Mint a SCIM token
- Sign in as a workspace admin at
/console/settings/sso/scim. - Click Mint SCIM token. Copy the value — it’s shown exactly once.
- Store it in your IdP’s SCIM connector config.
Configure your IdP
The integration is documented per IdP:- Okta: Applications → your gavAI app → Provisioning tab → Configure API integration.
- Entra ID: Enterprise applications → your gavAI app → Provisioning → Automatic.
- Google Workspace: Apps → Web and mobile apps → your gavAI app → Auto-provisioning.
| SCIM attribute | Source |
|---|---|
userName | primary email |
emails[0].value | primary email (same) |
name.givenName | first name |
name.familyName | last name |
active | account-enabled flag |
What gavAI does on a SCIM call
| SCIM op | gavAI behaviour |
|---|---|
POST /Users | Create the user (if absent) and the workspace_members row (role: member). |
PATCH /Users/{id} (active=true) | Re-activate the membership if previously archived. |
PATCH /Users/{id} (active=false) | Archive the membership (matches the in-product Leave workspace flow). |
PUT/PATCH name/emails | Update the gavAI profile. |
DELETE /Users/{id} | Hard-delete the user (rare; archive is preferred). |
POST /Groups) maps to gavAI’s tenant_groups (Enterprise tier).
Token rotation
Mint a new token in/console/settings/sso/scim, swap it in your IdP connector, then revoke the old one. There is no grace period.
Troubleshooting
| Symptom | Likely cause |
|---|---|
IdP shows 401 | Token revoked or wrong. Re-mint. |
IdP shows 404 on /Users/{id} | The user existed but was hard-deleted; recreate. |
Member appears in IdP’s Assigned but not in gavAI | Auto-provisioning isn’t enabled, or the user’s email domain isn’t verified in /console/settings/sso. |