Summary and recommendation
Darktrace exposes a REST API, but it is scoped to threat intelligence, device queries, and model breach data - not user lifecycle management.
No publicly documented endpoints exist for creating, updating, or deprovisioning users.
API documentation is fully gated behind the Darktrace Customer Portal and requires an active support contract to access.
Authentication appears to use HMAC-based token signing (public token + private token per request), based on community references to the Darktrace API guide, but this cannot be independently verified from open sources.
API quick reference
| Field | Value |
| --- | --- |
| Has user API | No |
| Auth method | HMAC-based token authentication (public token + private token used to generate a per-request HMAC signature) - confirmed in community references to the Darktrace API guide, but not independently verifiable from public docs |
| SCIM available | No |
| SCIM plan required | N/A |
Authentication
Auth method: HMAC-based token authentication (public token + private token used to generate a per-request HMAC signature) - confirmed in community references to the Darktrace API guide, but not independently verifiable from public docs
User object / data model
User object field mapping is not yet verified for this app.
Core endpoints
Endpoint coverage is not yet verified for this app.
Rate limits, pagination, and events
Rate limits: Not documented
Rate-limit headers: No
Retry-After header: No
Rate-limit notes: Not documented
Pagination method: none
Default page size: 0
Max page size: 0
Pagination pointer: Not documented
Webhooks available: No
Webhook notes: No publicly documented webhook system for user-management events has been found in official Darktrace documentation.
Alternative event strategy: Darktrace supports alerting integrations (e.g., email, syslog, SIEM connectors) for security events, but these are not user-management webhooks.
SCIM API status
- SCIM available: No
- SCIM version: Not documented
- Plan required: N/A
- Endpoint: Not documented
Limitations:
- No SCIM 2.0 support documented in any publicly accessible official source.
- No IdP (Okta, Entra ID, Google Workspace, OneLogin) SCIM connector for Darktrace found in official app catalogs.
Common scenarios
No supported API scenarios for user provisioning or deprovisioning have been verified.
Darktrace does not appear in major IdP app catalogs - including the Okta Integration Network and Microsoft Entra Gallery - with SCIM provisioning support as of the policy date.
There are no documented webhooks for user-management events; alerting integrations (email, syslog, SIEM connectors) exist for security events only and are not a substitute.
Any identity graph reconciliation against Darktrace user state would require manual portal access or a vendor-negotiated custom integration, not a standard API call.
Scenario implementations are not yet verified for this app.
Why building this yourself is a trap
The core API trap with Darktrace is assuming the REST API surface covers identity operations because it covers security data operations - it does not. HMAC signature generation details are only available in the non-public API guide, meaning community references may be outdated or incomplete.
No SCIM 2.0 support is documented in any publicly accessible official source, and no IdP SCIM connector for Darktrace has been found in official app catalogs. For teams building an identity graph that requires authoritative, API-driven user state from every connected application, Darktrace represents a gap that cannot currently be closed through standard integration patterns.