Summary and recommendation
Thoropass publishes no documented public REST API or SCIM endpoint for user management as of the current research date. The integration partner program references a 'developer-friendly partner API' scoped to evidence and compliance data ingestion - not user provisioning or identity lifecycle operations.
No base URL, authentication method, supported scopes, rate limit headers, or pagination contract for a user management API has been found in any official Thoropass developer resource. Treat all third-party claims that 'Thoropass provides an API' as referring to its compliance evidence integrations, not a user provisioning surface.
API quick reference
| Has user API | No |
| SCIM available | No |
| SCIM plan required | Enterprise |
Authentication
Auth method: Not documented
User object / data model
User object field mapping is not yet verified for this app.
Core endpoints
Endpoint coverage is not yet verified for this app.
Rate limits, pagination, and events
Rate limits: Not documented
Rate-limit headers: No
Retry-After header: No
Rate-limit notes: Not documented
Pagination method: none
Default page size: 0
Max page size: 0
Pagination pointer: Not documented
Webhooks available: No
Webhook notes: No public webhook documentation found for Laika/Thoropass user-management events.
Alternative event strategy: Laika/Thoropass supports SSO via Okta and Microsoft Entra ID for identity federation; user provisioning is managed through those IdPs rather than a native API.
SCIM API status
- SCIM available: No
- SCIM version: Not documented
- Plan required: Enterprise
- Endpoint: Not documented
Limitations:
- No public SCIM endpoint documented by Laika/Thoropass as of research date.
- Context data confirms no native SCIM support.
- SSO integrations with Okta and Entra ID exist but do not expose a SCIM provisioning endpoint.
Common scenarios
The only documented identity integration path is IdP-side SSO: Thoropass supports SAML-based SSO via Okta and Microsoft Entra ID, with just-in-time user provisioning enabled by default on the Entra ID integration.
This means a user record is created in Thoropass on first authenticated login - no pre-provisioning call is made. There is no documented SCIM endpoint, no webhook surface for user lifecycle events, and no REST endpoint for create/update/deactivate user operations.
For teams building identity graph coverage across their SaaS stack, Thoropass represents a gap: user state inside the platform cannot be read or written programmatically without a direct vendor integration agreement.
Scenario implementations are not yet verified for this app.
Why building this yourself is a trap
The absence of a public user management API creates a specific risk for identity graph completeness.
If your pipeline relies on SCIM or REST to enumerate active users, detect role changes, or confirm deprovisioning, Thoropass will produce a blind spot - active accounts will not surface in automated access reviews unless the IdP SSO session log is used as a proxy.
The rebrand from Laika to Thoropass also means any legacy API references or integration configs built against 'laika.com' endpoints should be audited for breakage.
Until Thoropass publishes a versioned user management API with documented auth, scopes, and rate limits, programmatic lifecycle management is not a viable path; SSO with manual offboarding verification is the only defensible pattern.
Automate Laika workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
