Summary and recommendation
Cribl Stream exposes a REST API at `https://<cribl-instance>/api/v1` for full user lifecycle management.
Authentication uses Bearer tokens generated in Settings > Access > API Tokens;
OAuth 2.0/OIDC is supported for UI login but API calls require the Bearer token pattern.
Token scope is set at creation time - ensure the token's assigned role covers the operations you intend to run.
All API responses wrap results in an `items` array, including single-object lookups (e.g., `GET /api/v1/users/{id}`).
Pagination is not documented for user endpoints;
large deployments will receive all users in a single payload, so callers should handle potentially unbounded response sizes.
The base URL varies by deployment type: self-hosted instances use the instance hostname;
Cribl.Cloud tenants use a cloud-specific tenant URL.
Always verify endpoint availability against your deployment type, as Cribl.Cloud may enforce different API access controls than self-hosted.
API quick reference
| Has user API | Yes |
| Auth method | Bearer token (API token generated in Cribl UI; OAuth 2.0 / OIDC also supported for UI login but API calls use Bearer tokens) |
| Base URL | Official docs |
| SCIM available | No |
| SCIM plan required | N/A |
Authentication
Auth method: Bearer token (API token generated in Cribl UI; OAuth 2.0 / OIDC also supported for UI login but API calls use Bearer tokens)
Setup steps
- Log in to the Cribl Stream UI as an admin.
- Navigate to Settings > Access > API Tokens.
- Create a new API token and assign appropriate roles/scopes.
- Copy the generated token.
- Include the token in API requests as: Authorization: Bearer
Required scopes
| Scope | Description | Required for |
|---|---|---|
| admin | Full administrative access including user management. | Create, update, delete users |
| read | Read-only access to resources. | List and get users |
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| id | string | Unique identifier for the user. | auto-generated | immutable | Used as path parameter for get/update/delete. |
| username | string | The login username. | required | optional | Must be unique within the instance. |
| first | string | User's first name. | optional | optional | |
| last | string | User's last name. | optional | optional | |
| string | User's email address. | optional | optional | ||
| roles | array of strings | List of role IDs assigned to the user. | required | optional | Roles control access permissions. Built-in roles include admin, read, write. |
| password | string | User's password (local auth only). | required for local auth | optional | Not returned in GET responses. |
| disabled | boolean | Whether the user account is disabled. | optional | optional | Defaults to false. |
Core endpoints
List all users
- Method: GET
- URL:
/api/v1/users - Watch out for: Returns all users in a single response; no pagination parameters documented.
Request example
GET /api/v1/users
Authorization: Bearer <token>
Response example
{
"items": [
{"id":"user1","username":"alice","roles":["admin"]}
],
"count": 1
}
Get a specific user
- Method: GET
- URL:
/api/v1/users/{id} - Watch out for: Response is wrapped in an 'items' array even for single-user lookups.
Request example
GET /api/v1/users/user1
Authorization: Bearer <token>
Response example
{
"items": [
{"id":"user1","username":"alice","roles":["admin"],"email":"alice@example.com"}
]
}
Create a user
- Method: POST
- URL:
/api/v1/users - Watch out for: Password is required for local authentication users. Roles array must reference valid role IDs.
Request example
POST /api/v1/users
Authorization: Bearer <token>
Content-Type: application/json
{"username":"bob","password":"s3cr3t","roles":["read"]}
Response example
{
"items": [
{"id":"user2","username":"bob","roles":["read"]}
]
}
Update a user
- Method: PATCH
- URL:
/api/v1/users/{id} - Watch out for: Only fields included in the request body are updated.
Request example
PATCH /api/v1/users/user2
Authorization: Bearer <token>
Content-Type: application/json
{"roles":["admin"]}
Response example
{
"items": [
{"id":"user2","username":"bob","roles":["admin"]}
]
}
Delete a user
- Method: DELETE
- URL:
/api/v1/users/{id} - Watch out for: Deleting the last admin user may lock out API access. No soft-delete; action is permanent.
Request example
DELETE /api/v1/users/user2
Authorization: Bearer <token>
Response example
{
"items": [
{"id":"user2"}
]
}
List roles
- Method: GET
- URL:
/api/v1/roles - Watch out for: Role IDs returned here are what must be passed in the 'roles' field when creating/updating users.
Request example
GET /api/v1/roles
Authorization: Bearer <token>
Response example
{
"items": [
{"id":"admin","title":"Admin"},
{"id":"read","title":"Read Only"}
]
}
Rate limits, pagination, and events
Rate limits: Cribl's official documentation does not explicitly publish rate limit values or tiers for the REST API.
Rate-limit headers: No
Retry-After header: No
Rate-limit notes: No rate limit specifications found in official docs. Contact Cribl support for enterprise rate limit details.
Pagination method: none
Default page size: 0
Max page size: 0
Pagination pointer: Not documented
Webhooks available: No
Webhook notes: Cribl Stream does not document native outbound webhooks for user-management events.
Alternative event strategy: Use Cribl's notification system or poll the /api/v1/users endpoint for change detection.
SCIM API status
- SCIM available: No
- SCIM version: Not documented
- Plan required: N/A
- Endpoint: Not documented
Limitations:
- SCIM provisioning is not documented as a native feature of Cribl Stream.
- User provisioning must be done via the REST API or manually through the UI.
Common scenarios
Three core automation scenarios are well-supported by the API.
First, provisioning a read-only user: call GET /api/v1/roles to retrieve valid role IDs, then POST /api/v1/users with username, password, and roles:["<read-role-id>"].
Password is required for local auth users;
SSO-provisioned users may not need it.
Second, elevating a user to Admin: GET /api/v1/users to find the target id, then PATCH /api/v1/users/{id} with {"roles":["admin"]}.
Critical caveat: the PATCH replaces the entire roles array - include all desired roles in the payload or existing roles will be dropped.
Third, deprovisioning a departed user: locate the user via GET /api/v1/users, optionally soft-disable with PATCH /api/v1/users/{id} using {"disabled": true}, then hard-delete with DELETE /api/v1/users/{id}.
Deletion is permanent and immediate with no soft-delete at the API level.
Avoid deleting the last Admin account - doing so may lock out all API access.
Provision a new read-only user
- GET /api/v1/roles to retrieve valid role IDs and confirm the 'read' role ID.
- POST /api/v1/users with username, password, and roles:["read"] in the request body.
- Capture the returned user 'id' for future reference.
- Optionally PATCH /api/v1/users/{id} to add email or name fields.
Watch out for: If using SSO/OIDC, password may not be required but local auth users must have a password set at creation.
Elevate a user to admin
- GET /api/v1/users to find the target user's 'id'.
- PATCH /api/v1/users/{id} with body {"roles":["admin"]}.
- Verify the change with GET /api/v1/users/{id}.
Watch out for: Replacing the roles array overwrites existing roles; include all desired roles in the PATCH payload.
Deprovision a departed user
- GET /api/v1/users to locate the user by username and retrieve their 'id'.
- Optionally PATCH /api/v1/users/{id} with {"disabled": true} to disable without deleting.
- DELETE /api/v1/users/{id} to permanently remove the user.
Watch out for: Deletion is permanent and immediate. Consider disabling first to allow audit review before hard deletion.
Why building this yourself is a trap
The most significant integration risk is the SSO re-provisioning loop: if an IdP is still active, a user deleted from Cribl's local store can be re-created automatically on next SSO login.
Any identity graph built on top of Cribl's /api/v1/users endpoint must account for this - a user's absence from the API response does not guarantee they cannot re-authenticate.
Rate limits are undocumented. Cribl's official API reference does not publish rate limit values, tiers, or rate-limit response headers. Automated pipelines polling /api/v1/users for change detection should implement conservative retry logic and back-off, and should contact Cribl support for enterprise-specific limits before building high-frequency integrations.
SCIM is not available. User provisioning must go through the REST API or the UI - there is no SCIM endpoint to target from an IdP or identity orchestration layer.
Teams building automated joiner-mover-leaver workflows against Cribl must own the full provisioning logic, including role resolution via GET /api/v1/roles and explicit disabled flag management for soft-offboarding.
Automate Cribl workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
