Skip to main contentSCIM Provisioning
SCIM provides IdP-driven provisioning for enterprise workspaces.
Directory management endpoints
POST /api/scim/directoriesGET /api/scim/directoriesPATCH /api/scim/directories/:idDELETE /api/scim/directories/:idPOST /api/scim/directories/:id/regenerate-token
SCIM discovery endpoints
GET /api/scim/v2/ServiceProviderConfigGET /api/scim/v2/ResourceTypesGET /api/scim/v2/Schemas
User resource endpoints
GET /api/scim/v2/UsersGET /api/scim/v2/Users/:idPOST /api/scim/v2/UsersPUT /api/scim/v2/Users/:idPATCH /api/scim/v2/Users/:idDELETE /api/scim/v2/Users/:id
Group resource endpoints
GET /api/scim/v2/GroupsGET /api/scim/v2/Groups/:idPOST /api/scim/v2/GroupsPUT /api/scim/v2/Groups/:idPATCH /api/scim/v2/Groups/:idDELETE /api/scim/v2/Groups/:id
Auth and access model
- Directory management uses session auth and admin-level workspace permissions.
- SCIM
/v2/* resources use SCIM bearer token auth.
Provisioning behavior
Directory settings control automation:
- user sync
- group sync
- auto-create users
- auto-deactivate users
- default role assignment
Token regeneration invalidates old token material for subsequent SCIM requests.
Common errors
401: missing or invalid SCIM token403: unauthorized directory/workspace access404: user/group/directory not found409: identity conflict on provisioning operations
