
LastPass User Management API Guide

API workflow

How to automate user lifecycle operations through APIs with caveats that matter in production.

Updated Mar 9, 2026

Summary and recommendation

LastPass exposes two programmatic surfaces: a proprietary Provisioning API at https://lastpass.com/enterpriseapi.php and a SCIM 2.0 endpoint at https://lastpass.com/scim/v2 (Business/Enterprise only). The Provisioning API is a single POST endpoint where the 'cmd' field in the JSON body determines the operation; there are no distinct REST resource URLs.

Auth is a plain provisioning hash ('provhash') passed in the request body alongside the company ID ('cid'); there is no OAuth 2.0 or Authorization header pattern. The API returns HTTP 200 for both success and logical errors, so response body inspection of the 'status' field is mandatory on every call.

Building LastPass into an identity graph requires polling 'getuserdata' on a schedule, since no webhooks are available and the endpoint returns all users in a single unpaginated payload, a payload-size risk for large directories.

API quick reference

Has user API: Yes
Auth method: API key (provisioning hash) passed as a field in the JSON POST body; no OAuth 2.0
Base URL: Official docs
SCIM available: Yes
SCIM plan required: Business

Authentication

Auth method: API key (provisioning hash) passed as a field in the JSON POST body; no OAuth 2.0

Setup steps

  1. Log in to the LastPass Admin Console as an admin.
  2. Navigate to Advanced Options > Enterprise API.
  3. Generate or copy the Provisioning Hash (API key) displayed there.
  4. Include the provisioning hash as the 'provhash' field and your account's company ID as 'cid' in every API request body.
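Because the hash rides in the request body and the service answers HTTP 200 for logical failures as well, a client needs two things the transport layer will not give it: a redacted view of the body for logging, and a body-level status check on every call. The client below is an added example written for this guide, not LastPass or Stitchflow code. It assumes only what this page states (the single endpoint, the cid/provhash/cmd/data body, the 'status' and per-user 'results' fields, and the 'Users' map returned by 'getuserdata'); the transport and sleep callables are injectable so the retry logic can be exercised offline, and the backoff schedule is a guess by design, since no rate limits or Retry-After header are published.

```python
import json
import random
import time
import urllib.error
import urllib.request

# Endpoint as documented on this page. cid and provhash come from the Admin
# Console; the hash is a credential, so keep it out of source control and logs.
ENTERPRISE_API_URL = "https://lastpass.com/enterpriseapi.php"


class LastPassApiError(Exception):
    """Logical failure reported in the JSON body although HTTP said 200."""


def redact(body):
    """Copy of a request body that is safe to log: the hash is masked."""
    safe = dict(body)
    if "provhash" in safe:
        safe["provhash"] = "***"
    return safe


def http_post(body, timeout=30):
    """Real transport: one JSON POST to the single enterpriseapi.php endpoint."""
    req = urllib.request.Request(
        ENTERPRISE_API_URL,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_response(cmd, payload):
    """The body is the only success signal. 'getuserdata' answers with a
    'Users' map and no 'status' (see its response example on this page);
    every other cmd must say status OK, and a batch must be OK per user."""
    if not isinstance(payload, dict):
        raise LastPassApiError("unexpected payload type %s" % type(payload).__name__)
    if cmd == "getuserdata":
        if "Users" not in payload:
            raise LastPassApiError("getuserdata reply has no 'Users' key: %r" % payload)
        return payload
    if payload.get("status") != "OK":
        raise LastPassApiError("cmd %s failed: %r" % (cmd, payload))
    failed = [r for r in payload.get("results", []) if r.get("status") != "OK"]
    if failed:
        raise LastPassApiError("cmd %s failed for %d user(s): %r" % (cmd, len(failed), failed))
    return payload


def is_transient(exc):
    """Only transport-level failures are worth retrying. A logical error in a
    200 body is final: re-sending the same request just fails the same way."""
    if isinstance(exc, urllib.error.HTTPError):
        return exc.code == 429 or exc.code >= 500
    return isinstance(exc, (urllib.error.URLError, TimeoutError))


def call(cid, provhash, cmd, data, transport=http_post, max_attempts=4,
         base_delay=1.0, sleep=None):
    """Send one cmd and return its verified body. 'transport' and 'sleep' are
    injectable so the retry path can be tested without touching the network."""
    sleep = sleep or time.sleep
    body = {"cid": cid, "provhash": provhash, "cmd": cmd, "data": data}
    for attempt in range(1, max_attempts + 1):
        try:
            payload = transport(body)
        except Exception as exc:
            if not is_transient(exc) or attempt == max_attempts:
                raise
            # exponential delay with jitter, capped at 30 s; a guessed schedule
            # because LastPass publishes no thresholds and no Retry-After
            sleep(min(30.0, base_delay * 2 ** (attempt - 1)) * (0.5 + random.random()))
            continue
        return check_response(cmd, payload)
```

Log `redact(body)` rather than the body itself, and treat a `LastPassApiError` from a batch as partial failure: the entries that did report OK were applied, so the caller should retry only the failed usernames rather than the whole batch.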

User object / data model

| Field | Type | Description | On create | On update | Notes |
| --- | --- | --- | --- | --- | --- |
| username | string | User's email address (primary identifier) | required | required | Must be a valid email; used as the unique key. |
| password | string | Initial master password for the user | optional | optional | Only relevant when not using federated login. |
| firstname | string | User's first name | optional | optional | |
| lastname | string | User's last name | optional | optional | |
| groupsin | array[string] | Groups to add the user to | optional | optional | Array of group name strings. |
| groupsout | array[string] | Groups to remove the user from | n/a | optional | Used in update/batch operations. |
| duousername | string | Duo Security username override | optional | optional | Only relevant if Duo MFA is configured. |
| securid_username | string | RSA SecurID username override | optional | optional | |
| department | string | User's department | optional | optional | |
| division | string | User's division | optional | optional | |
| employee_number | string | Employee number / HR identifier | optional | optional | |
| admin | boolean | Whether the user has admin privileges | optional | optional | Set to 1 to grant admin rights. |
| disabled | boolean | Whether the user account is disabled | optional | optional | Set to 1 to disable without deleting. |

Core endpoints

Create user

  • Method: POST
  • URL: https://lastpass.com/enterpriseapi.php
  • Watch out for: All operations use the same POST endpoint; the 'cmd' field determines the action. 'batchadd' creates users and is idempotent if the user already exists.

Request example

{
  "cid": "12345",
  "provhash": "<provisioning_hash>",
  "cmd": "batchadd",
  "data": [{"username": "jane@example.com", "firstname": "Jane", "lastname": "Doe"}]
}

Response example

{
  "status": "OK",
  "results": [{"status": "OK", "username": "jane@example.com"}]
}

Update user

  • Method: POST
  • URL: https://lastpass.com/enterpriseapi.php
  • Watch out for: User updates also use 'batchadd'; only supplied fields are updated. Omitted fields are not cleared.

Request example

{
  "cid": "12345",
  "provhash": "<provisioning_hash>",
  "cmd": "batchadd",
  "data": [{"username": "jane@example.com", "department": "Engineering"}]
}

Response example

{
  "status": "OK",
  "results": [{"status": "OK", "username": "jane@example.com"}]
}

Delete user

  • Method: POST
  • URL: https://lastpass.com/enterpriseapi.php
  • Watch out for: 'deleteaction' controls behavior: 0=remove from company, 1=delete account + data, 2=delete account but transfer vault data. Irreversible for actions 1 and 2.

Request example

{
  "cid": "12345",
  "provhash": "<provisioning_hash>",
  "cmd": "deluser",
  "data": {"username": "jane@example.com", "deleteaction": 0}
}

Response example

{
  "status": "OK"
}

Disable user

  • Method: POST
  • URL: https://lastpass.com/enterpriseapi.php
  • Watch out for: Disabled users cannot log in but their vault data is retained. Use 'enableuser' cmd to re-enable.

Request example

{
  "cid": "12345",
  "provhash": "<provisioning_hash>",
  "cmd": "disableuser",
  "data": {"username": "jane@example.com"}
}

Response example

{
  "status": "OK"
}

Get user data / list users

  • Method: POST
  • URL: https://lastpass.com/enterpriseapi.php
  • Watch out for: Omitting 'username' from data returns all users in the account. Large accounts may return very large payloads; no pagination is supported.

Request example

{
  "cid": "12345",
  "provhash": "<provisioning_hash>",
  "cmd": "getuserdata",
  "data": {"username": "jane@example.com"}
}

Response example

{
  "Users": {
    "jane@example.com": {
      "username": "jane@example.com",
      "firstname": "Jane",
      "lastname": "Doe",
      "admin": 0,
      "disabled": 0
    }
  }
}
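With no webhooks, changes in the directory are found by polling 'getuserdata' and diffing consecutive snapshots. The code below is an added example for this guide (not LastPass or Stitchflow code) that turns the 'Users' map above into normalised records and reports joiners, leavers, disable/enable flips and admin grants between two polls. The two snapshots are constructed sample data in the response shape shown above; the half-of-the-directory threshold for refusing a poll is an assumption chosen for the example, and it exists so that a truncated or empty reply is treated as a bad read rather than as a mass offboarding.

```python
# Constructed getuserdata bodies (not real LastPass data): the previous and
# the current poll of a four-user account.
SNAPSHOT_T0 = {"Users": {
    "jane@example.com":  {"username": "jane@example.com",  "firstname": "Jane",  "lastname": "Doe", "admin": 0, "disabled": 0},
    "bob@example.com":   {"username": "bob@example.com",   "firstname": "Bob",   "lastname": "Roe", "admin": 0, "disabled": 0},
    "carol@example.com": {"username": "carol@example.com", "firstname": "Carol", "lastname": "Poe", "admin": 1, "disabled": 0},
    "dave@example.com":  {"username": "dave@example.com",  "firstname": "Dave",  "lastname": "Moe", "admin": 0, "disabled": 0},
}}
SNAPSHOT_T1 = {"Users": {
    "Jane@example.com":  {"username": "Jane@example.com",  "firstname": "Jane",  "lastname": "Doe", "admin": "1", "disabled": 0},
    "bob@example.com":   {"username": "bob@example.com",   "firstname": "Bob",   "lastname": "Roe", "admin": 0, "disabled": 1},
    "carol@example.com": {"username": "carol@example.com", "firstname": "Carol", "lastname": "Poe", "admin": 1, "disabled": 0},
    "erin@example.com":  {"username": "erin@example.com",  "firstname": "Erin",  "lastname": "Foe", "admin": 0, "disabled": 0},
}}


class SuspiciousSnapshot(Exception):
    """The new poll lost too many users at once; treat it as a bad read."""


def as_flag(value):
    """admin/disabled arrive as 0/1 ints in the example above; also accept
    "1"/"0" strings and real booleans so a format change does not mis-flag."""
    if isinstance(value, bool):
        return value
    if value is None:
        return False
    try:
        return int(value) == 1
    except (TypeError, ValueError):
        return str(value).strip().lower() in ("true", "yes")


def parse_users(payload):
    """Normalise a getuserdata body into {email: record}; emails are lower-cased
    so a case difference between polls does not look like a leave plus a join."""
    users = {}
    for key, rec in (payload.get("Users") or {}).items():
        email = str(rec.get("username") or key).strip().lower()
        users[email] = {
            "admin": as_flag(rec.get("admin")),
            "disabled": as_flag(rec.get("disabled")),
            "name": "%s %s" % (rec.get("firstname", ""), rec.get("lastname", "")),
        }
    return users


def diff_snapshots(prev, curr, max_removed_ratio=0.5):
    """Events between two polls. 'admin_granted' is the one worth alerting on:
    an unexpected admin in the password manager is a privilege escalation."""
    removed = sorted(set(prev) - set(curr))
    if prev and len(removed) / len(prev) > max_removed_ratio:
        raise SuspiciousSnapshot("%d of %d users vanished in one poll" % (len(removed), len(prev)))
    events = {"joined": sorted(set(curr) - set(prev)), "left": removed,
              "disabled": [], "enabled": [], "admin_granted": [], "admin_revoked": []}
    for email in sorted(set(prev) & set(curr)):
        before, after = prev[email], curr[email]
        if after["disabled"] != before["disabled"]:
            events["disabled" if after["disabled"] else "enabled"].append(email)
        if after["admin"] != before["admin"]:
            events["admin_granted" if after["admin"] else "admin_revoked"].append(email)
    return events
```

Persist the parsed snapshot, not the raw body, between polls; the raw payload for a large account is the unpaginated blob the summary warns about, and the normalised map is all the diff needs.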

Add user to group

  • Method: POST
  • URL: https://lastpass.com/enterpriseapi.php
  • Watch out for: Groups must already exist in LastPass. Specifying a non-existent group name may silently fail or create the group depending on account settings.

Request example

{
  "cid": "12345",
  "provhash": "<provisioning_hash>",
  "cmd": "batchadd",
  "data": [{"username": "jane@example.com", "groupsin": ["Engineering"]}]
}

Response example

{
  "status": "OK",
  "results": [{"status": "OK", "username": "jane@example.com"}]
}

Reset master password

  • Method: POST
  • URL: https://lastpass.com/enterpriseapi.php
  • Watch out for: Sends a password reset email to the user. Not applicable for federated (SSO) users whose authentication is managed by the IdP.

Request example

{
  "cid": "12345",
  "provhash": "<provisioning_hash>",
  "cmd": "resetpassword",
  "data": {"username": "jane@example.com"}
}

Response example

{
  "status": "OK"
}

Get audit log / reporting

  • Method: POST
  • URL: https://lastpass.com/enterpriseapi.php
  • Watch out for: Reporting endpoint supports date-range filtering and a 'pagesize' parameter, making it one of the few endpoints with partial pagination support.

Request example

{
  "cid": "12345",
  "provhash": "<provisioning_hash>",
  "cmd": "reporting",
  "data": {"from": "2024-01-01", "to": "2024-01-31", "pagesize": 100}
}

Response example

{
  "status": "OK",
  "data": [{"Time": "2024-01-15 10:22:00", "Username": "jane@example.com", "Action": "User Login"}]
}

Rate limits, pagination, and events

  • Rate limits: LastPass does not publish explicit rate limit tiers or numeric thresholds in official documentation. Practical guidance recommends avoiding bulk rapid requests.

  • Rate-limit headers: No

  • Retry-After header: No

  • Rate-limit notes: No documented rate limit headers or retry-after headers. Contact LastPass support for enterprise-level throughput guidance.

  • Pagination method: none

  • Default page size: 0

  • Max page size: 0

  • Pagination pointer: Not documented

  • Webhooks available: No

  • Webhook notes: LastPass does not offer native outbound webhooks for user or vault events as of the current documentation.

  • Alternative event strategy: Poll the 'reporting' API command on a schedule to detect user activity and provisioning events.
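Polling 'reporting' on a schedule only works if each poll can tell which entries it has already processed, and the response example above resolves time to the second, so several entries can share one timestamp. The code below is an added example written for this guide (not LastPass or Stitchflow code): it keeps a watermark made of the newest timestamp plus the (user, action) keys seen at that exact second, builds the overlapping date window for the next 'reporting' request, and filters the fresh entries down to the actions a detection pipeline wants. The sample pages are constructed; "Add User" is an illustrative action string, not a documented value, and the watched-action set is the caller's choice.

```python
from datetime import date, datetime, timedelta

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # timestamp layout of the response example above

# Constructed sample pages (not real LastPass output). The second page is the
# overlapping re-poll that a watermark-based scheduler would receive.
PAGE_1 = [
    {"Time": "2024-01-15 10:22:00", "Username": "jane@example.com", "Action": "User Login"},
    {"Time": "2024-01-15 10:22:00", "Username": "bob@example.com", "Action": "User Login"},
    {"Time": "2024-01-15 09:00:00", "Username": "admin@example.com", "Action": "Add User"},
]
PAGE_2 = PAGE_1 + [
    {"Time": "2024-01-15 10:22:00", "Username": "carol@example.com", "Action": "User Login"},
    {"Time": "2024-01-16 08:00:00", "Username": "jane@example.com", "Action": "User Login"},
]


def initial_state():
    """Watermark: newest timestamp seen plus the (user, action) keys at that
    exact second, so same-second entries are neither lost nor replayed."""
    return {"time": None, "seen": set()}


def reporting_request(state, today, pagesize=100):
    """'data' for the reporting cmd. The window deliberately starts on the
    watermark day: polls overlap and the watermark drops the duplicates."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    start = state["time"].date() if state["time"] else today - timedelta(days=1)
    return {"from": start.isoformat(), "to": today.isoformat(), "pagesize": pagesize}


def parse_entry(entry):
    return {"time": datetime.strptime(entry["Time"], TIME_FORMAT),
            "username": entry["Username"], "action": entry["Action"]}


def advance(page, state):
    """Return (entries not seen before, new state) for one reporting page.
    Two identical (user, action) pairs inside the same second collapse to one."""
    wm_time, seen = state["time"], set(state["seen"])
    fresh = []
    for e in sorted((parse_entry(x) for x in page), key=lambda e: e["time"]):
        key = (e["username"], e["action"])
        if wm_time is not None and (e["time"] < wm_time or (e["time"] == wm_time and key in seen)):
            continue
        fresh.append(e)
        if wm_time is None or e["time"] > wm_time:
            wm_time, seen = e["time"], set()
        seen.add(key)
    return fresh, {"time": wm_time, "seen": seen}


def select(events, watched_actions):
    """Keep only the actions the pipeline cares about (admin and provisioning
    actions, typically); the set is the caller's, not a documented enumeration."""
    return [e for e in events if e["action"] in watched_actions]
```

Store the state between runs (the timestamp and the small key set serialise trivially); because 'pagesize' is the only documented paging control and no pointer is documented, keep the window short enough that one page holds a whole interval, and treat a page that exactly fills 'pagesize' as a signal to shrink the window rather than assume completeness.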

SCIM API status

  • SCIM available: Yes

  • SCIM version: 2.0

  • Plan required: Business

  • Endpoint: https://lastpass.com/scim/v2

  • Supported operations: GET /Users, GET /Users/{id}, POST /Users, PUT /Users/{id}, PATCH /Users/{id}, DELETE /Users/{id}, GET /Groups, POST /Groups, PUT /Groups/{id}, PATCH /Groups/{id}, DELETE /Groups/{id}

Limitations:

  • Requires Business or Enterprise plan.
  • SSO (federated login) must be configured as a prerequisite for SCIM provisioning.
  • SCIM token is generated from the LastPass Admin Console under Advanced > SCIM.
  • Supported IdPs with native connectors: Okta, Microsoft Entra ID (Azure AD), Google Workspace, OneLogin.
  • SCIM provisioning does not sync vault items or shared folders; only user identity and group membership.
  • Deprovisioning via SCIM disables the user; full vault deletion requires manual action or the provisioning API 'deluser' command.

Common scenarios

Three integration patterns cover the majority of production use cases. First, direct provisioning via the Provisioning API: POST cmd='batchadd' with username, firstname, lastname, and groupsin to create or update a user; 'batchadd' is idempotent if the user already exists.

Second, deprovisioning: POST cmd='disableuser' immediately to block access, then POST cmd='deluser' with deleteaction=0 (remove from company), 1 (delete account and all vault data), or 2 (delete account, transfer vault data); actions 1 and 2 are irreversible and permanently destroy vault data.

Third, IdP-driven SCIM sync (e.g., Okta): generate a SCIM bearer token from Admin Console > Advanced > SCIM, configure the LastPass app in Okta with the SCIM base URL and token, then enable Push Users and Push Groups.

Rotating the SCIM token in LastPass immediately breaks the Okta connection; always update the token in Okta before rotating in production. For federated (SSO) users, never set a master password via the API; authentication state is owned by the IdP.

Onboard a new employee via Provisioning API

  1. POST to enterpriseapi.php with cmd='batchadd', supplying username (email), firstname, lastname, and groupsin array.
  2. Verify response body contains status='OK' for the user entry.
  3. Optionally POST cmd='resetpassword' to trigger a welcome/setup email if not using federated login.

Watch out for: If federated login (SSO) is active, do not set a password via the API; authentication is controlled by the IdP and setting a master password may conflict with federated account state.

Deprovision a departing employee

  1. POST cmd='disableuser' immediately to block access while deciding on data disposition.
  2. Coordinate with IT/security on vault data transfer requirements.
  3. POST cmd='deluser' with deleteaction=0 to remove from company without destroying vault, or deleteaction=1 to permanently delete all data.

Watch out for: deleteaction=1 and deleteaction=2 are irreversible. Confirm data transfer or backup requirements before executing. SCIM deprovisioning only disables the user; it does not delete vault data.
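The onboarding and deprovisioning procedures above share the same safety points: check the per-user result of 'batchadd', skip the password step for federated users, confirm the disable actually took effect before anything destructive, and refuse deleteaction 1 or 2 without an explicit decision on the vault data. The code below is an added example for this guide, not LastPass or Stitchflow code, that encodes both procedures. 'send(cmd, data)' is any callable that POSTs the cid/provhash/cmd/data body to enterpriseapi.php and returns the parsed JSON; the FakeLastPass class is a hypothetical in-memory stand-in constructed so the flow runs offline, answering with the body shapes shown on this page.

```python
DELETE_ACTIONS = {
    0: "remove from company, vault data kept",
    1: "delete account and all vault data (irreversible)",
    2: "delete account, transfer vault data (irreversible)",
}


class LifecycleError(Exception):
    """A step did not report status OK, or a guard refused to continue."""


def _expect_ok(cmd, payload):
    """HTTP 200 says nothing; the body's top-level and per-user status do."""
    if payload.get("status") != "OK":
        raise LifecycleError("%s failed: %r" % (cmd, payload))
    for entry in payload.get("results", []):
        if entry.get("status") != "OK":
            raise LifecycleError("%s failed for %s: %r" % (cmd, entry.get("username"), entry))
    return payload


def onboard(send, username, firstname, lastname, groups, federated):
    """Create or update the user (batchadd is idempotent), then trigger the
    welcome/reset mail only for non-federated accounts: an SSO user's
    authentication state belongs to the IdP, so no password is ever set."""
    record = {"username": username, "firstname": firstname,
              "lastname": lastname, "groupsin": list(groups)}
    _expect_ok("batchadd", send("batchadd", [record]))
    steps = ["batchadd"]
    if not federated:
        _expect_ok("resetpassword", send("resetpassword", {"username": username}))
        steps.append("resetpassword")
    return steps


def block_access(send, username):
    """Offboarding step 1: disable, then read the user back and confirm the
    flag really flipped before any data-disposition decision is acted on."""
    _expect_ok("disableuser", send("disableuser", {"username": username}))
    users = send("getuserdata", {"username": username}).get("Users") or {}
    record = users.get(username) or {}
    if int(record.get("disabled", 0)) != 1:
        raise LifecycleError("%s is still enabled after disableuser" % username)
    return ["disableuser", "verify-disabled"]


def delete_user(send, username, deleteaction=0, confirm_destructive=False):
    """Offboarding step 3. deleteaction 1 and 2 cannot be undone, so they are
    refused unless the caller states that the data-transfer decision of step 2
    has been made (confirm_destructive=True is a deliberate, separate act)."""
    if deleteaction not in DELETE_ACTIONS:
        raise LifecycleError("unknown deleteaction %r" % (deleteaction,))
    if deleteaction != 0 and not confirm_destructive:
        raise LifecycleError("deleteaction=%d (%s) needs confirm_destructive=True"
                             % (deleteaction, DELETE_ACTIONS[deleteaction]))
    _expect_ok("deluser", send("deluser", {"username": username,
                                           "deleteaction": deleteaction}))
    return ["deluser:%d" % deleteaction]


class FakeLastPass:
    """Hypothetical in-memory stand-in for enterpriseapi.php (constructed for
    this example): answers with the body shapes shown on this page."""

    def __init__(self):
        self.users, self.log = {}, []

    def send(self, cmd, data):
        self.log.append(cmd)
        if cmd == "batchadd":
            for u in data:
                self.users.setdefault(u["username"], {"disabled": 0, "admin": 0}).update(u)
            return {"status": "OK",
                    "results": [{"status": "OK", "username": u["username"]} for u in data]}
        if cmd == "getuserdata":
            name = data.get("username")
            if name is None:
                return {"Users": dict(self.users)}
            return {"Users": {name: self.users[name]} if name in self.users else {}}
        name = data["username"]
        if name not in self.users:
            return {"status": "FAIL", "error": "no such user"}
        if cmd == "disableuser":
            self.users[name]["disabled"] = 1
        elif cmd == "deluser":
            del self.users[name]
        elif cmd != "resetpassword":
            return {"status": "FAIL", "error": "unknown cmd"}
        return {"status": "OK"}
```

`block_access` and `delete_user` are separate on purpose: the pause between them is where the vault-data decision of step 2 happens, and the returned step lists are what an offboarding ticket should record as evidence.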

Sync users from Okta via SCIM

  1. Ensure LastPass Business plan is active and SSO/federated login is configured.
  2. In LastPass Admin Console, navigate to Advanced > SCIM and generate a SCIM bearer token.
  3. In Okta, add the LastPass application from the Okta Integration Network and configure SCIM provisioning with the LastPass SCIM base URL and bearer token.
  4. Enable 'Push Users' and 'Push Groups' in Okta provisioning settings.
  5. Assign users/groups in Okta; Okta will POST to LastPass SCIM /Users to create accounts automatically.

Watch out for: SCIM token rotation in LastPass invalidates the existing Okta connection immediately; update the token in Okta's provisioning settings before rotating in production.

Why building this yourself is a trap

The single-endpoint, cmd-driven design means there is no idiomatic REST structure to rely on, and no official SDK exists; every integration is built against raw HTTP. Rate limits are undocumented; LastPass publishes no numeric thresholds, no rate-limit headers, and no Retry-After headers, making backoff logic a best-guess exercise.

The 'getuserdata' list endpoint has no pagination, so full directory syncs for large accounts must handle arbitrarily large response payloads in a single call.

SCIM provisioning requires SSO/federated login to be active first; enabling SCIM without SSO is not supported, which creates a sequencing dependency that can block identity graph population if SSO is not yet rolled out.

Group names in the Provisioning API are case-sensitive and must match the Admin Console exactly; a mismatch may silently fail or create a duplicate group depending on account configuration.

Automate LastPass workflows without one-off scripts

Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.

  • Coverage for every app, including apps without APIs
  • 60+ app integrations plus browser automation for apps without APIs
  • IT graph reconciliation across apps and your IdP
  • Less than a week to launch, maintained as APIs and admin consoles change
  • SOC 2 Type II. ~2 hours of your team's time


* Details sourced from official product documentation and admin references.
