Summary and recommendation
Adobe's User Management API (UMAPI) is a REST API authenticated via OAuth 2.0 Server-to-Server (client_credentials grant through Adobe IMS). JWT/Service Account credentials reached end-of-life on June 30, 2025 - all integrations must use the OAuth Server-to-Server flow. The base URL is https://usermanagement.adobe.io/v2/usermanagement.
Only a System Admin can create a UMAPI integration in the Adobe Developer Console; the option is grayed out for all other roles.
UMAPI is the programmatic complement to SCIM for orgs that cannot use Azure AD or Google Workspace sync, and it is the only supported API path for orgs running Okta or other IdPs. Stitchflow connects to Adobe via an MCP server with ~100 deep IT/identity integrations, handling token lifecycle, rate-limit backoff, and pagination automatically.
API quick reference
| Has user API | Yes |
| Auth method | OAuth 2.0 (Server-to-Server client_credentials grant via Adobe IMS) |
| Base URL | Official docs |
| SCIM available | Yes |
| SCIM plan required | Enterprise (custom pricing; Teams plan does NOT support SCIM) |
Authentication
Auth method: OAuth 2.0 (Server-to-Server client_credentials grant via Adobe IMS)
Setup steps
- Log in to Adobe Developer Console (developer.adobe.com/console) as a System Admin.
- Create a new Project and add the 'User Management API' service.
- Select 'OAuth Server-to-Server' as the credential type (JWT credentials are EOL as of June 30, 2025).
- Note the Client ID, Client Secret, and Organization ID from the credential page.
- Exchange credentials for an access token via POST to https://ims-na1.adobelogin.com/ims/token/v2 with grant_type=client_credentials, client_id, client_secret, and scope=openid,AdobeID,user_management_sdk.
- Pass the returned Bearer token in the Authorization header and Client ID in the x-api-key header on all UMAPI requests.
- Tokens are valid for 24 hours; previous tokens remain valid when new ones are issued (safe to overlap).
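The token exchange and header construction from the steps above, as an added Python example (not Adobe's or the page's own code). It assumes the IMS response carries the standard OAuth fields `access_token` and `expires_in`; the class name, the injectable `post` and `clock` parameters, and the one-hour renewal margin are illustrative choices.

```python
import json
import time
import urllib.parse
import urllib.request

IMS_TOKEN_URL = "https://ims-na1.adobelogin.com/ims/token/v2"
SCOPES = "openid,AdobeID,user_management_sdk"


def _post_form(url, fields):
    """Default transport: form-encoded POST, returns the parsed JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class UmapiToken:
    """Caches the IMS access token and renews it before the 24-hour expiry."""

    def __init__(self, client_id, client_secret, post=_post_form,
                 clock=time.time, renew_margin=3600):
        self._client_id = client_id
        self._secret = client_secret      # kept out of repr() and log output
        self._post, self._clock = post, clock
        self._margin = renew_margin       # assumption: renew one hour early
        self._token, self._expires_at = None, 0.0

    def __repr__(self):
        return f"UmapiToken(client_id={self._client_id!r}, secret=<redacted>)"

    def headers(self):
        """Headers every UMAPI request needs: Bearer token plus x-api-key."""
        if self._token is None or self._clock() >= self._expires_at - self._margin:
            body = self._post(IMS_TOKEN_URL, {
                "grant_type": "client_credentials",
                "client_id": self._client_id,
                "client_secret": self._secret,
                "scope": SCOPES,
            })
            self._token = body["access_token"]
            # expires_in is in seconds; fall back to the documented 24 hours.
            self._expires_at = self._clock() + int(body.get("expires_in", 86400))
        return {"Authorization": f"Bearer {self._token}",
                "x-api-key": self._client_id}
```

Because earlier tokens stay valid after a new one is issued, renewing early does not interrupt requests already in flight.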
Required scopes
| Scope | Description | Required for |
|---|---|---|
| user_management_sdk | Grants access to the User Management API (UMAPI) endpoints for reading and writing user/group data. | All UMAPI calls (list users, create/update/delete users, manage group memberships) |
| openid | Standard OpenID Connect scope required by Adobe IMS token endpoint. | Token generation |
| AdobeID | Identifies the calling application to Adobe IMS. | Token generation |
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| id | string | Unique Adobe-assigned user identifier (UUID). | system-generated | immutable | Used to identify a user in GET /users/{orgId}/{email} responses. |
| email | string | User's email address; primary identifier for AdobeID and Enterprise ID users. | required | updatable for Enterprise/Federated ID only | Case-insensitive. For AdobeID users, email is the login identity managed by Adobe. |
| username | string | Username for Enterprise and Federated ID users. Defaults to email for AdobeID users. | optional | updatable for Federated ID | For most AdobeID users this equals the email address. |
| firstname | string | User's first name. | optional (required for Federated ID in some configurations) | updatable for Enterprise/Federated ID | Not updatable for AdobeID (managed by user/Adobe). |
| lastname | string | User's last name. | optional | updatable for Enterprise/Federated ID | Not updatable for AdobeID. |
| country | string | ISO 3166-1 alpha-2 country code. | required for Federated ID; optional for others | updatable for Enterprise/Federated ID | Must be a valid 2-letter country code. |
| domain | string | The domain associated with the user's identity. | system-derived | immutable | Reflects the claimed/trusted domain in the Admin Console. |
| type | string (enum) | Identity type: adobeID, enterpriseID, federatedID, or unknown. | required (determines which create action to use) | immutable | Determines which action command to use: addAdobeID, createEnterpriseID, or createFederatedID. |
| status | string | Account status: active or disabled. | system-set to active | managed via remove/add actions | For Azure-synced users, status reflects Azure AD account state (Active/Disabled). |
| groups | string[] | List of user group and product profile names the user belongs to. | not set at creation; managed via separate add action | managed via add/remove actions in POST /action | By default returns all groups (direct and indirect). Use directOnly=true query param to return only direct memberships. |
| adminRoles | string[] (deprecated) | Deprecated field; admin roles are now reflected in group memberships. | n/a | n/a | Do not rely on this field; use groups field instead. |
Core endpoints
List all users (paged)
- Method: GET
- URL: https://usermanagement.adobe.io/v2/usermanagement/users/{orgId}/{page}
- Watch out for: Max 2000 users per page. Iterate pages until lastPage=true. Rate limit: 25 req/min per client.
Request example
curl -X GET https://usermanagement.adobe.io/v2/usermanagement/users/12345@AdobeOrg/0 \
-H 'Authorization: Bearer {token}' \
-H 'X-Api-Key: {clientId}'
Response example
{
"lastPage": false,
"result": "success",
"users": [
{"id":"abc","email":"user@co.com","firstname":"Jane",
"lastname":"Doe","type":"enterpriseID",
"status":"active","groups":["CC All Apps"]}
]
}
Get single user by email
- Method: GET
- URL: https://usermanagement.adobe.io/v2/usermanagement/users/{orgId}/{email}
- Watch out for: Email parameter is case-insensitive. Returns 404 if user not found in the org.
Request example
curl -X GET https://usermanagement.adobe.io/v2/usermanagement/users/12345@AdobeOrg/user@co.com \
-H 'Authorization: Bearer {token}' \
-H 'X-Api-Key: {clientId}'
Response example
{
"result": "success",
"user": {
"id": "abc123",
"email": "user@co.com",
"type": "enterpriseID",
"status": "active"
}
}
Create/update/delete user (Action API)
- Method: POST
- URL: https://usermanagement.adobe.io/v2/usermanagement/action/{orgId}
- Watch out for: A single POST can include commands for multiple users. Rate limit: 10 req/min per client. Use testOnly=true query param to validate commands without making changes.
Request example
curl -X POST https://usermanagement.adobe.io/v2/usermanagement/action/12345@AdobeOrg \
-H 'Authorization: Bearer {token}' \
-H 'X-Api-Key: {clientId}' \
-H 'Content-Type: application/json' \
-d '[{"user":"user@co.com","do":[{"createEnterpriseID":{"email":"user@co.com","firstname":"Jane","lastname":"Doe","country":"US"}}]}]'
Response example
{
"result": "success",
"completed": 1,
"notCompleted": 0,
"completedInTestMode": 0
}
Add user to product profile / user group
- Method: POST
- URL: https://usermanagement.adobe.io/v2/usermanagement/action/{orgId}
- Watch out for: Product access is granted via product profile membership, not directly. Profile names must exactly match names in Admin Console.
Request example
[
{
"user": "user@co.com",
"do": [{
"add": {
"product": [{"productConfiguration": "CC All Apps"}]
}
}]
}
]
Response example
{
"result": "success",
"completed": 1,
"notCompleted": 0
}
Remove user from org (or delete)
- Method: POST
- URL: https://usermanagement.adobe.io/v2/usermanagement/action/{orgId}
- Watch out for: remove:org removes from org but does not delete the account. For Enterprise IDs, use delete action to permanently delete. AdobeID accounts cannot be deleted via API.
Request example
[
{
"user": "user@co.com",
"do": [{"remove": "org"}]
}
]
Response example
{
"result": "success",
"completed": 1,
"notCompleted": 0
}
List groups and product profiles
- Method: GET
- URL: https://usermanagement.adobe.io/v2/usermanagement/groups/{orgId}/{page}
- Watch out for: Rate limit: 5 req/min per client (lowest of all UMAPI endpoints). Returns user groups, product profiles, and admin groups.
Request example
curl -X GET https://usermanagement.adobe.io/v2/usermanagement/groups/12345@AdobeOrg/0 \
-H 'Authorization: Bearer {token}' \
-H 'X-Api-Key: {clientId}'
Response example
{
"lastPage": true,
"result": "success",
"groups": [
{"type":"PRODUCT_PROFILE","groupName":"CC All Apps",
"memberCount":42,"productName":"Creative Cloud"}
]
}
List users in a product profile or group
- Method: GET
- URL: https://usermanagement.adobe.io/v2/usermanagement/users/{orgId}/{page}/{groupName}
- Watch out for: Group name must be URL-encoded. Rate limit: 25 req/min per client.
Request example
curl -X GET 'https://usermanagement.adobe.io/v2/usermanagement/users/12345@AdobeOrg/0/CC%20All%20Apps' \
-H 'Authorization: Bearer {token}' \
-H 'X-Api-Key: {clientId}'
Response example
{
"lastPage": true,
"result": "success",
"users": [
{"id":"abc","email":"user@co.com","userType":"enterpriseID"}
]
}
Manage user groups (create/update/delete)
- Method: POST
- URL: https://usermanagement.adobe.io/v2/usermanagement/action/{orgId}
- Watch out for: Uses the usergroup root command (not user). Cannot assign or remove the _org_admin role via UMAPI.
Request example
[
{
"usergroup": "My Group",
"do": [{"createUserGroup":{"description":"Marketing team"}}]
}
]
Response example
{
"result": "success",
"completed": 1,
"notCompleted": 0
}
Rate limits, pagination, and events
- Rate limits: Per-endpoint throttling enforced by Adobe IMS. GET /users: 25 req/min per client, 100 req/min global. POST /action: 10 req/min per client, 100 req/min global. GET /groups: 5 req/min per client. Exceeding limits returns HTTP 429 with a Retry-After header. Adobe recommends running sync jobs no more than once every 2 hours.
- Rate-limit headers: No
- Retry-After header: Yes
- Rate-limit notes: The Retry-After header in 429 responses specifies seconds to wait before retrying. Global limits are shared across all clients; you cannot rely solely on your own call rate. Adobe added frequency controls in October 2021 that throttle clients running more frequently than every 2 hours, potentially blocking for 30–75 minutes.
- Pagination method: offset
- Default page size: 200
- Max page size: 2000
- Pagination pointer: page (zero-indexed integer in URL path, e.g. /users/{orgId}/{page})
| Plan | Limit | Concurrent |
|---|---|---|
| All enterprise plans (single tier) | GET users: 25 req/min per client / 100 req/min global; POST action: 10 req/min per client / 100 req/min global; GET groups: 5 req/min per client | 0 |
- Webhooks available: No
- Webhook notes: The Adobe User Management API (UMAPI) does not publish user lifecycle events (create/update/delete) as webhooks. Adobe I/O Events (developer.adobe.com/events) provides a webhook/journaling framework for other Adobe products (AEM, Experience Platform, Acrobat Sign), but no UMAPI-specific user provisioning event types are documented.
- Alternative event strategy: Poll the UMAPI GET /users endpoint on a scheduled basis (recommended no more than once every 2 hours). For Acrobat Sign-specific user events, Acrobat Sign has its own webhook system. Adobe I/O Events Journaling API can be used to collect events for supported products over a time window.
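The polling strategy above depends on walking every page and honoring Retry-After. This added Python example (not Adobe's or the page's own code) shows one way to do that and fails closed rather than returning a partial roster. The function names, the injectable `get` and `sleep` parameters, the retry cap and the 60-second fallback are assumptions.

```python
import json
import time
import urllib.error
import urllib.request

BASE = "https://usermanagement.adobe.io/v2/usermanagement"


def http_get(url, headers):
    """Default transport: returns (status, response headers, parsed body)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), None


def list_all_users(org_id, headers, get=http_get, sleep=time.sleep,
                   max_retries=5, max_pages=10000):
    """Walk /users/{orgId}/{page} from page 0 until lastPage is true."""
    users, page, retries = [], 0, 0
    while page < max_pages:
        status, resp_headers, body = get(f"{BASE}/users/{org_id}/{page}", headers)
        if status == 429:
            retries += 1
            if retries > max_retries:
                raise RuntimeError(f"still throttled on page {page}")
            # Retry-After is in seconds; 60 is an assumed fallback if absent.
            lowered = {k.lower(): v for k, v in resp_headers.items()}
            sleep(int(lowered.get("retry-after", "60")))
            continue  # retry the same page, do not skip it
        if status != 200 or body.get("result") != "success":
            # Fail closed: a partial listing must not pass for the full roster.
            raise RuntimeError(f"page {page} failed with HTTP {status}")
        retries = 0
        users.extend(body.get("users", []))
        if body.get("lastPage") is True:
            return users
        page += 1
    raise RuntimeError("lastPage never reported; refusing to return a partial list")
```

An offboarding check that compares this list against a leaver list is only sound if the list is complete, which is why every error path raises instead of returning what was collected so far.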
SCIM API status
SCIM available: Yes
SCIM version: 2.0
Plan required: Enterprise (custom pricing; Teams plan does NOT support SCIM)
Endpoint: Obtained from Adobe Admin Console > Settings > Identity > [Directory] > Sync tab (unique per org; not a fixed public URL)
Supported operations: Create user (POST /Users), Update user attributes (PATCH /Users/{id}), Deactivate/remove user (DELETE or PATCH active=false /Users/{id}), List users (GET /Users), Push groups/OUs as user group assignments
Limitations:
- SCIM provisioning is only supported from Azure AD (Microsoft Entra) and Google Workspace - Okta, OneLogin, and other IdPs are NOT supported natively.
- SSO (federated directory) must be configured before SCIM can be enabled.
- Cannot assign or remove product licenses via SCIM - only user creation and removal are handled; license assignment requires manual Admin Console action or UMAPI.
- Azure AD sync cycles are fixed at approximately every 40 minutes and cannot be accelerated from the Adobe side.
- SCIM cannot be used simultaneously with the User Sync Tool or UMAPI for the same directory - you must pause/remove the other integration first.
- SCIM only manages the primary (owning) Admin Console; trustee consoles in a trust relationship must use UMAPI, CSV, or User Sync Tool.
- Google Workspace SCIM sync supports OUs but not Groups for license assignment mapping.
Common scenarios
Three scenarios cover the majority of UMAPI automation use cases. Provisioning a new Federated ID user requires a POST to /action/{orgId} with a createFederatedID command, followed by a separate add.product action to assign the target product profile - product access is never granted directly, only via profile membership, and profile names must exactly match Admin Console strings.
Deprovisioning uses remove:org to remove a user from the org without deleting the account; for Enterprise IDs, a subsequent delete action permanently removes the account, but AdobeID accounts cannot be deleted via API under any circumstances.
Bulk sync via the open-source User Sync Tool (Python CLI) wraps UMAPI calls against an LDAP/AD source and must be scheduled no more frequently than once every two hours - Adobe's frequency throttle introduced in October 2021 can block a client for 30–75 minutes if that threshold is exceeded.
Critical constraint across all three scenarios: if Azure Sync or Google Sync is active on a directory, UMAPI writes to that directory are blocked; the sync process owns user management exclusively.
Provision a new Federated ID user and assign a product profile
- Obtain an OAuth 2.0 access token via POST to https://ims-na1.adobelogin.com/ims/token/v2 with scope=openid,AdobeID,user_management_sdk.
- POST to /action/{orgId} with a createFederatedID command including email, firstname, lastname, country.
- In the same or a subsequent POST to /action/{orgId}, use the add.product action to add the user to the target product profile (e.g., 'CC All Apps').
- Verify by GET /users/{orgId}/{email} and confirm groups field includes the product profile.
Watch out for: The domain used in the email must be a claimed/trusted domain in your Admin Console. If the domain belongs to another org, you will receive error.user.belongs_to_another_org. Also, if Azure/Google Sync is active on the directory, UMAPI writes will be blocked.
Deprovision a user (offboarding)
- POST to /action/{orgId} with a remove action targeting the user's email and specifying remove:org to remove from the organization.
- For Enterprise IDs, optionally follow with a delete action to permanently delete the account.
- Verify removal by attempting GET /users/{orgId}/{email} - should return 404 or empty result.
Watch out for: remove:org only removes the user from the org; it does not delete the account. AdobeID accounts cannot be deleted via API. If SCIM sync is active, deprovisioning must be done from the IdP (Azure AD or Google Workspace), not via UMAPI.
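The offboarding steps above, as an added Python example (not Adobe's or the page's own code): it batches remove:org commands, validates them with testOnly=true before applying, and reports which accounts still exist afterwards. The function names and the injected `post(url, json_text)` transport are hypothetical, and it assumes a test-mode run reports its count in `completedInTestMode`.

```python
import json

ACTION_URL = "https://usermanagement.adobe.io/v2/usermanagement/action/{org}"


def plan_offboarding(users):
    """Turn user records (as returned by GET /users) into remove:org commands."""
    commands, residual, seen = [], [], set()
    for u in users:
        email = u["email"].lower()        # UMAPI treats email case-insensitively
        if email in seen:
            continue                      # one command per account
        seen.add(email)
        commands.append({"user": email, "do": [{"remove": "org"}]})
        # remove:org never deletes the account, so record what is left behind.
        if u.get("type") == "adobeID":
            residual.append((email, "AdobeID account cannot be deleted via API"))
        elif u.get("type") == "enterpriseID":
            residual.append((email, "needs a follow-up delete action"))
        else:
            residual.append((email, "account still exists outside the org"))
    return commands, residual


def submit(org_id, commands, post, dry_run=True):
    """POST the batch; with dry_run, testOnly=true validates without changes."""
    url = ACTION_URL.format(org=org_id) + ("?testOnly=true" if dry_run else "")
    body = post(url, json.dumps(commands))
    done = body.get("completedInTestMode" if dry_run else "completed", 0)
    if (body.get("result") != "success" or body.get("notCompleted", 0)
            or done != len(commands)):
        raise RuntimeError(f"offboarding batch not fully applied: {body}")
    return done


def offboard(org_id, users, post):
    """Dry-run first, then apply; raises before any change if validation fails."""
    commands, residual = plan_offboarding(users)
    submit(org_id, commands, post, dry_run=True)
    applied = submit(org_id, commands, post, dry_run=False)
    return applied, residual
```

Treat any non-empty `residual` list as follow-up work for the offboarding ticket, since those identities remain valid outside the org.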
Bulk-sync users from an external directory using User Sync Tool
- Create a UMAPI integration (OAuth Server-to-Server) in Adobe Developer Console.
- Install the User Sync Tool (open-source Python CLI) and configure connector-umapi.yml with Client ID, Client Secret, and Org ID.
- Configure user-sync-config.yml to map LDAP/AD attributes to Adobe user fields and define group-to-product-profile mappings.
- Run user-sync on a schedule (recommended: no more than once every 2 hours) to sync creates, updates, and removals.
- Monitor logs for 429 throttle errors and adjust schedule if needed.
Watch out for: Do not run User Sync Tool if Azure Sync or Google Sync is active on the same directory - they conflict. Running more frequently than every 2 hours triggers Adobe's frequency throttle, which can block the client for 30–75 minutes.
Why building this yourself is a trap
UMAPI has several non-obvious failure modes that cause silent or hard-to-diagnose errors in automation pipelines.
Rate limits are endpoint-specific and asymmetric: GET /groups is capped at 5 req/min per client - the most restrictive of any endpoint - while POST /action is 10 req/min and GET /users is 25 req/min; the global limit of 100 req/min is shared across all clients in the org, so a concurrent integration can exhaust your budget.
The _org_admin role cannot be assigned or removed via UMAPI and must be managed in the Admin Console UI. SCIM and UMAPI cannot operate on the same directory simultaneously - enabling one requires disabling the other, and SCIM itself is restricted to Azure AD and Google Workspace only, with no Okta support.
Webhooks are not available on UMAPI; Adobe I/O Events does not publish user lifecycle event types for UMAPI, so any real-time offboarding trigger must be implemented via scheduled polling. The tags field in user response objects was removed as of October 16, 2025, which is a silent breaking change for any integration parsing that field.