SCIM 2.0 Provisioning API

Enterprise directory sync via SCIM 2.0 (RFC 7644). Automatically provision and deprovision users and groups from your identity provider (Okta, Azure AD, OneLogin, etc.). Requires Business tier or higher.

🔑 SCIM Authentication

SCIM endpoints use a per-organization SCIM bearer token (not your regular JWT). Generate tokens via the Token Management endpoints or the dashboard. Base URL: https://api.privabase.com/api/v1/scim/v2

Discovery

GET /api/v1/scim/v2/ServiceProviderConfig 🔒 SCIM Token
Returns SCIM service provider configuration: supported features, authentication schemes, and bulk/filter capabilities.
curl https://api.privabase.com/api/v1/scim/v2/ServiceProviderConfig \
  -H "Authorization: Bearer SCIM_TOKEN"
// JavaScript
const res = await fetch('https://api.privabase.com/api/v1/scim/v2/ServiceProviderConfig', {
  headers: { 'Authorization': 'Bearer SCIM_TOKEN' }
});
# Python
import requests

resp = requests.get('https://api.privabase.com/api/v1/scim/v2/ServiceProviderConfig',
    headers={'Authorization': 'Bearer SCIM_TOKEN'})
GET /api/v1/scim/v2/Schemas 🔒 SCIM Token
List supported SCIM schemas (User, Group, Enterprise User extension).
GET /api/v1/scim/v2/ResourceTypes 🔒 SCIM Token
List SCIM resource types (User, Group).

Users

GET /api/v1/scim/v2/Users 🔒 SCIM Token
List users with optional SCIM filtering.

Query Parameters

Param       Type     Description
filter      string   SCIM filter (e.g. userName eq "john@company.com")
startIndex  integer  1-based pagination start (default 1)
count       integer  Results per page (default 100)
curl "https://api.privabase.com/api/v1/scim/v2/Users?filter=userName%20eq%20%22john%40company.com%22" \
  -H "Authorization: Bearer SCIM_TOKEN"

Response

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 42,
  "startIndex": 1,
  "itemsPerPage": 100,
  "Resources": [
    {
      "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
      "id": "user-uuid-123",
      "userName": "john@company.com",
      "name": { "givenName": "John", "familyName": "Doe" },
      "emails": [{ "value": "john@company.com", "primary": true }],
      "active": true
    }
  ]
}
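Added example (not part of the Privabase documentation): building the `filter` parameter so that a value containing a double quote cannot end the string literal early, then walking every page with `startIndex`, `count` and `totalResults`. The `get_json` hook and the in-memory fake API are assumptions made so the block runs offline.

```python
import json
from urllib.parse import urlencode, quote, urlparse, parse_qs

BASE_URL = "https://api.privabase.com/api/v1/scim/v2"  # base URL from this page

def eq_filter(attribute, value):
    """Build `attribute eq "value"`. SCIM string literals follow JSON string
    rules (RFC 7644, section 3.4.2.2), so json.dumps quotes and escapes them."""
    if not attribute.replace(".", "").isalnum():  # conservative allow-list
        raise ValueError(f"unexpected attribute name: {attribute!r}")
    return f"{attribute} eq {json.dumps(value)}"

def users_url(filter_expr=None, start_index=1, count=100):
    """Percent-encode the query so quotes, spaces and '@' survive transport."""
    params = {"startIndex": start_index, "count": count}
    if filter_expr:
        params["filter"] = filter_expr
    return f"{BASE_URL}/Users?{urlencode(params, quote_via=quote)}"

def iter_users(get_json, filter_expr=None, count=100):
    """Yield every user across pages. get_json(url) -> dict is supplied by the
    caller (hypothetical hook, e.g. a requests call that sends the SCIM token)."""
    start = 1
    while True:
        page = get_json(users_url(filter_expr, start, count))
        resources = page.get("Resources", [])
        yield from resources
        start += len(resources)
        if not resources or start > page.get("totalResults", 0):
            return

def make_fake_get_json(users):
    """Constructed offline stand-in for the API: serves ListResponse pages."""
    def get_json(url):
        query = parse_qs(urlparse(url).query)
        start, count = int(query["startIndex"][0]), int(query["count"][0])
        chunk = users[start - 1:start - 1 + count]
        return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                "totalResults": len(users), "startIndex": start,
                "itemsPerPage": len(chunk), "Resources": chunk}
    return get_json

if __name__ == "__main__":
    sample = [{"id": f"user-uuid-{n}", "userName": f"u{n}@company.com"} for n in range(5)]
    print(users_url(eq_filter("userName", "john@company.com")))
    print(len(list(iter_users(make_fake_get_json(sample), count=2))))
```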
POST /api/v1/scim/v2/Users 🔒 SCIM Token
Create (provision) a user from IdP push.
curl -X POST https://api.privabase.com/api/v1/scim/v2/Users \
  -H "Authorization: Bearer SCIM_TOKEN" \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jane@company.com",
    "name": { "givenName": "Jane", "familyName": "Smith" },
    "emails": [{ "value": "jane@company.com", "primary": true }],
    "active": true
  }'
// JavaScript
const res = await fetch('https://api.privabase.com/api/v1/scim/v2/Users', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer SCIM_TOKEN',
    'Content-Type': 'application/scim+json'
  },
  body: JSON.stringify({
    schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'],
    userName: 'jane@company.com',
    name: { givenName: 'Jane', familyName: 'Smith' },
    emails: [{ value: 'jane@company.com', primary: true }],
    active: true
  })
});
# Python
import requests

resp = requests.post('https://api.privabase.com/api/v1/scim/v2/Users',
    headers={
        'Authorization': 'Bearer SCIM_TOKEN',
        'Content-Type': 'application/scim+json'
    },
    json={
        'schemas': ['urn:ietf:params:scim:schemas:core:2.0:User'],
        'userName': 'jane@company.com',
        'name': {'givenName': 'Jane', 'familyName': 'Smith'},
        'emails': [{'value': 'jane@company.com', 'primary': True}],
        'active': True
    })
GET /api/v1/scim/v2/Users/:id 🔒 SCIM Token
Get a user by ID.
PUT /api/v1/scim/v2/Users/:id 🔒 SCIM Token
Replace a user (full update).
PATCH /api/v1/scim/v2/Users/:id 🔒 SCIM Token
Partial update of user attributes. Follows SCIM PATCH operations format.
curl -X PATCH https://api.privabase.com/api/v1/scim/v2/Users/user-uuid-123 \
  -H "Authorization: Bearer SCIM_TOKEN" \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
      { "op": "replace", "path": "active", "value": false }
    ]
  }'
DELETE /api/v1/scim/v2/Users/:id 🔒 SCIM Token
Deprovision (delete) a user. Returns 204 No Content.
curl -X DELETE https://api.privabase.com/api/v1/scim/v2/Users/user-uuid-123 \
  -H "Authorization: Bearer SCIM_TOKEN"

Groups

GET /api/v1/scim/v2/Groups 🔒 SCIM Token
List groups with optional SCIM filtering.
curl https://api.privabase.com/api/v1/scim/v2/Groups \
  -H "Authorization: Bearer SCIM_TOKEN"
POST /api/v1/scim/v2/Groups 🔒 SCIM Token
Create a group.
curl -X POST https://api.privabase.com/api/v1/scim/v2/Groups \
  -H "Authorization: Bearer SCIM_TOKEN" \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName": "Engineering",
    "members": [
      { "value": "user-uuid-123", "display": "John Doe" }
    ]
  }'
GET /api/v1/scim/v2/Groups/:id 🔒 SCIM Token
Get a group by ID.
PUT /api/v1/scim/v2/Groups/:id 🔒 SCIM Token
Replace a group (full update).
PATCH /api/v1/scim/v2/Groups/:id 🔒 SCIM Token
Update group members. Used by IdPs to add/remove members.
curl -X PATCH https://api.privabase.com/api/v1/scim/v2/Groups/group-uuid-456 \
  -H "Authorization: Bearer SCIM_TOKEN" \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
      { "op": "add", "path": "members", "value": [{ "value": "user-uuid-789" }] }
    ]
  }'
DELETE /api/v1/scim/v2/Groups/:id 🔒 SCIM Token
Delete a group. Returns 204 No Content.

Token Management

These endpoints use standard JWT authentication (not SCIM tokens). Requires Business tier.

GET /api/v1/scim/v2/tokens 🔒
List SCIM tokens for the organization.
curl https://api.privabase.com/api/v1/scim/v2/tokens \
  -H "Authorization: Bearer YOUR_TOKEN"
POST /api/v1/scim/v2/tokens 🔒
Generate a new SCIM token. The token value is shown only once in the response.

Request Body

{ "description": "Okta SCIM provisioning" }
curl -X POST https://api.privabase.com/api/v1/scim/v2/tokens \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "description": "Okta SCIM provisioning" }'

Response 201

{
  "data": {
    "id": "scim-token-123",
    "token": "scim_live_abc123...(shown only once)",
    "description": "Okta SCIM provisioning",
    "created_at": "2026-03-14T10:30:00Z"
  }
}
DELETE /api/v1/scim/v2/tokens/:id 🔒
Revoke a SCIM token. Returns 204 No Content.
curl -X DELETE https://api.privabase.com/api/v1/scim/v2/tokens/scim-token-123 \
  -H "Authorization: Bearer YOUR_TOKEN"

Error Format

SCIM errors follow RFC 7644 format:

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
  "detail": "User not found",
  "status": "404"
}
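Added example (not part of the Privabase documentation): a deprovisioning audit that finds accounts still active here but missing from the IdP, builds the `active: false` PATCH shown under Users, and classifies the reply using the error format above. The sample users, the IdP export, the outcome labels and the choice to treat a missing `active` attribute as active are assumptions; the caller adds the `Authorization` header.

```python
from urllib.parse import quote

BASE_URL = "https://api.privabase.com/api/v1/scim/v2"  # base URL from this page
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

def find_orphans(scim_users, idp_usernames):
    """Return SCIM users still active here but absent from the IdP export.
    userName is matched case-insensitively (caseExact is false in RFC 7643);
    a missing "active" attribute is treated as active (assumption)."""
    known = {name.casefold() for name in idp_usernames}
    return [u for u in scim_users
            if u.get("active", True) and u.get("userName", "").casefold() not in known]

def deactivate_request(user):
    """Describe the PATCH from this page that sets active=false for one user."""
    return {
        "method": "PATCH",
        "url": f"{BASE_URL}/Users/{quote(user['id'], safe='')}",
        "headers": {"Content-Type": "application/scim+json"},
        "body": {"schemas": [PATCH_SCHEMA],
                 "Operations": [{"op": "replace", "path": "active", "value": False}]},
    }

def outcome(http_status, body):
    """Classify a reply: any 2xx is success; a SCIM Error 404 means already gone."""
    if 200 <= http_status < 300:
        return "deactivated"
    if isinstance(body, dict) and ERROR_SCHEMA in body.get("schemas", []):
        if str(body.get("status")) == "404":  # "status" is a string in the body
            return "already-gone"
        return f"failed: {body.get('detail', 'no detail')}"
    return f"failed: non-SCIM response (HTTP {http_status})"

# Constructed sample data: what the Users listing returned vs. the IdP export.
SCIM_USERS = [
    {"id": "user-uuid-123", "userName": "john@company.com", "active": True},
    {"id": "user-uuid-456", "userName": "Jane@Company.com", "active": True},
    {"id": "user-uuid-789", "userName": "left@company.com", "active": True},
    {"id": "user-uuid-000", "userName": "old@company.com", "active": False},
]
IDP_USERNAMES = ["john@company.com", "jane@company.com"]

if __name__ == "__main__":
    for user in find_orphans(SCIM_USERS, IDP_USERNAMES):
        print(deactivate_request(user)["url"])
```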
💡 IdP Setup

When configuring your IdP, use these values:
SCIM Base URL: https://api.privabase.com/api/v1/scim/v2
Auth: Bearer token (generate via Token Management above)
Supported operations: Create, Read, Update, Delete, Filter