SCIM 2.0
User and group provisioning, attribute mapping, sync.
SCIM 2.0 keeps your directory and oauth.work in sync — users and groups are provisioned, updated, and deprovisioned by your IdP, not by hand.
Endpoint
Base URL: https://acme.oauth.work/scim/v2
Auth: Bearer <scim-token> (admin-minted, scim:write scope)
Provision a user
POST /scim/v2/Users
Content-Type: application/scim+json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "ada@acme.com",
  "name": { "givenName": "Ada", "familyName": "Lovelace" },
  "active": true
}
Sync that doesn’t drift
- Deprovision is real — active: false (or DELETE) revokes the user’s sessions and tokens immediately, not on next login.
- Groups map to roles — SCIM groups feed the RBAC model, so directory membership is the source of truth for authorization.
- PATCH is supported — partial updates are applied atomically per resource.
Group and role changes are written to the tenant’s Durable Object and recorded in the audit log.
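The three sync rules above, modelled as an added example (not oauth.work's own code): a tenant-side store in which a SCIM PATCH is committed only if every operation succeeds, active: false or DELETE clears live sessions at once rather than on next login, and roles are derived from directory group membership. The ScimStore class, its group-to-role map and the audit tuple shape are assumptions for illustration.

```python
import copy

class ScimStore:
    """Hypothetical tenant store: atomic PATCH, immediate revocation on
    deprovision, group membership as the source of truth for roles."""

    def __init__(self, group_roles):
        self.group_roles = group_roles   # SCIM group displayName -> RBAC role
        self.users = {}                  # userName -> SCIM User resource
        self.sessions = {}               # userName -> live session/token ids
        self.members = {}                # group displayName -> set of userNames
        self.audit = []                  # (event, subject, detail)

    def create_user(self, resource):
        uid = resource["userName"]
        self.users[uid] = copy.deepcopy(resource)
        self.sessions[uid] = set()
        self.audit.append(("create", uid, None))
        return uid

    def issue_token(self, uid, token_id):
        self.sessions[uid].add(token_id)

    def patch_user(self, uid, operations):
        # Work on a copy: if any op is invalid, nothing is committed and no
        # revocation runs (atomic per resource).
        draft = copy.deepcopy(self.users[uid])
        for op in operations:
            if op["op"].lower() != "replace":        # op names are case-insensitive
                raise ValueError(f"unsupported op: {op['op']}")
            path = op.get("path")
            if path is None and isinstance(op["value"], dict):
                draft.update(op["value"])            # no path: merge attributes
            elif path in ("active", "name"):
                draft[path] = op["value"]
            else:
                raise ValueError(f"unsupported path: {path}")
        self.users[uid] = draft
        if draft.get("active") is False:             # deprovision takes effect now
            self._revoke_all(uid)
        return draft

    def delete_user(self, uid):
        self._revoke_all(uid)                        # DELETE revokes just like active: false
        del self.users[uid]
        for group in self.members.values():
            group.discard(uid)

    def _revoke_all(self, uid):
        self.audit.append(("revoke", uid, len(self.sessions[uid])))
        self.sessions[uid].clear()

    def set_group_members(self, group, user_names):
        self.members[group] = set(user_names)

    def roles_for(self, uid):
        return sorted(self.group_roles[g] for g, m in self.members.items()
                      if uid in m and g in self.group_roles)
```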