Replit User Management API Guide

Auth method: Not documented

User object field mapping is not yet verified for this app.

Endpoint coverage is not yet verified for this app.

• Rate limits: Not documented

• Rate-limit headers: No

• Retry-After header: No

• Rate-limit notes: Not documented

• Pagination method: none

• Default page size: 0

• Max page size: 0

• Pagination pointer: Not documented

• Webhooks available: No

• Webhook notes: No publicly documented webhook system for user-management events in Replit's official docs.

• Alternative event strategy: SCIM provisioning events (create/update/deactivate) are driven by the IdP (Okta, Entra ID) push rather than Replit-originated webhooks.

• SCIM available: Yes

• SCIM version: 2.0

• Plan required: Enterprise

• Endpoint: https://replit.com/scim/v2

• Supported operations: Create User (POST /Users), Get User (GET /Users/{id}), List Users (GET /Users), Update User (PUT /Users/{id}), Deactivate User (PATCH /Users/{id} active=false), Create Group (POST /Groups), Get Group (GET /Groups/{id}), List Groups (GET /Groups), Update Group Members (PATCH /Groups/{id}), Delete Group (DELETE /Groups/{id})

Limitations:

• Requires Enterprise plan; not available on Core or Teams plans.
• SSO/SAML must be configured and active before SCIM can be enabled.
• SCIM provisioning is built on WorkOS; configuration is done via the Replit Enterprise admin dashboard, not a self-serve API key.
• Supported IdPs are Okta and Microsoft Entra ID (Azure AD); Google Workspace and OneLogin are not officially supported.
• Hard-delete of users is not supported; deprovisioning sets active=false (deactivation only).
• Exact base URL and bearer token format are provisioned through the WorkOS/Replit admin setup flow and not publicly documented as a static endpoint; the URL above is inferred from WorkOS SCIM conventions and community references.
• No publicly documented rate limits specific to the SCIM endpoint.

Three primary integration scenarios are supported by the SCIM implementation.

First, provisioning a new employee via Okta: configure the SCIM base URL and bearer token in the Okta Replit app, enable Push Users and Push Groups, then assign the user - Okta POSTs to /Users and the account is created in Replit.

Second, deprovisioning via Entra ID: removing the user from the Entra application assignment triggers a PATCH /Users/{id} with active=false, revoking access while retaining the user's Repls.

Third, group sync: push an IdP group to /Groups, then manage membership via PATCH /Groups/{id} - group-to-team mapping is configured entirely in the IdP, not in Replit.

In all scenarios, SSO must be active before SCIM push will succeed; failure without SSO may be silent or return WorkOS-level errors.

Provision a new employee via Okta SCIM

1. Ensure Enterprise plan is active and SAML SSO is configured in Replit admin dashboard.
2. In Replit admin dashboard, navigate to Security > SCIM and generate a SCIM bearer token.
3. In Okta, add the Replit SCIM app, set the SCIM base URL to the provisioned endpoint, and paste the bearer token.
4. Enable 'Push Users' and 'Push Groups' in Okta provisioning settings.
5. Assign the Okta user to the Replit app; Okta POSTs to /Users, creating the account in Replit.
6. Verify the user appears in the Replit Enterprise admin user list.

Watch out for: If SSO is not yet active, SCIM provisioning will fail silently or return errors from WorkOS. Always validate SSO login before enabling SCIM push.

Deprovision a departing employee via Entra ID

1. In Entra ID (Azure AD), remove the user from the Replit Enterprise application assignment.
2. Entra ID sends a PATCH /Users/{id} with active=false to the Replit SCIM endpoint.
3. Replit deactivates the user account; the user loses access but their Repls are retained.
4. Confirm deactivation in Replit admin dashboard under Users.

Watch out for: Deactivation does not delete the user's Repls or transfer ownership. Plan a separate offboarding process for resource reassignment.

Sync a team group from IdP to Replit

1. Create a group in Okta or Entra ID representing the Replit team (e.g., 'Engineering').
2. Configure the IdP to push the group to the Replit SCIM endpoint (POST /Groups).
3. Add members to the IdP group; the IdP sends PATCH /Groups/{id} with member updates.
4. Verify group membership reflects in the Replit team in the admin dashboard.

Watch out for: Group-to-team mapping behavior depends on IdP push configuration. Replit does not support arbitrary group attribute mapping beyond standard SCIM group schema.

Replit's SCIM layer is the correct integration point for identity graph synchronization - mapping IdP group membership to Replit team access and keeping the identity graph consistent across systems - but it carries several non-obvious constraints.

The SCIM bearer token is generated inside the Replit Enterprise admin UI and must be rotated manually if compromised; there is no API-based token rotation. The base URL and token are provisioned through the WorkOS setup flow and are not static public endpoints, meaning automation that assumes a fixed URL must account for per-tenant provisioning.

No publicly documented rate limits exist for the SCIM endpoint, so implementers should apply conservative retry logic with exponential backoff. Deprovisioning does not clean up owned Repls or transfer resources, requiring a separate offboarding process outside the SCIM flow.

Any WorkOS SCIM attribute limitations - including unsupported custom schema extensions - apply directly to Replit's implementation.