Codapult includes SCIM 2.0 provisioning for enterprise customers that manage users from an identity provider such as Okta, Azure AD, OneLogin, or Google Workspace.
What it does
SCIM lets an identity provider create, update, deactivate, and list users in a customer's organization. This is separate from SAML login: SAML signs users in, while SCIM keeps membership in sync.
Endpoints
SCIM requests are handled by src/app/api/scim/[...path]/route.ts and routed through src/lib/scim/index.ts.
| Endpoint | Methods | Purpose |
|---|---|---|
| /api/scim/Users | GET, POST | List or create users |
| /api/scim/Users/{id} | GET, PUT, PATCH, DELETE | Read, update, deactivate, or remove a user |
| /api/scim/Groups | GET | List organization groups |
Requests must send a bearer token:
Authorization: Bearer scim_xxx
Content-Type: application/scim+json
Token management
SCIM tokens are generated and stored hashed in the scim_token table. Use:
- generateScimToken(orgId, label) to create a token.
- listScimTokens(orgId) to show configured tokens.
- revokeScimToken(tokenId) to disable a token.
The token management API lives at /api/scim/tokens and requires an authenticated admin context.
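The hashing and verification flow behind those three calls, as an added example that is not Codapult's own code: the scim_token table is replaced by an in-memory array, the record shape, the sha256 choice, the tok_ id prefix and the parseBearer/authenticateScimRequest helpers are all assumptions. The point it demonstrates is that the plaintext token is handed out exactly once, only its hash is stored, lookup is by hash with a constant-time comparison, and a revoked token is rejected even though its hash still matches.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical stand-in for the scim_token table: the token itself is never
// stored, only the hex SHA-256 of it.
interface ScimTokenRecord {
  id: string;
  orgId: string;
  label: string;
  tokenHash: string;
  revokedAt: Date | null;
}

const scimTokenTable: ScimTokenRecord[] = [];

function sha256Hex(input: string): string {
  return createHash("sha256").update(input, "utf8").digest("hex");
}

// Create a scim_-prefixed token. The plaintext is returned once so an admin can
// paste it into the identity provider; afterwards only the hash exists.
export function generateScimToken(orgId: string, label: string): { token: string; record: ScimTokenRecord } {
  const token = "scim_" + randomBytes(32).toString("hex"); // 256 bits of entropy
  const record: ScimTokenRecord = {
    id: "tok_" + randomBytes(8).toString("hex"),
    orgId,
    label,
    tokenHash: sha256Hex(token),
    revokedAt: null,
  };
  scimTokenTable.push(record);
  return { token, record };
}

export function listScimTokens(orgId: string): ScimTokenRecord[] {
  return scimTokenTable.filter((r) => r.orgId === orgId);
}

// Revocation keeps the row (for audit) but marks it unusable.
export function revokeScimToken(tokenId: string): boolean {
  const record = scimTokenTable.find((r) => r.id === tokenId);
  if (!record || record.revokedAt) return false;
  record.revokedAt = new Date();
  return true;
}

// Extract the bearer token from an Authorization header; null if absent or malformed.
export function parseBearer(authorization: string | null | undefined): string | null {
  if (!authorization) return null;
  const m = /^Bearer\s+(\S+)$/i.exec(authorization.trim());
  return m ? m[1] : null;
}

// Resolve a presented token to its organization. The token is high-entropy, so
// an unsalted SHA-256 is enough for lookup; the comparison is still constant-time
// so response timing cannot be used to learn hash prefixes.
export function authenticateScimRequest(authorization: string | null | undefined): ScimTokenRecord | null {
  const token = parseBearer(authorization);
  if (!token || !token.startsWith("scim_")) return null;
  const presented = Buffer.from(sha256Hex(token), "hex");
  for (const record of scimTokenTable) {
    const stored = Buffer.from(record.tokenHash, "hex");
    if (stored.length === presented.length && timingSafeEqual(stored, presented)) {
      return record.revokedAt ? null : record; // matching but revoked -> reject
    }
  }
  return null;
}
```

A route handler would call authenticateScimRequest with the incoming Authorization header and scope every query to the returned orgId, so a token issued for one customer can never list or change another customer's members.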
Data model
SCIM provisioning updates:
- user
- organization
- organization_member
- scim_token
New SCIM users are added to the target organization with the default member role unless you adapt the mapping for your product.
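How a SCIM User resource lands in those tables, as an added example rather than Codapult's own mapping: the UserRow and OrganizationMemberRow shapes, the role names and the newId callback are assumptions. It covers the create path (default member role in the target organization) and the PATCH path that identity providers use to deactivate a user, including the case where Azure AD sends "True"/"False" strings and a capitalised "Replace" op instead of the JSON booleans and lowercase ops RFC 7644 specifies.

```typescript
// Subset of a SCIM 2.0 User resource (RFC 7643) as an identity provider sends it.
interface ScimUser {
  schemas: string[];
  userName: string;
  externalId?: string;
  name?: { givenName?: string; familyName?: string };
  emails?: { value: string; primary?: boolean }[];
  active?: boolean;
}

// Hypothetical rows for the user and organization_member tables.
interface UserRow { id: string; email: string; displayName: string; externalId: string | null }
interface OrganizationMemberRow { userId: string; organizationId: string; role: "owner" | "admin" | "member"; active: boolean }

// Create path: one user row plus one membership in the target organization with
// the default "member" role. Roles are never taken from the SCIM payload.
export function provisionScimUser(scimUser: ScimUser, organizationId: string, newId: () => string): { user: UserRow; membership: OrganizationMemberRow } {
  const primary = scimUser.emails?.find((e) => e.primary) ?? scimUser.emails?.[0];
  const email = (primary?.value ?? scimUser.userName).toLowerCase();
  const displayName = [scimUser.name?.givenName, scimUser.name?.familyName].filter(Boolean).join(" ") || scimUser.userName;
  const user: UserRow = { id: newId(), email, displayName, externalId: scimUser.externalId ?? null };
  const membership: OrganizationMemberRow = { userId: user.id, organizationId, role: "member", active: scimUser.active ?? true };
  return { user, membership };
}

// SCIM PATCH (RFC 7644 section 3.5.2): each operation has an op, an optional
// path, and a value that is either a scalar (with path) or an object (without).
interface PatchOp { op: string; path?: string; value?: unknown }
interface PatchBody { schemas: string[]; Operations: PatchOp[] }

// Azure AD sends the strings "True"/"False" for boolean attributes; accept both forms.
function toBool(v: unknown): boolean | undefined {
  if (typeof v === "boolean") return v;
  if (typeof v === "string") {
    const s = v.toLowerCase();
    if (s === "true") return true;
    if (s === "false") return false;
  }
  return undefined;
}

// Apply a PATCH to a membership. Only "active" is honoured here. Deactivation
// suspends the membership instead of deleting the row, so the IdP can re-enable
// the user later and the audit trail survives. The input is not mutated.
export function applyScimPatch(membership: OrganizationMemberRow, body: PatchBody): OrganizationMemberRow {
  if (!body.schemas.includes("urn:ietf:params:scim:api:messages:2.0:PatchOp")) {
    throw new Error("not a SCIM PatchOp");
  }
  let next = { ...membership };
  for (const op of body.Operations) {
    const kind = op.op.toLowerCase(); // Azure AD capitalises op names
    if (kind !== "replace" && kind !== "add") continue;
    let active: boolean | undefined;
    if (op.path?.toLowerCase() === "active") {
      active = toBool(op.value);
    } else if (!op.path && op.value && typeof op.value === "object" && "active" in op.value) {
      active = toBool((op.value as Record<string, unknown>).active);
    }
    if (active !== undefined) next = { ...next, active };
  }
  return next;
}
```

Keeping deactivation as a flag on organization_member rather than a delete also means a DELETE from the provider can be treated as a second, explicit step, which matches the table above where PATCH deactivates and DELETE removes.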
Setup checklist
- Enable ENABLE_SSO.
- Create or identify the enterprise customer's organization.
- Generate a SCIM token for that organization.
- Configure the identity provider with your SCIM base URL: https://app.example.com/api/scim.
- Paste the bearer token into the provider's SCIM settings.
- Run a test sync and verify organization membership.