
Spekit User Management API Guide

API workflow

How to automate user lifecycle operations through APIs with caveats that matter in production.

Updated Mar 16, 2026

Summary and recommendation

Spekit does not expose a public REST API for user management.

There is no developer portal, API reference, or SDK available.

All programmatic user lifecycle operations - provisioning, attribute updates, and deprovisioning - must route through SCIM 2.0 via a supported IdP (Okta, Azure AD/Entra, or OneLogin).

The SCIM endpoint URL and bearer token are generated inside the Spekit admin UI after SSO is configured; neither value is published in official documentation, and the token rotation procedure is not documented publicly.

Rate limits for the SCIM endpoint are also undocumented.

API quick reference

Has user API: No
SCIM available: Yes
SCIM plan required: Premium or Enterprise (SSO is a prerequisite; SCIM is documented as available on Premium/Enterprise tiers)

Authentication

Auth method: Not documented

User object / data model

User object field mapping is not yet verified for this app.

Core endpoints

Endpoint coverage is not yet verified for this app.

Rate limits, pagination, and events

  • Rate limits: Not documented

  • Rate-limit headers: No

  • Retry-After header: No

  • Rate-limit notes: Not documented

  • Pagination method: none

  • Default page size: 0

  • Max page size: 0

  • Pagination pointer: Not documented

  • Webhooks available: No

  • Webhook notes: No webhook or REST user-management API is documented in Spekit's official help center or developer resources.

  • Alternative event strategy: User lifecycle management is handled exclusively via SCIM 2.0 through a supported IdP (Okta, Azure AD/Entra, OneLogin).

SCIM API status

  • SCIM available: Yes

  • SCIM version: 2.0

  • Plan required: Premium or Enterprise (SSO is a prerequisite; SCIM is documented as available on Premium/Enterprise tiers)

  • Endpoint: Not documented

  • Supported operations: Create user, Update user attributes, Deactivate/deprovision user, Group push (where supported by IdP connector)

Limitations:

  • SCIM endpoint URL is generated per-IdP inside the Spekit admin UI; no single published base URL in official docs.
  • SSO must be configured before SCIM provisioning can be enabled.
  • Supported IdPs are Okta, Azure AD (Entra), and OneLogin; Google Workspace is not listed as supported.
  • No publicly documented SCIM bearer token rotation procedure in official help articles.
  • Rate limits for SCIM endpoint are not published in official documentation.
  • Specific SCIM attribute mappings beyond standard userName/email/name are not detailed in public docs.

Common scenarios

Three IdP-driven SCIM flows are supported.

For Okta: configure SAML/OIDC SSO first, generate the SCIM token and endpoint in Spekit admin, enter both in the Okta app integration under Provisioning → Integration, then enable Create, Update, and Deactivate operations before assigning users or groups.

For Azure AD/Entra deprovisioning: remove the user from the Spekit app assignment or disable the account in Entra; Entra sends a SCIM PATCH (active=false) or DELETE - the exact deactivation behavior (soft vs. hard delete) is not fully documented.

For OneLogin group push: after SSO and SCIM are configured, map OneLogin roles or groups to Spekit and verify that group provisioning is listed as a supported feature in the OneLogin app catalog for the specific connector version in use.

In all three scenarios, SSO must be fully active before SCIM can be enabled - this is a hard prerequisite, not a recommendation.

The SCIM bearer token is shown only once at generation time; store it in a secrets manager immediately.

Provision new employees via Okta

  1. Configure SSO for Spekit in Okta (SAML or OIDC) and verify SSO is active in Spekit admin.
  2. In Spekit admin settings, navigate to SCIM provisioning and generate a SCIM bearer token and endpoint URL.
  3. In Okta, open the Spekit app integration, go to Provisioning > Integration, and enter the SCIM base URL and bearer token.
  4. Enable 'Create Users', 'Update User Attributes', and 'Deactivate Users' in Okta provisioning settings.
  5. Assign users or groups to the Spekit app in Okta to trigger provisioning.

Watch out for: SSO must be active before SCIM setup; the SCIM token is only shown once at generation time - store it securely.

Deprovision departed employees via Azure AD (Entra)

  1. Ensure the Spekit Enterprise app in Entra ID has SCIM provisioning configured with the Spekit-generated endpoint and token.
  2. Remove the user from the Spekit app assignment in Entra ID or disable the user account.
  3. Entra ID sends a SCIM PATCH (active=false) or DELETE to Spekit, deactivating the user.

Watch out for: Deprovisioning behavior (soft deactivate vs. hard delete) depends on Spekit's SCIM implementation details, which are not fully documented publicly.
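
Because the soft-versus-hard behavior is undocumented, an offboarding audit can at least record which of the two requests the IdP actually sent. The following is an added example, not code from Spekit or from this guide: it classifies captured SCIM 2.0 requests using the standard RFC 7644 PatchOp message, accepting both the path and pathless forms of the `active` update and the string spelling of `false`. The `/scim/v2` base path, the user IDs, and the sample requests are constructed placeholders, since Spekit's real endpoint is generated per tenant.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def _is_false(value):
    # Accept JSON false and the string form ("False") that some clients emit.
    if isinstance(value, bool):
        return not value
    return isinstance(value, str) and value.strip().lower() == "false"

def classify_deprovision(method, path, body=None):
    """Classify what one SCIM request asks for: "hard-delete",
    "soft-deactivate" or "other". Says nothing about the server's response."""
    segments = [s for s in path.split("?")[0].split("/") if s]
    if len(segments) < 2 or segments[-2] != "Users":
        return "other"  # not a single-user resource
    if method.upper() == "DELETE":
        return "hard-delete"
    if method.upper() != "PATCH" or not body:
        return "other"
    try:
        doc = json.loads(body)
    except ValueError:
        return "other"
    if not isinstance(doc, dict) or PATCH_SCHEMA not in (doc.get("schemas") or []):
        return "other"
    for op in doc.get("Operations") or []:
        if not isinstance(op, dict) or str(op.get("op", "")).lower() != "replace":
            continue
        attr, value = op.get("path"), op.get("value")
        if isinstance(attr, str) and attr.lower() == "active":
            if _is_false(value):  # form 1: explicit path, scalar value
                return "soft-deactivate"
        elif attr is None and isinstance(value, dict):
            if _is_false(value.get("active")):  # form 2: no path, attribute object
                return "soft-deactivate"
    return "other"

# Constructed sample requests; "/scim/v2" is a placeholder base path.
_HDR = '{"schemas":["%s"],"Operations":[%%s]}' % PATCH_SCHEMA
SAMPLES = [
    ("PATCH", "/scim/v2/Users/u-1001", _HDR % '{"op":"Replace","path":"active","value":"False"}'),
    ("PATCH", "/scim/v2/Users/u-1002", _HDR % '{"op":"replace","value":{"active":false}}'),
    ("DELETE", "/scim/v2/Users/u-1003", None),
    ("PATCH", "/scim/v2/Users/u-1004", _HDR % '{"op":"replace","path":"title","value":"Lead"}'),
]

def summarize(samples=SAMPLES):
    return [classify_deprovision(m, p, b) for m, p, b in samples]
```

The verdict describes the request only; whether Spekit retains or removes the account afterwards still has to be confirmed in the Spekit admin UI.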

Push groups/teams via OneLogin

  1. Configure SSO and SCIM in Spekit admin; copy endpoint URL and bearer token.
  2. In OneLogin, add the Spekit connector and enter SCIM credentials.
  3. Map OneLogin roles or groups to Spekit and enable group push if supported by the connector.
  4. Assign users to the mapped roles to trigger provisioning and group membership sync.

Watch out for: Group push support depends on the specific OneLogin connector version for Spekit; verify in OneLogin's app catalog that group provisioning is listed as a supported feature.

Why building this yourself is a trap

The absence of a public REST API means Spekit cannot be integrated into an identity graph or automated provisioning pipeline without an intermediary IdP. Any workflow that attempts direct API-based user management will find no documented endpoints to call.

Google Workspace is not a supported IdP for SCIM, which is a hard blocker for Google-first organizations. Beyond IdP selection, the undocumented SCIM attribute mapping surface - only standard userName, email, and name fields are referenced publicly - limits how richly user records can be synchronized.

Teams building identity graph pipelines that depend on extended attribute fidelity (department, cost center, custom fields) should validate actual attribute support directly with Spekit before committing to an integration architecture.


* Details sourced from official product documentation and admin references.
