SCIM 2.0 API
SCIM 2.0 (System for Cross-domain Identity Management) is the IETF standard for provisioning and managing users and groups across systems over HTTP + JSON. It is defined by two RFCs:
- RFC 7643 — SCIM Core Schema defines the User and Group JSON resources and their standard attributes (userName, emails, members, etc.).
- RFC 7644 — SCIM Protocol defines the HTTP API: GET/POST/PUT/PATCH/DELETE on /Users and /Groups, plus filter, sort, and pagination parameters.
LumoAuth's SCIM endpoints let an upstream IdP (Okta, Azure AD, OneLogin, and similar) keep LumoAuth users and groups in sync automatically.
Base URL
All SCIM endpoints are organization-scoped at https://app.lumoauth.dev/orgs/<org>/api/v1/scim2.0/ (the examples below use the organization acme-corp).
Authentication
HTTP Basic Auth
```bash
curl -X GET "https://app.lumoauth.dev/orgs/acme-corp/api/v1/scim2.0/Users" \
  -u "admin@acme.com:password" \
  -H "Accept: application/scim+json"
```
OAuth 2.0 Bearer Token
```bash
curl -X GET "https://app.lumoauth.dev/orgs/acme-corp/api/v1/scim2.0/Users" \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Accept: application/scim+json"
```
Available Endpoints
| Endpoint | Methods | Description |
|---|---|---|
| /Users | GET, POST, PUT, DELETE | Manage user resources. Supports filtering, pagination, sorting, and PATCH operations. |
| /Groups | GET, POST, PUT, DELETE | Manage group resources and memberships. |
| /ServiceProviderConfig, /ResourceTypes, /Schemas | GET | Discovery endpoints for service capabilities and schema definitions. |
| /Bulk, /.search | POST | Bulk operations and cross-resource search. |
Content Types
SCIM uses its own media types. Always include these headers:
| Header | Value | Description |
|---|---|---|
| Content-Type | application/scim+json | Required for POST, PUT, PATCH requests |
| Accept | application/scim+json | Recommended for all requests |
Error Responses
SCIM errors follow a standardized format per RFC 7644:
```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
  "status": "400",
  "scimType": "invalidFilter",
  "detail": "Filter syntax error at position 15"
}
```
| Status | scimType | Description |
|---|---|---|
| 400 | invalidFilter | Invalid filter syntax |
| 400 | invalidValue | Invalid attribute value |
| 401 | - | Authentication required |
| 404 | - | Resource not found |
| 409 | uniqueness | Unique constraint violation |
| 412 | mutability | ETag mismatch (optimistic locking) |
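The filter parameter and the error format described above, as an added Python example (not LumoAuth's own client code): it builds a filtered, paginated GET /Users URL against the organization-scoped base URL, quoting caller-supplied filter values so they cannot terminate the string literal and alter the filter, and parses an RFC 7644 error body into typed fields. The organization name and the error body are constructed sample inputs; the base URL pattern is taken from the curl examples on this page.

```python
"""Client-side helpers for the LumoAuth SCIM 2.0 API (constructed example)."""
import json
from urllib.parse import quote, urlencode

# Base URL pattern taken from the curl examples above; <org> is the organization.
BASE = "https://app.lumoauth.dev/orgs/{org}/api/v1/scim2.0"
SCIM_JSON = "application/scim+json"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_quote(value: str) -> str:
    """Quote a string for a SCIM filter (RFC 7644 section 3.4.2.2).

    Backslashes and double quotes are escaped first, so a value supplied by a
    caller (e.g. a login name typed into a search box) stays one string
    literal and cannot append further comparison terms to the filter.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def users_url(org: str, attr: str, value: str, start_index: int = 1, count: int = 100) -> str:
    """Build a GET /Users URL with an equality filter plus pagination parameters."""
    params = {
        "filter": f"{attr} eq {scim_quote(value)}",
        "startIndex": start_index,   # SCIM pagination is 1-based
        "count": count,
    }
    return BASE.format(org=quote(org, safe="")) + "/Users?" + urlencode(params)


def scim_headers(bearer_token: str) -> dict:
    """Headers every request should carry: SCIM media type plus bearer auth."""
    return {
        "Authorization": f"Bearer {bearer_token}",
        "Accept": SCIM_JSON,
        "Content-Type": SCIM_JSON,
    }


def parse_scim_error(body: str) -> dict:
    """Parse an RFC 7644 error document; reject JSON that is not a SCIM error.

    The status is transmitted as a string and is converted to int here so the
    caller can compare it against the HTTP status actually received.
    """
    doc = json.loads(body)
    if ERROR_SCHEMA not in doc.get("schemas", []):
        raise ValueError("response is not a SCIM error document")
    return {
        "status": int(doc["status"]),
        "scimType": doc.get("scimType"),   # absent for 401/404 per the table above
        "detail": doc.get("detail", ""),
    }
```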