Summary and recommendation
Zapier exposes user management exclusively through a SCIM 2.0 API at `https://scim.zapier.com/scim/v2`; there is no separate general-purpose REST user API. Access requires an Enterprise plan and a fully configured SAML SSO setup - SCIM cannot be enabled without SSO in place.
Authentication is a static Bearer token (API key) generated in Company Settings → Provisioning; there is no OAuth flow for this surface. This SCIM endpoint is the integration point for building or extending an identity graph that tracks Zapier seat state alongside other SaaS provisioning records.
API quick reference
| Item | Value |
|---|---|
| Has user API | Yes |
| Auth method | API Key (Bearer token in Authorization header) |
| Base URL | Official docs |
| SCIM available | Yes |
| SCIM plan required | Enterprise |
Authentication
Auth method: API Key (Bearer token in Authorization header)
Setup steps
- Upgrade to Zapier Enterprise plan.
- Configure SAML SSO for your organization (required prerequisite before SCIM can be enabled).
- In Zapier Company Settings, navigate to 'Provisioning' and enable SCIM.
- Copy the generated SCIM API key (Bearer token) displayed in the provisioning settings.
- Supply the base URL (https://scim.zapier.com/scim/v2) and the Bearer token in your IdP or HTTP client.
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| id | string | Zapier-assigned unique user identifier | server-generated | immutable | Returned by Zapier; do not supply on create. |
| userName | string | User's email address used as the unique login identifier | required | supported | Must match the email domain verified for the Enterprise org. |
| name.givenName | string | User's first name | optional | supported | |
| name.familyName | string | User's last name | optional | supported | |
| emails[0].value | string | Primary email address | required | supported | Should match userName. |
| emails[0].primary | boolean | Marks the email as primary | required | supported | Set to true for the primary email. |
| active | boolean | Whether the user account is active | optional | supported | Setting to false deactivates (deprovisions) the user. |
| schemas | array | SCIM schema URNs | required | required | Must include urn:ietf:params:scim:schemas:core:2.0:User. |
| externalId | string | IdP-assigned external identifier for the user | optional | supported | Used by IdPs (Okta, Azure AD, OneLogin) to correlate records. |
| groups | array | Groups the user belongs to (read-only on User resource) | read-only | read-only | Manage group membership via the Group resource. |
Core endpoints
List Users
- Method: GET
- URL: https://scim.zapier.com/scim/v2/Users
- Watch out for: Pagination uses SCIM standard startIndex (1-based) and count parameters.
Request example
```http
GET /scim/v2/Users?startIndex=1&count=10
Authorization: Bearer <api_key>
```
Response example
```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 42,
  "startIndex": 1,
  "itemsPerPage": 10,
  "Resources": [{"id": "abc123", "userName": "user@example.com"}]
}
```
Get User
- Method: GET
- URL: https://scim.zapier.com/scim/v2/Users/{id}
- Watch out for: Use Zapier's internal id (not externalId) in the URL path.
Request example
```http
GET /scim/v2/Users/abc123
Authorization: Bearer <api_key>
```
Response example
```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "abc123",
  "userName": "user@example.com",
  "active": true
}
```
Create User
- Method: POST
- URL: https://scim.zapier.com/scim/v2/Users
- Watch out for: User's email domain must belong to the verified Enterprise organization domain.
Request example
```http
POST /scim/v2/Users
Authorization: Bearer <api_key>
Content-Type: application/scim+json

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "newuser@example.com",
  "active": true
}
```
Response example
```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "xyz789",
  "userName": "newuser@example.com",
  "active": true
}
```
Update User (full replace)
- Method: PUT
- URL: https://scim.zapier.com/scim/v2/Users/{id}
- Watch out for: PUT replaces the full user object; omitted optional fields may be cleared.
Request example
```http
PUT /scim/v2/Users/xyz789
Authorization: Bearer <api_key>
Content-Type: application/scim+json

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "newuser@example.com",
  "active": true,
  "name": {"givenName": "Jane", "familyName": "Doe"}
}
```
Response example
```json
{
  "id": "xyz789",
  "userName": "newuser@example.com",
  "active": true
}
```
Update User (partial)
- Method: PATCH
- URL: https://scim.zapier.com/scim/v2/Users/{id}
- Watch out for: Primary use case is deactivating users by setting active=false (deprovision).
Request example
```http
PATCH /scim/v2/Users/xyz789
Authorization: Bearer <api_key>
Content-Type: application/scim+json

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{"op": "replace", "path": "active", "value": false}]
}
```
Response example
```json
{
  "id": "xyz789",
  "userName": "newuser@example.com",
  "active": false
}
```
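The PUT and PATCH behaviour described above, as an added Python example (not code from Zapier or from this page): it lists the attributes a full-replace PUT body would leave out, and builds the minimal PatchOp body instead. The function names and the sample record are assumptions constructed for illustration.

```python
NOT_PATCHABLE = {"id", "groups"}  # immutable / read-only in the data model table
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def flatten(resource, prefix=""):
    """Flatten nested objects into SCIM dotted paths such as name.givenName.
    Lists (e.g. emails) are kept whole and treated as a single value."""
    flat = {}
    for key, value in resource.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = value
    return flat

def dropped_by_put(current, put_body):
    """Attributes set on the stored user but absent from a PUT body; a full
    replace may clear them."""
    skip = NOT_PATCHABLE | {"schemas"}
    sent = flatten(put_body)
    return sorted(p for p in flatten(current)
                  if p not in sent and p.split(".")[0] not in skip)

def build_patch(current, changes):
    """Return a PatchOp body with one replace per attribute that actually
    changes, or None when there is nothing to send."""
    cur, ops = flatten(current), []
    for path, value in sorted(flatten(changes).items()):
        if path.split(".")[0] in NOT_PATCHABLE:
            raise ValueError(f"{path} is server-managed and cannot be patched")
        if cur.get(path) != value:
            ops.append({"op": "replace", "path": path, "value": value})
    return {"schemas": [PATCH_SCHEMA], "Operations": ops} if ops else None

# Constructed record: what GET /Users/xyz789 might return (values are made up).
CURRENT = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "xyz789", "userName": "newuser@example.com", "active": True,
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "externalId": "idp-0001",
}
# A PUT that only meant to deactivate the user, omitting name and externalId.
NAIVE_PUT = {"schemas": CURRENT["schemas"],
             "userName": "newuser@example.com", "active": False}

if __name__ == "__main__":
    print(dropped_by_put(CURRENT, NAIVE_PUT))
    print(build_patch(CURRENT, {"active": False}))
```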
Delete User
- Method: DELETE
- URL: https://scim.zapier.com/scim/v2/Users/{id}
- Watch out for: Zapier's recommended deprovision method is PATCH active=false rather than DELETE; verify behavior with Zapier support before using DELETE in production.
Request example
```http
DELETE /scim/v2/Users/xyz789
Authorization: Bearer <api_key>
```
Response example
```http
HTTP 204 No Content
```
List Groups
- Method: GET
- URL: https://scim.zapier.com/scim/v2/Groups
- Watch out for: Group support scope (create/update/delete) should be verified with Zapier; not all SCIM Group operations may be fully supported.
Request example
```http
GET /scim/v2/Groups
Authorization: Bearer <api_key>
```
Response example
```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 3,
  "Resources": [{"id": "grp1", "displayName": "Engineering"}]
}
```
Get ServiceProviderConfig
- Method: GET
- URL: https://scim.zapier.com/scim/v2/ServiceProviderConfig
- Watch out for: Use this endpoint to discover which SCIM features Zapier's implementation actually supports before building integrations.
Request example
```http
GET /scim/v2/ServiceProviderConfig
Authorization: Bearer <api_key>
```
Response example
```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
  "patch": {"supported": true},
  "bulk": {"supported": false}
}
```
Rate limits, pagination, and events
Rate limits: Zapier does not publicly document specific rate limits for the SCIM API. Standard SCIM provisioning rate limits apply as enforced by Zapier's infrastructure; no official numbers are published.
Rate-limit headers: Unknown
Retry-After header: Unknown
Rate-limit notes: No publicly documented rate limit figures. Contact Zapier Enterprise support for specifics.
Pagination method: offset
Default page size: 100
Max page size: Not documented
Pagination pointer: startIndex / count (SCIM 2.0 standard parameters)
Webhooks available: No
Webhook notes: Zapier does not expose outbound webhooks from its SCIM/user-management API. Zapier's platform is itself a webhook/automation tool, but the SCIM provisioning endpoint is inbound-only (IdP pushes changes to Zapier).
Alternative event strategy: Use your IdP's (Okta, Azure AD, OneLogin) provisioning logs and event hooks to monitor SCIM sync activity.
SCIM API status
SCIM available: Yes
SCIM version: 2.0
Plan required: Enterprise
Endpoint: https://scim.zapier.com/scim/v2
Supported operations: GET /Users (list), GET /Users/{id} (read), POST /Users (create), PUT /Users/{id} (full update), PATCH /Users/{id} (partial update / deactivate), DELETE /Users/{id} (delete), GET /Groups (list), GET /ServiceProviderConfig
Limitations:
- Requires SAML SSO to be configured before SCIM can be enabled.
- Enterprise plan required; not available on Free, Professional, or Team plans.
- API key is a static Bearer token generated in Company Settings; no OAuth flow for SCIM.
- Officially tested IdPs: Okta, Azure AD (Entra ID), OneLogin. Google Workspace SCIM not listed as supported.
- Bulk SCIM operations (POST /Bulk) not confirmed as supported.
- Group provisioning support scope not fully documented publicly; verify with Zapier Enterprise support.
- No publicly documented rate limits for the SCIM endpoint.
Common scenarios
Three primary automation scenarios are supported by the documented endpoints. Provisioning: assign a user in Okta/Azure AD/OneLogin → IdP sends POST /Users → Zapier creates the account; the user's email domain must match the verified Enterprise domain or the request fails.
Deprovisioning: unassign or deactivate in the IdP → IdP sends PATCH /Users/{id} with active=false → access is revoked; Zap ownership is not automatically reassigned, so critical automations must be transferred separately. Audit queries: `GET /Users?startIndex=1&count=100` with paginated iteration returns the full user list with `active` status for reconciliation against HR systems. For `PUT /Users/{id}` (full replace), omitted optional fields may be cleared - prefer `PATCH` for targeted attribute updates.
DELETE /Users/{id} behavior is not fully documented; Zapier's own guidance favors PATCH active=false for deprovisioning, and DELETE should be validated in a non-production context before use.
Provision a new employee via Okta
- Ensure Zapier Enterprise plan is active and SAML SSO is configured with Okta.
- In Zapier Company Settings > Provisioning, enable SCIM and copy the API key.
- In Okta, add Zapier as a SCIM application using base URL https://scim.zapier.com/scim/v2 and the Bearer token.
- Assign the new employee to the Zapier app in Okta.
- Okta sends POST /scim/v2/Users to Zapier, creating the user account automatically.
- Verify the user appears in Zapier's People settings.
Watch out for: The user's email domain must match the verified domain on the Zapier Enterprise account or provisioning will fail.
Deprovision a departing employee
- In your IdP (Okta/Azure AD/OneLogin), unassign the user from the Zapier application or deactivate their IdP account.
- The IdP sends PATCH /scim/v2/Users/{id} with active=false to Zapier.
- Zapier deactivates the user, revoking their access.
- Confirm deactivation in Zapier Company Settings > People.
Watch out for: Deprovisioned users may retain ownership of Zaps; reassign critical Zaps before or immediately after deprovisioning to avoid broken automations.
Manually query and audit users via SCIM API
- Retrieve the SCIM API key from Zapier Company Settings > Provisioning.
- Send GET https://scim.zapier.com/scim/v2/Users?startIndex=1&count=100 with Authorization: Bearer <api_key>.
- Iterate through paginated results using startIndex increments to collect all users.
- Cross-reference active=true/false status against your HR system for audit compliance.
Watch out for: No official rate limit is documented; implement exponential backoff and avoid high-frequency polling to prevent potential throttling.
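The audit procedure above, as an added Python example (not code from Zapier or from this page): it walks `startIndex`/`count` pages with capped exponential backoff and compares active accounts against an HR roster. The `fetch_page` hook, the `Throttled` exception and the sample users are assumptions constructed for illustration; a real transport would send the GET with the Bearer token and raise `Throttled` on whatever throttling response the service returns (for example HTTP 429).

```python
import time

class Throttled(Exception):
    """Raised by the transport hook when the server signals throttling."""

def list_all_users(fetch_page, count=100, max_retries=5, sleep=time.sleep):
    """Collect every User resource using SCIM startIndex/count pagination.

    fetch_page(start_index, count) is a hypothetical transport hook that
    returns one parsed ListResponse dict or raises Throttled.
    """
    users, start = [], 1                      # SCIM startIndex is 1-based
    while True:
        for attempt in range(max_retries + 1):
            try:
                page = fetch_page(start, count)
                break
            except Throttled:
                if attempt == max_retries:
                    raise
                sleep(min(2 ** attempt, 60))  # exponential backoff, capped at 60 s
        resources = page.get("Resources", [])
        users.extend(resources)
        start += len(resources)               # server may return fewer than count
        if not resources or start > page.get("totalResults", 0):
            return users

def reconcile(users, hr_active_emails):
    """Return (orphaned, missing): active in Zapier but not in HR, and the reverse."""
    hr = {e.lower() for e in hr_active_emails}
    active = {u["userName"].lower() for u in users if u.get("active")}
    return sorted(active - hr), sorted(hr - active)

# Constructed sample data standing in for the live endpoint.
SAMPLE_USERS = [
    {"id": "u1", "userName": "alice@example.com", "active": True},
    {"id": "u2", "userName": "bob@example.com", "active": True},
    {"id": "u3", "userName": "carol@example.com", "active": False},
]

def make_fake_fetch(throttle_first=1):
    """Fake transport: throttles the first N calls, then serves SAMPLE_USERS."""
    state = {"calls": 0}
    def fetch(start_index, count):
        state["calls"] += 1
        if state["calls"] <= throttle_first:
            raise Throttled()
        chunk = SAMPLE_USERS[start_index - 1:start_index - 1 + count]
        return {"totalResults": len(SAMPLE_USERS), "startIndex": start_index,
                "itemsPerPage": len(chunk), "Resources": chunk}
    return fetch
```

Accounts in the `orphaned` list are the ones to review first: they are still active in Zapier with no matching active HR record.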
Why building this yourself is a trap
Several non-obvious constraints can break integrations built against this API. The SCIM token is a long-lived static credential with no automatic rotation; a compromised token requires manual regeneration in Company Settings. No rate limits are publicly documented, which means polling strategies must implement exponential backoff defensively.
Group provisioning operations beyond GET /Groups are not fully confirmed in public documentation - verify scope with Zapier Enterprise support before building group-sync logic. Google Workspace is not a supported SCIM IdP; only Okta, Azure AD (Entra ID), and OneLogin are officially tested.
Finally, Zapier's developer platform at docs.zapier.com covers Zap and automation management - it is a completely separate API surface from the SCIM provisioning endpoint, and the two should not be conflated when designing an identity graph integration.