Skip to main content

Overview

The System for Cross-domain Identity Management (SCIM) API allows instance or organization admins to manage users, groups, and custom roles in their W&B organization. SCIM groups map to W&B teams. W&B’s SCIM API is compatible with major identity providers including Okta, enabling automated user provisioning and deprovisioning. For SSO configuration with Okta and other identity providers, see the SSO documentation. For practical Python examples demonstrating how to interact with the SCIM API, visit our wandb-scim repository.

Supported Features

  • Filtering: The API supports filtering for /Users and /Groups endpoints
  • PATCH Operations: Supports PATCH for partial resource updates
  • ETag Support: Conditional updates using ETags for conflict detection
  • Service Account Authentication: Organization service accounts can access the API
If you are an admin of multiple Enterprise Multi-tenant SaaS organizations, you must configure the organization where SCIM API requests are sent to ensure SCIM API requests sent using your API Key affect the correct organization. Click your profile image, then click User Settings, then check the setting Default API organization.The chosen hosting option determines the value for the <host-url> placeholder used in the examples in this page.In addition, examples use user IDs such as abc and def. Real requests and responses have hashed values for user IDs.

Authentication

Choose to authenticate using a user identity or a service account, after reviewing the key differences.

Key differences

  • Who should use it: Users are best for interactive, one-off admin actions; service accounts are best for automation and integrations (CI/CD, provisioning tools).
  • Credentials: Users send username and API key; service accounts send only an API key (no username).
  • Authorization header payload: Users encode username:API-KEY; service accounts encode :API-KEY (leading colon).
  • Scope and permissions: Both require admin privileges; service accounts are organization-scoped and headless, providing clearer audit trails for automation.
  • Where to get credentials: Users copy their API key from User Settings; service account keys are in the organization’s Service account tab.
  • Multi-tenant Cloud: If you have access to more than one Multi-tenant Cloud organizations, you must set the Default API organization to ensure that SCIM API calls are routed to the intended organization.

Users

Use your personal admin credentials when performing interactive admin tasks. Construct the HTTP Authorization header as Basic <base64(username:API-KEY)>. For example, authorize as demo:p@55w0rd:

Service accounts

Use an organization-scoped service account for automation or integrations. Construct the HTTP Authorization header as Basic <base64(:API-KEY)> (note the leading colon and empty username). Find service account API keys in the organization dashboard under the Service account tab. Refer to Organization-scoped service accounts. For example, authorize with API key sa-p@55w0rd:

User management

The SCIM user resource maps to W&B users. Use these endpoints to manage users in your organization.

Get user

Retrieves information for a specific user in your organization.

Endpoint

  • URL: <host-url>/scim/Users/{id}
  • Method: GET

Parameters

Example

List users

Retrieves a list of all users in your organization.

Filter users

The /Users endpoint supports filtering users by username or email:
  • userName eq "value" - Filter by username
  • emails.value eq "value" - Filter by email address
Example

Endpoint

  • URL: <host-url>/scim/Users
  • Method: GET

Example

Create User

Creates a new user in your organization.

Endpoint

  • URL: <host-url>/scim/Users
  • Method: POST

Parameters

Example

Response

Delete User

Maintain admin accessYou must ensure that at least one admin user exists in your instance or organization at all times. Otherwise, no user will be able to configure or maintain your organization’s W&B account. If an organization uses SCIM or another automated process to deprovision users from W&B, a deprovisioning operation could inadvertently remove the last remaining admin from the instance or organization.For assistance with developing operational procedures, or to restore admin access, contact support.
Fully deletes a user from your organization.

Endpoint

  • URL: <host-url>/scim/Users/{id}
  • Method: DELETE

Parameters

Example

To temporarily deactivate the user, refer to Deactivate user API which uses the PATCH endpoint.

Update user email

Updates a user’s primary email address. Not supported for Multi-tenant Cloud, where a user’s account is not managed by the organization.

Endpoint

  • URL: <host-url>/scim/Users/{id}
  • Method: PATCH

Parameters

Example

Update user display name

Updates a user’s display name. Not supported for Multi-tenant Cloud, where a user’s account is not managed by the organization.

Endpoint

  • URL: <host-url>/scim/Users/{id}
  • Method: PATCH

Parameters

Example

Deactivate user

Deactivates a user in your organization. The actual result differs by deployment type:
  • Dedicated Cloud / Self-Managed: Sets the user’s active field to false. To restore a deactivated user’s access your organization, see Reactivate user.
  • Multi-tenant Cloud: Removes the user from the organization. To restore the user’s access, re-add them to your organization. See Create user. In Multi-tenant Cloud, a user’s account is not managed by the organization.

Endpoint

  • URL: <host-url>/scim/Users/{id}
  • Method: PATCH

Parameters

Example

Response

Reactivate User

Reactivates a previously deactivated user in your organization.
User reactivation is not supported in Multi-tenant Cloud. To restore the user’s access, re-add them to your organization. See Create user. In Multi-tenant Cloud, a user’s account is not managed by the organization. An attempt to reactivate a user results in a HTTP 400 error:

Endpoint

  • URL: <host-url>/scim/Users/{id}
  • Method: PATCH

Parameters

Example

Assign Organization Role

Assigns an organization-level role to a user.

Endpoint

  • URL: <host-url>/scim/Users/{id}
  • Method: PATCH

Parameters

The viewer role is deprecated and can no longer be set in the UI. W&B assigns the member role to a user if you attempt to assign the viewer role using SCIM. The user is automatically provisioned with Models and Weave seats if possible. Otherwise, a Seat limit reached error is logged. For organizations that use Registry, the user is automatically assigned the viewer role in registries that are visible at the organization level.

Example

Assign Team Role

Assigns a team-level role to a user.

Endpoint

  • URL: <host-url>/scim/Users/{id}
  • Method: PATCH

Parameters

Example

Add to Registry

Adds a user to a registry with an assigned registry-level role.

Endpoint

  • URL: <host-url>/scim/Users/{id}
  • Method: PATCH

Parameters

Example

Remove from Registry

Removes a user from a registry.
The remove operations follow RFC 7644 SCIM protocol specifications. Use the filter syntax "registryRoles[registryName eq \"{registry_name}\"]" to remove a user from a specific registry, or "registryRoles" to remove the user from all registries.

Endpoint

  • URL: <host-url>/scim/Users/{id}
  • Method: PATCH

Parameters

Example

Group resource

When you create a SCIM group in your IAM, it creates and maps to a W&B Team, and other SCIM group operations operate on the team.

Service Accounts

When a W&B Team is created using SCIM, all organization-level service accounts are automatically added to the team, to maintain the service account’s access to team resources.

Filtering Groups

The /Groups endpoint supports filtering to search for specific teams:

Supported Filters

  • displayName eq "value" - Filter by team display name

Example

Get team

Retrieve team information by providing the team’s unique ID.

Endpoint

  • URL: <host-url>/scim/Groups/{id}
  • Method: GET

Example

List teams

Retrieve a list of teams.

Endpoint

  • URL: <host-url>/scim/Groups
  • Method: GET

Example

Create team

  • Endpoint: <host-url>/scim/Groups
  • Method: POST
  • Description: Create a new team resource.
  • Supported Fields:

Example

Creating a team called wandb-support with dev-user2 as its member.

Update team

  • Endpoint: <host-url>/scim/Groups/{id}
  • Method: PATCH
  • Description: Update an existing team’s membership list.
  • Supported Operations: add member, remove member, replace members
The remove operations follow RFC 7644 SCIM protocol specifications. Use the filter syntax members[value eq "{user_id}"] to remove a specific user, or members to remove all users from the team.User Identification: The {user_id} in member operations can be either:
Replace {team_id} with the actual team ID and {user_id} with the actual user ID or email address in your requests.

Replace team members

Replaces all members of a team with a new list.
  • Endpoint: <host-url>/scim/Groups/{id}
  • Method: PUT
  • Description: Replace the entire team membership list.
Adding a user to a team Adding dev-user2 to acme-devs:
Removing a specific user from a team Removing dev-user2 from acme-devs:
Removing all users from a team Removing all users from acme-devs:

Delete team

  • Deleting teams is currently unsupported by the SCIM API since there is additional data linked to teams. Delete teams from the app to confirm you want everything deleted.

Role resource

The SCIM role resource maps to W&B custom roles. As mentioned earlier, the /Roles endpoints are not part of the official SCIM schema, W&B adds /Roles endpoints to support automated management of custom roles in W&B organizations.

Get custom role

Retrieve information for a custom role by providing the role’s unique ID.

Endpoint

  • URL: <host-url>/scim/Roles/{id}
  • Method: GET

Example

List custom roles

Retrieve information for all custom roles in the W&B organization.

Endpoint

  • URL: <host-url>/scim/Roles
  • Method: GET

Example

Create custom role

  • Endpoint: <host-url>/scim/Roles
  • Method: POST
  • Description: Create a new custom role in the W&B organization.
  • Supported Fields:

Example

Update custom role

Add permissions to role

  • Endpoint: <host-url>/scim/Roles/{id}
  • Method: PATCH
  • Description: Add permissions to an existing custom role.

Remove a permission from a role

  • Endpoint: <host-url>/scim/Roles/{id}
  • Method: PATCH
  • Description: Remove permissions from an existing custom role.

Replace custom role

  • Endpoint: <host-url>/scim/Roles/{id}
  • Method: PUT
  • Description: Replace an entire custom role definition.

Delete custom role

Delete a custom role in the W&B organization. Use it with caution. The predefined role from which the custom role inherited is now assigned to all users that were assigned the custom role before the operation.

Endpoint

  • URL: <host-url>/scim/Roles/{id}
  • Method: DELETE

Example

Advanced Features

ETag Support

The SCIM API supports ETags for conditional updates to prevent concurrent modification conflicts. ETags are returned in the ETag response header and the meta.version field.

ETags

To use Etags:
  1. Get current ETag: When you GET a resource, note the ETag header in the response
  2. Conditional update: Include the ETag in the If-Match header when updating

Example

A 412 Precondition Failed error response indicates that the resources has been modified since you retrieved it.

Error handling

The SCIM API returns standard SCIM error responses:

Implementation differences per deployment type

W&B maintains two separate SCIM API implementations, and the features differ between them:

Limitations

  • Maximum results: 9999 items per request.
  • Single-tenant environments: Only support one email per user.
  • Team deletion: Not supported via SCIM (use the W&B web interface).
  • User reactivation: Not supported in Multi-tenant Cloud environments.
  • Seat limits: Operations may fail if organization seat limits are reached.