Set up SCIM for a customer

As a Reseller you can create a SCIM integration for a customer (sub-company) so that customer can sync target users from their identity provider (Entra ID, Okta, OneLogin, JumpCloud, etc.) into Keepnet. The SCIM integration is created in the customer’s context, not your Reseller company. Get the customer’s Company ID, then call the SCIM endpoints with X-KEEPNET-Company-Id. Use a credential with Client Role = Reseller. After creation, share the returned SCIM token and endpoint URL with the customer so they can configure their IdP.

POST /api/companies/search

Get the customer’s Company ID. Use the resourceId of the desired company in the next steps.

Retrieves a paginated list of all companies you manage with license details. Each item includes resourceId — use it as the Company ID for scoped requests. Test it: Authorize with Client ID/Secret, then Send — request body is pre-filled.

Retrieves a list of all companies

post

Required scopes

This endpoint requires the following scopes:

: API

Authorizations

OAuth2clientCredentialsRequired

Client ID and Client Secret from Company → Company Settings → REST API. Enter credentials to auto-fetch token.

Token URL:

Body

pageNumberintegerRequiredExample: 1

pageSizeintegerRequiredExample: 10

orderBystringRequiredExample: CreateTime

ascendingbooleanRequiredExample: false

isTargetUserCountExceededLimitbooleanOptional

If true, only companies exceeding license limit are returned

Example: false

Responses

200

application/json

statusstringOptional

messagestring · nullableOptional

validationMessagesstring[] · nullableOptional

post

/api/companies/search

POST /api/companies/search HTTP/1.1
Host: api.keepnetlabs.com
Authorization: Bearer YOUR_OAUTH2_TOKEN
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 126

{
  "pageNumber": 1,
  "pageSize": 10,
  "orderBy": "CreateTime",
  "ascending": false,
  "filter": {
    "Condition": "AND",
    "SearchInputTextValue": ""
  }
}

200

{
  "data": {
    "limitExceededCompanyCount": 1,
    "pageNumber": 1,
    "pageSize": 1,
    "totalNumberOfPages": 1,
    "totalNumberOfRecords": 1,
    "results": [
      {
        "companyName": "text",
        "companyResourceId": "text",
        "resellerName": "text",
        "industryName": "text",
        "industryResourceId": "text",
        "licenseTypeName": "text",
        "licenseTypeResourceId": "text",
        "isNumberOfUsersLimited": true,
        "numberOfUsers": "text",
        "privacyDurationId": 1,
        "licenceExpired": true,
        "licenseEndDate": "2026-03-09T12:56:28.598Z",
        "createTime": "2026-03-09T12:56:28.598Z",
        "targetUserCount": 1,
        "children": [
          {
            "companyName": "text",
            "companyResourceId": "text",
            "resellerName": "text",
            "industryName": "text",
            "industryResourceId": "text",
            "licenseTypeName": "text",
            "licenseTypeResourceId": "text",
            "isNumberOfUsersLimited": true,
            "numberOfUsers": "text",
            "privacyDurationId": 1,
            "licenceExpired": true,
            "licenseEndDate": "2026-03-09T12:56:28.598Z",
            "createTime": "2026-03-09T12:56:28.598Z",
            "targetUserCount": 1,
            "children": "[Circular Reference]",
            "tags": [
              "text"
            ],
            "deletedTargetUserCount": 1,
            "inactiveTargetUserCount": 1,
            "monthlyActiveUserCount": 1
          }
        ],
        "tags": [
          "text"
        ],
        "deletedTargetUserCount": 1,
        "inactiveTargetUserCount": 1,
        "monthlyActiveUserCount": 1
      }
    ]
  },
  "status": "text",
  "message": "text",
  "validationMessages": [
    "text"
  ]
}

From the response, pick the company and note its resourceId. Example: "resourceId": "xC5kfGz7w2Nz" → use xC5kfGz7w2Nz as Company ID when creating the SCIM integration.

GET /api/scim/fields

Returns available SCIM fields for mapping (e.g. IdP attributes to Keepnet custom fields). Send X-KEEPNET-Company-Id for the customer.

Returns all available scim fields. As a Reseller, send X-KEEPNET-Company-Id: <companyResourceId>.

Returns all available scim fields

get

Required scopes

This endpoint requires the following scopes:

: API

Authorizations

OAuth2clientCredentialsRequired

Client ID and Client Secret from Company → Company Settings → REST API. Enter credentials to auto-fetch token.

Token URL:

Responses

200

application/json

statusstringOptional

messagestring · nullableOptional

validationMessagesstring[] · nullableOptional

get

/api/scim/fields

GET /api/scim/fields HTTP/1.1
Host: api.keepnetlabs.com
Authorization: Bearer YOUR_OAUTH2_TOKEN
Accept: */*

200

{
  "data": {
    "fields": [
      {
        "resourceId": "text",
        "name": "text"
      }
    ]
  },
  "status": "text",
  "message": "text",
  "validationMessages": [
    "text"
  ]
}

Target group: To sync users into a specific target group, get the customer's target groups via the target-groups API with the same header. Pass groupResourceId in the create-SCIM request; if omitted, synced users appear under Target Users > People.

POST /api/scim

Creates a new SCIM integration for that customer. Send the Company ID in the X-KEEPNET-Company-Id header. The request body requires name (e.g. "Entra ID Sync"). Optional: groupResourceId (target group to sync users into), groupBySCIMFieldResourceId (e.g. group by department), fieldMappings (array of SCIM attribute → custom field mapping), syncPlatformGroup (boolean). The response includes the SCIM token and endpoint URL — the customer uses these in their identity provider to complete the SCIM setup.

Creates a new scim integration. As a Reseller, send X-KEEPNET-Company-Id: <companyResourceId> so the integration is created for the chosen customer. Test it: Endpoints → SCIM → Creates a new scim integration — use dummy data (H8d) and set the header to a Company ID from companies/search.

Creates a new scim integration

post

Required scopes

This endpoint requires the following scopes:

: API

Authorizations

OAuth2clientCredentialsRequired

Client ID and Client Secret from Company → Company Settings → REST API. Enter credentials to auto-fetch token.

Token URL:

Body

namestring · min: 1 · max: 30Required

groupResourceIdstring · max: 12 · nullableOptional

groupBySCIMFieldResourceIdstring · max: 12 · nullableOptional

syncPlatformGroupbooleanOptional

Responses

200

application/json

statusstringOptional

messagestring · nullableOptional

validationMessagesstring[] · nullableOptional

post

/api/scim

POST /api/scim HTTP/1.1
Host: api.keepnetlabs.com
Authorization: Bearer YOUR_OAUTH2_TOKEN
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 181

{
  "name": "text",
  "groupResourceId": "text",
  "groupBySCIMFieldResourceId": "text",
  "fieldMappings": [
    {
      "customFieldResourceId": "text",
      "scimFieldResourceId": "text"
    }
  ],
  "syncPlatformGroup": true
}

200

{
  "data": {
    "token": "text"
  },
  "status": "text",
  "message": "text",
  "validationMessages": [
    "text"
  ]
}

Example request headers:

Authorization: Bearer <your_access_token>
Content-Type: application/json
X-KEEPNET-Company-Id: xC5kfGz7w2Nz

Example body (dummy data — minimal; syncs users to no specific group):

{
  "name": "Acme Entra ID Sync"
}

With an optional target group (use a valid groupResourceId for that customer):

{
  "name": "Acme Entra ID Sync",
  "groupResourceId": "gR4pL2mK9xYz"
}

After creation, provide the customer with the SCIM token and the Keepnet SCIM base URL from the response so they can configure their IdP (e.g. SCIM Setup in Entra ID, Okta, etc.).

POST /api/scim/search

List SCIM integrations for that customer. Send X-KEEPNET-Company-Id.

Returns a list of the scim integrations. As a Reseller, send X-KEEPNET-Company-Id: <companyResourceId>.

Returns a list of the scim integrations

post

Required scopes

This endpoint requires the following scopes:

: API

Authorizations

OAuth2clientCredentialsRequired

Client ID and Client Secret from Company → Company Settings → REST API. Enter credentials to auto-fetch token.

Token URL:

Body

pageNumberinteger · int32Optional

pageSizeinteger · int32Optional

orderBystring · nullableOptional

ascendingbooleanOptional

Responses

200

application/json

statusstringOptional

messagestring · nullableOptional

validationMessagesstring[] · nullableOptional

post

/api/scim/search

POST /api/scim/search HTTP/1.1
Host: api.keepnetlabs.com
Authorization: Bearer YOUR_OAUTH2_TOKEN
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 427

{
  "filter": {
    "searchInputTextValue": "text",
    "condition": "text",
    "filterGroups": [
      {
        "condition": "text",
        "filterItems": [
          {
            "fieldName": "text",
            "operator": "text",
            "value": "text",
            "customFieldName": "text"
          }
        ],
        "filterGroups": [
          {
            "condition": "text",
            "filterItems": [
              {
                "fieldName": "text",
                "operator": "text",
                "value": "text",
                "customFieldName": "text"
              }
            ],
            "filterGroups": "[Circular Reference]"
          }
        ]
      }
    ]
  },
  "pageNumber": 1,
  "pageSize": 1,
  "orderBy": "text",
  "ascending": true
}

200

{
  "data": {
    "pageNumber": 1,
    "pageSize": 1,
    "totalNumberOfPages": 1,
    "totalNumberOfRecords": 1,
    "results": [
      {
        "resourceId": "text",
        "name": "text",
        "groupName": "text",
        "groupByCustomFieldName": "text",
        "createTime": "2026-03-09T12:56:28.598Z"
      }
    ]
  },
  "status": "text",
  "message": "text",
  "validationMessages": [
    "text"
  ]
}

GET /api/scim/{resourceId}

Get SCIM integration details. Replace {resourceId} with the SCIM integration ID from the search response. Send X-KEEPNET-Company-Id.

Retrieves the details of an existing scim setting. As a Reseller, send X-KEEPNET-Company-Id: <companyResourceId>.

Retrieves the details of an existing scim setting

get

Required scopes

This endpoint requires the following scopes:

: API

Authorizations

OAuth2clientCredentialsRequired

Client ID and Client Secret from Company → Company Settings → REST API. Enter credentials to auto-fetch token.

Token URL:

Path parameters

resourceIdstringRequired

Responses

200

application/json

statusstringOptional

messagestring · nullableOptional

validationMessagesstring[] · nullableOptional

get

/api/scim/{resourceId}

GET /api/scim/{resourceId} HTTP/1.1
Host: api.keepnetlabs.com
Authorization: Bearer YOUR_OAUTH2_TOKEN
Accept: */*

200

{
  "data": {
    "resourceId": "text",
    "name": "text",
    "groupName": "text",
    "groupByCustomFieldName": "text",
    "mappingDetails": [
      {
        "scimPath": "text",
        "customFieldName": "text"
      }
    ],
    "syncPlatformGroup": true
  },
  "status": "text",
  "message": "text",
  "validationMessages": [
    "text"
  ]
}

PUT /api/scim/{resourceId}

Update the SCIM integration (e.g. name, field mappings). Replace {resourceId} with the SCIM integration ID. Send X-KEEPNET-Company-Id.

Updates an existing scim integration. As a Reseller, send X-KEEPNET-Company-Id: <companyResourceId>.

Updates an existing scim integration

put

Required scopes

This endpoint requires the following scopes:

: API

Authorizations

OAuth2clientCredentialsRequired

Client ID and Client Secret from Company → Company Settings → REST API. Enter credentials to auto-fetch token.

Token URL:

Path parameters

resourceIdstringRequired

Body

namestring · nullableOptional

Responses

200

application/json

statusstringOptional

messagestring · nullableOptional

validationMessagesstring[] · nullableOptional

put

/api/scim/{resourceId}

PUT /api/scim/{resourceId} HTTP/1.1
Host: api.keepnetlabs.com
Authorization: Bearer YOUR_OAUTH2_TOKEN
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 15

{
  "name": "text"
}

200

{
  "data": {
    "resourceId": "text"
  },
  "status": "text",
  "message": "text",
  "validationMessages": [
    "text"
  ]
}

POST /api/scim/{resourceId}/revoke

Revoke the current token and generate a new one (e.g. if the token was exposed). Replace {resourceId} with the SCIM integration ID. Send X-KEEPNET-Company-Id.

Revokes the current token of the scim integration and generates a new token. As a Reseller, send X-KEEPNET-Company-Id: <companyResourceId>.

Revokes the current token of the scim integration and generates a new token

post

Required scopes

This endpoint requires the following scopes:

: API

Authorizations

OAuth2clientCredentialsRequired

Client ID and Client Secret from Company → Company Settings → REST API. Enter credentials to auto-fetch token.

Token URL:

Path parameters

resourceIdstringRequired

Responses

200

application/json

statusstringOptional

messagestring · nullableOptional

validationMessagesstring[] · nullableOptional

post

/api/scim/{resourceId}/revoke

POST /api/scim/{resourceId}/revoke HTTP/1.1
Host: api.keepnetlabs.com
Authorization: Bearer YOUR_OAUTH2_TOKEN
Accept: */*

200

{
  "data": {
    "pageNumber": 1,
    "pageSize": 1,
    "totalNumberOfPages": 1,
    "totalNumberOfRecords": 1,
    "results": [
      {
        "token": "text"
      }
    ]
  },
  "status": "text",
  "message": "text",
  "validationMessages": [
    "text"
  ]
}

Common errors

403 Forbidden — Credential is not Reseller, or the Company ID is not one you manage. Set Client Role = Reseller. Roles and permissions →
401 Unauthorized — Missing or invalid token. Request a new token via POST /connect/token.
404 Not Found / 400 Bad Request — Invalid Company ID or invalid groupResourceId (must be a target group belonging to that customer). Verify Company ID from POST /api/companies/search and ensure you send X-KEEPNET-Company-Id for the customer.

Related: Scope API requests to a customer →. List or export target users for a customer →. For SCIM setup in the UI and IdP-specific guides: Getting Started with SCIM.

PreviousAdd system user for a customer NextTraining

Last updated 1 day ago

hashtagPOST /api/companies/search

hashtagRetrieves a list of all companies

hashtagGET /api/scim/fields

hashtagReturns all available scim fields

hashtagPOST /api/scim

hashtagCreates a new scim integration

hashtagPOST /api/scim/search

hashtagReturns a list of the scim integrations

hashtagGET /api/scim/{resourceId}

hashtagRetrieves the details of an existing scim setting

hashtagPUT /api/scim/{resourceId}

hashtagUpdates an existing scim integration

hashtagPOST /api/scim/{resourceId}/revoke

hashtagRevokes the current token of the scim integration and generates a new token

hashtagCommon errors

POST /api/companies/search

Retrieves a list of all companies

GET /api/scim/fields

Returns all available scim fields

POST /api/scim

Creates a new scim integration

POST /api/scim/search

Returns a list of the scim integrations

GET /api/scim/{resourceId}

Retrieves the details of an existing scim setting

PUT /api/scim/{resourceId}

Updates an existing scim integration

POST /api/scim/{resourceId}/revoke

Revokes the current token of the scim integration and generates a new token

Common errors