Register an application at developer.rippling.com to obtain a client_id and client_secret, configure a redirect URI, and declare the OAuth scopes your app requires.
Initiate the OAuth 2.0 authorization code flow by directing the installing Rippling company admin to Rippling's authorization URL with your client_id and requested scopes.
After the admin approves, Rippling redirects to your redirect URI with a code parameter; exchange this code for an access_token and refresh_token via POST to https://api.rippling.com/auth/oauth2/token.
Include the access_token as a Bearer token in the Authorization header of all API requests to Rippling's REST endpoints.
Before the access_token expires (check expires_in in the token response), use the refresh_token to obtain a new access_token without requiring the admin to re-authorize.
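The five steps above as a per-tenant token manager (an added example, not Rippling's or this page's code). Assumptions: `AUTHORIZE_URL` is a placeholder because the page does not give the authorization URL, request parameters use the standard OAuth 2.0 (RFC 6749) names including a `state` check on the redirect, and `post` is a caller-supplied function that performs the HTTPS POST and returns the parsed JSON.

```python
import secrets
import time
import urllib.parse

TOKEN_URL = "https://api.rippling.com/auth/oauth2/token"  # from the steps above
AUTHORIZE_URL = "https://example.invalid/authorize"  # placeholder, not on the page
REFRESH_MARGIN = 60  # refresh this many seconds before expires_in runs out
# Assumed: RFC 6749 parameter names, client credentials sent in the form body.


class TenantTokens:
    """Tokens for one company tenant; create one instance per customer company."""

    def __init__(self, client_id, client_secret, redirect_uri, post, clock=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.post, self.clock = redirect_uri, post, clock
        self.state = self.access = self.refresh = None
        self.expires_at = 0.0

    def authorization_url(self, scopes):
        # A fresh unguessable state ties the redirect to the flow we started.
        self.state = secrets.token_urlsafe(32)
        query = urllib.parse.urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": " ".join(scopes),
            "state": self.state})
        return f"{AUTHORIZE_URL}?{query}"

    def handle_redirect(self, code, state):
        expected, self.state = self.state, None  # state is single use
        if not expected or not secrets.compare_digest(expected.encode(), (state or "").encode()):
            raise PermissionError("state mismatch: reject the redirect")
        self._store(self.post(TOKEN_URL, {
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": self.redirect_uri,
            "client_id": self.client_id, "client_secret": self.client_secret}))

    def _store(self, tok):
        self.access = tok["access_token"]
        self.refresh = tok.get("refresh_token", self.refresh)  # keep old if not rotated
        self.expires_at = self.clock() + int(tok["expires_in"])

    def auth_header(self):
        if self.access is None:
            raise RuntimeError("tenant has not authorized this app")
        if self.clock() >= self.expires_at - REFRESH_MARGIN:
            self._store(self.post(TOKEN_URL, {
                "grant_type": "refresh_token", "refresh_token": self.refresh,
                "client_id": self.client_id, "client_secret": self.client_secret}))
        return {"Authorization": f"Bearer {self.access}"}
```

Keep one `TenantTokens` record per customer company in encrypted storage, and never write the client_secret or either token to logs.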
Known gotchas
Rippling OAuth tokens are scoped to a single company tenant — a separate OAuth authorization flow is required for each customer company your app connects to.
Rippling requires apps to declare scopes upfront during app registration; scope changes after registration require a review process and existing customers must re-authorize.
Access to the Rippling API is not fully open — arbitrary API integrations require registration and approval through the developer portal before production access is granted.