Skip to main content

SCIM Provisioning

AlphaSwarm exposes a SCIM 2.0 provisioning surface at /scim/v2/* for Auth0 Actions or scheduled Auth0 jobs.

Security

Enable SCIM with:

ALPHASWARM_AUTH_SCIM_ENABLED=true
ALPHASWARM_AUTH_PROVIDER=auth0
ALPHASWARM_AUTH_REQUIRED=true

Authentication is Bearer-only. AlphaSwarm accepts either:

a JWT validated against the configured OIDC issuer with audience ALPHASWARM_AUTH_SCIM_M2M_AUDIENCE (or ALPHASWARM_AUTH_M2M_AUDIENCE), or
a long random static token whose SHA-256 digest is stored in ALPHASWARM_AUTH_SCIM_BEARER_TOKEN_HASH.

Do not store the raw token in the repository.

Resource Mapping

SCIM User maps to users.
SCIM Group maps to teams.
SCIM Group.members maps to memberships with scope_kind="team".

Create, patch, replace, deactivate, and group membership operations emit security audit events through alphaswarm.auth.audit.emit_audit_event.

Auth0 Integration

The alphaswarm_platform/terraform/modules/auth0_identity module creates:

the AlphaSwarm SPA application,
the AlphaSwarm API audience and scopes,
an M2M client grant for SCIM and Auth0 sync,
default alphaswarm-viewer and alphaswarm-admin roles,
a post-login Action that calls /_internal/auth0/sync and injects AlphaSwarm tenancy claims.

For direct enterprise SCIM, point the upstream IdP or Auth0 automation at https://<alphaswarm-host>/scim/v2.

Security
Resource Mapping
Auth0 Integration