The Contentstack SCIM API implements the System for Cross-domain Identity Management (SCIM 2.0) standard to enable automated user lifecycle management within a Contentstack organization. It allows Identity Providers (IdPs) to provision and deprovision users, manage group memberships, and synchronize user attributes between the IdP and Contentstack.
openapi: 3.1.0
info:
title: Contentstack SCIM API
description: >-
The Contentstack SCIM API implements the System for Cross-domain Identity
Management (SCIM 2.0) standard to enable automated user lifecycle management
within a Contentstack organization. It allows Identity Providers (IdPs) to
provision and deprovision users, manage group memberships, and synchronize
user attributes between the IdP and Contentstack. This API is primarily used
by enterprise organizations that manage Contentstack access through
centralized identity management platforms such as Okta, Azure AD, or
OneLogin. Group mappings in Contentstack allow IdP-managed groups to control
role-based access within the CMS.
version: '2.0'
contact:
name: Contentstack Support
url: https://www.contentstack.com/contact
termsOfService: https://www.contentstack.com/legal/terms-of-service
externalDocs:
description: Contentstack SCIM API Documentation
url: https://www.contentstack.com/docs/developers/apis/scim-api
servers:
- url: https://auth-api.contentstack.com
description: AWS North America Production Server
- url: https://eu-auth-api.contentstack.com
description: AWS Europe Production Server
- url: https://au-auth-api.contentstack.com
description: AWS Australia Production Server
- url: https://azure-na-auth-api.contentstack.com
description: Azure North America Production Server
- url: https://azure-eu-auth-api.contentstack.com
description: Azure Europe Production Server
- url: https://gcp-na-auth-api.contentstack.com
description: GCP North America Production Server
- url: https://gcp-eu-auth-api.contentstack.com
description: GCP Europe Production Server
tags:
- name: SCIM Groups
description: >-
SCIM group endpoints allow Identity Providers to manage group memberships
in Contentstack, which map to role-based access control within the CMS.
- name: SCIM Schema Discovery
description: >-
Schema discovery endpoints implement the SCIM 2.0 service provider
configuration, returning supported schemas and resource types for
IdP compatibility validation.
- name: SCIM Users
description: >-
SCIM user endpoints enable Identity Providers to provision, update, and
deprovision user accounts within a Contentstack organization following
the SCIM 2.0 User schema.
security:
- bearerAuth: []
paths:
/scim/v2.0/organizations/{organization_uid}/Users:
get:
operationId: listScimUsers
summary: List SCIM users
description: >-
Retrieves all users in the organization following the SCIM 2.0 ListResponse
format. Supports filtering by userName (email address) using the
filter query parameter for user lookup during IdP sync operations.
tags:
- SCIM Users
parameters:
- $ref: '#/components/parameters/OrganizationUid'
- name: filter
in: query
description: >-
SCIM filter expression for searching users. Example:
userName eq "[email protected]"
schema:
type: string
responses:
'200':
description: A SCIM ListResponse containing user resources.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimListResponse'
'401':
$ref: '#/components/responses/Unauthorized'
post:
operationId: createScimUser
summary: Create a SCIM user
description: >-
Provisions a new user in the Contentstack organization via SCIM. The
user is created with the attributes provided in the SCIM User resource
and assigned to the organization's default role unless group mappings
specify otherwise.
tags:
- SCIM Users
parameters:
- $ref: '#/components/parameters/OrganizationUid'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ScimUser'
responses:
'201':
description: The newly provisioned SCIM user resource.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimUser'
'400':
$ref: '#/components/responses/BadRequest'
'401':
$ref: '#/components/responses/Unauthorized'
'409':
description: A user with this userName already exists.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimError'
/scim/v2.0/organizations/{organization_uid}/Users/{user_id}:
get:
operationId: getScimUser
summary: Get a SCIM user
description: >-
Retrieves the SCIM User resource for a specific user by their SCIM
user ID within the organization.
tags:
- SCIM Users
parameters:
- $ref: '#/components/parameters/OrganizationUid'
- $ref: '#/components/parameters/UserId'
responses:
'200':
description: The SCIM user resource.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimUser'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
put:
operationId: replaceScimUser
summary: Replace a SCIM user
description: >-
Fully replaces a SCIM user resource with the provided attributes.
All attributes not included in the request will be cleared or reset
to defaults following SCIM 2.0 PUT semantics.
tags:
- SCIM Users
parameters:
- $ref: '#/components/parameters/OrganizationUid'
- $ref: '#/components/parameters/UserId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ScimUser'
responses:
'200':
description: The updated SCIM user resource.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimUser'
'400':
$ref: '#/components/responses/BadRequest'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
patch:
operationId: updateScimUser
summary: Update a SCIM user
description: >-
Partially updates a SCIM user resource using SCIM 2.0 PATCH operations.
Commonly used to activate or deactivate users by setting the active
attribute, or to update specific profile attributes without replacing
the entire resource.
tags:
- SCIM Users
parameters:
- $ref: '#/components/parameters/OrganizationUid'
- $ref: '#/components/parameters/UserId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ScimPatchRequest'
responses:
'200':
description: The updated SCIM user resource.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimUser'
'400':
$ref: '#/components/responses/BadRequest'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
/scim/v2.0/organizations/{organization_uid}/Groups:
get:
operationId: listScimGroups
summary: List SCIM groups
description: >-
Retrieves all groups in the organization following the SCIM 2.0
ListResponse format. Supports filtering by displayName for group
lookup during IdP sync operations.
tags:
- SCIM Groups
parameters:
- $ref: '#/components/parameters/OrganizationUid'
- name: filter
in: query
description: >-
SCIM filter expression for searching groups. Example:
displayName eq "Editors"
schema:
type: string
responses:
'200':
description: A SCIM ListResponse containing group resources.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimListResponse'
'401':
$ref: '#/components/responses/Unauthorized'
post:
operationId: createScimGroup
summary: Create a SCIM group
description: >-
Creates a new group in the Contentstack organization via SCIM. Groups
can be mapped to specific roles and stacks in Contentstack to control
member access permissions.
tags:
- SCIM Groups
parameters:
- $ref: '#/components/parameters/OrganizationUid'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ScimGroup'
responses:
'201':
description: The newly created SCIM group resource.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimGroup'
'400':
$ref: '#/components/responses/BadRequest'
'401':
$ref: '#/components/responses/Unauthorized'
/scim/v2.0/organizations/{organization_uid}/Groups/{group_id}:
get:
operationId: getScimGroup
summary: Get a SCIM group
description: >-
Retrieves the SCIM Group resource for a specific group by its SCIM
group ID within the organization.
tags:
- SCIM Groups
parameters:
- $ref: '#/components/parameters/OrganizationUid'
- $ref: '#/components/parameters/GroupId'
responses:
'200':
description: The SCIM group resource.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimGroup'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
put:
operationId: replaceScimGroup
summary: Replace a SCIM group
description: >-
Fully replaces a SCIM group resource including all member assignments.
Use this to synchronize the complete group membership from the IdP.
tags:
- SCIM Groups
parameters:
- $ref: '#/components/parameters/OrganizationUid'
- $ref: '#/components/parameters/GroupId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ScimGroup'
responses:
'200':
description: The updated SCIM group resource.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimGroup'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
patch:
operationId: updateScimGroup
summary: Update a SCIM group
description: >-
Partially updates a SCIM group using SCIM 2.0 PATCH operations.
Commonly used to add or remove individual members from the group
without replacing the entire membership list.
tags:
- SCIM Groups
parameters:
- $ref: '#/components/parameters/OrganizationUid'
- $ref: '#/components/parameters/GroupId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ScimPatchRequest'
responses:
'200':
description: The updated SCIM group resource.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimGroup'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
delete:
operationId: deleteScimGroup
summary: Delete a SCIM group
description: >-
Removes a SCIM group from the Contentstack organization. Members of
the group retain their individual user accounts but lose the role
permissions granted by the group mapping.
tags:
- SCIM Groups
parameters:
- $ref: '#/components/parameters/OrganizationUid'
- $ref: '#/components/parameters/GroupId'
responses:
'204':
description: Group deleted successfully.
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
/scim/v2.0/Schemas:
get:
operationId: getScimSchemas
summary: Get SCIM schemas
description: >-
Returns the SCIM schemas supported by the Contentstack SCIM API,
enabling IdP clients to understand the available attributes for
User and Group resources.
tags:
- SCIM Schema Discovery
security: []
responses:
'200':
description: A list of SCIM schemas supported by the API.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimListResponse'
/scim/v2.0/ResourceTypes:
get:
operationId: getScimResourceTypes
summary: Get SCIM resource types
description: >-
Returns the SCIM resource types supported by the Contentstack SCIM API
including Users and Groups, enabling IdP clients to discover available
endpoints and their schemas.
tags:
- SCIM Schema Discovery
security: []
responses:
'200':
description: A list of SCIM resource types.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimListResponse'
components:
securitySchemes:
bearerAuth:
type: http
scheme: bearer
description: Bearer token from the Identity Provider client for SCIM authentication.
parameters:
OrganizationUid:
name: organization_uid
in: path
required: true
description: The unique identifier of the Contentstack organization.
schema:
type: string
UserId:
name: user_id
in: path
required: true
description: The SCIM user ID of the user within the organization.
schema:
type: string
GroupId:
name: group_id
in: path
required: true
description: The SCIM group ID of the group within the organization.
schema:
type: string
responses:
BadRequest:
description: The SCIM request is malformed or contains invalid attribute values.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimError'
Unauthorized:
description: The SCIM bearer token is missing or invalid.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimError'
NotFound:
description: The requested SCIM resource was not found.
content:
application/json:
schema:
$ref: '#/components/schemas/ScimError'
schemas:
ScimListResponse:
type: object
description: A SCIM 2.0 ListResponse container for multi-resource responses.
properties:
schemas:
type: array
description: SCIM schema URNs identifying this as a ListResponse.
items:
type: string
example:
- urn:ietf:params:scim:api:messages:2.0:ListResponse
totalResults:
type: integer
description: Total number of resources matching the query.
startIndex:
type: integer
description: 1-based index of the first result in this page.
itemsPerPage:
type: integer
description: Number of results returned in this response.
Resources:
type: array
description: Array of SCIM resource objects (Users or Groups).
items:
type: object
ScimUser:
type: object
description: A SCIM 2.0 User resource representing a Contentstack user account.
properties:
schemas:
type: array
description: SCIM schema URNs for this resource.
items:
type: string
example:
- urn:ietf:params:scim:schemas:core:2.0:User
id:
type: string
description: SCIM-assigned unique identifier for the user.
userName:
type: string
format: email
description: The user's email address used as the primary unique identifier.
name:
type: object
description: The user's name components.
properties:
givenName:
type: string
description: The user's first name.
familyName:
type: string
description: The user's last name.
emails:
type: array
description: List of email addresses for the user.
items:
type: object
properties:
value:
type: string
format: email
description: The email address value.
primary:
type: boolean
description: Indicates whether this is the primary email address.
active:
type: boolean
description: >-
Indicates whether the user account is active. Set to false to
deprovision (deactivate) the user in Contentstack.
ScimGroup:
type: object
description: A SCIM 2.0 Group resource representing a Contentstack user group.
properties:
schemas:
type: array
description: SCIM schema URNs for this resource.
items:
type: string
example:
- urn:ietf:params:scim:schemas:core:2.0:Group
id:
type: string
description: SCIM-assigned unique identifier for the group.
displayName:
type: string
description: The display name of the group.
members:
type: array
description: List of user members in the group.
items:
type: object
properties:
value:
type: string
description: The SCIM user ID of the group member.
display:
type: string
description: The display name of the group member.
ScimPatchRequest:
type: object
description: A SCIM 2.0 PatchOp request for partial resource updates.
properties:
schemas:
type: array
description: SCIM schema URN identifying this as a PatchOp request.
items:
type: string
example:
- urn:ietf:params:scim:api:messages:2.0:PatchOp
Operations:
type: array
description: List of PATCH operations to perform.
items:
$ref: '#/components/schemas/ScimPatchOperation'
ScimPatchOperation:
type: object
description: A single SCIM PATCH operation.
required:
- op
properties:
op:
type: string
description: The operation type.
enum:
- add
- remove
- replace
path:
type: string
description: The attribute path to target for the operation.
value:
description: The value to apply for add or replace operations.
ScimError:
type: object
description: A SCIM 2.0 error response.
properties:
schemas:
type: array
description: SCIM schema URN for error responses.
items:
type: string
example:
- urn:ietf:params:scim:api:messages:2.0:Error
status:
type: string
description: HTTP status code as a string.
detail:
type: string
description: Human-readable description of the error.