APIs for automating user and group provisioning.
Veza's SCIM 2.0 API enables automated user provisioning and management through your identity provider (IdP). This reference documents the API endpoints, request/response formats, and authentication requirements.
Version: 2.0
Base URL: https://{tenant}.vezacloud.com/scim/v2
Protocol: HTTPS only
Data Format: JSON
Authentication: Bearer token
Query Limit: 200 requests per minute
This API implements the SCIM 2.0 protocol specifications:
The API supports the following SCIM resource types:
Users
Individual user accounts
/Users
Groups
User groups mapped to Veza Teams
/Groups
Schemas
Resource type definitions
/Schemas
ServiceProviderConfig
Service provider configuration
/ServiceProviderConfig
ResourceTypes
Available resource types
/ResourceTypes
All API requests require authentication using a bearer token in the Authorization header:
Store and transmit API keys securely as they have administrative privileges
All connections must use TLS 1.2 or higher
SCIM API access should be restricted to your IdP's dedicated service account
You can implement monitoring using Veza APIs or event subscriptions for unexpected provisioning or deprovisioning activities
The API returns standard HTTP status codes and a SCIM-compliant error response:
Important notes:
All user management should be performed through your IdP once SCIM is enabled
At least one admin user must exist on the root team as a break glass account
Filtering operations are limited to equality (EQ) comparisons
Error responses follow the SCIM error schema
Dates use ISO 8601 format
The displayName attribute is required for group creation.
Deleting a group removes it from Veza but does not affect the source group in your IdP.
Maximum of 200 groups returned per request
Filtering is limited to equality operations (EQ)
Returns the SCIM schema definition supported by Veza.
Required attributes:
givenName
familyName
userName (must match email address)
displayName
Additional requirements:
Email attribute must be marked as primary
Groups cannot be specified with group metadata
When using SAML JIT, changing the email address may result in a new user being provisioned
Returns the resource types supported by the SCIM implementation.
Returns a list of provisioned users.
Only the following attributes can be modified:
displayName
members
externalId
Updates specific attributes of a user's metadata.
Veza does not accept password changes
When Veza receives an update for a local user account, the account is converted to an SSO account. Going forward, the user must sign into their SSO provider.
Replaces a user's metadata entirely. Note:
Email attribute must be marked as primary
SCIM-provisioned users cannot change their details in Veza
Username must match email address
The request cannot include groups information
Veza does not accept password changes
When Veza receives an update for a local user account, the account is converted to an SSO account. Going forward, the user must sign into their SSO provider.
Returns the SCIM service provider configuration.
Deactivates the user in Veza. User management should be performed through your IdP once SCIM is enabled.
- SCIM Core Schema
- SCIM Protocol
API keys are generated in the Veza Administration console. See for details on creating and managing API keys.
Deletes a specific Veza group by id
A unique request id used for tracing and debugging purposes.
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "john@example.com"")
No content
Retrieves a list of Veza groups
A unique request id used for tracing and debugging purposes.
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "john@example.com"")
No content
Returns the schema definitions supported by Veza including all attributes,
their mutability, returned status, uniqueness, and type information.
A unique request id used for tracing and debugging purposes.
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "john@example.com"")
No content
Returns the types of resources available in Veza's SCIM implementation (Users, Groups).
Each resource type includes the endpoint, schema URI, and supported operations.
A unique request id used for tracing and debugging purposes.
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "john@example.com"")
No content
Retrieves a list of Veza users. Supports filtering, pagination and sorting.
A unique request id used for tracing and debugging purposes.
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "john@example.com"")
No content
Returns SCIM protocol features supported by Veza, including authentication
schemes, patch support, bulk operations capability, and filtering features.
A unique request id used for tracing and debugging purposes.
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "john@example.com"")
No content
Deletes a specific Veza user by id
A unique request id used for tracing and debugging purposes.
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "john@example.com"")
No content
Creates a new Veza group in the system
A unique request id used for tracing and debugging purposes.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "john@example.com"")
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
No content
Creates a new Veza user in the system.
A unique request id used for tracing and debugging purposes.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "john@example.com"")
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
No content
Updates an existing Veza group's attributes using patch operations
A unique request id used for tracing and debugging purposes.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "john@example.com"")
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
No content
Updates an existing Veza user's attributes using PATCH operations.
Supports operations: add, replace, remove
A unique request id used for tracing and debugging purposes.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "john@example.com"")
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
No content
Replaces an existing Veza user with a new profile
A unique request id used for tracing and debugging purposes.
startIndex: 1-based index of the first result to return (default: 1)
count: Maximum number of resources to return (default: server-determined)
filter: SCIM filter expression (e.g. "userName eq "john@example.com"")
Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.
No content