SCIM (System for Cross-domain Identity Management) enables organizations to automatically provision and deprovision members from their workforce identity provider (IdP). When IT administrators make changes in their IdP, such as Okta or Microsoft Entra, those changes are automatically synchronized to your application through Stytch.

SCIM provisioning flow

1. Create a SCIM connection

Create a SCIM connection for an organization to get the base URL and bearer token:
curl --request POST \
  --url https://test.stytch.com/v1/b2b/scim/organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931/connection \
  --header 'Content-Type: application/json' \
  --user 'PROJECT_ID:SECRET' \
  --data '{
    "display_name": "Okta SCIM Connection"
  }'
Response:
{
  "status_code": 201,
  "connection": {
    "connection_id": "scim-connection-test-...",
    "organization_id": "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
    "status": "active",
    "display_name": "Okta SCIM Connection",
    "base_url": "https://api.stytch.com/v1/b2b/scim/...",
    "bearer_token": "scim_bearer_token_..."
  }
}
Provide the base_url and bearer_token to the organization’s IT administrator to configure in their IdP.
2. Configure the IdP

The organization’s IT administrator configures SCIM in their identity provider:
  • Sets the SCIM base URL from step 1
  • Adds the bearer token for authentication
  • Maps user attributes (email, name, etc.)
  • Optionally configures group provisioning
Once configured, the IdP will begin sending SCIM requests to Stytch automatically.
3. IdP syncs users and groups

The IdP sends SCIM requests to Stytch when:
  • A user is provisioned (added to the application)
  • User information is updated
  • A user is deprovisioned (removed or deactivated)
  • Groups are created, updated, or deleted
  • Users are added to or removed from groups
Stytch processes these requests and updates members, sessions, and RBAC roles accordingly.
4. Handle webhooks (optional)

Stytch triggers webhooks for all SCIM events. Subscribe to these to keep your internal systems in sync:
  • scim.member.create - Member provisioned from IdP
  • scim.member.update - Member information updated
  • scim.member.delete - Member deprovisioned
  • scim.idp_group.create - IdP group created
  • scim.idp_group.update - IdP group updated
  • scim.idp_group.delete - IdP group deleted
  • scim.idp_group.member_add - Member added to group
  • scim.idp_group.member_delete - Member removed from group

SCIM and RBAC

Map IdP groups to Stytch roles using the Update Connection endpoint. Members automatically receive roles based on their group membership, and role changes propagate to active sessions within 5 minutes through JWT refresh. Learn more in the SCIM guide.
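
As an added example (not Stytch's code), here is a webhook consumer for the event types listed in step 4 that mirrors members and IdP group membership in an internal system and derives roles from groups, as the SCIM and RBAC section describes. It skips duplicate deliveries and strips all access when a member is deprovisioned. The payload field names, the `DirectoryMirror` class and the group-to-role map are assumptions for illustration, not Stytch's webhook schema.

```python
# Field names (event_id, action, member_id, group_id, email) are assumptions, not Stytch's schema.
class DirectoryMirror:
    def __init__(self, group_roles):
        self.group_roles = group_roles  # hypothetical local IdP-group -> role map
        self.members = {}               # member_id -> email
        self.groups = {}                # group_id -> set of member_ids
        self.seen = set()               # event ids already applied (dedupes retries)

    def apply(self, event):
        """Apply one SCIM webhook event; return False for a duplicate delivery."""
        if event["event_id"] in self.seen:
            return False
        action = event["action"]
        mid, gid = event.get("member_id"), event.get("group_id")
        if action in ("scim.member.create", "scim.member.update"):
            self.members[mid] = event["email"]
        elif action == "scim.member.delete":
            # Deprovisioning: drop the member and every group membership.
            self.members.pop(mid, None)
            for members in self.groups.values():
                members.discard(mid)
        elif action in ("scim.idp_group.create", "scim.idp_group.update"):
            self.groups.setdefault(gid, set())
        elif action == "scim.idp_group.delete":
            self.groups.pop(gid, None)
        elif action == "scim.idp_group.member_add":
            self.groups.setdefault(gid, set()).add(mid)
        elif action == "scim.idp_group.member_delete":
            self.groups.get(gid, set()).discard(mid)
        else:
            raise ValueError(f"unhandled SCIM event type: {action}")
        self.seen.add(event["event_id"])
        return True

    def roles(self, member_id):
        """Roles derived from group membership; unknown members get none."""
        if member_id not in self.members:
            return set()
        return {self.group_roles[g] for g, m in self.groups.items()
                if member_id in m and g in self.group_roles}

# Constructed sample events (not captured from Stytch); the fourth is a retried delivery.
SAMPLE_EVENTS = [
    {"event_id": "e1", "action": "scim.member.create", "member_id": "m1", "email": "a@example.com"},
    {"event_id": "e2", "action": "scim.idp_group.create", "group_id": "grp-eng"},
    {"event_id": "e3", "action": "scim.idp_group.member_add", "group_id": "grp-eng", "member_id": "m1"},
    {"event_id": "e3", "action": "scim.idp_group.member_add", "group_id": "grp-eng", "member_id": "m1"},
    {"event_id": "e4", "action": "scim.member.delete", "member_id": "m1"},
]
```

Because `roles()` returns nothing for a member the mirror has not seen created, a group-add event that arrives before its member-create event grants no access until the member record exists.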
