SCIM Provisioning
ACTIVATE exposes a read-only SCIM 2.0 API that lets external services synchronize your organization's users and groups. This is how systems outside ACTIVATE discover who your users are, what groups they belong to, and the POSIX identity and SSH keys associated with each account.
Direction of sync
ACTIVATE is the source of identity, not a destination. Consuming services read users and groups from ACTIVATE; they cannot create, modify, or delete them through this API. Every write request (POST, PUT, PATCH, DELETE) returns 501 Not Implemented.
Enabling SCIM
- From the Organizations list, select your organization.
- In the left sidebar, under Settings, click SCIM Provisioning.
- Toggle Enable SCIM provisioning.
Once enabled, the page displays your organization's SCIM endpoint URL. Provide this URL to the consuming service:
https://<platform-host>/api/organizations/<organization>/scim/v2The endpoint is scoped to a single organization - only that organization's users and groups are returned.
Bearer Tokens
SCIM requests are authenticated with a bearer token. Tokens are scoped to the organization and are independent of any single user account.
To create a token:
- On the SCIM Provisioning page, find the Bearer Tokens section.
- Click Create SCIM token.
- Enter a descriptive name. Optionally set an expiration (in days); leave it blank for a non-expiring token.
- Copy the generated token.
Tokens are shown once
The full token value is displayed only at creation time and is never shown again. Store it securely (for example in the consuming service's secret manager) before closing the dialog. If you lose it, revoke the token and create a new one.
The consuming service sends the token as a standard bearer credential on every request:
Authorization: Bearer <token>To revoke access, delete the token from the Bearer Tokens list. Any service using that token immediately loses access to the SCIM API.
Token creation requires a browser session
For security, SCIM tokens can only be minted from a logged-in browser session by an organization admin - not via the API itself.
What the API Exposes
The API implements the SCIM 2.0 discovery and resource endpoints:
| Endpoint | Purpose |
|---|---|
GET /ServiceProviderConfig | Advertises supported capabilities (filtering, bearer auth). |
GET /ResourceTypes | Lists the User and Group resource types. |
GET /Schemas | Returns the core User/Group schemas plus the CoreWeave extensions. |
GET /Users, GET /Users/{id} | List or fetch users. |
GET /Groups, GET /Groups/{id} | List or fetch groups. |
Filtering and pagination
- Users can be filtered by
userName,externalId, ordisplayNameusing theeqoperator, e.g.?filter=userName eq "jdoe@example.com". - Groups can be filtered by
displayName eq. - Results are paginated with
startIndex(1-based) andcount(default 50, maximum 200).
CoreWeave extension attributes
ACTIVATE groups map directly to SCIM groups, and ACTIVATE users to SCIM users. In addition to the standard SCIM fields, each resource carries a CoreWeave extension that exposes the POSIX identity consumers need to provision Linux accounts.
The extension blocks are omitted by default and are only returned when explicitly requested via the attributes query parameter:
?attributes=urn:coreweave:params:scim:schemas:extension:coreweave:2.0:CoreWeaveUserUser extension (urn:coreweave:params:scim:schemas:extension:coreweave:2.0:CoreWeaveUser):
| Attribute | Description |
|---|---|
sunkPosixUsername | The user's POSIX (Linux) username. |
sunkPosixUserId | The user's POSIX UID. |
sunkPosixGroupId | The user's primary POSIX GID. |
sunkLoginShell | Login shell (defaults to /bin/bash). |
sunkPreferredHomeDirectory | Home directory (defaults to /home/<username>). |
sunkSshKeys | The user's registered authorized SSH public keys. |
Group extension (urn:coreweave:params:scim:schemas:extension:coreweave:2.0:CoreWeaveGroup):
| Attribute | Description |
|---|---|
sunkPosixGroupId | The group's POSIX GID. |
sunkPosixGroupName | The group's POSIX name. |
Excluding inactive users
When listing groups, pass ?excludeInactiveUsers=true to drop disabled users from each group's member list. CoreWeave's identity cache uses this so that deactivated ACTIVATE accounts stop resolving on the cluster.
Next Steps
- Connecting a CoreWeave Slurm Cluster - the most common consumer of this API, which uses SCIM to populate Linux users, groups, and SSH keys on the cluster.