Summary and recommendation
Five9 exposes two distinct API surfaces for user management. The primary admin interface is a SOAP-based Configuration Web Services API (WSDL at https://api.five9.com/wsadmin/v12/AdminWebService?wsdl), authenticated via HTTP Basic Auth using Domain Administrator credentials.
A SCIM 2.0 REST interface is available at https://api.five9.com/scim/v2, authenticated with a long-lived static Bearer token generated in the Five9 Admin console; this token does not auto-rotate and must be manually regenerated if compromised, which immediately breaks all IdP integrations until updated.
SCIM is gated behind both an Enterprise plan (Optimum or Ultimate tier) and an active SAML 2.0 SSO configuration. Neither gate is optional: provisioning users via SCIM without SSO enabled results in accounts that exist in Five9 but cannot authenticate.
The identity graph between your IdP, Five9 SCIM users, and Five9 Circles (the proprietary skill-assignment layer) must be mapped and validated before any bulk provisioning run.
Rate limits for both the Configuration API and SCIM endpoint are not publicly documented. Five9 recommends event-driven patterns over polling; concurrent admin session limits exist per domain but thresholds are undisclosed. Implement retry logic with exponential backoff for any batch operation.
API quick reference
| Has user API | Yes |
| Auth method | Basic Auth (username/password) for Configuration Web Services SOAP API; Bearer token (API key) for REST endpoints; SAML 2.0 for SSO; SCIM uses long-lived Bearer token generated in Five9 Admin console. |
| Base URL | Official docs |
| SCIM available | Yes |
| SCIM plan required | Enterprise (Optimum or Ultimate tier; $199–$299/agent/month) |
Authentication
Auth method: Basic Auth (username/password) for Configuration Web Services SOAP API; Bearer token (API key) for REST endpoints; SAML 2.0 for SSO; SCIM uses long-lived Bearer token generated in Five9 Admin console.
Setup steps
- Log in to Five9 VCC Admin application as a Domain Administrator.
- For SOAP/REST Configuration API: use a dedicated admin account username and password as HTTP Basic Auth credentials.
- For SCIM: navigate to Admin > Identity > SCIM Settings, enable SCIM 2.0, and generate a Bearer token.
- Copy the generated SCIM Bearer token and configure it in your IdP (Okta, Entra ID) as the API token.
- For SSO: configure SAML 2.0 IdP metadata in Five9 Admin under Identity > SSO Settings before enabling SCIM.
Required scopes
| Scope | Description | Required for |
|---|---|---|
| Domain Administrator role | Full administrative access to the Five9 domain; required for Configuration API user management calls. | Create, update, delete agents/supervisors via Configuration API |
| SCIM Bearer Token | Long-lived token generated in Five9 Admin console; scoped to SCIM provisioning operations only. | SCIM 2.0 user provisioning and deprovisioning |
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| userName | string | Unique username / login for the agent or supervisor (typically email format). | required | optional | Used as the SCIM userName attribute; maps to Five9 agent login. |
| firstName | string | Agent's first name. | required | optional | Maps to SCIM name.givenName. |
| lastName | string | Agent's last name. | required | optional | Maps to SCIM name.familyName. |
| string | Primary email address of the user. | required | optional | Used for notifications and SSO matching. | |
| password | string | Initial password for the user account. | required (non-SSO) | optional | Not applicable when SSO is enforced. |
| active | boolean | Whether the user account is active (enabled) or disabled. | optional (defaults true) | optional | SCIM active=false triggers account disable/deprovision. |
| roles | array |
Assigned roles such as Agent, Supervisor, Administrator. | required | optional | At least one role must be assigned. |
| skills | array | Skills assigned to the agent with proficiency level. | optional | optional | Can be managed via Circles in Identity Service 2.0 for automated assignment. |
| agentGroups | array |
Agent groups the user belongs to. | optional | optional | Group membership can drive skill assignment via Circles. |
| extension | string | Internal phone extension for the agent. | optional | optional | |
| federationId | string | SSO federation identifier linking the Five9 user to the IdP identity. | optional | optional | Required when SAML SSO is enabled; typically the IdP user's email or NameID. |
| locale | string | User locale/language preference (e.g., en_US). | optional | optional | |
| timeZone | string | User's time zone setting. | optional | optional | |
| id | string | Five9-assigned unique identifier for the user (SCIM id). | system-generated | read-only | Returned by Five9 on create; used as the SCIM resource id. |
| externalId | string | External identifier from the provisioning source (IdP). | optional | optional | Set by IdP during SCIM provisioning for correlation. |
Core endpoints
List Users (SCIM)
- Method: GET
- URL:
https://api.five9.com/scim/v2/Users - Watch out for: Filter support is limited; not all SCIM filter operators may be supported. Verify supported filters in Five9 Identity Service docs.
Request example
GET /scim/v2/Users?filter=userName+eq+"jdoe@example.com"
Authorization: Bearer {scim_token}
Accept: application/scim+json
Response example
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"totalResults": 1,
"Resources": [{
"id": "abc123",
"userName": "jdoe@example.com",
"active": true
}]
}
Create User (SCIM)
- Method: POST
- URL:
https://api.five9.com/scim/v2/Users - Watch out for: SCIM provisioning requires Enterprise plan and SAML SSO to be configured first. Users created via SCIM without SSO enabled may not be able to log in.
Request example
POST /scim/v2/Users
Authorization: Bearer {scim_token}
Content-Type: application/scim+json
{
"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName":"jdoe@example.com",
"name":{"givenName":"Jane","familyName":"Doe"},
"active":true
}
Response example
{
"id": "abc123",
"userName": "jdoe@example.com",
"active": true,
"meta": {"resourceType": "User"}
}
Update User (SCIM PATCH)
- Method: PATCH
- URL:
https://api.five9.com/scim/v2/Users/{id} - Watch out for: Setting active=false disables the agent but does not delete the account. A separate DELETE is required for full deprovisioning.
Request example
PATCH /scim/v2/Users/abc123
Authorization: Bearer {scim_token}
Content-Type: application/scim+json
{
"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations":[{"op":"replace","path":"active","value":false}]
}
Response example
{
"id": "abc123",
"userName": "jdoe@example.com",
"active": false
}
Delete User (SCIM)
- Method: DELETE
- URL:
https://api.five9.com/scim/v2/Users/{id} - Watch out for: Deleting a user removes them from the Five9 domain. Historical reporting data associated with the agent may be affected. Consider disabling (active=false) instead of deleting for audit retention.
Request example
DELETE /scim/v2/Users/abc123
Authorization: Bearer {scim_token}
Response example
HTTP 204 No Content
Get User by ID (SCIM)
- Method: GET
- URL:
https://api.five9.com/scim/v2/Users/{id}
Request example
GET /scim/v2/Users/abc123
Authorization: Bearer {scim_token}
Accept: application/scim+json
Response example
{
"id": "abc123",
"userName": "jdoe@example.com",
"name": {"givenName":"Jane","familyName":"Doe"},
"active": true
}
Create Agent (Configuration SOAP API)
- Method: POST
- URL:
https://api.five9.com/wsadmin/v12/AdminWebService - Watch out for: The Configuration API is SOAP-based (WSDL-driven). REST wrappers may be available in newer API versions but SOAP remains the primary interface for admin operations.
Request example
SOAPAction: createAgent
<createAgent>
<agentInfo>
<userName>jdoe@example.com</userName>
<firstName>Jane</firstName>
<lastName>Doe</lastName>
<password>Temp@1234</password>
<roles><role>Agent</role></roles>
</agentInfo>
</createAgent>
Response example
<createAgentResponse>
<return>true</return>
</createAgentResponse>
List Groups (SCIM)
- Method: GET
- URL:
https://api.five9.com/scim/v2/Groups - Watch out for: Five9 Circles (skill-group mappings) are managed separately from SCIM Groups. SCIM Groups map to Five9 Agent Groups, not directly to skill assignments.
Request example
GET /scim/v2/Groups
Authorization: Bearer {scim_token}
Accept: application/scim+json
Response example
{
"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"totalResults": 2,
"Resources":[{"id":"grp1","displayName":"Sales Team"}]
}
Update Group Membership (SCIM PATCH)
- Method: PATCH
- URL:
https://api.five9.com/scim/v2/Groups/{id} - Watch out for: Adding a user to a group linked to a Circle will trigger automated skill assignment. Verify Circle configuration before bulk group updates.
Request example
PATCH /scim/v2/Groups/grp1
Authorization: Bearer {scim_token}
Content-Type: application/scim+json
{
"Operations":[{"op":"add","path":"members",
"value":[{"value":"abc123"}]}]
}
Response example
HTTP 204 No Content
Rate limits, pagination, and events
- Rate limits: Five9 does not publicly document specific rate limit thresholds for the Configuration API. Concurrent session limits apply per domain.
- Rate-limit headers: No
- Retry-After header: No
- Rate-limit notes: Five9 recommends avoiding high-frequency polling; use event-driven patterns where possible. Concurrent admin API sessions per domain may be limited. Contact Five9 support for specific limits.
- Pagination method: none
- Default page size: 0
- Max page size: 0
- Pagination pointer: Not documented
| Plan | Limit | Concurrent |
|---|---|---|
| All plans (Configuration API) | Not publicly documented | 0 |
| Enterprise (SCIM) | Not publicly documented | 0 |
- Webhooks available: No
- Webhook notes: Five9 does not publicly document outbound webhooks for user lifecycle events (create, update, delete). Event-driven user management is handled via inbound SCIM provisioning from an IdP.
- Alternative event strategy: Use IdP-driven SCIM provisioning (Okta, Entra ID) to push user lifecycle events into Five9. For call/interaction events, Five9 offers a Statistics API and Supervisor REST API for polling.
SCIM API status
SCIM available: Yes
SCIM version: 2.0
Plan required: Enterprise (Optimum or Ultimate tier; $199–$299/agent/month)
Endpoint: https://api.five9.com/scim/v2
Supported operations: GET /Users, GET /Users/{id}, POST /Users, PUT /Users/{id}, PATCH /Users/{id}, DELETE /Users/{id}, GET /Groups, GET /Groups/{id}, POST /Groups, PATCH /Groups/{id}, DELETE /Groups/{id}
Limitations:
- Requires SAML 2.0 SSO to be configured and enabled before SCIM can be activated.
- Enterprise plan required; not available on Digital, Core, or Premium tiers.
- SCIM Bearer token is a long-lived static token; rotation requires manual regeneration in Five9 Admin console.
- Circles (automated skill assignment via group membership) must be configured separately in Five9 Admin; not managed via SCIM schema extensions.
- SCIM filter operator support may be limited compared to full RFC 7644 specification.
- Pagination behavior for large user sets is not fully documented publicly.
Common scenarios
The three primary automation scenarios each carry distinct caveats. For IdP-driven provisioning (e.
g. , Okta SCIM), the sequence is: validate SSO, enable SCIM in Five9 Admin, generate Bearer token, configure SCIM app in Okta with base URL https://api.five9.com/scim/v2, map attributes (userName → email, givenName, familyName, active), then assign users.
Circles for automated skill assignment must be configured separately in Five9 Admin - they are not exposed via standard SCIM schema extensions and will not self-configure from group membership alone.
For offboarding, prefer PATCH /scim/v2/Users/{id} with active=false over DELETE. A DELETE removes the agent record from Five9 and may affect historical reporting and call recording associations; this is irreversible. Confirm no active sessions are in progress before issuing either operation.
For bulk creation via the Configuration SOAP API, each agent requires an individual createAgent call - there is no batch operation. Skill assignments require a separate addAgentSkill call per agent. The WSDL version (v12 as of last documentation) and base URL may vary by domain region (US vs. EU); verify the correct endpoint for your deployment before scripting.
Provision new agent via Okta SCIM
- Confirm Five9 Enterprise plan is active and SAML SSO is configured with Okta as IdP.
- In Five9 Admin, navigate to Identity > SCIM Settings, enable SCIM 2.0, and generate Bearer token.
- In Okta, add the Five9 SCIM app, set SCIM base URL to https://api.five9.com/scim/v2, and paste the Bearer token.
- Map Okta profile attributes to Five9 SCIM attributes (userName → email, givenName, familyName, active).
- Assign the Okta app to the user or group; Okta pushes POST /scim/v2/Users to Five9.
- Verify user appears in Five9 Admin with correct role; configure Circles in Five9 Admin to auto-assign skills based on group membership.
Watch out for: If SSO is not fully configured before enabling SCIM, provisioned users will exist in Five9 but cannot authenticate. Always validate SSO login before enabling SCIM provisioning.
Deprovision agent when employee offboards
- In Okta (or Entra ID), deactivate or remove the user from the Five9 SCIM app assignment.
- IdP sends PATCH /scim/v2/Users/{id} with active=false to Five9, disabling the account.
- Optionally, IdP sends DELETE /scim/v2/Users/{id} for full removal if configured.
- Verify in Five9 Admin that the agent status shows as inactive/disabled.
- Confirm active calls or sessions are not in progress before deletion to avoid disruption.
Watch out for: Prefer PATCH active=false over DELETE to preserve historical reporting data. Deletion is irreversible and removes the agent record from Five9.
Bulk create agents via Configuration SOAP API
- Obtain WSDL from https://api.five9.com/wsadmin/v12/AdminWebService?wsdl.
- Authenticate using Domain Administrator credentials via HTTP Basic Auth.
- For each agent, call the createAgent SOAP operation with required fields: userName, firstName, lastName, password, roles.
- Assign skills by calling addAgentSkill or equivalent operation per agent.
- Handle SOAP faults for duplicate usernames or invalid role assignments.
- Validate created agents in Five9 Admin console.
Watch out for: The SOAP API does not support bulk operations in a single request. Each agent requires an individual createAgent call. For large batches, implement retry logic and respect any undocumented concurrent session limits.
Why building this yourself is a trap
The most consequential trap in the Five9 API surface is the SCIM/SSO dependency ordering. Teams that enable SCIM before fully validating SAML SSO will provision users who cannot log in - and the failure mode is silent from the IdP's perspective, since the SCIM POST returns success.
The identity graph must be verified end-to-end (IdP → SCIM → Five9 login) on a test account before any production provisioning.
The static SCIM Bearer token is a second operational risk. Because it is a single domain-scoped token with no automatic expiry, a rotation event (whether forced by a security incident or routine hygiene) requires coordinated updates across every IdP integration simultaneously. There is no token versioning or grace period.
Finally, the SOAP-first architecture of the Configuration API means that REST tooling assumptions (JSON payloads, standard HTTP status codes, predictable pagination) do not apply. The SCIM endpoint is REST/JSON, but full user management - including skill assignment - still requires SOAP calls.
Any integration that assumes a unified REST surface will need to maintain two separate client implementations.
Automate Five9 workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
