SCIM API Reference
APIs for automating user and group provisioning.
Veza's SCIM 2.0 API enables automated user provisioning and management through your identity provider (IdP). This reference documents the API endpoints, request/response formats, and authentication requirements.
About This API
Version: 2.0
Base URL: https://{tenant}.vezacloud.com/scim/v2
Protocol: HTTPS only
Data Format: JSON
Authentication: Bearer token
Query Limit: 200 requests per minute
Compliance
This API implements the SCIM 2.0 protocol specifications:
Resource Types
The API supports the following SCIM resource types:
Users (/Users): Individual user accounts
Groups (/Groups): User groups mapped to Veza Teams
Schemas (/Schemas): Resource type definitions
ServiceProviderConfig (/ServiceProviderConfig): Service provider configuration
ResourceTypes (/ResourceTypes): Available resource types
Authentication
All API requests require authentication using a bearer token in the Authorization header:
Authorization: Bearer YOUR_API_KEY
API keys are generated in the Veza Administration console. See Authentication for details on creating and managing API keys.
Security Considerations
Store and transmit API keys securely as they have administrative privileges
All connections must use TLS 1.2 or higher
SCIM API access should be restricted to your IdP's dedicated service account
You can implement monitoring using Veza APIs or event subscriptions for unexpected provisioning or deprovisioning activities
Error Handling
The API returns standard HTTP status codes and a SCIM-compliant error response:
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
"status": "400",
"scimType": "invalidValue",
"detail": "Email must be marked as primary"
}
SCIM Endpoints
Important notes:
All user management should be performed through your IdP once SCIM is enabled
At least one admin user must exist on the root team as a break glass account
Filtering operations are limited to equality (EQ) comparisons
Error responses follow the SCIM error schema
Dates use ISO 8601 format
Create Group
Creates a new Veza group in the system
A unique request id used for tracing and debugging purposes.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "[email protected]"")
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
POST /scim/v2/Groups HTTP/1.1
Host:
Authorization: Bearer <API key>
Content-Type: application/json
Accept: */*
No content
The displayName attribute is required for group creation.
Delete Group
Deletes a specific Veza group by id
A unique request id used for tracing and debugging purposes.
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "[email protected]"")
DELETE /scim/v2/Groups/{id} HTTP/1.1
Host:
Authorization: Bearer <API key>
Accept: */*
No content
Deleting a group removes it from Veza but does not affect the source group in your IdP.
List Groups
Retrieves a list of Veza groups
A unique request id used for tracing and debugging purposes.
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "[email protected]"")
GET /scim/v2/Groups HTTP/1.1
Host:
Authorization: Bearer <API key>
Accept: */*
No content
Maximum of 200 groups returned per request
Filtering is limited to equality operations (EQ)
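The paging parameters and equality-only filter described above, as an added example that is not Veza's own code. The `Resources` and `totalResults` fields are assumed from the standard SCIM 2.0 ListResponse (RFC 7644); `fake_fetch`, `FAKE_GROUPS` and `BASE` are constructed stand-ins so the block runs offline.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

MAX_PAGE = 200  # the page caps list responses at 200 resources per request

def eq_filter(attribute: str, value: str) -> str:
    """Build `attribute eq "value"`; eq is the only supported comparison."""
    if not attribute.replace(".", "").isalnum():
        raise ValueError(f"unexpected attribute name: {attribute!r}")
    # SCIM filter strings follow JSON string rules, so json.dumps escapes
    # embedded quotes and backslashes and the value stays one literal.
    return f"{attribute} eq {json.dumps(value)}"

def list_url(base, resource, start_index=1, count=MAX_PAGE, flt=None):
    """URL for one page; startIndex is 1-based and count is clamped to 200."""
    params = {"startIndex": max(1, start_index),
              "count": max(1, min(count, MAX_PAGE))}
    if flt:
        params["filter"] = flt
    return f"{base}/{resource}?{urlencode(params)}"

def fetch_all(fetch, base, resource, flt=None):
    """Walk every page. `fetch(url)` returns a parsed ListResponse dict."""
    start, found = 1, []
    while True:
        page = fetch(list_url(base, resource, start, MAX_PAGE, flt))
        items = page.get("Resources", [])
        found.extend(items)
        start += len(items)
        if not items or start > page.get("totalResults", 0):
            return found

# Constructed stand-in for the HTTP call: serves 450 made-up groups offline.
FAKE_GROUPS = [{"id": str(i), "displayName": f"team-{i}"} for i in range(1, 451)]

def fake_fetch(url):
    query = parse_qs(urlparse(url).query)
    start, count = int(query["startIndex"][0]), int(query["count"][0])
    return {"totalResults": len(FAKE_GROUPS), "startIndex": start,
            "Resources": FAKE_GROUPS[start - 1:start - 1 + count]}

BASE = "https://tenant.example/scim/v2"  # placeholder, not a real tenant
```

In a real client, `fetch` would issue the authenticated GET and stay within the documented limit of 200 requests per minute.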
Get Schema
Returns the schema definitions supported by Veza including all attributes,
their mutability, returned status, uniqueness, and type information.
A unique request id used for tracing and debugging purposes.
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "[email protected]"")
GET /scim/v2/Schemas HTTP/1.1
Host:
Authorization: Bearer <API key>
Accept: */*
No content
Returns the SCIM schema definition supported by Veza.
Create User
Creates a new Veza user in the system.
A unique request id used for tracing and debugging purposes.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "[email protected]"")
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
POST /scim/v2/Users HTTP/1.1
Host:
Authorization: Bearer <API key>
Content-Type: application/json
Accept: */*
No content
Required attributes:
givenName
familyName
userName (must match email address)
displayName
Additional requirements:
Email attribute must be marked as primary
Groups cannot be specified with group metadata
When using SAML JIT, changing the email address may result in a new user being provisioned
List Resource Types
Returns the types of resources available in Veza's SCIM implementation (Users, Groups).
Each resource type includes the endpoint, schema URI, and supported operations.
A unique request id used for tracing and debugging purposes.
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "[email protected]"")
GET /scim/v2/ResourceTypes HTTP/1.1
Host:
Authorization: Bearer <API key>
Accept: */*
No content
Returns the resource types supported by the SCIM implementation.
Get Users
Retrieves a list of Veza users. Supports filtering, pagination and sorting.
A unique request id used for tracing and debugging purposes.
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "[email protected]"")
GET /scim/v2/Users HTTP/1.1
Host:
Authorization: Bearer <API key>
Accept: */*
No content
Returns a list of provisioned users.
Patch Group
Updates an existing Veza group's attributes using patch operations
A unique request id used for tracing and debugging purposes.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "[email protected]"")
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
PATCH /scim/v2/Groups/{id} HTTP/1.1
Host:
Authorization: Bearer <API key>
Content-Type: application/json
Accept: */*
No content
Only the following attributes can be modified:
displayName
members
externalId
Patch User
Updates an existing Veza user's attributes using PATCH operations.
Supports operations: add, replace, remove
A unique request id used for tracing and debugging purposes.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "[email protected]"")
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
PATCH /scim/v2/Users/{id} HTTP/1.1
Host:
Authorization: Bearer <API key>
Content-Type: application/json
Accept: */*
No content
Updates specific attributes of a user's metadata.
Veza does not accept password changes
When Veza receives an update for a local user account, the account is converted to an SSO account. Going forward, the user must sign into their SSO provider.
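A pre-flight check for the Patch Group and Patch User rules above, as an added example that is not Veza's own code. The PatchOp body layout (`schemas`, `Operations`, `op`, `path`, `value`) and the rule that `remove` needs a path are assumed from RFC 7644; the sample bodies are constructed.

```python
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
GROUP_MUTABLE = {"displayname", "members", "externalid"}  # per Patch Group
ALLOWED_OPS = {"add", "replace", "remove"}                # per Patch User

def touched_attributes(op: dict) -> set[str]:
    """Top-level attribute names an operation would change (lowercased)."""
    path = op.get("path")
    if path:
        # Drop any [filter], then a schema URN prefix, then sub-attributes.
        root = path.split("[", 1)[0].rsplit(":", 1)[-1].split(".", 1)[0]
        return {root.lower()}
    value = op.get("value")  # a path-less add/replace carries a dict
    return {k.lower() for k in value} if isinstance(value, dict) else set()

def check_patch(resource: str, body: dict) -> list[str]:
    """Return rule violations for a PATCH to 'Groups' or 'Users'."""
    problems = []
    if PATCH_SCHEMA not in body.get("schemas", []):
        problems.append("missing PatchOp schema URN")
    for i, op in enumerate(body.get("Operations", [])):
        verb = str(op.get("op", "")).lower()
        if verb not in ALLOWED_OPS:
            problems.append(f"op {i}: unsupported operation {verb!r}")
        if verb == "remove" and not op.get("path"):
            problems.append(f"op {i}: remove requires a path")
        attrs = touched_attributes(op)
        if resource == "Groups":
            for attr in sorted(attrs - GROUP_MUTABLE):
                problems.append(f"op {i}: {attr} is not modifiable on a group")
        elif "password" in attrs:
            problems.append(f"op {i}: password changes are not accepted")
    return problems

# Constructed sample bodies.
GROUP_PATCH_OK = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "replace", "path": "displayName", "value": "Platform Security"},
    {"op": "add", "path": "members", "value": [{"value": "user-id-placeholder"}]}]}
GROUP_PATCH_BAD = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "replace", "path": "meta.created", "value": "2024-01-01T00:00:00Z"},
    {"op": "remove"}]}
USER_PATCH_BAD = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "Replace", "value": {"displayName": "Dana R.", "password": "placeholder"}}]}
```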
Update User
Replaces an existing Veza user with a new profile
A unique request id used for tracing and debugging purposes.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "[email protected]"")
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
PUT /scim/v2/Users/{id} HTTP/1.1
Host:
Authorization: Bearer <API key>
Content-Type: application/json
Accept: */*
No content
Replaces a user's metadata entirely. Note:
Email attribute must be marked as primary
SCIM-provisioned users cannot change their details in Veza
Username must match email address
The request cannot include groups information
Veza does not accept password changes
When Veza receives an update for a local user account, the account is converted to an SSO account. Going forward, the user must sign into their SSO provider.
Get Service Provider Configuration
Returns SCIM protocol features supported by Veza, including authentication
schemes, patch support, bulk operations capability, and filtering features.
A unique request id used for tracing and debugging purposes.
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "[email protected]"")
GET /scim/v2/ServiceProviderConfig HTTP/1.1
Host:
Authorization: Bearer <API key>
Accept: */*
No content
Returns the SCIM service provider configuration.
Delete User
Deletes a specific Veza user by id
A unique request id used for tracing and debugging purposes.
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "[email protected]"")
DELETE /scim/v2/Users/{id} HTTP/1.1
Host:
Authorization: Bearer <API key>
Accept: */*
No content
Deactivates the user in Veza. User management should be performed through your IdP once SCIM is enabled.