Skip to main content
SCIM 2.0 provisioning is available on Scale and Enterprise plans, in addition to SAML SSO. Once enabled, your IdP creates, updates, and deactivates gavAI memberships automatically as employees join, change roles, or leave.

Mint a SCIM token

  1. Sign in as a workspace admin at /console/settings/sso/scim.
  2. Click Mint SCIM token. Copy the value — it’s shown exactly once.
  3. Store it in your IdP’s SCIM connector config.
The base URL for the SCIM endpoint is shown next to the token.

Configure your IdP

The integration is documented per IdP:
  • Okta: Applications → your gavAI app → Provisioning tab → Configure API integration.
  • Entra ID: Enterprise applications → your gavAI app → Provisioning → Automatic.
  • Google Workspace: Apps → Web and mobile apps → your gavAI app → Auto-provisioning.
Paste the base URL and bearer token. Map at minimum:
SCIM attributeSource
userNameprimary email
emails[0].valueprimary email (same)
name.givenNamefirst name
name.familyNamelast name
activeaccount-enabled flag

What gavAI does on a SCIM call

SCIM opgavAI behaviour
POST /UsersCreate the user (if absent) and the workspace_members row (role: member).
PATCH /Users/{id} (active=true)Re-activate the membership if previously archived.
PATCH /Users/{id} (active=false)Archive the membership (matches the in-product Leave workspace flow).
PUT/PATCH name/emailsUpdate the gavAI profile.
DELETE /Users/{id}Hard-delete the user (rare; archive is preferred).
Group sync (POST /Groups) maps to gavAI’s tenant_groups (Enterprise tier).

Token rotation

Mint a new token in /console/settings/sso/scim, swap it in your IdP connector, then revoke the old one. There is no grace period.

Troubleshooting

SymptomLikely cause
IdP shows 401Token revoked or wrong. Re-mint.
IdP shows 404 on /Users/{id}The user existed but was hard-deleted; recreate.
Member appears in IdP’s Assigned but not in gavAIAuto-provisioning isn’t enabled, or the user’s email domain isn’t verified in /console/settings/sso.