Summary and recommendation
Autodesk exposes a REST API at https://developer.api.autodesk.com using OAuth 2.0 client credentials flow. Core user lifecycle operations-list, get, create, update, deactivate, delete, and team assignment-are available as discrete endpoints.
SCIM 2.0 is also supported at https://scim.autodesk.com/v2, but requires the Business Success Plan and a configured SSO provider (Okta or Microsoft Entra ID) before any SCIM call will succeed.
Teams building on the Stitchflow MCP server with ~100 deep IT/identity integrations can treat Autodesk as a first-class node in a broader identity graph without standing up custom middleware.
API quick reference
| Has user API | Yes |
| Auth method | OAuth 2.0 with service account credentials |
| Base URL | Official docs |
| SCIM available | Yes |
| SCIM plan required | Business Success Plan |
Authentication
Auth method: OAuth 2.0 with service account credentials
Setup steps
- Register application in Autodesk Developer Console
- Generate client ID and client secret
- Request OAuth 2.0 token using client credentials flow
- Include Bearer token in Authorization header for API requests
Required scopes
| Scope | Description | Required for |
|---|---|---|
| user:read | Read user profile and account information | Retrieving user details |
| user:write | Modify user account settings and profile | Creating and updating users |
| organization:read | Read organization and team information | Listing teams and organizational structure |
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| id | string | Unique user identifier (UUID) | auto-generated | read-only | Immutable system identifier |
| string | User email address | required | mutable | Must be unique within organization | |
| firstName | string | User first name | optional | mutable | |
| lastName | string | User last name | optional | mutable | |
| status | string | User account status (active, inactive, pending) | optional | mutable | Controls login access |
| role | string | User role within organization (admin, user, viewer) | optional | mutable | Determines permission level |
| createdAt | timestamp | Account creation timestamp | auto-generated | read-only | ISO 8601 format |
| lastLogin | timestamp | Last successful login timestamp | auto-generated | read-only | Updated on each authentication |
Core endpoints
List users
- Method: GET
- URL:
/users - Watch out for: Pagination uses offset; max 100 per page
Request example
GET /users?limit=20&offset=0
Response example
{"data":[{"id":"user-123","email":"user@example.com","firstName":"John","status":"active"}],"pagination":{"total":150,"limit":20,"offset":0}}
Get user details
- Method: GET
- URL:
/users/{userId} - Watch out for: User ID is UUID format; case-sensitive
Request example
GET /users/user-123
Response example
{"id":"user-123","email":"user@example.com","firstName":"John","lastName":"Doe","status":"active","role":"user","createdAt":"2024-01-15T10:30:00Z"}
Create user
- Method: POST
- URL:
/users - Watch out for: Email must be unique; new users start in pending status until they accept invitation
Request example
{"email":"newuser@example.com","firstName":"Jane","lastName":"Smith","role":"user"}
Response example
{"id":"user-456","email":"newuser@example.com","firstName":"Jane","status":"pending","createdAt":"2024-02-20T14:22:00Z"}
Update user
- Method: PATCH
- URL:
/users/{userId} - Watch out for: Cannot update email via PATCH; use separate endpoint if supported
Request example
{"firstName":"John","role":"admin"}
Response example
{"id":"user-123","email":"user@example.com","firstName":"John","role":"admin","status":"active"}
Deactivate user
- Method: PATCH
- URL:
/users/{userId} - Watch out for: Deactivation is soft-delete; user data retained; cannot be reversed via API
Request example
{"status":"inactive"}
Response example
{"id":"user-123","status":"inactive","deactivatedAt":"2024-02-20T15:45:00Z"}
Delete user
- Method: DELETE
- URL:
/users/{userId} - Watch out for: Hard delete; irreversible; recommend deactivation instead for audit trails
Request example
DELETE /users/user-123
Response example
{"success":true,"message":"User deleted"}
List user teams
- Method: GET
- URL:
/users/{userId}/teams - Watch out for: Returns user's team memberships and roles within each team
Request example
GET /users/user-123/teams
Response example
{"data":[{"id":"team-789","name":"Design Team","role":"member"}]}
Assign user to team
- Method: POST
- URL:
/users/{userId}/teams - Watch out for: User must exist before team assignment; role options vary by team type
Request example
{"teamId":"team-789","role":"member"}
Response example
{"userId":"user-123","teamId":"team-789","role":"member","assignedAt":"2024-02-20T16:10:00Z"}
Rate limits, pagination, and events
- Rate limits: Rate limiting applies to API requests; specific limits vary by endpoint and plan tier
- Rate-limit headers: Yes
- Retry-After header: Yes
- Rate-limit notes: Check X-RateLimit-Remaining and X-RateLimit-Reset headers; implement exponential backoff for 429 responses
- Pagination method: offset
- Default page size: 20
- Max page size: 100
- Pagination pointer: limit
| Plan | Limit | Concurrent |
|---|---|---|
| Standard | 1000 requests per hour | 10 |
| Business | 5000 requests per hour | 50 |
- Webhooks available: Yes
- Webhook notes: Autodesk supports webhooks for user lifecycle events through Admin Center configuration
- Alternative event strategy: Poll user endpoints at regular intervals if webhooks unavailable
- Webhook events: user.created, user.updated, user.deactivated, user.deleted, user.invited, user.accepted_invitation
SCIM API status
SCIM available: Yes
SCIM version: 2.0
Plan required: Business Success Plan
Endpoint: https://scim.autodesk.com/v2
Supported operations: Create user (POST /Users), Read user (GET /Users/{id}), Update user (PATCH /Users/{id}), Delete user (DELETE /Users/{id}), List users (GET /Users), Create group (POST /Groups), Manage group membership
Limitations:
- Requires Business Success Plan subscription
- Requires SSO (Okta or Microsoft Entra ID) to be configured
- Group operations limited to directory-synced groups
- Custom attributes not fully supported
- Deprovisioning may require manual cleanup in some scenarios
Common scenarios
Three primary automation scenarios are well-supported by the API. First, Okta-to-Autodesk SCIM sync: provision users and groups from Okta with attribute mapping (email, firstName, lastName); note that sync is strictly one-way-changes made in Autodesk do not propagate back to Okta.
Second, programmatic user creation and team assignment via REST: POST to /users, then POST to /users/{userId}/teams once the user accepts their invitation-new users start in pending status and cannot be team-assigned until activated.
Third, bulk deactivation via iterated PATCH calls: no bulk endpoint exists, so large deactivation runs must be queued and rate-limit-aware (Standard: 1,000 req/hr. Business: 5,000 req/hr).
implement exponential backoff on 429 responses and monitor X-RateLimit-Remaining headers.
Sync users from Okta to Autodesk via SCIM
- Ensure Business Success Plan is active
- Configure Okta SCIM integration in Autodesk Admin Center
- Map Okta user attributes to Autodesk fields (email, firstName, lastName)
- Enable push provisioning in Okta app configuration
- Test with single user; monitor sync logs in Admin Center
- Enable full sync once validated
Watch out for: SCIM sync is one-way (Okta to Autodesk); changes in Autodesk not reflected back to Okta
Programmatically create and assign users to teams
- Authenticate with OAuth 2.0 service account credentials
- POST to /users with email, firstName, lastName
- Wait for user to accept invitation (check status field)
- POST to /users/{userId}/teams with teamId and role
- Verify team assignment via GET /users/{userId}/teams
Watch out for: New users start in pending status; cannot assign to teams until they accept invitation or admin activates them
Bulk deactivate users based on external criteria
- Query GET /users with filters (if supported) or retrieve all users
- Identify users matching deactivation criteria
- Iterate through users and PATCH status to inactive
- Log deactivation timestamps for audit trail
- Verify deactivation via GET /users/{userId}
Watch out for: No bulk endpoint; must call PATCH individually; rate limits apply; consider implementing queue for large batches
Why building this yourself is a trap
Several API behaviors create silent failure modes worth flagging explicitly. Deactivated users cannot be reactivated via API-restoration requires a support case, making accidental deactivation a high-cost error. Email is case-insensitive at login but case-sensitive in API responses, which can cause lookup mismatches in pipelines that normalize casing.
Pagination is offset-based with a maximum page size of 100 and no cursor support, making full-dataset traversal slow and fragile for large orgs. SCIM custom attributes are not fully supported, and deprovisioning via SCIM may require manual cleanup steps in some product configurations.
OAuth tokens expire and must be refreshed for any long-running automation; there is no burst allowance beyond the concurrent request caps (10 for Standard, 50 for Business).
Automate Autodesk workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
