search
Release Notes

SCIM API Reference

APIs for automating user and group provisioning.

Veza's SCIM 2.0 API enables automated user provisioning and management through your identity provider (IdP). This reference documents the API endpoints, request/response formats, and authentication requirements.

hashtag
About This API

  • Version: 2.0

  • Base URL: https://{tenant}.vezacloud.com/scim/v2

  • Protocol: HTTPS only

  • Data Format: JSON

  • Authentication: Bearer token

  • Query Limit: 200 requests per minute

hashtag
Compliance

This API implements the SCIM 2.0 protocol specifications:

hashtag
Resource Types

The API supports the following SCIM resource types:

Resource
Description
Endpoints

Users

Individual user accounts

/Users

Groups

User groups mapped to Veza Teams

/Groups

Schemas

Resource type definitions

/Schemas

ServiceProviderConfig

Service provider configuration

/ServiceProviderConfig

ResourceTypes

Available resource types

/ResourceTypes

hashtag
Authentication

All API requests require authentication using a bearer token in the Authorization header:

API keys are generated in the Veza Administration console. See Authentication for details on creating and managing API keys.

hashtag
Security Considerations

  • Store and transmit API keys securely as they have administrative privileges

  • All connections must use TLS 1.2 or higher

  • SCIM API access should be restricted to your IdP's dedicated service account

  • You can implement monitoring using Veza APIs or event subscriptions for unexpected provisioning or deprovisioning activities

hashtag
Error Handling

The API returns standard HTTP status codes and a SCIM-compliant error response:

hashtag
SCIM Endpoints

Important notes:

  • All user management should be performed through your IdP once SCIM is enabled

  • At least one admin user must exist on the root team as a break glass account

  • Filtering operations are limited to equality (EQ) comparisons

  • Error responses follow the SCIM error schema

  • Dates use ISO 8601 format

hashtag
Create Group

hashtag
CreateGroup

post

Creates a new Veza group in the system

Authorizations
AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Query parameters
idstringOptional

A unique request id used for tracing and debugging purposes.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Body
anyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

Responses
chevron-right
200

OK

*/*
post
/scim/v2/Groups

The displayName attribute is required for group creation.

hashtag
Delete Group

hashtag
DeleteGroup

delete

Deletes a specific Veza group by id

Authorizations
AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Path parameters
idstringRequired

A unique request id used for tracing and debugging purposes.

Query parameters
payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses
chevron-right
200

OK

*/*
delete
/scim/v2/Groups/{id}

Deleting a group removes it from Veza but does not affect the source group in your IdP.

hashtag
List Groups

hashtag
GetGroups

get

Retrieves a list of Veza groups

Authorizations
AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Query parameters
idstringOptional

A unique request id used for tracing and debugging purposes.

payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses
chevron-right
200

OK

*/*
get
/scim/v2/Groups

  • Maximum of 200 groups returned per request

  • Filtering is limited to equality operations (EQ)

hashtag
Get Schema

hashtag
GetSchemas

get

Returns the schema definitions supported by Veza including all attributes,

their mutability, returned status, uniqueness, and type information.

Authorizations
AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Query parameters
idstringOptional

A unique request id used for tracing and debugging purposes.

payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses
chevron-right
200

OK

*/*
get
/scim/v2/Schemas

Returns the SCIM schema definition supported by Veza.

hashtag
Create User

hashtag
CreateUser

post

Creates a new Veza user in the system.

Authorizations
AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Query parameters
idstringOptional

A unique request id used for tracing and debugging purposes.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Body
anyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

Responses
chevron-right
200

OK

*/*
post
/scim/v2/Users

Required attributes:

  • givenName

  • familyName

  • userName (must match email address)

  • displayName

Additional requirements:

  • Email attribute must be marked as primary

  • Groups cannot be specified with group metadata

  • When using SAML JIT, changing the email address may result in a new user being provisioned

hashtag
List Resource Types

hashtag
GetResourceTypes

get

Returns the types of resources available in Veza's SCIM implementation (Users, Groups).

Each resource type includes the endpoint, schema URI, and supported operations.

Authorizations
AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Query parameters
idstringOptional

A unique request id used for tracing and debugging purposes.

payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses
chevron-right
200

OK

*/*
get
/scim/v2/ResourceTypes

Returns the resource types supported by the SCIM implementation.

hashtag
Get Users

hashtag
GetUsers

get

Retrieves a list of Veza users. Supports filtering, pagination and sorting.

Authorizations
AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Query parameters
idstringOptional

A unique request id used for tracing and debugging purposes.

payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses
chevron-right
200

OK

*/*
get
/scim/v2/Users

Returns a list of provisioned users.

hashtag
Patch Group

hashtag
UpdateGroup

patch

Updates an existing Veza group's attributes using patch operations

Authorizations
AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Path parameters
idstringRequired

A unique request id used for tracing and debugging purposes.

Query parameters
start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Body
anyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

Responses
chevron-right
200

OK

*/*
patch
/scim/v2/Groups/{id}

Only the following attributes can be modified:

  • displayName

  • members

  • externalId

hashtag
Patch User

hashtag
UpdateUser

patch

Updates an existing Veza user's attributes using PATCH operations.

Supports operations: add, replace, remove

Authorizations
AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Path parameters
idstringRequired

A unique request id used for tracing and debugging purposes.

Query parameters
start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Body
anyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

Responses
chevron-right
200

OK

*/*
patch
/scim/v2/Users/{id}

Updates specific attributes of a user's metadata.

  • Veza does not accept password changes

  • When Veza receives an update for a local user account, the account is converted to an SSO account. Going forward, the user must sign into their SSO provider.

hashtag
Update User

hashtag
ReplaceUser

put

Replaces an existing Veza user with a new profile

Authorizations
AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Path parameters
idstringRequired

A unique request id used for tracing and debugging purposes.

Query parameters
start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Body
anyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

Responses
chevron-right
200

OK

*/*
put
/scim/v2/Users/{id}

Replaces a user's metadata entirely. Note:

  • Email attribute must be marked as primary

  • SCIM-provisioned users cannot change their details in Veza

  • Username must match email address

  • The request cannot include groups information

  • Veza does not accept password changes

  • When Veza receives an update for a local user account, the account is converted to an SSO account. Going forward, the user must sign into their SSO provider.

hashtag
Get Service Provider Configuration

hashtag
GetServiceProviderConfig

get

Returns SCIM protocol features supported by Veza, including authentication

schemes, patch support, bulk operations capability, and filtering features.

Authorizations
AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Query parameters
idstringOptional

A unique request id used for tracing and debugging purposes.

payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses
chevron-right
200

OK

*/*
get
/scim/v2/ServiceProviderConfig

Returns the SCIM service provider configuration.

hashtag
Delete User

hashtag
DeleteUser

delete

Deletes a specific Veza user by id

Authorizations
AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Path parameters
idstringRequired

A unique request id used for tracing and debugging purposes.

Query parameters
payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

count: Maximum number of resources to return (default: server-determined)

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses
chevron-right
200

OK

*/*
delete
/scim/v2/Users/{id}

Deactivates the user in Veza. User management should be performed through your IdP once SCIM is enabled.

PreviousSCIM ProvisioningNextSCIM Provisioning with Okta

Last updated

Was this helpful?