
Modern Treasury User Management API Guide

API workflow

How to automate user lifecycle operations through APIs with caveats that matter in production.

Updated Mar 17, 2026

Summary and recommendation

Modern Treasury's REST API uses HTTP Basic Auth - the Organization ID is passed as the username and the API key as the password, encoded as Base64.

This is distinct from Bearer token auth; misconfiguring the header is the most common integration failure point.

Both the Organization ID and API key are found in dashboard Settings → API Keys.

The base URL is https://app.moderntreasury.com/api, and all requests must be made over HTTPS.

Live mode and sandbox mode share the same base URL but require separate API keys - ensure the correct key is scoped per environment.

The REST API is read-oriented for user data: GET /api/users and GET /api/users/{id} are the supported operations.

Provisioning and deprovisioning are handled exclusively via SCIM 2.0 on Enterprise plans at https://app.moderntreasury.com/scim/v2.

Attempting SCIM calls on non-Enterprise plans will fail.

Pagination is cursor-based using after_cursor and before_cursor parameters; page/offset patterns are not supported.

The default page size is 25 and the maximum is 1000.

API quick reference

  • Has user API: Yes
  • Auth method: HTTP Basic Auth (API key as username, empty password; or Organization ID + API key pair)
  • Base URL: Official docs
  • SCIM available: Yes
  • SCIM plan required: Enterprise

Authentication

Auth method: HTTP Basic Auth (API key as username, empty password; or Organization ID + API key pair)

Setup steps

  1. Log in to the Modern Treasury dashboard.
  2. Navigate to Settings → API Keys.
  3. Create a new API key; note the Organization ID shown in the same settings area.
  4. Encode 'organization_id:api_key' in Base64 and pass it as the Authorization header: 'Authorization: Basic <base64(org_id:api_key)>'.
  5. All requests must be made over HTTPS.

User object / data model

Field | Type | Description | On create | On update | Notes
--- | --- | --- | --- | --- | ---
id | string | Unique identifier for the user. | system-generated | immutable | UUID format.
object | string | Always 'user'. | system-generated | immutable |
live_mode | boolean | Indicates if the object exists in live mode. | system-generated | immutable |
created_at | datetime | ISO 8601 timestamp of user creation. | system-generated | immutable |
updated_at | datetime | ISO 8601 timestamp of last update. | system-generated | system-managed |
email | string | User's email address. | required | updatable | Must be unique within the organization.
name | string | Full name of the user. | required | updatable |
role | string | User's role within the organization (e.g., admin, member). | required | updatable | Exact role enum values depend on organization configuration.

Core endpoints

List Users

  • Method: GET
  • URL: https://app.moderntreasury.com/api/users
  • Watch out for: Pagination uses cursor-based after_cursor/before_cursor params, not page numbers.

Request example

GET /api/users?per_page=25 HTTP/1.1
Host: app.moderntreasury.com
Authorization: Basic <base64(org_id:api_key)>

Response example

{
  "object": "list",
  "items": [{"id": "usr_abc123", "object": "user", "email": "alice@example.com", "name": "Alice"}],
  "after_cursor": "cursor_xyz",
  "per_page": 25
}

Get User

  • Method: GET
  • URL: https://app.moderntreasury.com/api/users/{id}
  • Watch out for: Returns 404 if the user ID does not belong to the authenticated organization.

Request example

GET /api/users/usr_abc123 HTTP/1.1
Host: app.moderntreasury.com
Authorization: Basic <base64(org_id:api_key)>

Response example

{
  "id": "usr_abc123",
  "object": "user",
  "email": "alice@example.com",
  "name": "Alice",
  "created_at": "2024-01-15T10:00:00Z"
}

Rate limits, pagination, and events

  • Rate limits: Modern Treasury enforces rate limits per API key. The official docs note limits exist but do not publish specific numeric thresholds publicly.
  • Rate-limit headers: Unknown
  • Retry-After header: Unknown
  • Rate-limit notes: Contact Modern Treasury support for specific rate limit figures. HTTP 429 is returned when limits are exceeded.
  • Pagination method: cursor
  • Default page size: 25
  • Max page size: 1000
  • Pagination pointer: after_cursor / before_cursor
Plan | Limit | Concurrent
All plans | Not publicly documented | 0
  • Webhooks available: Yes
  • Webhook notes: Modern Treasury supports webhooks for event-driven notifications. Webhook endpoints are configured in the dashboard under Settings → Webhooks.
  • Alternative event strategy: User-specific lifecycle events (e.g., user provisioned/deprovisioned) are handled via SCIM rather than webhooks.
  • Webhook events: payment_order.created, payment_order.updated, transaction.created, transaction.updated, internal_account.updated, counterparty.created, counterparty.updated

SCIM API status

  • SCIM available: Yes

  • SCIM version: 2.0

  • Plan required: Enterprise

  • Endpoint: https://app.moderntreasury.com/scim/v2

  • Supported operations: Create User (POST /Users), Get User (GET /Users/{id}), List Users (GET /Users), Update User (PUT /Users/{id}), Deactivate User (PATCH /Users/{id} with active=false), Get Groups (GET /Groups), Create Group (POST /Groups), Update Group (PATCH /Groups/{id})

Limitations:

  • Requires Enterprise plan.
  • SCIM token is generated from the Modern Treasury dashboard under Settings → SCIM.
  • IdP-specific connector configuration (Okta, Entra ID, etc.) must be set up on the IdP side using the SCIM base URL and bearer token.
  • Group push support may vary by IdP connector; verify with Modern Treasury support.

Common scenarios

For identity graph construction, the audit scenario is the primary REST API use case: authenticate with Basic Auth, call GET /api/users?per_page=1000, and paginate using after_cursor until the field returns null.

Each user object surfaces id, email, name, role, created_at, updated_at, and live_mode - sufficient to join against an identity graph across your SaaS fleet.

For provisioning, the SCIM path is the only supported write mechanism.

Configure your IdP (Okta, Entra ID, etc.) with the SCIM base URL and a bearer token generated from Settings → SCIM.

The IdP then manages POST /scim/v2/Users on hire and PATCH /scim/v2/Users/{id} with active=false on departure.

SCIM token rotation requires IdP connector reconfiguration - plan for a maintenance window.

Deprovisioning via SCIM deactivates the user but may not immediately revoke active API sessions; confirm session invalidation behavior directly with Modern Treasury support.

Webhooks are available for payment and transaction events but do not emit user lifecycle events.

User provisioning and deprovisioning signals must come from SCIM, not webhooks.

Audit all users in an organization

  1. Authenticate using Basic Auth with Organization ID and API key.
  2. GET /api/users?per_page=1000 to retrieve the first page of users.
  3. Check the after_cursor field in the response; if present, repeat with ?after_cursor=<after_cursor value> until after_cursor is null.
  4. Aggregate all user objects for audit logging.

Watch out for: Max per_page is 1000; large organizations may require multiple paginated requests.

Provision a new employee via SCIM (Enterprise)

  1. Ensure the organization is on the Enterprise plan.
  2. In the Modern Treasury dashboard, navigate to Settings → SCIM and generate a SCIM token.
  3. Configure your IdP (e.g., Okta) with SCIM base URL https://app.moderntreasury.com/scim/v2 and the bearer token.
  4. Assign the user to the Modern Treasury application in the IdP; the IdP will POST /scim/v2/Users with the user's profile.
  5. Modern Treasury creates the user and returns a SCIM User object with the assigned id.

Watch out for: SCIM token rotation requires reconfiguring the IdP connector; plan for downtime or use a maintenance window.

Deactivate a departed employee via SCIM

  1. In the IdP, remove or deactivate the user's assignment to the Modern Treasury application.
  2. The IdP sends a PATCH /scim/v2/Users/{id} request with {"Operations": [{"op": "replace", "path": "active", "value": false}]}.
  3. Modern Treasury deactivates the user, revoking their access.
  4. Verify deactivation by calling GET /api/users/{id} and confirming the user's status.

Watch out for: Deprovisioning via SCIM deactivates the user but may not immediately revoke active API sessions; confirm behavior with Modern Treasury support.

Why building this yourself is a trap

The most significant integration caveat is the hard dependency on the Enterprise plan for any write-path user management via SCIM. Teams on lower tiers have no API-based provisioning option and must fall back to manual dashboard operations. Rate limit thresholds are not publicly documented; HTTP 429 is the only signal of exhaustion, and numeric limits must be obtained directly from Modern Treasury support - build in retry logic with exponential backoff from the start.

For teams building an identity graph with 60+ deep IT/identity integrations via an MCP server, the read-only REST API provides enough signal for access visibility, but automated lifecycle management requires confirming Enterprise plan status before committing to an API-driven architecture.
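
The audit loop from "Audit all users in an organization", combined with the exponential backoff on HTTP 429 recommended above, as an added example (not Modern Treasury's or Stitchflow's code). The response shape (items, after_cursor) follows the response example on this page; the retry delays, the max_retries default and the injectable get/sleep parameters are assumptions.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://app.moderntreasury.com/api"  # base URL given on this page


def basic_auth_header(org_id, api_key):
    """Basic scheme: Base64 of 'organization_id:api_key', not a Bearer token."""
    token = base64.b64encode(f"{org_id}:{api_key}".encode()).decode()
    return {"Authorization": f"Basic {token}"}  # holds the key: never log it


def https_get(url, headers):
    """Default transport: returns (status, parsed JSON body or None)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


def list_all_users(org_id, api_key, get=https_get, sleep=time.sleep,
                   per_page=1000, max_retries=5):
    """Follow after_cursor until it is null; back off exponentially on 429."""
    headers = basic_auth_header(org_id, api_key)
    users, cursor = [], None
    while True:
        params = {"per_page": per_page}
        if cursor:
            params["after_cursor"] = cursor
        url = f"{BASE_URL}/users?{urllib.parse.urlencode(params)}"
        for attempt in range(max_retries + 1):
            status, body = get(url, headers)
            if status != 429:
                break
            if attempt == max_retries:
                raise RuntimeError("still rate limited after retries")
            sleep(2 ** attempt)  # 1s, 2s, 4s, ... (assumed delays)
        if status != 200:
            raise RuntimeError(f"GET {url} failed with HTTP {status}")
        users.extend(body["items"])
        cursor = body.get("after_cursor")
        if not cursor:
            return users
```

Passing a different `get` lets the same loop run against a recorded fixture, which keeps the live API key out of test environments.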


* Details sourced from official product documentation and admin references.
