Summary and recommendation
Payhawk, the corporate card and expense management platform, does not offer SCIM provisioning on any plan. While Payhawk supports SAML 2.0 SSO with major identity providers including Okta, Microsoft Entra, and Google Workspace, this only handles authentication through their Amazon Cognito implementation. User provisioning, deprovisioning, and attribute updates must all be handled manually through the Payhawk admin interface, creating a significant operational burden for IT teams managing employee onboarding and offboarding.
This limitation is particularly problematic for corporate card platforms where rapid provisioning and deprovisioning directly impacts financial security. When employees leave or change roles, IT teams must remember to manually revoke access to corporate cards and expense reporting—a process that's both error-prone and creates compliance risks. The gap between SSO authentication and actual user lifecycle management means organizations lose the automation benefits that make SCIM essential for financial applications.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for Payhawk without requiring enterprise-level contracts or custom pricing negotiations. Works with any Payhawk plan and any identity provider. Flat pricing under $5K/year, regardless of team size.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | Payhawk supports SSO with Okta via custom SAML 2.0 app configuration. No pre-built OIN integration. Contact Payhawk Implementation Manager for setup. |
| Microsoft Entra ID | ✓ | ❌ | SAML SSO available with Microsoft Entra ID via custom enterprise app. No SCIM provisioning documented. Contact Payhawk for enterprise identity features. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Payhawk accounts manually. Here's what that costs:
The Payhawk pricing problem
Payhawk gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Starter | Custom pricing |
Pricing and provisioning features
| Plan | Pricing | SCIM | SSO |
|---|---|---|---|
| Starter | Custom pricing | ❌ Not available | ✓ SAML 2.0 |
All Payhawk plans require custom quotes based on admin seats, card volume, and transaction processing needs. The promotional rate of £149/month (24-month commitment) provides a baseline, but enterprise deployments typically cost significantly more.
What this means in practice
Complete manual provisioning: Every user must be manually created, updated, and deprovisioned in Payhawk. For corporate card and expense management platforms, this creates significant overhead since employee turnover directly impacts financial system access.
SSO authentication only: While SAML SSO works with Okta, Entra ID, Google Workspace, and JumpCloud, it only handles authentication. User accounts must already exist in Payhawk before SSO can be used - there's no just-in-time provisioning.
Financial compliance risk: Manual user management in expense systems creates audit trail gaps. Terminated employees may retain access to corporate cards or expense reporting if IT doesn't coordinate deprovisioning with finance teams.
Additional constraints
Summary of challenges
- Payhawk does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Payhawk actually offers for identity
SAML SSO (Custom pricing)
Payhawk supports SAML 2.0 authentication through their Amazon Cognito integration:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported IdPs | Okta, Microsoft Entra ID, Google Workspace, JumpCloud |
| Configuration | Contact Implementation Manager for setup |
| Entity ID | urn:amazon:cognito:sp:eu-central-1_mcW4Iwl7p |
| User requirement | Manual provisioning required |
Critical limitation: Payhawk's SSO only handles authentication. There's no automated user provisioning - every employee must be manually added to the platform before they can authenticate via SSO.
No SCIM Provisioning
Payhawk doesn't offer SCIM provisioning at any tier:
Okta Integration
No pre-built Okta Integration Network (OIN) app exists for Payhawk. SSO requires custom SAML 2.0 configuration with manual setup assistance from Payhawk's Implementation Manager.
Why This Falls Short
For corporate card and expense management platforms, manual user provisioning creates significant operational overhead. When employees join, leave, or change roles, IT teams must separately manage their Payhawk access alongside their corporate card assignments - a process ripe for security gaps and administrative mistakes.
What IT admins are saying
Payhawk's lack of automated provisioning creates manual work for IT teams managing corporate card access:
- Manual user provisioning required despite SSO availability
- No automated onboarding/offboarding for expense management access
- Custom pricing makes budget planning difficult without sales engagement
- Identity management limited to authentication only - no account lifecycle automation
SAML SSO with Okta, Azure AD (Microsoft Entra), Google Workspace, JumpCloud... Contact Implementation Manager for SSO setup.
Custom pricing based on admin seats, cards, and transaction volume... contact sales
The recurring theme
While Payhawk supports SSO for streamlined login, IT teams still manually manage user accounts for corporate card and expense access. Every new hire or departure requires separate provisioning steps outside the identity provider workflow.
The decision
| Your Situation | Recommendation |
|---|---|
| Small finance team (<20 users) with stable staff | Manual management is acceptable |
| Growing company with frequent employee onboarding | Use Stitchflow: automation essential for scaling |
| Enterprise with compliance requirements | Use Stitchflow: automation essential for audit trail |
| Multi-subsidiary organizations | Use Stitchflow: automation strongly recommended |
| Companies prioritizing security hygiene | Use Stitchflow: automated deprovisioning prevents card access issues |
The bottom line
Payhawk offers solid corporate card and expense management, but it's stuck in manual provisioning mode with no SCIM support. For finance teams managing employee card access at scale, Stitchflow eliminates the risk of former employees retaining corporate card privileges through automated user lifecycle management.
Automate Payhawk without third-party complexity
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Payhawk at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- No SCIM provisioning documented
- SAML SSO only
- Central user management through IdP for authentication only
- Custom pricing - contact sales
Documentation not available.
Unlock SCIM for
Payhawk
Payhawk doesn't offer SCIM. Get an enterprise-grade SCIM endpoint in your IdP, even without native support.
See how it works
