Terminus User Management API Guide

Auth method: Not documented

User object field mapping is not yet verified for this app.

Endpoint coverage is not yet verified for this app.

• Rate limits: Not documented

• Rate-limit headers: No

• Retry-After header: No

• Rate-limit notes: Not documented

• Pagination method: none

• Default page size: 0

• Max page size: 0

• Pagination pointer: Not documented

• Webhooks available: No

• Webhook notes: No publicly documented webhook system for user lifecycle events found in official Terminus documentation.

• Alternative event strategy: User provisioning and deprovisioning must be performed manually via the Terminus UI or through SSO/SAML-based authentication (Okta, Entra, OneLogin). No SCIM or webhook automation is documented.

• SCIM available: No
• SCIM version: Not documented
• Plan required: Enterprise
• Endpoint: Not documented

Limitations:

• No SCIM provisioning is documented in official Terminus help or developer resources.
• SSO via SAML is supported (Okta, Entra, OneLogin) but does not include automated user provisioning/deprovisioning via SCIM.
• Enterprise plan context noted from pricing data but SCIM availability is not confirmed by official documentation.

Three scenarios are relevant for identity graph reconciliation against Terminus.

First, SSO onboarding: configure SAML in the Terminus admin panel, assign the user in your IdP, and manually assign roles post-first-login

JIT provisioning behavior is undocumented and should be confirmed with Terminus support.

Second, deprovisioning: disable the user in your IdP to block future logins, then manually deactivate the account in the Terminus UI;

without SCIM, IdP revocation alone does not close the Terminus session or record.

Third, bulk audit: user listing must be performed through the Terminus admin UI export function if available, or via a support-requested data export - no programmatic listing endpoint exists.

Onboard a new user via SSO

1. Configure SAML SSO in Terminus admin settings using your IdP (Okta, Entra, or OneLogin).
2. Assign the user to the Terminus application in your IdP.
3. User authenticates via IdP-initiated or SP-initiated SAML flow; Terminus creates a session.
4. Manually assign roles/permissions within the Terminus UI after first login if JIT provisioning is not configured.

Watch out for: Just-in-time (JIT) provisioning behavior via SAML is not explicitly documented; confirm with Terminus support whether user records are auto-created on first SSO login.

Deprovision a user

1. Remove or disable the user in your IdP to prevent future SSO logins.
2. Manually deactivate or remove the user account in the Terminus admin UI.
3. No automated deprovisioning via SCIM is available.

Watch out for: Without SCIM, revoking IdP access does not automatically deactivate the Terminus account; manual UI action is required to fully deprovision.

Bulk user audit

1. Navigate to the Terminus admin user management section in the UI.
2. Export user list if the UI provides an export function.
3. No API-based bulk user query is publicly documented.

Watch out for: No programmatic user listing endpoint is available; audits must be performed through the UI or by contacting Terminus support for data exports.

The core integration trap here is assuming SAML SSO provides full lifecycle coverage. It does not: a user removed from your IdP retains an active Terminus account until a separate manual UI action is taken.

For teams building an identity graph with 60+ deep IT/identity integrations via an MCP server, Terminus will appear as a coverage gap - no SCIM operations to sync, no API to poll for user state, and no webhooks to trigger deprovisioning workflows.

Until Terminus documents a provisioning API or confirms SCIM availability, treat this app as requiring a manual reconciliation step in any identity audit pipeline.