Summary and recommendation
Tines exposes a REST API at https://<tenant>.tines.com/api/v1 authenticated via Bearer token.
All user-management operations - list, get, create, update, delete - are available under /api/v1/users.
Team membership is a separate resource: creating a user and assigning them to a team are two distinct API calls (POST /users then POST /teams/{team_id}/memberships).
No official SDK is published;
all integrations require raw HTTP.
Tokens are user-scoped, so admin-level tokens are required for any user-management operation.
SCIM and REST API tokens are distinct credential types - do not interchange them.
For teams building against an identity graph, the user object exposes id, email, role, team_ids, active, created_at, and updated_at - enough to construct a normalized user-to-team membership graph across your tenant.
Paginate with page and per_page (max 500) and check meta.total_pages to determine full traversal depth.
API quick reference
| Has user API | Yes |
| Auth method | API token (Bearer token in Authorization header) |
| Base URL | Official docs |
| SCIM available | Yes |
| SCIM plan required | Enterprise |
Authentication
Auth method: API token (Bearer token in Authorization header)
Setup steps
- Log in to your Tines tenant as an admin.
- Navigate to your user profile and select 'API Tokens'.
- Generate a new API token and copy the value.
- Include the token in all API requests as: Authorization: Bearer
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| id | integer | Unique user identifier | auto-assigned | immutable | |
| string | User's email address | required | optional | Must be unique within the tenant | |
| first_name | string | User's first name | required | optional | |
| last_name | string | User's last name | required | optional | |
| role | string | User role within the tenant (e.g., admin, member) | optional | optional | |
| team_ids | array[integer] | IDs of teams the user belongs to | optional | optional | |
| created_at | string (ISO 8601) | Timestamp of user creation | auto-assigned | immutable | |
| updated_at | string (ISO 8601) | Timestamp of last update | auto-assigned | auto-updated | |
| active | boolean | Whether the user account is active | optional | optional | Used by SCIM for deprovisioning |
Core endpoints
List users
- Method: GET
- URL:
https://<tenant>.tines.com/api/v1/users - Watch out for: Pagination uses page/per_page query params; max per_page is 500.
Request example
GET /api/v1/users?page=1&per_page=20
Authorization: Bearer <token>
Response example
{
"users": [{"id": 1, "email": "user@example.com", "first_name": "Jane", "last_name": "Doe"}],
"meta": {"current_page": 1, "total_pages": 3}
}
Get user
- Method: GET
- URL:
https://<tenant>.tines.com/api/v1/users/{user_id} - Watch out for: Returns 404 if user_id does not exist in the tenant.
Request example
GET /api/v1/users/42
Authorization: Bearer <token>
Response example
{
"id": 42,
"email": "user@example.com",
"first_name": "Jane",
"last_name": "Doe",
"role": "member"
}
Create user
- Method: POST
- URL:
https://<tenant>.tines.com/api/v1/users - Watch out for: An invitation email is sent to the new user upon creation.
Request example
POST /api/v1/users
Authorization: Bearer <token>
Content-Type: application/json
{"email":"new@example.com","first_name":"John","last_name":"Smith","role":"member"}
Response example
{
"id": 99,
"email": "new@example.com",
"first_name": "John",
"last_name": "Smith",
"role": "member"
}
Update user
- Method: PUT
- URL:
https://<tenant>.tines.com/api/v1/users/{user_id} - Watch out for: Only fields included in the request body are updated.
Request example
PUT /api/v1/users/99
Authorization: Bearer <token>
Content-Type: application/json
{"role":"admin"}
Response example
{
"id": 99,
"email": "new@example.com",
"role": "admin"
}
Delete user
- Method: DELETE
- URL:
https://<tenant>.tines.com/api/v1/users/{user_id} - Watch out for: Deletion is permanent; consider deactivating via SCIM for reversible deprovisioning.
Request example
DELETE /api/v1/users/99
Authorization: Bearer <token>
Response example
HTTP 204 No Content
List teams
- Method: GET
- URL:
https://<tenant>.tines.com/api/v1/teams - Watch out for: Team membership is managed separately via team-specific endpoints.
Request example
GET /api/v1/teams
Authorization: Bearer <token>
Response example
{
"teams": [{"id": 5, "name": "Security Ops"}]
}
Add user to team
- Method: POST
- URL:
https://<tenant>.tines.com/api/v1/teams/{team_id}/memberships - Watch out for: User must already exist in the tenant before being added to a team.
Request example
POST /api/v1/teams/5/memberships
Authorization: Bearer <token>
Content-Type: application/json
{"user_id": 99}
Response example
{
"team_id": 5,
"user_id": 99
}
Remove user from team
- Method: DELETE
- URL:
https://<tenant>.tines.com/api/v1/teams/{team_id}/memberships/{user_id} - Watch out for: Does not delete the user from the tenant, only removes team membership.
Request example
DELETE /api/v1/teams/5/memberships/99
Authorization: Bearer <token>
Response example
HTTP 204 No Content
Rate limits, pagination, and events
Rate limits: Tines does not publicly document specific rate limit thresholds or per-plan tiers in its official docs as of the research date.
Rate-limit headers: Unknown
Retry-After header: Unknown
Rate-limit notes: No explicit rate limit values, headers, or Retry-After behavior documented in official sources.
Pagination method: offset
Default page size: 20
Max page size: 500
Pagination pointer: per_page / page
Webhooks available: No
Webhook notes: Tines does not expose outbound webhook events for user-management lifecycle events (create, update, delete) via its API. Tines itself is a workflow automation platform that receives webhooks as triggers for stories.
Alternative event strategy: Use Tines stories (workflows) with scheduled or event-driven triggers to poll the Users API and react to changes.
SCIM API status
SCIM available: Yes
SCIM version: 2.0
Plan required: Enterprise
Endpoint: https://
.tines.com/scim/v2 Supported operations: GET /Users (list users), GET /Users/{id} (get user), POST /Users (create/provision user), PUT /Users/{id} (replace user), PATCH /Users/{id} (update user attributes or deactivate), DELETE /Users/{id} (deprovision user), GET /Groups (list groups/teams), POST /Groups (create group), PATCH /Groups/{id} (update group membership), DELETE /Groups/{id} (delete group)
Limitations:
- Requires Enterprise plan.
- SSO must be configured and enabled before SCIM provisioning can be activated.
- SCIM token is generated separately from standard API tokens within the admin SSO settings.
- IdP-specific connector setup (e.g., Okta, Azure AD) is required on the IdP side; Tines does not publish pre-built IdP app catalog entries in its docs.
Common scenarios
Three integration patterns cover the majority of use cases.
For bulk onboarding, POST to /api/v1/users per user with email, first_name, last_name, and role, capture the returned id, then POST to /api/v1/teams/{team_id}/memberships
note that each user creation triggers an invitation email, so time bulk runs accordingly.
For deprovisioning on Enterprise, the preferred path is SCIM PATCH with active=false via the IdP rather than a REST DELETE, which is irreversible and does not support rollback.
For tenant audits, paginate GET /api/v1/users?page=1&per_page=500, iterate until meta.total_pages is exhausted, and extract id, email, role, and created_at for downstream logging.
Bulk onboard new team members via REST API
- Authenticate with an admin-scoped Bearer token.
- POST /api/v1/users for each new user with email, first_name, last_name, and role.
- Capture the returned user id for each created user.
- POST /api/v1/teams/{team_id}/memberships with each user_id to assign team membership.
Watch out for: Each POST /users triggers an invitation email; ensure users are ready to receive it before bulk creation.
Deprovision a user via SCIM (Enterprise)
- Ensure SSO and SCIM are configured in Tines admin settings.
- From the IdP (e.g., Okta), unassign the user from the Tines SCIM application.
- The IdP sends a PATCH /scim/v2/Users/{id} with active=false to Tines.
- Tines deactivates the user account without permanently deleting it.
Watch out for: SCIM deprovisioning only deactivates the account; a separate DELETE may be needed for full removal depending on compliance requirements.
Audit all users in a tenant
- GET /api/v1/users?page=1&per_page=500 with admin Bearer token.
- Check meta.total_pages in the response to determine if additional pages exist.
- Iterate through all pages by incrementing the page parameter until all users are retrieved.
- Process the users array to extract id, email, role, and created_at fields for audit logging.
Watch out for: per_page maximum is 500; large tenants will require multiple paginated requests.
Why building this yourself is a trap
The primary API trap is conflating deprovisioning methods. A REST DELETE on /api/v1/users/{user_id} is permanent with no soft-disable state; if reversibility matters for compliance, use SCIM PATCH (active=false) instead - but that path requires Enterprise and a fully configured SSO setup as a hard prerequisite.
A second trap: rate limits are not publicly documented, so any integration that does not implement exponential backoff is operating without a safety net.
A third: the base URL is tenant-specific (
Teams integrating Tines into a broader identity graph via an MCP server with 60+ deep IT/identity integrations should account for the SSO-first SCIM dependency when modeling provisioning state.
Automate Tines workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
