Summary and recommendation
Carta's public API is cap-table-centric, not user-management-centric. It exposes endpoints for securities, equity grants, and stakeholder records via OAuth 2.0, but does not offer a general directory or user-lifecycle API. Stakeholder objects represent equity holders and cannot be used to provision or deprovision Carta login accounts.
OAuth scopes are not publicly enumerated - scope requirements must be confirmed directly with Carta's developer or partner team, and API access itself may require a partnership agreement rather than self-service signup.
API quick reference
| Has user API | No |
| Auth method | OAuth 2.0 |
| Base URL | Official docs |
| SCIM available | No |
| SCIM plan required | Enterprise |
Authentication
Auth method: OAuth 2.0
Setup steps
- Register an application in the Carta Developer Portal to obtain a client_id and client_secret.
- Direct users through the OAuth 2.0 authorization code flow at Carta's authorization endpoint.
- Exchange the authorization code for an access token and refresh token.
- Include the access token as a Bearer token in the Authorization header of API requests.
User object / data model
User object field mapping is not yet verified for this app.
Core endpoints
Endpoint coverage is not yet verified for this app.
Rate limits, pagination, and events
Rate limits: Carta does not publicly document specific rate limit values in its developer docs.
Rate-limit headers: Unknown
Retry-After header: Unknown
Rate-limit notes: No publicly documented rate limits found. Contact Carta support for partner-level details.
Pagination method: cursor
Default page size: Not documented
Max page size: Not documented
Pagination pointer: Not documented
Webhooks available: No
Webhook notes: No publicly documented webhook system for user or stakeholder events found in Carta's developer docs.
Alternative event strategy: Polling the Carta API for stakeholder/equity changes is the only documented approach.
SCIM API status
- SCIM available: No
- SCIM version: Not documented
- Plan required: Enterprise
- Endpoint: Not documented
Limitations:
- Carta does not offer a publicly documented SCIM 2.0 endpoint as of early 2025.
- SSO via SAML 2.0 is available on the Scale plan (Okta, Entra ID), but automated user provisioning/deprovisioning via SCIM is not documented.
- User management within Carta is performed manually through the Carta UI or via cap-table-specific API objects (stakeholders), not a SCIM-compliant user API.
Common scenarios
Three scenarios cover the realistic integration surface. For SSO, Carta supports SAML 2.0 on the Scale plan with Okta and Entra ID; configuration is done through Carta Settings → Security → SSO using Carta's SP metadata, but SCIM provisioning is not available, so user add/remove remains manual post-SSO setup.
For cap table data access, the OAuth 2.0 authorization code flow yields an access token scoped to stakeholder and securities endpoints, with cursor-based pagination; this is read-oriented and cannot be used to manage login access.
For offboarding, there is no automated path - admins must deactivate the user in the Carta UI and separately in the IdP, and neither action alone is sufficient without SCIM.
Enable SSO for Carta on Scale plan
- Upgrade to the Carta Scale plan (500+ stakeholders, $67,200+/year).
- Navigate to Carta Settings > Security > SSO.
- Configure SAML 2.0 with your IdP (Okta or Entra ID) using Carta's SP metadata.
- Test SSO login and enforce SSO for all users via Carta's admin settings.
Watch out for: SCIM provisioning is not available; users must still be added/removed manually in Carta even after SSO is configured.
Access cap table stakeholder data via API
- Register an OAuth 2.0 application in the Carta Developer Portal.
- Complete the OAuth authorization code flow to obtain an access token.
- Call Carta's stakeholder/securities endpoints to read cap table data.
- Handle pagination using cursor parameters as documented.
Watch out for: Stakeholder records represent equity holders, not login users. This API cannot be used to create or deactivate Carta user accounts.
Manually offboard a departing employee in Carta
- Log in to Carta as an admin.
- Navigate to the stakeholder or team member record for the departing employee.
- Remove their access or update their role in the Carta UI.
- If SSO is enabled, also disable the user in your IdP to revoke SSO-based login.
Watch out for: Without SCIM, there is no automated deprovisioning. IdP deactivation alone does not remove Carta access if the user has a direct login.
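Because deprovisioning is manual, a periodic reconciliation of the IdP directory against the Carta user list is one way to catch accounts the offboarding steps above missed. The following is an added example, not Carta's or Stitchflow's code; the CSV exports, their column names (`email`, `status`, `role`, `login_method`) and the sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions for this example,
# not a documented Carta or IdP export format.
IDP_EXPORT = """email,status
alice@example.com,ACTIVE
bob@example.com,DEACTIVATED
carol@example.com,DEACTIVATED
dave@example.com,ACTIVE
"""

CARTA_EXPORT = """email,role,login_method
Alice@example.com,Admin,sso
bob@example.com,Viewer,sso
Carol@Example.com ,Editor,password
erin@example.com,Viewer,password
"""


def _rows(text):
    """Parse CSV text and key each row by a normalised email address."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        out[row["email"].strip().lower()] = {k: v.strip() for k, v in row.items()}
    return out


def find_offboarding_gaps(idp_csv, carta_csv):
    """Return Carta accounts that still need manual removal or review."""
    idp, carta = _rows(idp_csv), _rows(carta_csv)
    findings = []
    for email, acct in sorted(carta.items()):
        idp_status = idp.get(email, {}).get("status")
        direct = acct["login_method"] != "sso"  # hypothetical column value
        if idp_status is None:
            findings.append((email, "no IdP identity; review ownership"))
        elif idp_status != "ACTIVE" and direct:
            findings.append((email, "IdP disabled, direct login still works"))
        elif idp_status != "ACTIVE":
            findings.append((email, "IdP disabled, Carta account remains"))
    return findings


if __name__ == "__main__":
    for email, reason in find_offboarding_gaps(IDP_EXPORT, CARTA_EXPORT):
        print(f"{email}: {reason}")
```

Accounts flagged with a direct login are the priority, since disabling the IdP identity does not block them.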
Why building this yourself is a trap
The core integration trap is conflating cap table stakeholder records with user accounts. A stakeholder object reflects an equity position, not a login identity - writing to it does not affect who can authenticate into Carta.
Teams expecting to wire Carta into an IGA or HRIS workflow via API will find the surface too narrow without a dedicated integration layer.
The Stitchflow MCP server with ~100 deep IT/identity integrations is designed for exactly this gap: it handles user lifecycle orchestration that Carta's API does not expose, connecting IdP deactivation events to Carta manual-step workflows without requiring a custom-built polling workaround. Rate limits are also undocumented publicly, adding uncertainty to any production integration design.