Summary and recommendation
Lacework exposes a REST API at https://<account>.lacework.net/api/v2 using short-lived Bearer tokens obtained by exchanging a keyId and secret via POST /api/v2/access/tokens.
Tokens expire (default 1 hour); automation pipelines must implement refresh logic.
The base URL is tenant-specific - substitute your account subdomain before scripting.
Org-level user management (TeamMembers endpoints) requires an org-scoped API key; account-level keys will not surface org-wide user data.
Lacework does not publish numeric rate limits in official documentation; contact support before building high-frequency polling loops.
For identity graph use cases, the user object's `accounts` array is the key field: it enumerates every sub-account a user can access along with their `userRoles` per account, enabling you to reconstruct a full cross-account access map from a single GET /api/v2/TeamMembers response.
The `orgAdmin` and `orgUser` boolean fields on the top-level object distinguish org-level privilege from account-level membership.
There is no SCIM endpoint; IdP-driven provisioning via Okta or Azure AD requires a custom integration against the TeamMembers REST API.
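The cross-account access map described above, as an added example that is not Lacework's own code: it flattens a TeamMembers payload into user -> sub-account -> roles, keeps the org-level flags separate, and normalises flags that come back as 1/0 (userEnabled) alongside true/false ones. The response is constructed sample data shaped after the field descriptions on this page, not a captured API response.

```python
def as_bool(value):
    """Lacework returns 1/0 for some flags and true/false for others; accept both."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true")

def build_access_map(team_members_response):
    """Map each username to org-level flags, enabled state, and
    {accountName: set(userRoles)} built from the user's accounts array."""
    access = {}
    for user in team_members_response.get("data", []):
        entry = {
            "org_admin": as_bool(user.get("orgAdmin", False)),
            "org_user": as_bool(user.get("orgUser", False)),
            "enabled": as_bool(user.get("userEnabled", 0)),
            "accounts": {},
        }
        for acct in user.get("accounts", []):
            roles = entry["accounts"].setdefault(acct["accountName"], set())
            roles.update(acct.get("userRoles", []))
        access[user["username"]] = entry
    return access

def account_admins(access_map, account_name):
    """Enabled users holding ADMIN on one sub-account (org-level flags aside)."""
    return sorted(u for u, e in access_map.items()
                  if e["enabled"] and "ADMIN" in e["accounts"].get(account_name, ()))

def org_admins(access_map):
    """Enabled users carrying organization-level admin privilege."""
    return sorted(u for u, e in access_map.items() if e["enabled"] and e["org_admin"])

SAMPLE_TEAM_MEMBERS = {"data": [  # constructed sample, not a captured response
    {"username": "jane@example.com", "orgAdmin": True, "orgUser": True, "userEnabled": 1,
     "accounts": [{"accountName": "prod", "userRoles": ["ADMIN"]}]},
    {"username": "john@example.com", "orgAdmin": False, "orgUser": True, "userEnabled": 1,
     "accounts": [{"accountName": "prod", "userRoles": ["USER"]},
                  {"accountName": "dev", "userRoles": ["ADMIN"]}]},
    {"username": "left@example.com", "orgAdmin": False, "orgUser": True, "userEnabled": 0,
     "accounts": [{"accountName": "dev", "userRoles": ["ADMIN"]}]},
]}
```

Disabled users are dropped from the admin views on purpose: a deprovisioned account that still carries ADMIN in its accounts array should not count as live privilege.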
API quick reference
| Item | Value |
|---|---|
| Has user API | Yes |
| Auth method | Bearer token (short-lived JWT access token obtained via key ID + secret exchange) |
| Base URL | https://<account>.lacework.net/api/v2 (tenant-specific; see official docs) |
| SCIM available | No |
| SCIM plan required | N/A |
Authentication
Auth method: Bearer token (short-lived JWT access token obtained via key ID + secret exchange)
Setup steps
- In the Lacework console, navigate to Settings > API Keys and create an API key (downloads a JSON file containing keyId and secret).
- POST to https://<account>.lacework.net/api/v2/access/tokens with the keyId and secret in the request body to receive a short-lived access token.
- Include the token in subsequent requests as the Authorization header: 'Authorization: Bearer <token>'.
- Tokens expire (typically 1 hour); re-authenticate by repeating step 2.
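The refresh logic the steps above call for, as an added example rather than Lacework's SDK: a small token cache that re-exchanges the key a configurable margin before expiresAt. The HTTP call and the clock are injected so it runs offline; `post_json(url, headers, body)` is an assumed callable, and the value sent in X-LW-UAKS is supplied by the caller (the request example on this page shows the keyId there).

```python
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://{account}.lacework.net/api/v2/access/tokens"

def parse_expires_at(value):
    """Parse the 'expiresAt' timestamp ('2024-01-01T01:00:00Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

class LaceworkTokenManager:
    """Caches the Bearer token and re-exchanges the API key before it expires."""
    def __init__(self, account, key_id, uaks_value, post_json,
                 expiry_seconds=3600, skew_seconds=120, clock=None):
        self.url = TOKEN_URL.format(account=account)
        self.key_id = key_id
        self.uaks_value = uaks_value        # sent as X-LW-UAKS (page's example shows keyId)
        self.post_json = post_json          # assumed: callable(url, headers, body) -> dict
        self.expiry_seconds = expiry_seconds
        self.skew = timedelta(seconds=skew_seconds)   # refresh this long before expiry
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.token, self.expires_at, self.exchanges = None, None, 0

    def _exchange(self):
        headers = {"X-LW-UAKS": self.uaks_value, "Content-Type": "application/json"}
        body = {"keyId": self.key_id, "expiryTime": self.expiry_seconds}
        resp = self.post_json(self.url, headers, body)
        self.token = resp["token"]
        self.expires_at = parse_expires_at(resp["expiresAt"])
        self.exchanges += 1

    def get_token(self):
        """Return a token that stays valid for at least `skew`; refresh otherwise."""
        if self.token is None or self.clock() + self.skew >= self.expires_at:
            self._exchange()
        return self.token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.get_token()}"}

def make_fake_token_endpoint(clock):
    """Constructed offline stand-in for POST /access/tokens: each call issues a
    fresh token that expires expiryTime seconds after the injected clock."""
    counter = {"n": 0}
    def post_json(url, headers, body):
        assert url.endswith("/api/v2/access/tokens") and "X-LW-UAKS" in headers
        counter["n"] += 1
        expires = clock() + timedelta(seconds=body["expiryTime"])
        return {"token": f"jwt-{counter['n']}",
                "expiresAt": expires.strftime("%Y-%m-%dT%H:%M:%SZ")}
    return post_json
```

Call `auth_header()` on every request rather than storing the token once; that is what keeps a long-running poller from sending a token that expired mid-loop.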
Required scopes
| Scope | Description | Required for |
|---|---|---|
| Account Admin | Full administrative access including user creation, update, and deletion. | POST /UserGroups, DELETE /UserGroups, user role assignments |
| Account User (read-only) | Read access to user profile and account information. | GET /UserProfile |
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| username | string | The user's email address used as their login username. | required | immutable | Must be a valid email address; serves as unique identifier. |
| orgAdmin | boolean | Whether the user has organization-level admin privileges. | optional | updatable | Only applicable in organization-level accounts. |
| orgUser | boolean | Whether the user is an organization-level user. | optional | updatable | Mutually exclusive with orgAdmin in some contexts. |
| accounts | array | List of sub-account objects the user has access to, each containing accountName and userRoles. | optional | updatable | Used in organization-level account structures. |
| userRoles | array | Roles assigned to the user within an account (e.g., ADMIN, USER). | optional | updatable | Valid values include 'ADMIN' and 'USER'. |
| url | string | The Lacework account URL associated with the user profile. | system-generated | read-only | Returned in GET responses; not settable. |
Core endpoints
Get current user profile
- Method: GET
- URL: https://<account>.lacework.net/api/v2/UserProfile
- Watch out for: Returns the profile of the authenticated API key owner, not an arbitrary user. Cannot query other users' profiles via this endpoint.
Request example
GET /api/v2/UserProfile
Authorization: Bearer <token>
Response example
{
"data": [{
"username": "user@example.com",
"orgAdmin": false,
"orgUser": true,
"accounts": [{"accountName": "myaccount", "admin": true}]
}]
}
Get access token
- Method: POST
- URL: https://<account>.lacework.net/api/v2/access/tokens
- Watch out for: The keyId must also be passed as the X-LW-UAKS header. Token lifetime is configurable via expiryTime (seconds) but capped by platform policy.
Request example
POST /api/v2/access/tokens
X-LW-UAKS: <keyId>
Content-Type: application/json
{"keyId": "<keyId>", "expiryTime": 3600}
Response example
{
"token": "<jwt_access_token>",
"expiresAt": "2024-01-01T01:00:00Z"
}
List all API keys
- Method: GET
- URL: https://<account>.lacework.net/api/v2/ApiKeys
- Watch out for: Requires Account Admin role. Returns API keys for the account, not end-user accounts.
Request example
GET /api/v2/ApiKeys
Authorization: Bearer <token>
Response example
{
"data": [{
"keyId": "LACEWORK_ABC123",
"enabled": 1,
"props": {"description": "CI key"}
}]
}
Create API key
- Method: POST
- URL: https://<account>.lacework.net/api/v2/ApiKeys
- Watch out for: The secret is only returned at creation time. Store it immediately; it cannot be retrieved again.
Request example
POST /api/v2/ApiKeys
Authorization: Bearer <token>
{"enabled": 1, "props": {"description": "Automation key"}}
Response example
{
"data": {
"keyId": "LACEWORK_XYZ789",
"secret": "<secret_value>",
"enabled": 1
}
}
Update API key (enable/disable)
- Method: PATCH
- URL: https://<account>.lacework.net/api/v2/ApiKeys/{keyId}
- Watch out for: Disabling a key immediately invalidates all tokens issued from it.
Request example
PATCH /api/v2/ApiKeys/LACEWORK_XYZ789
Authorization: Bearer <token>
{"enabled": 0}
Response example
{
"data": {
"keyId": "LACEWORK_XYZ789",
"enabled": 0
}
}
Delete API key
- Method: DELETE
- URL: https://<account>.lacework.net/api/v2/ApiKeys/{keyId}
- Watch out for: Deletion is permanent and immediately revokes all associated tokens.
Request example
DELETE /api/v2/ApiKeys/LACEWORK_XYZ789
Authorization: Bearer <token>
Response example
HTTP 204 No Content
List team members (org-level)
- Method: GET
- URL: https://<account>.lacework.net/api/v2/TeamMembers
- Watch out for: This endpoint is available at the organization level. At the standalone account level, user management may differ. Requires Admin role.
Request example
GET /api/v2/TeamMembers
Authorization: Bearer <token>
Response example
{
"data": [{
"username": "user@example.com",
"userEnabled": 1,
"props": {"firstName": "Jane", "lastName": "Doe"}
}]
}
Create team member (org-level)
- Method: POST
- URL: https://<account>.lacework.net/api/v2/TeamMembers
- Watch out for: The user receives an email invitation to set their password. The API does not set passwords directly. Username must be a valid email.
Request example
POST /api/v2/TeamMembers
Authorization: Bearer <token>
{"username": "newuser@example.com", "userEnabled": 1, "props": {"firstName": "John", "lastName": "Smith", "accountAdmin": true}}
Response example
{
"data": {
"username": "newuser@example.com",
"userEnabled": 1
}
}
Rate limits, pagination, and events
Rate limits: Lacework does not publicly document specific numeric rate limits in their official API docs as of the latest available documentation.
Rate-limit headers: No
Retry-After header: No
Rate-limit notes: No explicit rate limit tiers, headers, or Retry-After behavior documented in official Lacework API v2 reference. Contact Lacework support for current limits.
Pagination method: token
Default page size: 5000
Max page size: 5000
Pagination pointer: nextPage
Webhooks available: No
Webhook notes: Lacework does not offer user-management-specific webhooks. Lacework supports alert channels (Slack, PagerDuty, webhook URLs) for security event notifications, not for user lifecycle events.
Alternative event strategy: Use Lacework's audit log API (GET /api/v2/AuditLogs) to poll for user-related activity events.
SCIM API status
- SCIM available: No
- SCIM version: Not documented
- Plan required: N/A
- Endpoint: Not documented
Limitations:
- Lacework does not natively support SCIM provisioning as of the latest official documentation.
- User provisioning via IdPs (Okta, Azure AD) is handled through SSO/SAML configuration, not SCIM.
- Automated provisioning requires use of the TeamMembers REST API or manual console management.
Common scenarios
Three automation scenarios are well-supported by the current API surface:
Onboarding: POST /api/v2/TeamMembers with username (must be a valid email), userEnabled: 1, and role flags in props. The platform sends an invitation email automatically; there is no API call to resend it - if the invite is missed, delete and recreate the user or use the console.
API key rotation: Create a new key via POST /api/v2/ApiKeys and capture the secret immediately (it is returned only once). Disable the old key via PATCH /api/v2/ApiKeys/{keyId} - this immediately invalidates all tokens derived from it - then delete after confirming no consumers remain.
Audit log polling: GET /api/v2/AuditLogs supports date-range filters and returns user lifecycle events (USER_CREATED, USER_DELETED). Paginate using the nextPage token until absent. Note: available event categories and retention period are not fully enumerated in public docs; validate with Lacework support for compliance use cases.
Onboard a new user to a Lacework organization account
- Authenticate: POST /api/v2/access/tokens with org-level API keyId and secret to obtain a Bearer token.
- Create the user: POST /api/v2/TeamMembers with username (email), userEnabled: 1, and desired role in props (e.g., accountAdmin: true).
- User receives an email invitation; they must complete registration before API access is active.
- Verify creation: GET /api/v2/TeamMembers and confirm the new username appears in the response data array.
Watch out for: The invitation email is sent automatically; there is no API call to resend it. If the user misses it, they must be deleted and re-created or an admin must use the console to resend.
Rotate an API key for a service account
- Authenticate with an existing valid token.
- Create a new API key: POST /api/v2/ApiKeys - capture the returned secret immediately.
- Update all consumers to use the new keyId and secret.
- Disable the old key: PATCH /api/v2/ApiKeys/{oldKeyId} with {"enabled": 0}.
- After confirming no consumers use the old key, delete it: DELETE /api/v2/ApiKeys/{oldKeyId}.
Watch out for: Disabling the old key in step 4 immediately invalidates all tokens derived from it. Ensure all consumers are updated before disabling.
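The rotation sequence above, as an added example (not Lacework's own tooling), driven through an injected client with `create_key`/`get_key`/`update_key`/`delete_key`/`token_exchange` methods (assumed names, backed here by a constructed in-memory fake). The old key is disabled only after the new key has minted a token and every registered consumer reports it is on the new keyId, and deletion is a separate step that refuses to run against a key that is still enabled.

```python
class RotationError(Exception):
    """Raised when rotation must stop with the old key still enabled."""

def rotate_key(client, old_key_id, consumers, description="Automation key"):
    """Create a new key, prove it works, move every consumer over, then
    disable the old key. `consumers` maps a name to a callable(keyId, secret)
    that reconfigures that consumer and returns the keyId it now uses."""
    created = client.create_key({"enabled": 1, "props": {"description": description}})
    new_id, secret = created["data"]["keyId"], created["data"]["secret"]  # secret shown once
    if not client.token_exchange(new_id, secret).get("token"):
        client.delete_key(new_id)
        raise RotationError("new key cannot obtain a token; old key left enabled")
    for name, reconfigure in consumers.items():
        if reconfigure(new_id, secret) != new_id:
            raise RotationError(f"consumer {name!r} not on new key; old key left enabled")
    client.update_key(old_key_id, {"enabled": 0})   # all tokens from the old key die here
    return new_id

def retire_key(client, old_key_id):
    """Final step: delete a key only once it is already disabled."""
    if client.get_key(old_key_id)["enabled"] != 0:
        raise RotationError("refusing to delete a key that is still enabled")
    client.delete_key(old_key_id)

class FakeApiKeys:
    """Constructed in-memory stand-in for /api/v2/ApiKeys and /access/tokens."""
    def __init__(self):
        self.keys = {"LACEWORK_ABC123": {"secret": "old-secret", "enabled": 1}}
        self.created = 0
    def create_key(self, body):
        self.created += 1
        key_id, secret = f"LACEWORK_NEW{self.created}", f"secret-{self.created}"
        self.keys[key_id] = {"secret": secret, "enabled": body["enabled"]}
        return {"data": {"keyId": key_id, "secret": secret, "enabled": body["enabled"]}}
    def get_key(self, key_id):
        return {"keyId": key_id, "enabled": self.keys[key_id]["enabled"]}
    def update_key(self, key_id, body):
        self.keys[key_id]["enabled"] = body["enabled"]
        return {"data": {"keyId": key_id, "enabled": body["enabled"]}}
    def delete_key(self, key_id):
        del self.keys[key_id]            # HTTP 204, nothing returned
    def token_exchange(self, key_id, secret):
        k = self.keys.get(key_id)
        ok = k is not None and k["enabled"] == 1 and k["secret"] == secret
        return {"token": f"jwt-{key_id}"} if ok else {}
```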
Audit recent user activity via API
- Authenticate: POST /api/v2/access/tokens.
- Query audit logs: GET /api/v2/AuditLogs with optional filters (e.g., date range via query params).
- Parse the response data array for events with eventType related to user actions (e.g., USER_CREATED, USER_DELETED).
- If the response contains a nextPage token, repeat GET /api/v2/AuditLogs?nextPage=<nextPage> until it is absent.
Watch out for: AuditLogs retention period and available event types are not fully enumerated in public docs; verify available event categories with Lacework support for compliance use cases.
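The polling loop above, as an added example and not Lacework's own code: it follows nextPage until the token is absent, keeps only the user lifecycle event types named on this page, and carries a cursor (newest eventTime seen) so a later poll over an overlapping window does not re-emit events. `get_json(path, params)` is an assumed injected callable, the `startTime`/`endTime` parameter names and the `eventTime`/`eventDetails` fields are assumptions, and the two-page response is constructed sample data.

```python
USER_LIFECYCLE_EVENTS = {"USER_CREATED", "USER_DELETED"}

def poll_user_events(get_json, start_time, end_time, cursor=None, max_pages=100):
    """Follow nextPage until absent; return (user-lifecycle events newer than
    `cursor`, updated cursor). The cursor is the newest eventTime seen."""
    params = {"startTime": start_time, "endTime": end_time}   # assumed filter names
    events, pages = [], 0
    while True:
        page = get_json("/api/v2/AuditLogs", params)
        pages += 1
        for ev in page.get("data", []):
            if ev.get("eventType") not in USER_LIFECYCLE_EVENTS:
                continue
            if cursor is None or ev["eventTime"] > cursor:   # ISO-8601 UTC sorts lexically
                events.append(ev)
        next_token = page.get("nextPage")
        if not next_token:
            break
        if pages >= max_pages:          # guard against an endpoint that never stops paging
            raise RuntimeError("AuditLogs pagination exceeded max_pages")
        params = {"nextPage": next_token}   # later pages are addressed by token only
    new_cursor = max((ev["eventTime"] for ev in events), default=cursor)
    return events, new_cursor

# Constructed two-page stand-in for the endpoint (not a captured Lacework response).
FAKE_AUDIT_PAGES = {
    None: {"data": [
        {"eventTime": "2024-01-01T00:05:00Z", "eventType": "USER_CREATED",
         "eventDetails": {"username": "new@example.com"}},
        {"eventTime": "2024-01-01T00:06:00Z", "eventType": "LOGIN",
         "eventDetails": {"username": "jane@example.com"}}],
        "nextPage": "page-2"},
    "page-2": {"data": [
        {"eventTime": "2024-01-01T00:07:00Z", "eventType": "USER_DELETED",
         "eventDetails": {"username": "left@example.com"}}]},
}

def fake_get_json(path, params):
    assert path == "/api/v2/AuditLogs"
    return FAKE_AUDIT_PAGES[params.get("nextPage")]
```

Persist the returned cursor between runs; with no webhooks, the cursor plus the page-count guard is the whole state a poller has to manage.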
Why building this yourself is a trap
The most common integration pitfall is scope mismatch: TeamMembers endpoints behave differently at org vs. standalone account level, and using an account-scoped key against org endpoints will return incomplete or empty data without a clear error.
A second trap is the userEnabled field - Lacework uses an integer (1/0) rather than a boolean in some endpoints, which will silently fail typed validation in strictly-typed API clients. Finally, there are no user-management webhooks; the only event-driven alternative is polling AuditLogs, which introduces latency and requires managing pagination state.
Teams building deprovisioning automation should also note that GET /api/v2/UserProfile returns only the authenticated key owner's profile - it cannot be used to look up arbitrary users.
Automate Lacework workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.