> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# SCIM overview

> Automate user provisioning and deprovisioning with SCIM using the Stytch API

SCIM (System for Cross-domain Identity Management) enables organizations to automatically provision and deprovision members from their workforce identity provider (IdP). When IT administrators make changes in their IdP like Okta or Microsoft Entra, those changes are automatically synchronized to your application through Stytch.

## SCIM provisioning flow

<Steps>
  <Step title="Create a SCIM connection">
    Create a SCIM connection for an organization to get the base URL and bearer token:

    ```bash theme={null}
    curl --request POST \
      --url https://test.stytch.com/v1/b2b/scim/organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931/connection \
      --header 'Content-Type: application/json' \
      --user 'PROJECT_ID:SECRET' \
      --data '{
        "display_name": "Okta SCIM Connection"
      }'
    ```

    **Response:**

    ```json theme={null}
    {
      "status_code": 201,
      "connection": {
        "connection_id": "scim-connection-test-...",
        "organization_id": "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
        "status": "active",
        "display_name": "Okta SCIM Connection",
        "base_url": "https://api.stytch.com/v1/b2b/scim/...",
        "bearer_token": "scim_bearer_token_..."
      }
    }
    ```

    Provide the `base_url` and `bearer_token` to the organization's IT administrator to configure in their IdP.
  </Step>

  <Step title="Configure the IdP">
    The organization's IT administrator configures SCIM in their identity provider:

    * Sets the SCIM base URL from step 1
    * Adds the bearer token for authentication
    * Maps user attributes (email, name, etc.)
    * Optionally configures group provisioning

    Once configured, the IdP will begin sending SCIM requests to Stytch automatically.
  </Step>

  <Step title="IdP syncs users and groups">
    The IdP sends SCIM requests to Stytch when:

    * A user is provisioned (added to the application)
    * User information is updated
    * A user is deprovisioned (removed or deactivated)
    * Groups are created, updated, or deleted
    * Users are added to or removed from groups

    Stytch processes these requests and updates members, sessions, and RBAC roles accordingly.
  </Step>

  <Step title="Handle webhooks (optional)">
    Stytch triggers webhooks for all SCIM events. Subscribe to these to keep your internal systems in sync:

    * `scim.member.create` - Member provisioned from IdP
    * `scim.member.update` - Member information updated
    * `scim.member.delete` - Member deprovisioned
    * `scim.idp_group.create` - IdP group created
    * `scim.idp_group.update` - IdP group updated
    * `scim.idp_group.delete` - IdP group deleted
    * `scim.idp_group.member_add` - Member added to group
    * `scim.idp_group.member_delete` - Member removed from group
  </Step>
</Steps>

## SCIM and RBAC

Map IdP groups to Stytch roles using the [Update Connection](/api-reference/b2b/api/scim/connection-management/update-scim-connection) endpoint. Members automatically receive roles based on their group membership, and role changes propagate to active sessions within 5 minutes through JWT refresh. Learn more in the [SCIM guide](/multi-tenant-auth/enterprise-ready/scim/overview).

## Learn more

<CardGroup cols={2}>
  <Card title="SCIM guide" icon="book" href="/multi-tenant-auth/enterprise-ready/scim/overview">
    Comprehensive SCIM documentation
  </Card>

  <Card title="Admin Portal" icon="grid-2x2-check" href="/multi-tenant-auth/enterprise-ready/admin-portal">
    Pre-built UI for SCIM management
  </Card>
</CardGroup>