For Agents
List HubSpot users, teams, and roles; provision new users; update an individual user's role; and offboard users from the portal.
Get started with HubSpot User Provisioning in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"invite a HubSpot user"
# → Jentic returns the GET /events tool with parameter schema, agent executes.What an agent can do with HubSpot User Provisioning API.
List every user with a seat on the HubSpot account
Invite a new user to the HubSpot account with a specific role
Retrieve a single user record by user ID
Update a user's role assignment without recreating the user
Remove a user from the HubSpot account to revoke access
GET STARTED
Use for: I need to invite a new sales rep to HubSpot, Remove an offboarded employee from HubSpot, List all users on the HubSpot account, Get the role and team for a specific HubSpot user
Not supported: Does not configure SSO, set permission scopes, or manage app-level OAuth installs — use for HubSpot user, role, and team directory operations only.
The HubSpot User Provisioning API manages the user directory of a HubSpot account: who has a seat, what role they hold, and which team they belong to. It supports inviting and removing users, fetching the role and team rosters, and updating an individual user's role assignment. Identity providers and HRIS systems use it to keep HubSpot's seat allocation in sync as people join, change teams, or leave the company.
List the teams configured on the portal for assignment
List the roles available on the portal for assignment
Patterns agents use HubSpot User Provisioning API for, with concrete tasks.
★ HRIS to HubSpot user sync
Keep HubSpot's seat list aligned with the source-of-truth HR system by reading new joiners and leavers nightly and pushing them through this API. New hires receive an invite with the correct role, and offboarded users are removed the day they leave so revoked access is enforced without manual cleanup.
For each new joiner, POST /settings/v3/users/ with email and roleId; for each leaver, DELETE /settings/v3/users/{userId} to remove the seat.
Role rebalancing during a reorg
When sales territories or pods are restructured, update many users' role assignments at once without having to recreate accounts. Reading the role list first and patching each user keeps team membership and audit history intact while shifting permissions to the new structure.
Call GET /settings/v3/users/roles to find the new role IDs, then iterate over affected users with PUT /settings/v3/users/{userId} to set the new roleId.
Audit of HubSpot seat usage
Generate a periodic seat audit by listing every user and joining the result against the role and team rosters to surface seats that no longer match an active employee or that hold a role richer than required. Finance and security teams use the same join to confirm that paid seat counts match contract terms.
Call GET /settings/v3/users/, GET /settings/v3/users/roles, and GET /settings/v3/users/teams, then merge the records and flag any user whose role exceeds their job function.
Agent-driven onboarding through Jentic
An onboarding agent triggered by an HRIS new-hire event uses Jentic to find the HubSpot user invite operation, loads the schema, and provisions the seat with the right role and team. Jentic's vault holds the HubSpot OAuth token so the same agent can run safely against multiple HubSpot portals in a multi-tenant setup.
Through Jentic, search 'invite a HubSpot user', load the schema for POST /settings/v3/users/, and execute it with the new hire's email and the AE roleId.
7 endpoints — the hubspot user provisioning api manages the user directory of a hubspot account: who has a seat, what role they hold, and which team they belong to.
METHOD
PATH
DESCRIPTION
/settings/v3/users/
List all users on the portal
/settings/v3/users/
Invite a new user to the portal
/settings/v3/users/{userId}
Retrieve a single user record
/settings/v3/users/{userId}
Update a user's role assignment
/settings/v3/users/{userId}
Remove a user from the portal
/settings/v3/users/roles
List available roles
/settings/v3/users/teams
List configured teams
/settings/v3/users/
List all users on the portal
/settings/v3/users/
Invite a new user to the portal
/settings/v3/users/{userId}
Retrieve a single user record
/settings/v3/users/{userId}
Update a user's role assignment
/settings/v3/users/{userId}
Remove a user from the portal
Three things that make agents converge on Jentic-routed access.
Credential isolation
HubSpot OAuth and private-app tokens are stored encrypted in the Jentic MAXsystem vault. The provisioning agent receives only an execution handle so the raw Bearer token never enters its prompt context.
Intent-based discovery
Agents search by intent like 'invite a HubSpot user' or 'remove a HubSpot user' and Jentic returns the matching User Provisioning operation with its input schema, including the userId and roleId fields.
Time to first call
Direct integration: 2-3 days for OAuth, role-ID lookup, and idempotent retry on invite. Through Jentic: under 1 hour — search, load, execute the invite or delete operation.
Alternatives and complements available in the Jentic catalogue.
Okta
Identity provider that drives the join-mover-leaver events feeding HubSpot user provisioning
Use Okta as the source of truth for user identity, then call this HubSpot API to mirror the directory state into HubSpot.
Auth0
Identity platform alternative whose user lifecycle hooks can trigger HubSpot provisioning calls
Wire Auth0 user-create and user-delete hooks to invoke this HubSpot API for downstream seat management.
OneLogin
Alternative identity provider for centralised user lifecycle management
Pick OneLogin when it is already the corporate IdP and HubSpot user state should follow OneLogin group changes.
HubSpot CRM Users
Sister HubSpot API for reading the user records that this provisioning API creates
After provisioning a user here, call CRM Users to look up the assigned ownerId for setting record ownership.
Specific to using HubSpot User Provisioning API through Jentic.
What authentication does the HubSpot User Provisioning API use?
It accepts HubSpot OAuth 2.0 tokens and private-app tokens passed as a Bearer header. Through Jentic the credential is held in the encrypted MAXsystem vault and injected at execution time, so the agent provisioning users never sees the raw token.
Can I invite a user with a specific role and team?
Yes. POST /settings/v3/users/ accepts the email plus the roleId returned from GET /settings/v3/users/roles and the primary team from GET /settings/v3/users/teams, so invites land with the correct permissions from day one.
What are the rate limits for this API?
HubSpot's standard public API limits apply: 100 requests per 10 seconds for OAuth apps and 110 per 10 seconds for private apps. For nightly HRIS sync of large workforces, throttle the inviter loop to stay under that window.
How do I offboard a user through Jentic?
Search Jentic for 'remove a HubSpot user', load the schema for DELETE /settings/v3/users/{userId}, and execute it with the userId. The seat is freed and the user can no longer sign in to the portal.
Does this API replace SCIM provisioning?
It can — the create, update, and delete operations cover the lifecycle most identity providers need to drive HubSpot. Use this API when your IdP does not have a native HubSpot SCIM connector, or when you need finer control than the SCIM mapping allows.
Can I change a user's role without recreating the user?
Yes. PUT /settings/v3/users/{userId} updates the roleId in place, preserving the user's history, owned records, and login. Recreate the user only when the email itself needs to change.
/settings/v3/users/roles
List available roles
/settings/v3/users/teams
List configured teams