Summary and recommendation
PayPal supports SCIM through its Braintree platform, but only on Enterprise accounts with transaction-based pricing starting at 2.59% + $0.49 per transaction. The bigger issue: SCIM onboarding is irreversible—once enabled, you can never revert to manual user management in the control panel. You also can't create or delete groups via SCIM (only update existing ones), and all non-SSO users must be converted to SSO before SCIM activation.
This creates a significant deployment risk for payment operations teams. The irreversible nature means you're locked into SCIM management permanently, while the group limitations force manual administration for new merchant access patterns. For finance teams managing payment platform access, this inflexibility conflicts with the dynamic nature of payment operations where user roles and merchant account access frequently change.
The strategic alternative
PayPal gates SCIM behind Enterprise (Braintree). Skip the Enterprise (Braintree) plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages PayPal accounts manually. Here's what that costs:
The PayPal pricing problem
PayPal gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | Transaction-based (2.59% + $0.49) | ||
| Enterprise (Braintree) | Custom pricing |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Standard | Transaction-based (2.59% + $0.49) | ❌ |
| Enterprise (Braintree) | Custom pricing | ✓ |
Note: SCIM requires Enterprise Braintree accounts with custom negotiated rates. Standard PayPal accounts cannot access SCIM functionality.
What this means in practice
PayPal's SCIM implementation creates a point of no return:
For payment operations teams, this creates a high-stakes implementation where careful planning is essential—any mistakes in the initial setup become permanent.
Additional constraints
Summary of challenges
- PayPal supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
PayPal doesn't sell SCIM separately—it's only available through Braintree Enterprise accounts and comes bundled with their full payment platform:
The catch: you're not just paying for identity management—you're buying into Braintree's entire payment processing ecosystem with transaction-based pricing (2.59% + $0.49 per transaction). If you only need SCIM for user management, you're paying processing fees on every transaction to access identity features.
Stitchflow Insight
We estimate ~60% of Braintree Enterprise features are payment processing capabilities that teams seeking basic SCIM automation don't need. The irreversible nature of SCIM onboarding makes this an expensive, high-commitment solution for simple user provisioning.
What IT admins are saying
Community sentiment on PayPal's SCIM implementation centers around its irreversible nature and complex setup requirements. Common complaints:
- The one-way SCIM onboarding that cannot be reverted once enabled
- Complex pre-requirements including sandbox setup and SSO conversion
- Limited group management capabilities (can only update, not create/delete groups)
- Loss of manual user management capabilities in the control panel after SCIM activation
SCIM onboarding is one-way - cannot revert to non-SCIM once enabled
Cannot edit/create/delete SSO users in control panel after SCIM
The recurring theme
PayPal's SCIM feels more like a permanent commitment than a flexible automation tool, with significant operational trade-offs that require careful planning before implementation.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but hesitant about one-way commitment | Use Stitchflow: maintain flexibility without irreversible changes |
| Enterprise Braintree account with SCIM included | Use native SCIM: you're already paying for it |
| Want group creation/deletion capabilities | Use Stitchflow: native SCIM can only update existing groups |
| Complex onboarding requirements concern you | Use Stitchflow: skip sandbox setup and SSO user conversion |
| Small payments team with stable access needs | Manual may work: but monitor for compliance gaps |
The bottom line
PayPal's Braintree SCIM comes with significant limitations—it's irreversible once enabled, requires complex onboarding, and can't create or delete groups. For organizations wanting payment platform automation without the commitment and restrictions, Stitchflow provides full provisioning control at predictable flat-rate pricing.
Make PayPal workflows AI-native
PayPal gates SCIM behind Enterprise (Braintree). We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SCIM onboarding is one-way - cannot revert
- Cannot edit/create/delete SSO users in control panel after SCIM
- Cannot create or delete groups via SCIM - only update
- Sandbox merchant required before production SCIM
- Must convert non-SSO users to SSO before SCIM onboarding
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Braintree SCIM app in Okta OIN. Supports automated user provisioning, de-provisioning, and role/merchant account access management. Email used as unique identifier.
PayPal gates SCIM behind Enterprise (Braintree). Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Braintree SCIM supports Microsoft Entra. Supports user deletion (unlike Okta). Group sync requires exact name matching with 'BT SANDBOX' or 'BT PRODUCTION' prefixes.
PayPal gates SCIM behind Enterprise (Braintree). Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
PayPal
PayPal gates SCIM behind Enterprise (Braintree) plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
