Claude (Anthropic) User Management API Guide

Auth method: API Key (x-api-key header)

Setup steps

1. Log in to console.anthropic.com.
2. Navigate to Settings → API Keys.
3. Click 'Create Key', name it, and copy the generated key.
4. Pass the key in the request header: x-api-key: .
5. Also set the header anthropic-version: 2023-06-01 on all requests.

User object field mapping is not yet verified for this app.

Endpoint coverage is not yet verified for this app.

• Rate limits: Rate limits are enforced per API key and vary by plan tier and model. Limits are expressed in Requests Per Minute (RPM), Tokens Per Minute (TPM), and Tokens Per Day (TPD).
• Rate-limit headers: Yes
• Retry-After header: Yes
• Rate-limit notes: Rate limit headers returned: anthropic-ratelimit-requests-limit, anthropic-ratelimit-requests-remaining, anthropic-ratelimit-requests-reset, anthropic-ratelimit-tokens-limit, anthropic-ratelimit-tokens-remaining, anthropic-ratelimit-tokens-reset. On 429, retry-after header is also returned. Limits apply per model family.
• Pagination method: none
• Default page size: 0
• Max page size: 0
• Pagination pointer: Not documented

• Webhooks available: No
• Webhook notes: Anthropic does not offer webhooks for user-management or admin events via the public API as of the policy date.
• Alternative event strategy: Enterprise customers can use SCIM provisioning events via their IdP (Okta, Entra ID, Google Workspace) to track user lifecycle changes. Audit logs are available in the Enterprise admin console.

• SCIM available: Yes

• SCIM version: 2.0

• Plan required: Enterprise

• Endpoint: https://api.anthropic.com/scim/v2

• Supported operations: List Users (GET /Users), Get User (GET /Users/{id}), Create User (POST /Users), Update User (PUT /Users/{id}), Patch User (PATCH /Users/{id}), Deactivate/Delete User (DELETE /Users/{id}), List Groups (GET /Groups), Get Group (GET /Groups/{id}), Create Group (POST /Groups), Update Group (PUT /Groups/{id}), Patch Group (PATCH /Groups/{id}), Delete Group (DELETE /Groups/{id})

Limitations:

• Requires Enterprise plan; not available on Free, Pro, Team, or Max plans.
• SSO must be configured before SCIM can be enabled.
• Supported IdPs: Okta, Microsoft Entra ID (Azure AD), Google Workspace. OneLogin not officially listed.
• WorkOS powers the underlying SSO/SCIM infrastructure.
• SCIM token is generated in the Claude admin console under Security settings.
• Group-to-role mapping behavior may be limited; verify role assignment capabilities with Anthropic account team.
• SCIM endpoint URL and token must be obtained from the Claude Enterprise admin console, not the API developer console.

The three primary automation scenarios against Claude's SCIM endpoint follow standard SCIM 2.0 patterns, with Claude-specific prerequisites that must be sequenced correctly.

For Okta provisioning: SSO (SAML via WorkOS) must be fully operational before SCIM is enabled. Generate a SCIM bearer token in the Claude admin console under Security settings, configure the Okta SCIM app with base URL https://api.anthropic.com/scim/v2 and that token, then assign users. Okta issues POST /Users; Claude activates the account for SSO-based login with no separate password.

For deprovisioning: remove the user from the IdP app assignment. The IdP sends DELETE /Users/{id} or PATCH /Users/{id} with active=false - confirm which your IdP uses, as behavior differs. Verify deactivation status in the Claude admin console; data retention post-deprovisioning should be confirmed with Anthropic directly.

For group sync: push groups via POST /Groups. Group-to-role mapping behavior is not fully documented publicly; validate supported capabilities with the Anthropic account team before building automated role assignment into your identity graph.

Provision a new employee via Okta SCIM

1. Ensure Enterprise plan is active and SSO (SAML via WorkOS) is configured in Claude admin console.
2. In Claude admin console (claude.ai/settings/security), generate a SCIM bearer token and note the SCIM base URL.
3. In Okta, add the Claude SCIM app, enter the base URL (https://api.anthropic.com/scim/v2) and bearer token.
4. Assign the new employee to the Okta Claude app.
5. Okta sends POST /Users to the SCIM endpoint; Claude creates the user account.
6. User receives SSO-based login access; no separate password is set.

Watch out for: If SSO is not fully configured before SCIM is enabled, provisioning calls will fail. Verify SSO login works for at least one test user before enabling SCIM sync.

Deprovision a departing employee

1. Remove the departing employee from the Claude app assignment in the IdP (Okta/Entra/Google Workspace).
2. IdP sends DELETE /Users/{id} or PATCH /Users/{id} with active=false to the SCIM endpoint.
3. Claude deactivates the user's access immediately.
4. Verify in Claude admin console that the user's status shows as deactivated.

Watch out for: Confirm whether DELETE vs. PATCH (active=false) is used by your IdP - behavior may differ. Test with a non-critical account first.

Assign users to a Claude workspace group via SCIM

1. Create a group in the IdP that maps to a Claude workspace or role.
2. Push the group to Claude via POST /Groups with the desired members.
3. Verify group membership in Claude admin console.
4. Confirm role/permission mapping is configured as expected - contact Anthropic account team if group-to-role mapping is needed.

Watch out for: Group-to-role mapping capabilities in Claude's SCIM implementation are not fully documented publicly. Validate supported group behaviors with Anthropic before relying on automated role assignment.

The most common integration mistake is treating the inference API as a user-management surface - it is not. Developers building on api.anthropic.com/v1 will find zero endpoints for listing members, inviting users, or modifying roles; those operations do not exist in the public API.

A second trap is enabling SCIM before SSO is confirmed working. SCIM provisioning calls will fail silently or with opaque errors if the underlying WorkOS SSO configuration is incomplete. Test SSO login end-to-end with at least one account before activating directory sync.

For teams building an identity graph that includes Claude workspace membership, the only reliable programmatic surface is the SCIM 2.0 endpoint - and it is gated behind Enterprise plan and a correctly sequenced SSO setup.

There are no webhooks for user-management or admin events in the public API; IdP-side SCIM events and Enterprise audit logs are the only available signals for lifecycle state changes.