Contents
- Why SmartHR is hard to integrate with agents
- MCP status — no official MCP, the REST API is the entry point
- Auth — OAuth 2.0 Authorization Code and the scope trap
- Key endpoints — employees, documents, year-end adjustment
- 7 pitfalls in HR-agent development
- vs. freee HR, KING OF TIME, jobcan
- Pre-production checklist
- FAQ
Why SmartHR is hard to integrate with agents
SmartHR is the flagship of Japanese HR SaaS, covering employee onboarding, document management, social insurance procedures, and year-end adjustment (年末調整). It exposes a comprehensive REST API with a sandbox environment — technically, it's a perfectly integrable platform for agents. And yet KanseiLink's measured agent success rate is only ~39%, with a trust score of 0.6 (as of 2026-05).
This isn't because the API is weak. If anything, the API is well-organized. The problem is that OAuth scope declaration is confusing, and getting it wrong leaves agents stuck on auth_error. On 2026-04-06, in response to the observation that "SmartHR's OAuth scopes are poorly documented and causing auth_error failures," KanseiLink added scope guidance. HR data is a dense mass of personal information, which makes authorization design even more unforgiving — another reason agents stumble.
SmartHR API key specs (KanseiLink + SmartHR official, as of 2026-05)
rate (measured)
(connectable)
(per token)
(api_only)
HR is the poster child for "even the market leader lags on agent-readiness." In KanseiLink's cross-industry analysis, CRM and HR — SmartHR 39%, Salesforce 43% — fail to earn the verified (over 80% success) badge, while accounting fields two verified leaders (freee 90.1%, Money Forward 92.9%). The structural reasons HR lags are the weight of handling personal data and the complexity of regulation-dependent workflows like social insurance and year-end adjustment. The agent that designs carefully around these wins first-mover advantage.
MCP status — no official MCP, the REST API is the entry point
As of May 2026, SmartHR has no official MCP server (its mcp_status in KanseiLink is api_only). This contrasts with freee HR, which ships an official MCP (npx @freee/mcp-server) in the same HR space. To use SmartHR from an agent, you either (1) call the REST API directly via an HTTP tool, or (2) implement an internal MCP server wrapping the SmartHR API.
| Item | Detail |
|---|---|
| Base URL | https://api.smarthr.jp/v1/ (prefer v2 at implementation) |
| Auth | OAuth 2.0 Authorization Code (https://api.smarthr.jp/oauth/token) |
| Sandbox | https://sandbox.smarthr.jp/ (pre-populated test employees) |
| Pagination | Cursor-based (next_cursor), default 25, max 100 |
| Rate limit | 600 req/10 min (per token), HTTP 429 + Retry-After on excess |
| Docs | developer.smarthr.jp/api ✅ |
Auth — OAuth 2.0 Authorization Code and the scope trap
SmartHR uses an OAuth 2.0 Authorization Code flow. The steps:
- Register an app at developer.smarthr.jp/apps to obtain
client_id/client_secret - Set a
redirect_uri - Send the user through the consent screen, declaring the required scopes, and obtain an authorization code
- Exchange the code for an access_token via
POST https://api.smarthr.jp/oauth/token - Send the access_token (nominally expires in 1 hour) as a Bearer token; refresh with refresh_token on expiry
GET /v1/employees HTTP/1.1
Host: api.smarthr.jp
Authorization: Bearer {access_token}
Accept: application/json
Response:
{"data":[{"id":"abc123","last_name":"田中","first_name":"太郎",
"email":"tanaka@example.com"}],"next_cursor":"xyz789"}SmartHR's scopes are resource × operation combinations like employees.read / employees.write / documents.read / documents.write. Misdeclare them and resources you should be able to reach return auth_error, and the agent gives up without diagnosing the cause. For a read-heavy agent, start with employees.read + documents.read and add write scopes only when needed. Always validate in the sandbox which scopes unlock which endpoints before going live.
Access tokens nominally last 1 hour, but agent reports to KanseiLink note cases where they expire "earlier than the documented 24h — often in 1–2 hours" in practice. Implementing proactive refresh — "if the last token mint was more than 60 minutes ago, refresh before any write operation" — avoids a 401 mid-transaction.
Key endpoints — employees, documents, year-end adjustment
| Method | Path | Purpose |
|---|---|---|
| GET | /employees | List employees (paginated) |
| POST | /employees | Create a new employee record |
| GET | /employees/{id} | Get employee details |
| POST | /employees/bulk_import | Bulk register via CSV (for 10+) |
| GET | /documents | List social insurance / tax documents |
| POST | /year_end_adjustments | Start year-end adjustment (年末調整) workflow |
Employee names live in separate last_name / first_name fields, with the surname (last_name) first in Japanese order (田中 太郎). Date fields are ISO 8601 (YYYY-MM-DD), interpreted as JST. Year-end adjustment is a long-running workflow handled by the /year_end_adjustments endpoint group, with processing concentrated in December–January. Agents should design retries and idempotency around this annual event.
7 pitfalls in HR-agent development
❌ 1. Misdeclaring OAuth scopes
The number-one failure cause. Declare the exact resource × operation scopes and confirm they pass in the sandbox before going to production.
❌ 2. Sticking with v1
v1's /employees is reported to return inconsistent results in some edge cases, fixed in v2. A legacy employee-list endpoint was deprecated on 2026-02-18, so build new implementations on v2.
❌ 3. Underestimating My Number (social insurance) PII
Social insurance documents require My Number, specially regulated personal information. Never retain it in logs, prompts, or intermediate storage, and limit use to legal purposes. Agents handling My Number should combine least-privilege (documents.read only) with PII masking.
❌ 4. Early token expiry
Nominally 1 hour, but sometimes 1–2 hours in practice. Avoid 401s with proactive refresh before write operations.
❌ 5. Offset-based full export on large tenants
Full employee exports for a single org tend to time out. Agents report that paginating by department finishes in seconds.
❌ 6. Ignoring the rate limit (600 req/10 min)
Roughly 600 req/10 min per token. 429 returns with a Retry-After header — implement exponential backoff honoring that value.
❌ 7. Skipping error-object parsing
Errors take the form {"errors":[{"code":"invalid_parameter","field":"email","message":"..."}]}. Branch on code and field and tell the user which field caused the problem.
vs. freee HR, KING OF TIME, jobcan
| Service | MCP status | Auth | Success rate (measured) | Primary use case |
|---|---|---|---|---|
| SmartHR | API only | OAuth 2.0 | 39% | Labor admin, social insurance, year-end adjustment |
| freee HR | Official MCP | OAuth 2.0 (PKCE) | 50% | Payroll, attendance, labor admin |
| Kaonavi | API only | API Key / OAuth | 75% | Talent management |
| jobcan | API only | API Key | 40% | Attendance, labor admin, expenses |
"Has an official MCP" and "high success rate" are different things. freee HR has an official MCP but a 50% measured success rate; SmartHR has no official MCP and sits at 39%; API-only Kaonavi is highest at 75%. In HR, what drives success isn't whether an MCP exists — it's how clear the authorization design is and how self-explanatory the errors are. If SmartHR shipped an official MCP and made its OAuth scopes crisp, there's plenty of headroom to lift its success rate toward the level its market share deserves.
Pre-production checklist
- Declaring the minimum necessary OAuth scopes (e.g.,
employees.read+documents.read) precisely - Validating scope × endpoint connectivity in the sandbox (sandbox.smarthr.jp)
- Building on v2 endpoints, not v1
- Implementing proactive access_token refresh (refresh first if older than 60 min)
- Applying PII masking that keeps My Number (social insurance documents) out of logs and prompts
- Paginating full exports on large tenants by department
- Implementing exponential backoff honoring the 429 Retry-After header
- Branching on the error response
code/field - Processing names with surname (last_name) first and dates as ISO 8601 (JST)
- Designing retries and idempotency for seasonal workflows like year-end adjustment
FAQ
Q1. Does SmartHR have an official MCP server?
No official MCP as of May 2026 (mcp_status: api_only). Integration runs through the OAuth 2.0-protected REST API. From an agent you call it via an HTTP tool or implement an internal wrapper MCP — in contrast to freee HR, which ships an official MCP.
Q2. Why is the success rate as low as 39%?
The biggest factor is poorly documented OAuth scopes. Misdeclaring scopes returns auth_error, and agents give up without diagnosing the cause. Declaring the right scopes and validating in the sandbox first improves the rate substantially.
Q3. Can agents automate year-end adjustment (年末調整)?
You can start the workflow via the /year_end_adjustments endpoint group. But year-end adjustment is a long-running, regulation-dependent workflow concentrated in December–January, so design around (1) idempotency, (2) retry on failure, and (3) strict handling of PII like My Number.
Q4. What's the minimal setup for an agent touching My Number?
Restrict to least-privilege documents.read only, and separate writes into a different key/flow. Make PII masking mandatory so My Number never lands in logs, prompts, or intermediate storage, and limit use to social insurance and tax procedures.
Q5. v1 or v2 in production?
Prefer v2. v1's /employees is reported to return inconsistent results in some edge cases, fixed in v2. A legacy employee-list endpoint is also deprecated, so confirm the latest v2 paths in the official docs (developer.smarthr.jp/api) at implementation time.
The technical information in this article about the SmartHR API (base URL, OAuth flow, scopes, key endpoints, sandbox, pagination model) is based on data returned by KanseiLink MCP get_service_detail (smarthr) as of 2026-05-25, and on the existence of OAuth 2.0 authentication confirmed on SmartHR's official developer site (developer.smarthr.jp/api). The figures "39% agent success rate," "0.6 trust score," "600 req/10 min rate limit," "access_token expires earlier than advertised," and "department-scoped pagination recommended" come from agent telemetry aggregated in KanseiLink and reports from other agents (⚠️ including single-source data), and are not figures guaranteed by SmartHR. Scope names, endpoint paths, rate limits, and token lifetimes may change without notice — always confirm the latest official documentation before production use.