1 of 1

SCIM API Reference

APIs for automating user and group provisioning.

Veza's SCIM 2.0 API enables automated user provisioning and management through your identity provider (IdP). This reference documents the API endpoints, request/response formats, and authentication requirements.

About This API

Version: 2.0
Base URL: https://{tenant}.vezacloud.com/scim/v2
Protocol: HTTPS only
Data Format: JSON
Authentication: Bearer token
Query Limit: 200 requests per minute

Compliance

This API implements the SCIM 2.0 protocol specifications:

- SCIM Core Schema
- SCIM Protocol

Resource Types

The API supports the following SCIM resource types:

Resource

Description

Endpoints

Authentication

All API requests require authentication using a bearer token in the Authorization header:

API keys are generated in the Veza Administration console. See for details on creating and managing API keys.

Security Considerations

Store and transmit API keys securely as they have administrative privileges
All connections must use TLS 1.2 or higher
SCIM API access should be restricted to your IdP's dedicated service account

Error Handling

The API returns standard HTTP status codes and a SCIM-compliant error response:

SCIM Endpoints

Important notes:

All user management should be performed through your IdP once SCIM is enabled
At least one admin user must exist on the root team as a break glass account
Filtering operations are limited to equality (EQ) comparisons

Create Group

The displayName attribute is required for group creation.

Delete Group

Deleting a group removes it from Veza but does not affect the source group in your IdP.

List Groups

Maximum of 200 groups returned per request
Filtering is limited to equality operations (EQ)

Get Schema

Returns the SCIM schema definition supported by Veza.

Create User

Required attributes:

givenName
familyName
userName (must match email address)

Additional requirements:

Email attribute must be marked as primary
Groups cannot be specified with group metadata
When using SAML JIT, changing the email address may result in a new user being provisioned

List Resource Types

Returns the resource types supported by the SCIM implementation.

Get Users

Returns a list of provisioned users.

Patch Group

Only the following attributes can be modified:

displayName
members
externalId

Patch User

Updates specific attributes of a user's metadata.

Veza does not accept password changes
When Veza receives an update for a local user account, the account is converted to an SSO account. Going forward, the user must sign into their SSO provider.

Update User

Replaces a user's metadata entirely. Note:

Email attribute must be marked as primary
SCIM-provisioned users cannot change their details in Veza
Username must match email address

Get Service Provider Configuration

Returns the SCIM service provider configuration.

Delete User

Deactivates the user in Veza. User management should be performed through your IdP once SCIM is enabled.

SCIM API Reference

APIs for automating user and group provisioning.

About This API

Version: 2.0
Base URL: https://{tenant}.vezacloud.com/scim/v2
Protocol: HTTPS only
Data Format: JSON
Authentication: Bearer token
Query Limit: 200 requests per minute

Compliance

This API implements the SCIM 2.0 protocol specifications:

- SCIM Core Schema
- SCIM Protocol

Resource Types

The API supports the following SCIM resource types:

Resource

Description

Endpoints

Authentication

All API requests require authentication using a bearer token in the Authorization header:

API keys are generated in the Veza Administration console. See for details on creating and managing API keys.

Security Considerations

Store and transmit API keys securely as they have administrative privileges
All connections must use TLS 1.2 or higher
SCIM API access should be restricted to your IdP's dedicated service account

Error Handling

The API returns standard HTTP status codes and a SCIM-compliant error response:

SCIM Endpoints

Important notes:

All user management should be performed through your IdP once SCIM is enabled
At least one admin user must exist on the root team as a break glass account
Filtering operations are limited to equality (EQ) comparisons

Create Group

The displayName attribute is required for group creation.

Delete Group

Deleting a group removes it from Veza but does not affect the source group in your IdP.

List Groups

Maximum of 200 groups returned per request
Filtering is limited to equality operations (EQ)

Get Schema

Returns the SCIM schema definition supported by Veza.

Create User

Required attributes:

givenName
familyName
userName (must match email address)

Additional requirements:

Email attribute must be marked as primary
Groups cannot be specified with group metadata
When using SAML JIT, changing the email address may result in a new user being provisioned

List Resource Types

Returns the resource types supported by the SCIM implementation.

Get Users

Returns a list of provisioned users.

Patch Group

Only the following attributes can be modified:

displayName
members
externalId

Patch User

Updates specific attributes of a user's metadata.

Veza does not accept password changes
When Veza receives an update for a local user account, the account is converted to an SSO account. Going forward, the user must sign into their SSO provider.

Update User

Replaces a user's metadata entirely. Note:

Email attribute must be marked as primary
SCIM-provisioned users cannot change their details in Veza
Username must match email address

Get Service Provider Configuration

Returns the SCIM service provider configuration.

Delete User

Deactivates the user in Veza. User management should be performed through your IdP once SCIM is enabled.

GetSchemas

get

Returns the schema definitions supported by Veza including all attributes,

their mutability, returned status, uniqueness, and type information.

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Query parameters

idstringOptional

A unique request id used for tracing and debugging purposes.

payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses

200

*/*

default

Default error response

application/json

get

/scim/v2/Schemas

GetResourceTypes

get

Returns the types of resources available in Veza's SCIM implementation (Users, Groups).

Each resource type includes the endpoint, schema URI, and supported operations.

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Query parameters

idstringOptional

A unique request id used for tracing and debugging purposes.

payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses

200

*/*

default

Default error response

application/json

get

/scim/v2/ResourceTypes

UpdateGroup

patch

Updates an existing Veza group's attributes using patch operations

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Path parameters

idstringRequired

A unique request id used for tracing and debugging purposes.

Query parameters

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Body

anyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

Responses

200

*/*

default

Default error response

application/json

patch

/scim/v2/Groups/{id}

UpdateUser

patch

Updates an existing Veza user's attributes using PATCH operations.

Supports operations: add, replace, remove

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Path parameters

idstringRequired

A unique request id used for tracing and debugging purposes.

Query parameters

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Body

anyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

Responses

200

*/*

default

Default error response

application/json

patch

/scim/v2/Users/{id}

GetServiceProviderConfig

get

Returns SCIM protocol features supported by Veza, including authentication

schemes, patch support, bulk operations capability, and filtering features.

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Query parameters

idstringOptional

A unique request id used for tracing and debugging purposes.

payloadanyOptional

Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values.

start_indexinteger · int32Optional

startIndex: 1-based index of the first result to return (default: 1)

countinteger · int32Optional

filterstringOptional

filter: SCIM filter expression (e.g. "userName eq "[email protected]"")

Responses

200

*/*

default

Default error response

application/json

get

/scim/v2/ServiceProviderConfig

SCIM API Reference

hashtagAbout This API

hashtagCompliance

hashtagResource Types

hashtagAuthentication

hashtagSecurity Considerations

hashtagError Handling

hashtagSCIM Endpoints

hashtagCreate Group

hashtagDelete Group

hashtagList Groups

hashtagGet Schema

hashtagCreate User

hashtagList Resource Types

hashtagGet Users

hashtagPatch Group

hashtagPatch User

hashtagUpdate User

hashtagGet Service Provider Configuration

hashtagDelete User

SCIM API Reference

hashtagAbout This API

hashtagCompliance

hashtagResource Types

hashtagAuthentication

hashtagSecurity Considerations

hashtagError Handling

hashtagSCIM Endpoints

hashtagCreate Group

hashtagDelete Group

hashtagList Groups

hashtagGet Schema

hashtagCreate User

hashtagList Resource Types

hashtagGet Users

hashtagPatch Group

hashtagPatch User

hashtagUpdate User

hashtagGet Service Provider Configuration

hashtagDelete User

hashtagCreateGroup

hashtagDeleteGroup

hashtagGetGroups

hashtagGetSchemas

hashtagCreateUser

hashtagGetResourceTypes

hashtagGetUsers

hashtagUpdateGroup

hashtagUpdateUser

hashtagReplaceUser

hashtagGetServiceProviderConfig

hashtagDeleteUser

About This API

Compliance

Resource Types

Authentication

Security Considerations

Error Handling

SCIM Endpoints

Create Group

Delete Group

List Groups

Get Schema

Create User

List Resource Types

Get Users

Patch Group

Patch User

Update User

Get Service Provider Configuration

Delete User

About This API

Compliance

Resource Types

Authentication

Security Considerations

Error Handling

SCIM Endpoints

Create Group

Delete Group

List Groups

Get Schema

Create User

List Resource Types

Get Users

Patch Group

Patch User

Update User

Get Service Provider Configuration

Delete User

CreateGroup

DeleteGroup

GetGroups

GetSchemas

CreateUser

GetResourceTypes

GetUsers

UpdateGroup

UpdateUser

ReplaceUser

GetServiceProviderConfig

DeleteUser