Identity and Provisioning APIs

Identity APIs span three areas:
  • OAuth 2.0 provider and OAuth app management
  • SAML SSO connection and login flow
  • SCIM 2.0 directory/user/group provisioning

OAuth provider endpoints

  • GET /oauth/authorize
  • POST /oauth/authorize
  • POST /oauth/token
  • GET /oauth/userinfo
  • POST /oauth/revoke
OAuth app management endpoints:
  • GET /oauth/apps
  • POST /oauth/apps
  • GET /oauth/apps/:id
  • PATCH /oauth/apps/:id
  • DELETE /oauth/apps/:id
  • POST /oauth/apps/:id/rotate-secret
OAuth behavior highlights:
  • Authorization Code flow with optional/required PKCE (per app settings).
  • Scope validation against app-allowed scopes.
  • Role-aware granted scope trimming at consent time.
  • Token endpoint supports authorization_code and refresh_token.
  • UserInfo requires valid access token with user.read scope.
  • Revocation follows RFC-style idempotent behavior.
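The following is an added illustration of the Authorization Code + PKCE behavior listed above (client-side PKCE pair and /oauth/authorize request, server-side verifier check at /oauth/token, and app-allowed scope validation followed by role-aware trimming); it is not the provider's own code or SDK. The host name and client_id are placeholders, and the query parameter names are the standard RFC 6749/7636 names, assumed here because the page lists only the endpoint paths.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder host; the page names only the path /oauth/authorize.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"


def _s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: fresh high-entropy code_verifier and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, _s256(verifier)


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list[str],
                        challenge: str, state: str) -> str:
    """Client side: the GET /oauth/authorize request carrying the PKCE challenge."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side at POST /oauth/token: recompute S256 over the presented verifier
    and compare it to the challenge stored with the authorization code."""
    return secrets.compare_digest(_s256(presented_verifier), stored_challenge)


def validate_and_trim_scopes(requested: list[str], app_allowed: list[str],
                             role_scopes: list[str]) -> list[str]:
    """Server side: reject any scope the app may not request (invalid_scope), then
    trim the grant at consent time to what the user's role may actually confer."""
    unknown = set(requested) - set(app_allowed)
    if unknown:
        raise ValueError(f"invalid_scope: {sorted(unknown)}")
    return sorted(set(requested) & set(role_scopes))
```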

SAML endpoints

  • GET /saml/metadata/:workspaceId
  • POST /saml/connections
  • GET /saml/connections
  • PATCH /saml/connections/:id
  • DELETE /saml/connections/:id
  • PATCH /saml/enforce
  • GET /saml/authorize/:workspaceId
  • POST /saml/callback
  • GET /saml/check
  • GET /saml/logout/:workspaceId
  • POST /saml/logout/callback
  • GET /saml/logout/callback
SAML behavior highlights:
  • Workspace admin setup only.
  • Enterprise plan required.
  • Supports metadata-based or manual IdP configuration.
  • Enforce mode requires valid corporate allowed domains.
  • Assertion replay defenses and certificate validation are applied server-side.

SCIM endpoints

Directory management:
  • POST /scim/directories
  • GET /scim/directories
  • PATCH /scim/directories/:id
  • DELETE /scim/directories/:id
  • POST /scim/directories/:id/regenerate-token
SCIM service resources:
  • GET /scim/v2/ServiceProviderConfig
  • GET /scim/v2/ResourceTypes
  • GET /scim/v2/Schemas
  • GET|POST /scim/v2/Users
  • GET|PUT|PATCH|DELETE /scim/v2/Users/:id
  • GET|POST /scim/v2/Groups
  • GET|PUT|PATCH|DELETE /scim/v2/Groups/:id
SCIM behavior highlights:
  • /scim/directories/* endpoints are workspace-admin management APIs.
  • SCIM provisioning routes (/scim/v2/*) use bearer token auth tied to the SCIM directory.
  • User provisioning can auto-create workspace members and auto-deactivate/remove on IdP deactivation.
  • Group provisioning supports full replace and PATCH member add/remove operations.

Availability and access

  • SAML and SCIM are enterprise-focused capabilities.
  • OAuth app management requires integration read/manage permissions.
  • SAML and SCIM management require workspace admin/owner scope.
  • SCIM provisioning endpoints use bearer-token authentication from your IdP (no dashboard session cookie).
  • CSRF protection applies to state-changing management routes.

Typical failures

  • 400/422 invalid OAuth/SAML/SCIM payloads
  • 401 invalid client credentials, bearer tokens, or session state
  • 403 plan or permission restrictions
  • 404 unknown connection/app/directory/resource IDs
  • 409 uniqueness conflicts (duplicate OAuth app, SCIM user, or SCIM group)
Related docs:
  • /user-guides/manual/workspace/security-and-compliance
  • /api-reference/auth/overview
  • /api-reference/identity/oauth-apps-and-provider
  • /api-reference/identity/saml-sso
  • /api-reference/identity/scim-provisioning