Summary and recommendation
Sinch exposes a project-scoped member management API under https://us.api.sinch.com/projects/{projectId}/members.
Authentication uses OAuth 2.0 client_credentials grant - POST to https://auth.sinch.com/oauth2/token with client_id and client_secret to receive a Bearer token valid for 3600 seconds.
HTTP Basic Auth using Access Key ID and Secret is also supported.
Critical caveat: the Account/User Management API is architecturally separate from the communications APIs (SMS, Voice, Conversation).
Base URLs and auth tokens are not interchangeable across product surfaces.
Regional variants exist (eu.api.sinch.com) and must be selected to satisfy data residency requirements.
For teams building identity graph integrations, Sinch's user object carries user_id, email, role (OWNER, ADMIN, MEMBER, READONLY), status (ACTIVE, PENDING, SUSPENDED), and project_id
sufficient to map Sinch project membership into a cross-application identity graph alongside other SaaS entitlements.
API quick reference
| Has user API | Yes |
| Auth method | OAuth 2.0 (client_credentials grant using Access Key ID and Access Key Secret) or HTTP Basic Auth with Access Key ID and Secret |
| Base URL | Official docs |
| SCIM available | Yes |
| SCIM plan required | Enterprise (SSO prerequisite required) |
Authentication
Auth method: OAuth 2.0 (client_credentials grant using Access Key ID and Access Key Secret) or HTTP Basic Auth with Access Key ID and Secret
Setup steps
- Log in to the Sinch Customer Dashboard (dashboard.sinch.com).
- Navigate to Settings > Access Keys and create a new Access Key.
- Note the Key ID and Key Secret (secret shown only once).
- For OAuth 2.0: POST to https://auth.sinch.com/oauth2/token with grant_type=client_credentials, client_id=
, client_secret= to obtain a Bearer token. - Include the Bearer token in the Authorization header for subsequent API calls.
Required scopes
| Scope | Description | Required for |
|---|---|---|
| N/A – scope-based OAuth not publicly documented per official docs | Sinch uses project-level and role-based access control rather than explicit OAuth scopes in the token request | All API operations |
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| string | User's email address, used as login identifier | required | optional | Must be unique within the account | |
| display_name | string | Human-readable display name for the user | optional | optional | |
| role | string (enum) | User's role within the project or account (e.g., OWNER, ADMIN, MEMBER, READONLY) | required | optional | Role values are account-level or project-level |
| user_id | string | Unique identifier for the user within Sinch | server-assigned | immutable | |
| status | string (enum) | Account status (e.g., ACTIVE, PENDING, SUSPENDED) | server-assigned | optional | |
| project_id | string | The project the user is associated with | required (in URL path) | immutable | Users are scoped to projects |
| created_at | string (ISO 8601) | Timestamp when the user was created | server-assigned | immutable | |
| updated_at | string (ISO 8601) | Timestamp of last update | server-assigned | server-assigned |
Core endpoints
List members of a project
- Method: GET
- URL:
https://us.api.sinch.com/projects/{projectId}/members - Watch out for: Endpoint path and exact response schema not fully published; verify against current developer portal.
Request example
GET /projects/{projectId}/members
Authorization: Bearer <token>
Response example
{
"members": [
{"email":"user@example.com","role":"ADMIN","status":"ACTIVE"}
],
"next_page_token": "abc123"
}
Invite a user to a project
- Method: POST
- URL:
https://us.api.sinch.com/projects/{projectId}/members - Watch out for: Invited users receive an email and must accept before status changes from PENDING to ACTIVE.
Request example
POST /projects/{projectId}/members
Authorization: Bearer <token>
{
"email": "newuser@example.com",
"role": "MEMBER"
}
Response example
{
"email": "newuser@example.com",
"role": "MEMBER",
"status": "PENDING"
}
Update a project member's role
- Method: PATCH
- URL:
https://us.api.sinch.com/projects/{projectId}/members/{userId} - Watch out for: Only account OWNER or ADMIN roles can modify member roles.
Request example
PATCH /projects/{projectId}/members/{userId}
Authorization: Bearer <token>
{
"role": "READONLY"
}
Response example
{
"user_id": "usr_abc123",
"role": "READONLY",
"status": "ACTIVE"
}
Remove a member from a project
- Method: DELETE
- URL:
https://us.api.sinch.com/projects/{projectId}/members/{userId} - Watch out for: Removing a member does not delete the Sinch account; it only revokes project access.
Request example
DELETE /projects/{projectId}/members/{userId}
Authorization: Bearer <token>
Response example
HTTP 204 No Content
List Access Keys for a project
- Method: GET
- URL:
https://us.api.sinch.com/projects/{projectId}/access-keys - Watch out for: Key secrets are only returned at creation time and cannot be retrieved afterward.
Request example
GET /projects/{projectId}/access-keys
Authorization: Bearer <token>
Response example
{
"access_keys": [
{"key_id":"key_abc","display_name":"CI Key","created_at":"2024-01-01T00:00:00Z"}
]
}
Create an Access Key
- Method: POST
- URL:
https://us.api.sinch.com/projects/{projectId}/access-keys - Watch out for: Store key_secret immediately; it is not retrievable after this response.
Request example
POST /projects/{projectId}/access-keys
Authorization: Bearer <token>
{
"display_name": "My Service Key"
}
Response example
{
"key_id": "key_xyz",
"key_secret": "s3cr3t",
"display_name": "My Service Key"
}
Delete an Access Key
- Method: DELETE
- URL:
https://us.api.sinch.com/projects/{projectId}/access-keys/{keyId} - Watch out for: Deleting an active key immediately revokes all API calls using that key.
Request example
DELETE /projects/{projectId}/access-keys/{keyId}
Authorization: Bearer <token>
Response example
HTTP 204 No Content
Get OAuth 2.0 token
- Method: POST
- URL:
https://auth.sinch.com/oauth2/token - Watch out for: Token expiry is 3600 seconds; implement token refresh logic to avoid 401 errors mid-session.
Request example
POST /oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id=<key_id>&client_secret=<key_secret>
Response example
{
"access_token": "eyJ...",
"token_type": "bearer",
"expires_in": 3600
}
Rate limits, pagination, and events
Rate limits: Sinch does not publicly document specific rate limit values per endpoint in its developer docs. Rate limits are enforced but thresholds are not published.
Rate-limit headers: No
Retry-After header: No
Rate-limit notes: No explicit rate-limit headers or Retry-After behavior documented in official sources. Contact Sinch support for enterprise rate-limit details.
Pagination method: token
Default page size: 20
Max page size: 100
Pagination pointer: page_token
Webhooks available: No
Webhook notes: Sinch does not document account/user-management webhooks (e.g., user invited, role changed) in its official developer docs. Webhooks exist for communications events (SMS delivery, voice call status) but not for IAM events.
Alternative event strategy: Poll the members list endpoint or use SCIM provisioning (Enterprise) with an IdP that supports push events.
SCIM API status
SCIM available: Yes
SCIM version: 2.0
Plan required: Enterprise (SSO prerequisite required)
Endpoint: Connector-specific endpoint provided by Sinch upon Enterprise SSO setup; not a generic public URL
Supported operations: Create user, Update user, Deactivate user, List users
Limitations:
- Requires SSO (Okta or Microsoft Entra ID) to be configured first
- SCIM endpoint URL is provisioned per-customer and not publicly documented
- Group push support not confirmed in official docs
- Only available on Enterprise plan; not available on pay-as-you-go or self-serve tiers
Common scenarios
Three primary automation scenarios are supported by the documented API surface.
Onboard a team member: POST to /projects/{projectId}/members with email and role.
The invited user receives an email and must accept before status transitions from PENDING to ACTIVE.
There is no documented API to resend invitations;
use the dashboard for that edge case.
Rotate an Access Key: POST to /projects/{projectId}/access-keys to create a new key, capture key_secret immediately (it is never retrievable again), migrate all consumers, then DELETE the old key.
Deleting before migration causes immediate 401 failures across all dependent services.
Deprovision via SCIM (Enterprise only): Deactivate the user in Okta or Entra ID;
the IdP sends a SCIM PATCH (active=false) or DELETE to the Sinch SCIM endpoint.
The SCIM endpoint URL is customer-specific and provisioned by Sinch support - it cannot be self-configured via the dashboard.
Onboard a new team member to a Sinch project
- Authenticate: POST to https://auth.sinch.com/oauth2/token with client_credentials to obtain Bearer token.
- Invite user: POST to /projects/{projectId}/members with email and desired role.
- User receives invitation email and accepts; status transitions from PENDING to ACTIVE.
- Verify: GET /projects/{projectId}/members and confirm the user appears with ACTIVE status.
Watch out for: If the user does not accept the invitation, they remain PENDING and cannot access the project. There is no documented API to resend invitations; use the dashboard.
Rotate an API Access Key for a service account
- Authenticate with an existing ADMIN-level Bearer token.
- Create a new key: POST to /projects/{projectId}/access-keys with a display_name; store the returned key_secret immediately.
- Update all services to use the new key_id and key_secret.
- Delete the old key: DELETE /projects/{projectId}/access-keys/{oldKeyId}.
- Confirm deletion: GET /projects/{projectId}/access-keys and verify old key is absent.
Watch out for: Deleting the old key before updating services will cause immediate 401 failures. Ensure all consumers are migrated first.
Deprovision a user via SCIM (Enterprise)
- Ensure SSO and SCIM are configured in the Sinch Enterprise account with Okta or Entra ID.
- In the IdP, deactivate or remove the user from the Sinch application assignment.
- The IdP sends a SCIM PATCH (active=false) or DELETE to the Sinch SCIM endpoint.
- Sinch deactivates the user, revoking project access.
- Verify via the Sinch dashboard or GET /projects/{projectId}/members that the user status is SUSPENDED or removed.
Watch out for: SCIM endpoint URL is customer-specific and provided by Sinch support; it cannot be self-configured. SSO must be active or SCIM provisioning will not function.
Why building this yourself is a trap
Several non-obvious constraints create integration risk at scale. Pagination uses a page_token cursor with a default page size of 20 and a maximum of 100; callers must handle multi-page traversal to get a complete member list.
Rate limits are enforced but thresholds are not published in official documentation, and no Retry-After or rate-limit headers are returned - meaning backoff logic must be implemented defensively without guidance on safe retry intervals.
Exact endpoint paths for member management are not fully published in the public developer portal as of the research date; verify all paths against the latest API reference before shipping.
Additionally, removing a member from a project via DELETE does not delete the underlying Sinch account - the user retains their Sinch identity and may hold access to other projects, a gap that matters for thorough offboarding in an identity graph context.
SCIM group push support is not confirmed in official documentation, limiting IdP-driven role management to individual user operations only.
Automate Sinch workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
