ShareOTP
Sign inStart for free

SCIM docs

SCIM provisioning for ShareOTP

ShareOTP exposes a workspace-scoped SCIM 2.0 surface for identity-provider-driven user provisioning and deprovisioning.

On this page:OverviewAuthenticationEndpointsFieldsExamplesDeprovisioning

Authentication

Generate a SCIM bearer token in Admin - Settings - Security. Tokens are workspace-scoped, shown once when created, and independent from normal ShareOTP REST API keys.

Authorization header
curl https://your-domain.com/api/scim/v2/ServiceProviderConfig \
  -H "Authorization: Bearer scim_shareotp_..."

Supported endpoints

Method
Path
Description
GET
/api/scim/v2/ServiceProviderConfig
Discover supported SCIM features
GET
/api/scim/v2/Users
List users with pagination and supported filters
POST
/api/scim/v2/Users
Create or upsert a user by externalId or userName
GET
/api/scim/v2/Users/{id}
Fetch one user resource
PATCH
/api/scim/v2/Users/{id}
Update fields or set active=false

Supported user fields

The SCIM implementation is intentionally focused on workforce sync for ShareOTP users.

Roles are ignored unless SCIM role sync is enabled in workspace settings. When enabled, only valid ADMIN and MEMBER values are accepted, and ShareOTP blocks changes that would leave the workspace without an active admin.

externalId
userName
displayName
name.formatted
emails
roles
active

Supported filters

Use filters for directory reconcile jobs and identity-provider lookups.

externalId eq "00u123"
externalId pr
userName eq "[email protected]"
id eq "user_123"
active eq true
active eq false

Examples

Create or upsert a user
curl https://your-domain.com/api/scim/v2/Users \
  -H "Authorization: Bearer scim_shareotp_..." \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "externalId": "00u123",
    "userName": "[email protected]",
    "displayName": "Alice Example",
    "active": true,
    "emails": [{ "value": "[email protected]", "primary": true }]
  }'
List SCIM-managed users
curl "https://your-domain.com/api/scim/v2/Users?filter=externalId%20pr&startIndex=1&count=100" \
  -H "Authorization: Bearer scim_shareotp_..."

Deprovisioning behavior

When SCIM sets active=false, ShareOTP soft-disables the user, revokes their API keys and org-level artifacts, deletes account permissions and login/session artifacts, and removes them from active seat usage.

Disable a user
curl https://your-domain.com/api/scim/v2/Users/user_123 \
  -X PATCH \
  -H "Authorization: Bearer scim_shareotp_..." \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
      { "op": "replace", "path": "active", "value": false }
    ]
  }'
Recommended full reconcile
  1. Upsert every active user with POST /Users.
  2. List managed users with GET /Users?filter=externalId pr.
  3. PATCH active=false for previously managed users that no longer exist in the source directory.
Back to product documentation