Summary and recommendation
BigID exposes a REST API at https://<your-bigid-host>/api/v1 covering full user lifecycle: create, read, update, disable, and delete. Authentication is credential-based session tokens - POST to /api/v1/sessions, then pass the returned auth_token directly as the Authorization header value. Note: some API versions do not use a 'Bearer' prefix; verify against your specific deployment.
SCIM is not publicly documented. There are no webhooks for user management events. Polling /api/v1/users is the only documented method for detecting changes.
Rate limits are not publicly disclosed; contact BigID support for enterprise-specific thresholds.
This API is the integration surface used by the Stitchflow MCP server with ~100 deep IT/identity integrations to automate provisioning, deprovisioning, and access reviews across BigID and connected systems.
API quick reference
| Has user API | Yes |
| Auth method | Session token (Bearer token obtained via login endpoint) |
| Base URL | Official docs |
| SCIM available | No |
| SCIM plan required | Enterprise |
Authentication
Auth method: Session token (Bearer token obtained via login endpoint)
Setup steps
- POST credentials (username + password) to /api/v1/sessions to obtain a session token.
- Include the token in subsequent requests as the Authorization header: 'Authorization:
'. - Tokens expire after a configured session timeout; re-authenticate to obtain a new token.
- For service accounts, create a dedicated user with appropriate roles and use its credentials programmatically.
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| id | string | Unique internal user identifier | auto-generated | immutable | MongoDB ObjectId format |
| name | string | Username / login name | required | optional | Used for login |
| firstName | string | User's first name | optional | optional | |
| lastName | string | User's last name | optional | optional | |
| string | User's email address | required | optional | ||
| password | string | User password (hashed at rest) | required for local users | optional | Not returned in GET responses |
| role | string | Assigned role name (e.g., Admin, Viewer) | required | optional | Controls permissions |
| isEnabled | boolean | Whether the user account is active | optional (default true) | optional | Set false to disable |
| origin | string | Authentication origin (e.g., local, saml) | optional | read-only | SAML users provisioned via IdP |
| createdAt | string (ISO 8601) | Timestamp of user creation | auto-generated | immutable | |
| updatedAt | string (ISO 8601) | Timestamp of last update | auto-generated | auto-updated |
Core endpoints
Authenticate / create session
- Method: POST
- URL:
/api/v1/sessions - Watch out for: Token is returned as auth_token; use it directly as the Authorization header value (no 'Bearer' prefix in some versions).
Request example
POST /api/v1/sessions
Content-Type: application/json
{
"username": "admin",
"password": "secret"
}
Response example
{
"auth_token": "eyJhbGci...",
"systemUser": "admin"
}
List users
- Method: GET
- URL:
/api/v1/users - Watch out for: Pagination uses skip/limit query params. Total count may be in a separate field.
Request example
GET /api/v1/users?skip=0&limit=50
Authorization: <auth_token>
Response example
{
"users": [
{"id": "abc123", "name": "jdoe", "email": "jdoe@example.com", "role": "Admin"}
],
"totalCount": 1
}
Get user by ID
- Method: GET
- URL:
/api/v1/users/{userId} - Watch out for: userId is the internal MongoDB ObjectId, not the username.
Request example
GET /api/v1/users/abc123
Authorization: <auth_token>
Response example
{
"id": "abc123",
"name": "jdoe",
"email": "jdoe@example.com",
"role": "Admin",
"isEnabled": true
}
Create user
- Method: POST
- URL:
/api/v1/users - Watch out for: Local user creation only; SAML users are provisioned via IdP and cannot be created via this endpoint.
Request example
POST /api/v1/users
Authorization: <auth_token>
Content-Type: application/json
{
"name": "jdoe",
"email": "jdoe@example.com",
"password": "P@ssw0rd",
"role": "Viewer"
}
Response example
{
"id": "def456",
"name": "jdoe",
"email": "jdoe@example.com",
"role": "Viewer"
}
Update user
- Method: PUT
- URL:
/api/v1/users/{userId} - Watch out for: Full PUT semantics may require sending all fields; partial updates behavior is not clearly documented.
Request example
PUT /api/v1/users/def456
Authorization: <auth_token>
Content-Type: application/json
{
"role": "Admin",
"isEnabled": true
}
Response example
{
"id": "def456",
"name": "jdoe",
"role": "Admin",
"isEnabled": true
}
Delete user
- Method: DELETE
- URL:
/api/v1/users/{userId} - Watch out for: Deletion is permanent. Disabling (isEnabled: false) is preferred for audit trail retention.
Request example
DELETE /api/v1/users/def456
Authorization: <auth_token>
Response example
{
"message": "User deleted successfully"
}
List roles
- Method: GET
- URL:
/api/v1/roles - Watch out for: Role names used in user create/update must exactly match names returned here.
Request example
GET /api/v1/roles
Authorization: <auth_token>
Response example
{
"roles": [
{"id": "r1", "name": "Admin"},
{"id": "r2", "name": "Viewer"}
]
}
Rate limits, pagination, and events
Rate limits: No publicly documented rate limits found in official BigID documentation.
Rate-limit headers: Unknown
Retry-After header: Unknown
Rate-limit notes: Rate limit details are not publicly disclosed. Contact BigID support for enterprise-specific limits.
Pagination method: offset
Default page size: 50
Max page size: Not documented
Pagination pointer: skip / limit
Webhooks available: No
Webhook notes: No publicly documented webhook or event-subscription system for user management events was found in BigID's official documentation.
Alternative event strategy: Poll the /api/v1/users endpoint periodically to detect changes, or use BigID's audit log API if available in your deployment.
SCIM API status
- SCIM available: No
- SCIM version: Not documented
- Plan required: Enterprise
- Endpoint: Not documented
Limitations:
- SCIM is not publicly documented by BigID.
- SAML SSO is supported (Okta, Entra ID) but automated SCIM provisioning is not confirmed.
- Contact BigID enterprise support to inquire about SCIM availability for your deployment.
Common scenarios
Three scenarios cover the majority of programmatic user management needs:
Provision a local user: POST /api/v1/sessions → GET /api/v1/roles (role name must exactly match) → POST /api/v1/users with name, email, password, and role → confirm via GET /api/v1/users/{newUserId}. SAML-origin users cannot be created through this endpoint.
Disable a departed employee: Authenticate → paginate /api/v1/users to locate userId by email → PUT /api/v1/users/{userId} with isEnabled: false → confirm. Prefer disable over DELETE to preserve audit history. For SAML users, also disable in the IdP to prevent re-provisioning on next login.
Bulk access review: Authenticate → GET /api/v1/users?skip=0&limit=50, record totalCount, iterate with increasing skip values → export id, name, email, role, isEnabled, and origin. No bulk export endpoint exists; pagination must be implemented manually.
Provision a new local user with a specific role
- POST /api/v1/sessions with admin credentials to obtain auth_token.
- GET /api/v1/roles to retrieve the exact role name/id needed.
- POST /api/v1/users with name, email, password, and role fields.
- Verify creation by GET /api/v1/users/{newUserId}.
Watch out for: Role name must exactly match the value returned by /api/v1/roles. SAML users cannot be created this way.
Disable a departed employee's account
- POST /api/v1/sessions to authenticate.
- GET /api/v1/users?skip=0&limit=100 and filter by email or name to find the userId.
- PUT /api/v1/users/{userId} with isEnabled: false to deactivate without deleting.
- Confirm with GET /api/v1/users/{userId} that isEnabled is false.
Watch out for: Prefer disabling over deleting to preserve audit history. For SAML users, also disable in the IdP to prevent re-provisioning on next login.
Bulk-list all users for an access review
- POST /api/v1/sessions to authenticate.
- GET /api/v1/users?skip=0&limit=50 and record totalCount.
- Iterate with increasing skip values (50, 100, 150...) until all users are retrieved.
- Export id, name, email, role, isEnabled, and origin fields for review.
Watch out for: There is no documented bulk export endpoint; pagination must be implemented manually. Large deployments may require many requests.
Why building this yourself is a trap
The session token model has no documented refresh mechanism - when a token expires, the service account must re-authenticate from scratch. This makes long-running automation jobs fragile without explicit retry and re-auth logic built in.
PUT /api/v1/users may require sending all fields (full replacement semantics); partial update behavior is not clearly documented, creating risk of accidentally overwriting role assignments or other fields. Always GET the current user object before issuing a PUT.
Base URL, available fields, and endpoint paths vary between BigID versions and between cloud and on-premises deployments. There is no fixed SaaS hostname. Any integration must be parameterized per deployment and validated against that instance's API documentation before running in production.
Automate BigID workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
