Sync your Employment Hero users (and, optionally, employment history and leave data) into Vanta via OAuth 2.0.
Who it’s for: Vanta and Employment Hero Admins, IT, Security
Estimated setup time: ~10 minutes
Plan or product availability:
Employment Hero: Platinum subscription and above (developer.employmenthero.com)
Requirements
Role/permissions in both systems
Vanta: Must be a Vanta Admin able to install integrations.
Employment Hero:
Subscription: Platinum (or above) plan to enable API access (developer.employmenthero.com)
Account role: Admin or Owner account for your organisation, to grant all needed endpoint scopes (developer.employmenthero.com)
Developer Portal access: Ability to register an OAuth 2.0 application in the Employment Hero Developer Portal (developer.employmenthero.com)
Feature plan eligibility
For leave-requests sync, ensure the “Leave Requests” API is enabled in your plan.
For employment-history sync, ensure the “Employment History” API is enabled.
External dependencies
No SSO requirement—direct OAuth is supported.
HTTPS redirect URI(s) for OAuth callbacks.
Technical constraints
OAuth scopes are fixed at app creation—you cannot add scopes later without re-creating the app.
SSO-enforced orgs: only one SSO organisation can be authorised per token.
How it works
One-way sync: Vanta polls Employment Hero for organisations, employees, (optionally) employment history and approved leave.
OAuth 2.0: Uses a bearer token granted by the Employment Hero OAuth server (expires every 15 minutes; refreshed via a long-lived refresh token).
Data flow:
Organisations → Vanta
Employees → Vanta
Employment histories → Vanta (if enabled)
Leave requests → Vanta (if enabled)
Use Cases
Auto-provision users: New employees appear in Vanta automatically.
De-provision terminated employees: Users whose termination_date is in the past are disabled in Vanta.
Enrich profiles: Pull in department, job title, manager, and upcoming leave dates.
Access controls: Leverage your HRIS to drive Vanta access.
Overview
To complete this setup, you will:
Register an OAuth 2.0 application in Employment Hero
Copy the client ID and client secret, and select scopes
Connect the integration in Vanta
Authorize Vanta to access your Employment Hero data
Connect the integration
Register OAuth app
Sign in to Employment Hero → Developer Portal
Create a new OAuth 2.0 application
Scopes:
urn:mainapp:organisations:read
urn:mainapp:employees:read
Optional (for full sync):
urn:mainapp:employment_histories:read
urn:mainapp:leave_requests:read
(Scope reference: developer.employmenthero.com)
Copy credentials
Client ID & Client Secret
In Vanta
Navigate to Admin → Integrations
Select “Employment Hero” → “Connect”
Paste Client ID, Client Secret, Redirect URI
Authorize when prompted
Verify
After a successful grant you’ll see a “Connected” status
Run a manual sync to pull users
Permissions
Vanta will be able to view:
Organisations
Needed to list your Employment Hero organisations so you can choose which one to sync.
Employee profiles
Needed to import user details and confirm hire, role, and offboarding status.
Employment histories
Needed to determine each user’s start and end dates for accurate access controls.
Leave requests
Needed to surface upcoming approved leave dates and flag potential coverage gaps.
No other actions (create, update, or delete) are performed in your Employment Hero instance.
Frequently Asked Questions
Q: Why does the integration show “Connection failed” instead of syncing employees?
A: The user who authorizes the OAuth grant must be an Admin or Owner in that Employment Hero organisation, and the OAuth app must have been registered with at least the following scopes:
organisations:read
employees:read
If either the user role or those scopes are missing, Vanta can’t complete the API handshake and the connection will fail.
Q: I need additional permissions later—how can I add more scopes?
A: OAuth scopes are fixed when you create the app. To add or change scopes, you must delete and recreate the OAuth application in Employment Hero with the new scope set.
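Because scopes are fixed at app creation, it helps to check the planned scope set and redirect URI before registering the app. The following is an added example, not Vanta's or Employment Hero's code; the `preflight` function, the feature keys and the sample redirect URI are assumptions made for illustration, and the scope names are the ones listed under "Register OAuth app".

```python
from urllib.parse import urlsplit

# Scope names exactly as listed in the "Register OAuth app" step.
REQUIRED = {"urn:mainapp:organisations:read", "urn:mainapp:employees:read"}
# Optional syncs; the dictionary keys are hypothetical labels for this example.
OPTIONAL = {
    "employment_history": "urn:mainapp:employment_histories:read",
    "leave_requests": "urn:mainapp:leave_requests:read",
}


def preflight(scopes, redirect_uri, features=()):
    """Return a list of problems with a planned OAuth app registration.

    scopes       -- space-delimited scope string (RFC 6749, section 3.3)
    redirect_uri -- callback URI to be registered for the app
    features     -- optional syncs wanted, as keys of OPTIONAL
    """
    problems = [f"unknown feature: {f}" for f in features if f not in OPTIONAL]
    requested = set(scopes.split())
    needed = REQUIRED | {OPTIONAL[f] for f in features if f in OPTIONAL}

    # Missing scopes cannot be added later without re-creating the app.
    for scope in sorted(needed - requested):
        problems.append(f"missing scope: {scope}")
    # Anything beyond what the chosen syncs need widens the token's reach.
    for scope in sorted(requested - needed):
        problems.append(f"unneeded scope (least privilege): {scope}")

    url = urlsplit(redirect_uri)
    if url.scheme != "https" or not url.hostname:
        problems.append("redirect URI must be an absolute https:// URL")
    if url.fragment:
        problems.append("redirect URI must not contain a fragment")
    return problems


if __name__ == "__main__":
    # Constructed sample input: one required scope forgotten, plain-HTTP callback.
    planned = "urn:mainapp:organisations:read urn:mainapp:leave_requests:read"
    for line in preflight(planned, "http://vanta.example/callback",
                          features=["leave_requests"]):
        print(line)
```

An empty result means the planned registration covers the chosen syncs with no extra scopes and an HTTPS callback.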