SCIM 2.0 (Users + Groups)
Okta/Entra-style provisioning and deprovisioning — SCIM Users, Groups, and PatchOp membership sync, with per-tenant bearer tokens.
Qeet ID implements SCIM 2.0 for both Users and Groups, including PatchOp membership sync — the Okta/Entra-style protocol that keeps directories in step. IdPs authenticate with a per-tenant bearer token distinct from user JWTs.
Users AND Groups
SCIM Users alone is common; SCIM Groups with PatchOp membership is the part that drives group-level RBAC. Both are implemented.
Per-tenant SCIM token
Provision a token in the tenant, set it in your IdP's SCIM connector, and rotate as needed. The IdP sends it as Authorization: Bearer <scim-token>.
/v1/tenants/{tenantID}/scim          SCIM config / status
/v1/tenants/{tenantID}/scim/token    Rotate the SCIM token
/v1/tenants/{tenantID}/scim/token    Revoke the SCIM token
Discovery
Standard SCIM service-discovery endpoints let the IdP introspect capabilities.
/scim/v2/ServiceProviderConfig    Provider config
/scim/v2/Schemas                  Schemas
/scim/v2/ResourceTypes            Resource types
Users
Full CRUD and filtering; bodies use application/scim+json.
/scim/v2/Users         List / filter users
/scim/v2/Users         Provision a user
/scim/v2/Users/{id}    Patch a user (e.g. deactivate)

curl https://api.qeetid.com/scim/v2/Users \
  -H "Authorization: Bearer $SCIM_TOKEN" \
  -H 'Accept: application/scim+json'

Deprovisioning (setting active: false) disables the account — instant offboarding.
Groups
Groups support full CRUD plus PatchOp membership add/remove — how an IdP keeps group membership in sync without resending the full group.
/scim/v2/Groups         List groups
/scim/v2/Groups         Create a group
/scim/v2/Groups/{id}    PatchOp — add/remove members

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    { "op": "add", "path": "members", "value": [{ "value": "<scim-user-id>" }] }
  ]
}

Synced groups map to Qeet ID groups, so assigning a role to a group (Authorization → Group roles) means directory membership changes flow straight through to access.
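Because membership changes translate directly into access, the receiving side should apply a PatchOp strictly. The sketch below is an added example, not Qeet ID's code: it applies the add body shown above to a member set and goes beyond it to cover the remove forms (the RFC 7644 filtered path and a remove carrying a value list). The names apply_group_patch and _ids and the sample ids are hypothetical.

```python
import re

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# RFC 7644 filtered-path form used to remove one member: members[value eq "<id>"]
_MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$', re.IGNORECASE)


def _ids(value):
    """Pull member ids out of a PatchOp value: [{"value": "<id>"}, ...]."""
    if not isinstance(value, list):
        raise ValueError("members value must be a list")
    ids = set()
    for item in value:
        if not isinstance(item, dict) or not isinstance(item.get("value"), str):
            raise ValueError("each member needs a string 'value'")
        ids.add(item["value"])
    return ids


def apply_group_patch(members, body):
    """Return the member-id set after applying a PatchOp body.

    Works on a copy and raises on anything unrecognised, so a rejected
    request leaves the stored membership (and group roles) untouched.
    """
    if PATCH_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a PatchOp message")
    result = set(members)
    for op in body.get("Operations", []):
        verb = str(op.get("op", "")).lower()  # tolerate "Add" / "Remove"
        path = str(op.get("path") or "")
        one = _MEMBER_FILTER.match(path)
        if verb == "add" and path.lower() == "members":
            result |= _ids(op.get("value"))
        elif verb == "remove" and one:
            result.discard(one.group(1))
        elif verb == "remove" and path.lower() == "members":
            # value list removes those ids; no value clears the attribute
            result = result - _ids(op["value"]) if "value" in op else set()
        else:
            raise ValueError(f"unsupported operation: {verb!r} {path!r}")
    return result


if __name__ == "__main__":
    # Constructed sample: the page's add body with a placeholder user id.
    sample = {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "add", "path": "members", "value": [{"value": "user-3"}]}]}
    print(sorted(apply_group_patch({"user-1", "user-2"}, sample)))
```
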