Datto User Management API Guide

Auth method: API Key (public key + secret key pair passed via HTTP Basic Auth or custom header depending on product; Datto RMM uses OAuth 2.0 client credentials for API token generation)

Setup steps

1. Log in to the Datto RMM portal as an administrator.
2. Navigate to Setup > API Configuration to generate an API key pair (public key and secret key).
3. For RMM API v2: POST credentials to the token endpoint (https://.centrastage.net/auth/oauth/token) using client_credentials grant to obtain a Bearer token.
4. Include the Bearer token in the Authorization header for all subsequent API requests.
5. For BCDR/Partner Portal APIs: obtain API credentials from the Datto Partner Portal under account settings.

Required scopes

List Users (RMM Accounts/Users)

• Method: GET
• URL: https://<platform>.centrastage.net/api/v2/account/users
• Watch out for: The platform subdomain varies by region (e.g., pinotage, merlot, zinfandel). Use the subdomain matching your RMM portal URL.

Request example

GET /api/v2/account/users?page=1&pageSize=100
Authorization: Bearer <token>

Response example

{
  "pageDetails": {"page":1,"pageSize":100,"count":12},
  "users": [
    {"uid":"abc123","email":"user@example.com","role":"Admin"}
  ]
}

Get User by UID

• Method: GET
• URL: https://<platform>.centrastage.net/api/v2/account/user/{userUid}
• Watch out for: Returns 404 if the UID does not exist in the authenticated account context.

Request example

GET /api/v2/account/user/abc123
Authorization: Bearer <token>

Response example

{
  "uid": "abc123",
  "email": "user@example.com",
  "firstName": "Jane",
  "lastName": "Doe",
  "role": "Technician",
  "enabled": true
}

Create User

• Method: POST
• URL: https://<platform>.centrastage.net/api/v2/account/user
• Watch out for: User receives an email invitation to set their password. The account must have available user seats.

Request example

POST /api/v2/account/user
Authorization: Bearer <token>
Content-Type: application/json
{
  "email":"newuser@example.com",
  "firstName":"John",
  "lastName":"Smith",
  "role":"Technician"
}

Response example

{
  "uid": "def456",
  "email": "newuser@example.com",
  "role": "Technician",
  "enabled": true
}

Update User

• Method: PUT
• URL: https://<platform>.centrastage.net/api/v2/account/user/{userUid}
• Watch out for: Full object replacement semantics (PUT). Omitting fields may reset them to defaults.

Request example

PUT /api/v2/account/user/def456
Authorization: Bearer <token>
Content-Type: application/json
{
  "role": "Admin",
  "enabled": true
}

Response example

{
  "uid": "def456",
  "role": "Admin",
  "enabled": true
}

Delete User

• Method: DELETE
• URL: https://<platform>.centrastage.net/api/v2/account/user/{userUid}
• Watch out for: Deletion is permanent. Consider disabling (enabled: false) instead for audit trail retention.

Request example

DELETE /api/v2/account/user/def456
Authorization: Bearer <token>

Response example

HTTP 204 No Content

Get OAuth Token (RMM)

• Method: POST
• URL: https://<platform>.centrastage.net/auth/oauth/token
• Watch out for: Token expires in 4 hours (14400 seconds). Implement token refresh logic before expiry.

Request example

POST /auth/oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=<publicKey>
&client_secret=<secretKey>

Response example

{
  "access_token": "eyJ...",
  "token_type": "bearer",
  "expires_in": 14400
}

List Sites (for user-site scoping)

• Method: GET
• URL: https://<platform>.centrastage.net/api/v2/account/sites
• Watch out for: Site UIDs are needed to scope technician user permissions to specific client sites.

Request example

GET /api/v2/account/sites?page=1&pageSize=100
Authorization: Bearer <token>

Response example

{
  "sites": [
    {"uid":"site001","name":"Client A","description":"Main site"}
  ]
}

• Rate limits: Datto RMM API enforces rate limits per API key. Limits vary by platform tier. Requests exceeding limits return HTTP 429.
• Rate-limit headers: Yes
• Retry-After header: Yes
• Rate-limit notes: HTTP 429 is returned when rate limit is exceeded. Retry-After header indicates wait time. Exact limits for BCDR and Partner Portal APIs are not publicly documented.
• Pagination method: offset
• Default page size: 100
• Max page size: 250
• Pagination pointer: page / pageSize

• Webhooks available: No
• Webhook notes: Datto RMM does not expose a native webhook system for user-management events via the public API. Alert-based webhooks exist for device/monitoring events but not user lifecycle events.
• Alternative event strategy: Poll the /account/users endpoint periodically to detect user changes. For identity lifecycle events, use SCIM provisioning via Okta.

• SCIM available: Yes

• SCIM version: 2.0

• Plan required: Enterprise/Partner (requires SSO prerequisite; SCIM is configured via Okta integration for Datto Partner Portal)

• Endpoint: Provisioned via Okta SCIM connector; Datto-specific SCIM base URL provided during Okta app configuration in the Partner Portal

• Supported operations: Create User, Update User, Deactivate User, List Users

Limitations:

• SCIM is available for the Datto Partner Portal only; not confirmed for RMM or BCDR products independently.
• Requires SAML SSO to be configured and active before SCIM provisioning can be enabled.
• Group provisioning support is not confirmed in official documentation.
• SCIM endpoint URL is not publicly documented; obtained from Datto Partner Portal during Okta app setup.
• Entra ID (Azure AD) SCIM support is not officially documented; Okta is the confirmed IdP.
• Custom pricing/Enterprise agreement required; not available on standard MSP tiers.

Three scenarios cover the primary identity lifecycle operations.

To provision a new RMM technician: POST to /auth/oauth/token for a Bearer token, POST to /api/v2/account/user with role=Technician, then retrieve site UIDs via GET /api/v2/account/sites to apply site-level scoping - the invited user must complete email activation before login, which the API cannot bypass.

To deprovision via SCIM (Partner Portal only): SAML SSO must be active, SCIM must be configured in Okta using the portal-provided URL and token, and the user must have been originally provisioned via SCIM - manually created accounts are not linked to the SCIM identity and require manual deactivation.

To audit active RMM users: paginate GET /api/v2/account/users with pageSize=250, filter on enabled=true, and implement exponential backoff for 429 responses on large accounts.

Building an accurate identity graph across all Datto products requires separate authenticated sessions per product surface, since no unified user directory or cross-product API exists.

Provision a new technician user in Datto RMM

1. POST to /auth/oauth/token with client_credentials to obtain Bearer token.
2. POST to /api/v2/account/user with email, firstName, lastName, and role=Technician.
3. Capture the returned uid for future reference.
4. If site-scoping is needed, retrieve site UIDs via GET /api/v2/account/sites and associate via user update.
5. User receives email invitation to activate their account.

Watch out for: The invited user must complete email activation before they can log in. API does not bypass the invitation flow.

Deprovision a departed employee via SCIM (Partner Portal)

1. Ensure SAML SSO is active for the Datto Partner Portal.
2. Configure SCIM provisioning in Okta using the Datto Partner Portal SCIM URL and token from the portal.
3. In Okta, unassign the user from the Datto Partner Portal application.
4. Okta sends a SCIM PATCH (active: false) or DELETE to Datto, deactivating the user.
5. Verify deactivation in the Datto Partner Portal admin console.

Watch out for: SCIM deprovisioning only works if the user was originally provisioned via SCIM. Manually created users may not be linked to the SCIM identity and must be deactivated manually.

Audit all active RMM users across an account

1. Authenticate via POST /auth/oauth/token to get Bearer token.
2. GET /api/v2/account/users?page=1&pageSize=250 and iterate pages using pageDetails.count to determine total.
3. Filter results where enabled=true.
4. For each user, optionally GET /api/v2/account/user/{uid} for full detail including role and site associations.
5. Export results for compliance review.

Watch out for: Max pageSize is 250. Large accounts with many users require multiple paginated requests. Hitting rate limits (429) during bulk reads requires exponential backoff.

The most common integration mistake is treating Datto as a single API target. SCIM is confirmed only for the Partner Portal via Okta; applying SCIM-based deprovisioning logic to RMM or BCDR is unsupported and will silently fail to revoke access.

PUT semantics on the Update User endpoint perform full object replacement - omitting fields resets them to defaults, which can silently strip role or site-scope assignments. MSPs managing multiple client accounts must re-authenticate per account context; there is no multi-tenant API surface.

Finally, the December 2025 transition to Committed Minimum Quantity pricing may affect API access tiers under existing contracts, and Kaseya acquisition-related documentation drift means some official references now redirect to Kaseya developer resources rather than Datto-native docs.