SCIM provisioning
Push users, deprovisions, and group changes from your IdP into Mnemos automatically.
SCIM is available on Business and Enterprise plans. It requires SSO to be configured first.
Endpoint and credentials
Mnemos implements SCIM 2.0 (RFC 7644) with bearer-token authentication. Generate the token from Settings → SCIM. Rotate it at least every 12 months; you can keep two tokens active during a rotation window.
Base URL: https://scim.mnemos.ai/v2/<org_id>
Auth: Authorization: Bearer <scim_token>
Resources: /Users /Groups /ServiceProviderConfig /Schemas
Filters: eq, sw, co, pr (per RFC 7644)
Patch: application/scim+json, PATCH ops
Attribute mapping
Mnemos accepts standard SCIM 2.0 core and enterprise extension attributes. The default mapping is below; per-org overrides can be set in the admin console.
| SCIM attribute | Mnemos field | Note |
|---|---|---|
| userName | | Used as the canonical login identifier. |
| name.givenName | first_name | Display name component. |
| name.familyName | last_name | Display name component. |
| emails[type eq 'work'].value | | Falls back to userName when absent. |
| active | status | false deprovisions; true reactivates. |
| title | title | Job title; used by onboarding journeys. |
| department | department | Suggests default project membership. |
| groups[].value | role | Group name pattern mnemos-<role> maps to role. |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value | manager_email | Enables ramp manager dashboards. |
Group-to-role mapping
Create groups in your IdP named mnemos-owner, mnemos-admin, mnemos-curator, mnemos-contributor, mnemos-viewer. Membership pushes are honored on every SCIM PATCH. If a user appears in multiple Mnemos groups, the highest-privilege role wins.
Deprovisioning behavior
Setting active=false immediately revokes sessions, API keys created by that user, and membership in all projects. Their authored content is retained; ownership of SOPs and entities is reassigned to the role's fallback owner if one is configured. After 30 days, the account is hard-deleted unless re-activated.
SCIM will reject any operation that would leave the workspace with zero Owners. Transfer ownership first.
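The deprovisioning call described above, built against the base URL, bearer header and content type listed under Endpoint and credentials. This is an added example, not Mnemos's own code: the function names, the `replace` on `active` PatchOp form and the sample ids are assumptions, and the requests are constructed but not sent.

```python
import json
from urllib.parse import quote
from urllib.request import Request

SCIM_BASE = "https://scim.mnemos.ai/v2"  # base URL from the page
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644 PatchOp schema
SCIM_JSON = "application/scim+json"


def _url(org_id, *segments):
    # Percent-encode every path segment so an id cannot add path or query parts.
    parts = [SCIM_BASE, quote(org_id, safe="")]
    return "/".join(parts + [quote(s, safe="") for s in segments])


def find_user_request(org_id, token, user_name):
    """GET /Users?filter=userName eq "<value>" to resolve a login to a SCIM id."""
    # Filter string values are JSON strings; json.dumps escapes quotes and
    # backslashes so the value cannot change the filter expression.
    flt = "userName eq " + json.dumps(user_name)
    url = _url(org_id, "Users") + "?filter=" + quote(flt, safe="")
    return Request(url, method="GET", headers={
        "Authorization": "Bearer " + token, "Accept": SCIM_JSON})


def deprovision_request(org_id, token, user_id):
    """PATCH /Users/<id> setting active=false (assumed form of the call)."""
    body = {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return Request(_url(org_id, "Users", user_id), method="PATCH",
                   data=json.dumps(body).encode("utf-8"),
                   headers={"Authorization": "Bearer " + token,
                            "Content-Type": SCIM_JSON, "Accept": SCIM_JSON})


if __name__ == "__main__":
    # Constructed sample values; a real token comes from Settings → SCIM.
    req = deprovision_request("org_example", "EXAMPLE_TOKEN", "constructed-user-id")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Pass either request to `urllib.request.urlopen` to send it, and load the token from a secret store rather than source code.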