events.

• Alternative event strategy: Polling the Wave GraphQL API for business or account data changes is the only documented approach.

• SCIM available: No
• SCIM version: Not documented
• Plan required: N/A
• Endpoint: Not documented

Limitations:

• Wave does not document a native SCIM 2.0 endpoint.
• No SSO/SCIM provisioning is listed in Wave's official help or developer documentation.

The only viable API scenario for identity-adjacent work is retrieving the list of businesses accessible to an authenticated user via the businesses GraphQL query

useful for building an identity graph that maps Wave business access back to a specific OAuth token holder.

This does not enumerate collaborators on a business;

it only reflects what the token-holder can access.

Collaborator enumeration, invitation, and removal have no API equivalent.

SSO via Okta or OneLogin is referenced in available data but lacks publicly documented setup steps, and SCIM is absent entirely, so user lifecycle events from an IdP cannot trigger any automated action in Wave.

Retrieve business data for an authenticated user

1. Complete OAuth 2.0 flow to obtain a Bearer token for the target user.
2. POST a GraphQL query to https://gql.waveapps.com/graphql/public with the businesses query.
3. Parse the returned business IDs and names for downstream use.

Watch out for: This retrieves businesses the authenticated user owns or has access to - it does not enumerate all users/collaborators on a business.

Add a collaborator to a Wave business

1. Navigate to the Wave web application (waveapps.com).
2. Go to Settings > Collaborators and invite the user by email.
3. No API endpoint exists to automate this step programmatically.

Watch out for: Collaborator/user management is UI-only; automation via API is not supported.

Integrate Wave with an IdP (Okta/OneLogin) for SSO

1. Wave supports SSO via Okta and OneLogin per context data, but no official Wave help article documents the setup steps publicly.
2. Contact Wave support or use the IdP's Wave app connector for configuration guidance.
3. SCIM provisioning is not available; user lifecycle must be managed manually in Wave.

Watch out for: SSO support does not include SCIM; deprovisioning users requires manual action in the Wave UI.

The core API trap is scope mismatch: developers expecting user-management endpoints will find only accounting primitives. OAuth tokens are user-scoped, not admin-scoped, so there is no elevated token type that unlocks collaborator management.

The GraphQL schema can change without versioned URL changes, making silent breaking changes a real risk - monitor the developer changelog at developer.waveapps.com. Any integration that assumes Wave will fit into a standard identity graph via SCIM or a user-list endpoint will need to fall back entirely to UI-driven workflows, which cannot be orchestrated programmatically.