Summary and recommendation
W&B exposes user lifecycle management exclusively through a SCIM 2.0 API at `https://api.wandb.ai/scim/v2`, available on Enterprise plans only.
There is no documented public REST API for user management outside of SCIM;
the internal GraphQL API used by the W&B UI is unsupported for production use.
Authentication requires a service account API key passed as a Bearer token - personal user API keys may lack the org-admin privilege level required by SCIM endpoints.
W&B API keys carry full user-level permissions with no scope restriction, which means key compromise has broad blast radius;
rotate service account keys regularly.
Rate limits are not publicly documented;
implement exponential backoff in any provisioning workflow.
The SCIM user object exposes standard fields (`id`, `userName`, `emails`, `active`, `externalId`, `groups`, `meta.created`, `meta.lastModified`) that map cleanly into an identity graph for cross-system user state reconciliation.
API quick reference
| Has user API | Yes |
| Auth method | API Key (Bearer token via HTTP Authorization header or WANDB_API_KEY environment variable) |
| Base URL | Official docs |
| SCIM available | Yes |
| SCIM plan required | Enterprise |
Authentication
Auth method: API Key (Bearer token via HTTP Authorization header or WANDB_API_KEY environment variable)
Setup steps
- Log in to your W&B account at https://wandb.ai
- Navigate to User Settings > API Keys (https://wandb.ai/settings)
- Click 'New API Key' to generate a key
- Store the key securely; it is shown only once
- Pass the key as Authorization: Bearer
in HTTP headers, or set WANDB_API_KEY environment variable for SDK use - For service accounts (Enterprise), generate a service account API key from the organization or team settings page
Required scopes
| Scope | Description | Required for |
|---|---|---|
| N/A | W&B API keys are not scope-limited; they carry the full permissions of the generating user or service account | All API operations |
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| id | string | Unique W&B user identifier | system-assigned | immutable | Used as SCIM resource ID |
| userName | string | Unique username / login handle | required | supported | Maps to SCIM userName attribute; typically email address |
| emails | array | List of email objects with value and primary flag | required | supported | Primary email used for login and notifications |
| displayName | string | Human-readable full name | optional | supported | Shown in W&B UI |
| name.givenName | string | First name | optional | supported | SCIM name sub-attribute |
| name.familyName | string | Last name | optional | supported | SCIM name sub-attribute |
| active | boolean | Whether the user account is active | defaults to true | supported (set false to deactivate) | Setting active=false deactivates the user without deleting them |
| externalId | string | Identifier from the external IdP (e.g., Okta user ID) | optional | supported | Used to correlate W&B user with IdP identity |
| groups | array | Groups/teams the user belongs to | optional | managed via Group SCIM endpoints | Read via SCIM; membership managed through Group resources |
| meta.created | datetime (ISO 8601) | Timestamp when the user was created | system-assigned | immutable | SCIM meta attribute |
| meta.lastModified | datetime (ISO 8601) | Timestamp of last modification | system-assigned | system-assigned | SCIM meta attribute |
| meta.resourceType | string | Always 'User' for user resources | system-assigned | immutable | SCIM meta attribute |
Core endpoints
List Users (SCIM)
- Method: GET
- URL:
https://api.wandb.ai/scim/v2/Users - Watch out for: Requires a service account API key with org-level admin permissions; personal API keys may lack sufficient privilege.
Request example
GET /scim/v2/Users?startIndex=1&count=20
Authorization: Bearer <SERVICE_ACCOUNT_API_KEY>
Accept: application/scim+json
Response example
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"totalResults": 42,
"startIndex": 1,
"itemsPerPage": 20,
"Resources": [{"id":"abc123","userName":"user@example.com","active":true}]
}
Get User by ID (SCIM)
- Method: GET
- URL:
https://api.wandb.ai/scim/v2/Users/{id} - Watch out for: The {id} is the W&B internal user ID, not the email address.
Request example
GET /scim/v2/Users/abc123
Authorization: Bearer <SERVICE_ACCOUNT_API_KEY>
Accept: application/scim+json
Response example
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": "abc123",
"userName": "user@example.com",
"active": true,
"emails": [{"value":"user@example.com","primary":true}]
}
Create User (SCIM)
- Method: POST
- URL:
https://api.wandb.ai/scim/v2/Users - Watch out for: User is provisioned into the organization associated with the service account's API key. Seat licensing applies.
Request example
POST /scim/v2/Users
Authorization: Bearer <SERVICE_ACCOUNT_API_KEY>
Content-Type: application/scim+json
{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"newuser@example.com","emails":[{"value":"newuser@example.com","primary":true}],"active":true}
Response example
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": "xyz789",
"userName": "newuser@example.com",
"active": true
}
Update User (SCIM PATCH)
- Method: PATCH
- URL:
https://api.wandb.ai/scim/v2/Users/{id} - Watch out for: Use PATCH with op=replace and active=false to deactivate (soft-delete) a user rather than DELETE.
Request example
PATCH /scim/v2/Users/xyz789
Authorization: Bearer <SERVICE_ACCOUNT_API_KEY>
Content-Type: application/scim+json
{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"replace","path":"active","value":false}]}
Response example
{
"id": "xyz789",
"userName": "newuser@example.com",
"active": false
}
Delete User (SCIM)
- Method: DELETE
- URL:
https://api.wandb.ai/scim/v2/Users/{id} - Watch out for: Permanently removes the user from the organization. Prefer PATCH active=false for reversible deactivation.
Request example
DELETE /scim/v2/Users/xyz789
Authorization: Bearer <SERVICE_ACCOUNT_API_KEY>
Response example
HTTP 204 No Content
List Groups (SCIM)
- Method: GET
- URL:
https://api.wandb.ai/scim/v2/Groups - Watch out for: Groups in W&B SCIM correspond to W&B Teams. Group membership changes affect team access to projects.
Request example
GET /scim/v2/Groups?startIndex=1&count=20
Authorization: Bearer <SERVICE_ACCOUNT_API_KEY>
Accept: application/scim+json
Response example
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"totalResults": 5,
"Resources": [{"id":"grp1","displayName":"ml-team","members":[]}]
}
Create Group (SCIM)
- Method: POST
- URL:
https://api.wandb.ai/scim/v2/Groups - Watch out for: Member values must be W&B internal user IDs, not email addresses.
Request example
POST /scim/v2/Groups
Authorization: Bearer <SERVICE_ACCOUNT_API_KEY>
Content-Type: application/scim+json
{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"displayName":"new-team","members":[{"value":"abc123"}]}
Response example
{
"id": "grp2",
"displayName": "new-team",
"members": [{"value":"abc123","display":"user@example.com"}]
}
Filter Users by userName (SCIM)
- Method: GET
- URL:
https://api.wandb.ai/scim/v2/Users?filter=userName+eq+%22user@example.com%22 - Watch out for: SCIM filter support may be limited to userName eq; complex filter expressions are not confirmed in official docs.
Request example
GET /scim/v2/Users?filter=userName+eq+%22user@example.com%22
Authorization: Bearer <SERVICE_ACCOUNT_API_KEY>
Response example
{
"totalResults": 1,
"Resources": [{"id":"abc123","userName":"user@example.com","active":true}]
}
Rate limits, pagination, and events
Rate limits: W&B does not publicly document specific rate limit values or tiers in official docs as of the knowledge cutoff.
Rate-limit headers: No
Retry-After header: No
Rate-limit notes: No official rate limit figures, headers, or Retry-After behavior documented publicly. Contact W&B support for enterprise rate limit details.
Pagination method: cursor
Default page size: 0
Max page size: 0
Pagination pointer: cursor / after (GraphQL-style pagination used in the internal API; SCIM uses startIndex + count per SCIM 2.0 spec)
Webhooks available: No
Webhook notes: W&B does not document a native webhook system for user lifecycle events in official documentation.
Alternative event strategy: Use SCIM provisioning via an IdP (e.g., Okta, Azure AD) to trigger user lifecycle actions, or poll the SCIM /Users endpoint for changes.
SCIM API status
SCIM available: Yes
SCIM version: 2.0
Plan required: Enterprise
Endpoint: https://api.wandb.ai/scim/v2
Supported operations: GET /Users (list), GET /Users/{id}, POST /Users (create), PATCH /Users/{id} (update/deactivate), DELETE /Users/{id}, GET /Groups (list), GET /Groups/{id}, POST /Groups (create), PATCH /Groups/{id} (update membership), DELETE /Groups/{id}
Limitations:
- Only available on Enterprise plan
- Requires a service account API key with organization admin privileges
- SCIM filter support is limited; complex filter expressions not confirmed
- Groups map to W&B Teams; not all team settings are manageable via SCIM
- No official documentation of SCIM schema discovery endpoint (/ServiceProviderConfig, /Schemas) behavior
- PUT (full replace) for Users/Groups not confirmed; PATCH is the documented update method
Common scenarios
Three provisioning patterns cover the majority of operational needs.
For new-hire provisioning: POST to /scim/v2/Users with userName, emails, and active=true, capture the returned W&B id, then PATCH /scim/v2/Groups/{team_id} to add the user to the correct team
team membership is never implicit from org provisioning.
For offboarding: resolve the W&B id via GET /scim/v2/Users?filter=userName+eq+"user@example.com", then PATCH active=false for reversible deactivation;
use DELETE only when data retention policy explicitly permits permanent removal, as it is irreversible.
For IdP-driven group sync (Okta, Azure AD): configure the SCIM connector with base URL https://api.wandb.ai/scim/v2 and the service account key as the bearer token, map IdP groups to W&B Teams before the initial sync, and validate that team names align
mismatched names on first sync will create duplicate teams.
SCIM Groups map 1:1 to W&B Teams;
all project access flows through team membership, not org membership alone.
Provision a new employee into W&B via SCIM
- Obtain a service account API key from W&B org admin settings (Enterprise required).
- POST to https://api.wandb.ai/scim/v2/Users with userName (email), emails array, and active=true.
- Capture the returned W&B user id from the response.
- PATCH https://api.wandb.ai/scim/v2/Groups/{team_id} with op=add, path=members, value=[{"value": "
"}] to add the user to the appropriate team. - Verify access by checking GET /scim/v2/Users/{id} returns active=true and correct group membership.
Watch out for: Team membership (Groups) must be set separately after user creation; creating a user does not auto-assign them to any team.
Deprovision a departing employee
- Look up the user's W&B ID via GET /scim/v2/Users?filter=userName+eq+%22user@example.com%22.
- PATCH /scim/v2/Users/{id} with op=replace, path=active, value=false to deactivate the account.
- Optionally DELETE /scim/v2/Users/{id} for permanent removal if data retention policy allows.
- Confirm deactivation via GET /scim/v2/Users/{id} and verify active=false.
Watch out for: DELETE is irreversible. Prefer active=false deactivation to preserve audit history and allow reactivation if needed.
Sync IdP groups to W&B Teams via SCIM
- Configure your IdP (e.g., Okta, Azure AD) SCIM connector with base URL https://api.wandb.ai/scim/v2 and the service account API key as the bearer token.
- Map IdP groups to W&B Teams in the IdP SCIM app configuration.
- Trigger a full sync in the IdP to push all assigned users and group memberships to W&B.
- Validate in W&B org admin UI that teams and members reflect the IdP state.
- Enable ongoing push provisioning in the IdP so future group changes propagate automatically.
Watch out for: W&B SCIM Groups map 1:1 to W&B Teams; ensure IdP group names match intended W&B team names before initial sync to avoid duplicate team creation.
Why building this yourself is a trap
The primary operational trap is the org/team membership split: a user provisioned into the org via SCIM has no project access until separately added to at least one team (Group). Automations that only call POST /scim/v2/Users and consider the job done will produce users who can authenticate but cannot reach any data.
A secondary trap is deactivation semantics: PATCH active=false deactivates login but W&B does not confirm immediate seat release - verify seat-count behavior with W&B support before relying on deactivation for cost control. SCIM filter support is confirmed only for userName eq; complex filter expressions are not documented and should not be assumed.
The Terraform provider (wandb/wandb) is the recommended IaC path for bulk user and team management and may expose operations unavailable through raw SCIM - evaluate it before building a custom SCIM integration from scratch.
Automate Weights & Biases workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
