The short version: PrismHR doesn’t use a “Sign in with PrismHR” button. Instead, your
admin creates a dedicated, locked-down Web Service User (a service account just for
HomecareHQ) and gives us three things: a User ID, a Password, and your PEO ID.
The three things you’ll hand us
| # | What | What it is | Secret? |
|---|---|---|---|
| 1 | Web Service User ID | The username of the service account you create for HomecareHQ | Yes |
| 2 | Web Service User Password | That account’s password | Yes |
| 3 | PEO ID | Your organization identifier inside PrismHR (you look it up) | No |
Before you start: check API access
Most of this is self-serve in your PrismHR Back Office. There are only two cases where you’d contact PrismHR support:
- If the “Web Service Users” option isn’t there (step 3 below), your account likely doesn’t have API access enabled yet — ask PrismHR to turn it on.
- If your PEO ID is blank (step 2), submit a support request to have it populated.
Find your PEO ID (30 seconds)
In the PrismHR Back Office, go to System → Change, open the System Parameters
form, and note the value in the PEO ID field. That’s credential #3 — read it, don’t
change it.
Create the Web Service User
In Back Office, go to System → Change → System Parameters, then from the Actions
menu choose Web Service Users. Create a new user:
| Field | What to enter |
|---|---|
| User ID | Something recognizable, e.g. homecarehq. ⚠️ Can’t be changed after saving. (Credential #1.) |
| User Name | A friendly label, e.g. “HomecareHQ Integration”. |
| Password | A strong password. (Credential #2.) |
| Account Disabled | Leave unchecked. |
| Minimum API Version | Leave at the default unless support says otherwise. |
Set company access
On Company Access, choose either “Grant Access by Default, Deny to Specified” (sees all
your companies except those you list) or “Deny by Default, Grant to Only Specified” (sees
only the companies you list). Use the second option to limit HomecareHQ to specific entities.
Grant least-privilege methods
On the Allowed Methods grid, grant read access to the services below (wildcards like
EmployeeService.* are fine):
| Grant | Why | Required? |
|---|---|---|
| LoginService.createPeoSession | Log in / start a session | Always |
| LoginService.getAPIPermissions | Confirm the account’s access | Always |
| EmployeeService.* (read) | Employee roster, contact, hire/term dates, status | Yes |
| ClientMasterService.* (read) | Company/client context | Yes |
| Onboarding methods | New-hire task status & progress | Yes |
| Document methods | Document references only — never file contents | Yes |
| PayrollService.* (read) | Pay statements, earnings, deductions | Optional (opt-in) |
| Benefit methods | Benefit elections, enrollment, plan details | Optional (opt-in) |
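An added example, not PrismHR or HomecareHQ code: one way to review the Allowed Methods grid against the grant table above before handing over the credentials. The (pattern, access) list format, the sample grid and the `extra_allowed` parameter are assumptions; the onboarding, document and benefit method names are not given on this page, so they are supplied by the caller.

```python
from fnmatch import fnmatchcase

# Grants named on this page. Onboarding, document and benefit methods are not
# named there, so the caller passes them in via extra_allowed (hypothetical).
ALWAYS = ("LoginService.createPeoSession", "LoginService.getAPIPermissions")
REQUIRED = ("EmployeeService", "ClientMasterService")
OPT_IN = ("PayrollService",)

# Constructed sample grid: (pattern, access). "OtherService" is a made-up name.
SAMPLE_GRID = [
    ("LoginService.createPeoSession", "read"),
    ("EmployeeService.*", "write"),
    ("PayrollService.*", "read"),
    ("OtherService.*", "read"),
]


def audit_grants(grants, payroll_opt_in=False, extra_allowed=()):
    """Return sorted (pattern, problem) findings for a list of
    (pattern, access) grants; an empty list means the grid matches
    the documented least-privilege set."""
    findings = set()
    patterns = [p for p, _ in grants]
    for method in ALWAYS:
        if not any(fnmatchcase(method, p) for p in patterns):
            findings.add((method, "missing: always required"))
    for service in REQUIRED:
        if not any(p.startswith(service + ".") for p in patterns):
            findings.add((service + ".*", "missing: required service"))
    for pattern, access in grants:
        service = pattern.split(".", 1)[0]
        documented = (pattern in ALWAYS or service in REQUIRED
                      or any(fnmatchcase(pattern, a) for a in extra_allowed))
        if access != "read":
            findings.add((pattern, "write access: integration is read-only"))
        if "*" in service:
            findings.add((pattern, "wildcard spans services"))
        elif service in OPT_IN:
            if not payroll_opt_in:
                findings.add((pattern, "payroll granted without opt-in"))
        elif not documented:
            findings.add((pattern, "not in documented grant list"))
    return sorted(findings)


if __name__ == "__main__":
    for pattern, problem in audit_grants(SAMPLE_GRID):
        print(f"{pattern}: {problem}")
```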
Allow our servers through (Allowed IPs)
PrismHR can restrict the account to specific IP addresses. Because HomecareHQ connects
through our secure integration partner (Nango), requests come from their servers.
- Recommended: ask HomecareHQ for our integration partner’s current outbound IP list and enter it in Allowed IPs.
- Alternative (less secure): check Disable IP Restrictions — PrismHR recommends against this outside testing.
What we read — and what we don’t
You control how much. By default we turn on the three low-sensitivity areas and leave the two sensitive ones off until you opt in.
| Data area | Default | What we read |
|---|---|---|
| Employee core | On | Demographics, contact, hire/termination dates, employment status |
| Onboarding | On | New-hire task status and completion progress |
| Documents | On | Document references/metadata only — never file contents |
| Payroll | Off (opt-in) | Pay statements, earnings, deductions, taxes |
| Benefits | Off (opt-in) | Benefit elections, enrollment status, plan details |
Hand us the credentials securely
Your credentials never touch HomecareHQ’s own systems. When you connect a system, you
enter its credentials into a secure dialog hosted by our credential vault partner
(Nango), where they are encrypted and stored. HomecareHQ only ever asks the vault to
fetch data on your behalf — it never sees or stores your password. You can disconnect at any
time from Admin Settings → Integrations.
FAQ
Is this OAuth / 'Sign in with PrismHR'?
No. PrismHR uses a service-account model: a Web Service User (ID + password) plus your PEO
ID. We exchange those for a short-lived session behind the scenes.
Will this let HomecareHQ change anything in PrismHR?
No. For chat and dashboards, HomecareHQ is read-only — grant read access only.
Does the session expire?
PrismHR sessions idle out after about 30 minutes. Our integration partner refreshes the
session automatically — nothing for you to manage.
Can I revoke access later?
Yes — disable or delete the Web Service User in Back Office, or disconnect from
Admin Settings → Integrations. Either immediately stops access.
Do you store our employee data?
We cache a working copy to answer questions quickly, isolated to your organization. For
documents we store only references (the list), never file contents.

