SCIM 2.0 Provisioning
RFC 7644 SCIM endpoints for automated user and group sync from your IdP.
Overview
BrainstormRouter implements SCIM 2.0 (RFC 7644) for automated user and group provisioning. Connect your IdP (Okta, Azure AD, OneLogin) to push user lifecycle events directly into your tenant.
All SCIM routes are mounted under /scim/v2/* and use dedicated bearer-token authentication, separate from BrainstormRouter API keys. Tokens are stored in the scim_tokens table and are scoped per tenant, so a token can only read or modify the tenant it was issued for.
Authentication
```http
Authorization: Bearer scim_token_...
```
SCIM bearer tokens are stored in the scim_tokens database table and are independent of BrainstormRouter API keys. Token provisioning is currently managed through direct database operations. A self-service token management API and dashboard UI are planned but have not yet shipped.
Discovery endpoints
| Method | Path | Description |
|---|---|---|
| GET | /scim/v2/ServiceProviderConfig | Supported capabilities |
| GET | /scim/v2/Schemas | User and Group schemas |
| GET | /scim/v2/ResourceTypes | Available resource types |
Capabilities: PATCH supported; filtering supported (at most 200 results per response); bulk, sort, etag, and changePassword not supported.
User endpoints
| Method | Path | Description |
|---|---|---|
| POST | /scim/v2/Users | Create or upsert user |
| GET | /scim/v2/Users | List users (filtered) |
| GET | /scim/v2/Users/:id | Get user by ID |
| PUT | /scim/v2/Users/:id | Replace user |
| PATCH | /scim/v2/Users/:id | Patch user attributes |
| DELETE | /scim/v2/Users/:id | Deactivate user |
Create user
```bash
curl -X POST https://api.brainstormrouter.com/scim/v2/Users \
  -H "Authorization: Bearer scim_token_..." \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alice@corp.com",
    "displayName": "Alice",
    "active": true,
    "emails": [{ "value": "alice@corp.com", "primary": true }]
  }'
```
Users are upserted on the (tenantId, email) pair: re-POSTing an existing email updates that record rather than creating a duplicate.
Filter support
```http
GET /scim/v2/Users?filter=userName eq "alice@corp.com"
```
The filter grammar supports the eq (equals) and co (contains) operators on the userName, displayName, and externalId attributes only; other attributes, operators, and compound expressions are rejected.
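The following is an added illustration, not BrainstormRouter's own code, of how a server can enforce exactly the filter subset described above: it allowlists the three attributes and two operators, rejects anything else as an invalid filter, clamps the page size to the 200-result maximum, and binds both the tenant id and the filter value as parameters so the query stays scoped to one tenant. The table name scim_users and the "?" parameter style are assumptions for the example.

```python
import re
from typing import List, Tuple

# Filter subset this page documents: eq / co on three attributes, max 200 results.
ALLOWED_ATTRS = {"userName", "displayName", "externalId"}
ALLOWED_OPS = {"eq", "co"}
MAX_RESULTS = 200

# Exactly one comparison: <attr> <op> "<value>", value without quotes or backslashes.
_FILTER_RE = re.compile(r'^\s*(\w+)\s+(eq|co)\s+"([^"\\]*)"\s*$')


class ScimFilterError(ValueError):
    """Unsupported filter; RFC 7644 maps this to HTTP 400 with scimType invalidFilter."""


def parse_scim_filter(filter_expr: str) -> Tuple[str, str, str]:
    """Return (attribute, operator, value) or raise ScimFilterError."""
    m = _FILTER_RE.match(filter_expr)
    if not m:  # compound expressions, other operators, unquoted values
        raise ScimFilterError("unsupported filter syntax")
    attr, op, value = m.groups()
    if attr not in ALLOWED_ATTRS or op not in ALLOWED_OPS:
        raise ScimFilterError(f"unsupported attribute or operator: {attr} {op}")
    return attr, op, value


def _escape_like(value: str) -> str:
    """Escape LIKE metacharacters so a 'co' match is a literal substring match."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_user_query(tenant_id: str, filter_expr: str, count: int = MAX_RESULTS) -> Tuple[str, List[str]]:
    """Build a tenant-scoped, parameterised SQL query for the scim_users table (assumed name)."""
    attr, op, value = parse_scim_filter(filter_expr)
    if op == "eq":
        cond, param = f"{attr} = ?", value
    else:
        cond, param = f"{attr} LIKE ? ESCAPE '\\'", f"%{_escape_like(value)}%"
    # attr is interpolated only after the allowlist check above; values are always bound.
    limit = max(1, min(count, MAX_RESULTS))
    sql = f"SELECT * FROM scim_users WHERE tenant_id = ? AND {cond} LIMIT {limit}"
    return sql, [tenant_id, param]
```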
Group endpoints
| Method | Path | Description |
|---|---|---|
| POST | /scim/v2/Groups | Create group |
| GET | /scim/v2/Groups | List groups |
| GET | /scim/v2/Groups/:id | Get group by ID |
| PUT | /scim/v2/Groups/:id | Replace group |
| PATCH | /scim/v2/Groups/:id | Patch group membership |
| DELETE | /scim/v2/Groups/:id | Delete group |
Groups map to RBAC policy mappings via the group_policy_mappings table.