Release Notes

SCIM API Reference

APIs for automating user and group provisioning.

Veza's SCIM 2.0 API enables automated user provisioning and management through your identity provider (IdP). This reference documents the API endpoints, request/response formats, and authentication requirements.

About This API

  • Version: 2.0

  • Base URL: https://{tenant}.vezacloud.com/scim/v2

  • Protocol: HTTPS only

  • Data Format: JSON

  • Authentication: Bearer token

  • Query Limit: 200 requests per minute

Compliance

This API implements the SCIM 2.0 protocol specifications:

Resource Types

The API supports the following SCIM resource types:

Resource
Description
Endpoints

Users

Individual user accounts

/Users

Groups

User groups mapped to Veza Teams

/Groups

Schemas

Resource type definitions

/Schemas

ServiceProviderConfig

Service provider configuration

/ServiceProviderConfig

ResourceTypes

Available resource types

/ResourceTypes

Authentication

All API requests require authentication using a bearer token in the Authorization header:

Authorization: Bearer YOUR_API_KEY

API keys are generated in the Veza Administration console. See Authentication for details on creating and managing API keys.

Security Considerations

  • Store and transmit API keys securely as they have administrative privileges

  • All connections must use TLS 1.2 or higher

  • SCIM API access should be restricted to your IdP's dedicated service account

  • You can implement monitoring using Veza APIs or event subscriptions for unexpected provisioning or deprovisioning activities

Error Handling

The API returns standard HTTP status codes and a SCIM-compliant error response:

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
  "status": "400",
  "scimType": "invalidValue",
  "detail": "Email must be marked as primary"
}

SCIM Endpoints

Important notes:

  • All user management should be performed through your IdP once SCIM is enabled

  • At least one admin user must exist on the root team as a break glass account

  • Filtering operations are limited to equality (EQ) comparisons

  • Error responses follow the SCIM error schema

  • Dates use ISO 8601 format

Create Group

CreateGroup

post

Creates a new Veza group in the system

Authorizations
Query parameters
idstringOptional

A unique request id used for tracing and debugging purposes.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Body
anyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

Responses
200
OK
*/*
post
POST /scim/v2/Groups HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*

No content

The displayName attribute is required for group creation.

Delete Group

DeleteGroup

delete

Deletes a specific Veza group by id

Authorizations
Path parameters
idstringRequired

A unique request id used for tracing and debugging purposes.

Query parameters
payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses
200
OK
*/*
delete
DELETE /scim/v2/Groups/{id} HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Accept: */*

No content

Deleting a group removes it from Veza but does not affect the source group in your IdP.

List Groups

GetGroups

get

Retrieves a list of Veza groups

Authorizations
Query parameters
idstringOptional

A unique request id used for tracing and debugging purposes.

payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses
200
OK
*/*
get
GET /scim/v2/Groups HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Accept: */*

No content

  • Maximum of 200 groups returned per request

  • Filtering is limited to equality operations (EQ)

Get Schema

GetSchemas

get

Returns the schema definitions supported by Veza including all attributes,

their mutability, returned status, uniqueness, and type information.

Authorizations
Query parameters
idstringOptional

A unique request id used for tracing and debugging purposes.

payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses
200
OK
*/*
get
GET /scim/v2/Schemas HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Accept: */*

No content

Returns the SCIM schema definition supported by Veza.

Create User

CreateUser

post

Creates a new Veza user in the system.

Authorizations
Query parameters
idstringOptional

A unique request id used for tracing and debugging purposes.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Body
anyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

Responses
200
OK
*/*
post
POST /scim/v2/Users HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*

No content

Required attributes:

  • givenName

  • familyName

  • userName (must match email address)

  • displayName

Additional requirements:

  • Email attribute must be marked as primary

  • Groups cannot be specified with group metadata

  • When using SAML JIT, changing the email address may result in a new user being provisioned

List Resource Types

GetResourceTypes

get

Returns the types of resources available in Veza's SCIM implementation (Users, Groups).

Each resource type includes the endpoint, schema URI, and supported operations.

Authorizations
Query parameters
idstringOptional

A unique request id used for tracing and debugging purposes.

payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses
200
OK
*/*
get
GET /scim/v2/ResourceTypes HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Accept: */*

No content

Returns the resource types supported by the SCIM implementation.

Get Users

GetUsers

get

Retrieves a list of Veza users. Supports filtering, pagination and sorting.

Authorizations
Query parameters
idstringOptional

A unique request id used for tracing and debugging purposes.

payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses
200
OK
*/*
get
GET /scim/v2/Users HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Accept: */*

No content

Returns a list of provisioned users.

Patch Group

UpdateGroup

patch

Updates an existing Veza group's attributes using patch operations

Authorizations
Path parameters
idstringRequired

A unique request id used for tracing and debugging purposes.

Query parameters
start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Body
anyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

Responses
200
OK
*/*
patch
PATCH /scim/v2/Groups/{id} HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*

No content

Only the following attributes can be modified:

  • displayName

  • members

  • externalId

Patch User

UpdateUser

patch

Updates an existing Veza user's attributes using PATCH operations.

Supports operations: add, replace, remove

Authorizations
Path parameters
idstringRequired

A unique request id used for tracing and debugging purposes.

Query parameters
start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Body
anyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

Responses
200
OK
*/*
patch
PATCH /scim/v2/Users/{id} HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*

No content

Updates specific attributes of a user's metadata.

  • Veza does not accept password changes

  • When Veza receives an update for a local user account, the account is converted to an SSO account. Going forward, the user must sign into their SSO provider.

Update User

ReplaceUser

put

Replaces an existing Veza user with a new profile

Authorizations
Path parameters
idstringRequired

A unique request id used for tracing and debugging purposes.

Query parameters
start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Body
anyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

Responses
200
OK
*/*
put
PUT /scim/v2/Users/{id} HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*

No content

Replaces a user's metadata entirely. Note:

  • Email attribute must be marked as primary

  • SCIM-provisioned users cannot change their details in Veza

  • Username must match email address

  • The request cannot include groups information

  • Veza does not accept password changes

  • When Veza receives an update for a local user account, the account is converted to an SSO account. Going forward, the user must sign into their SSO provider.

Get Service Provider Configuration

GetServiceProviderConfig

get

Returns SCIM protocol features supported by Veza, including authentication

schemes, patch support, bulk operations capability, and filtering features.

Authorizations
Query parameters
idstringOptional

A unique request id used for tracing and debugging purposes.

payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses
200
OK
*/*
get
GET /scim/v2/ServiceProviderConfig HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Accept: */*

No content

Returns the SCIM service provider configuration.

Delete User

DeleteUser

delete

Deletes a specific Veza user by id

Authorizations
Path parameters
idstringRequired

A unique request id used for tracing and debugging purposes.

Query parameters
payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses
200
OK
*/*
delete
DELETE /scim/v2/Users/{id} HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Accept: */*

No content

Deactivates the user in Veza. User management should be performed through your IdP once SCIM is enabled.

PreviousSCIM ProvisioningNextSCIM Provisioning with Okta

Last updated

Was this helpful?