SCIM API Documentation

Authentication

Bearer Token Authentication

All SCIM API requests must include a valid JWT bearer token in the Authorization header:

Authorization: Bearer <your-jwt-token>

Note: The following discovery endpoints do not require authentication:

  • /ResourceTypes
  • /Schemas
  • /ServiceProviderConfig

Token Requirements

Your JWT must include:

  • tenant: Your Flip organization ID
  • exp: Token expiration timestamp

{
  "tenant": "your-organization-id",
  "exp": 1234567890
}

SCIM User Schema Mappings

Core User Attributes

SCIM Attribute      | Flip Field  | Description                | Required
userName            | username    | Login identifier           | Yes
name.givenName      | firstName   | First name                 | Yes
name.familyName     | lastName    | Last name                  | Yes
displayName         | displayName | Display name (auto-joined) | No
emails[type="work"] | email       | Work email                 | No
active              | status      | Active/Locked              | No
externalId          | externalId  | External system ID         | No

Contact Info & Department

SCIM Attribute              | Flip Field
title                       | job_title
phoneNumbers[type="work"]   | phone_number
phoneNumbers[type="mobile"] | mobile_number
enterpriseUser.department   | department

Flip SCIM Extensions

Location Extension

"urn:ietf:params:scim:schemas:extension:flip:location:2.0:User": {
  "value": "Berlin Office"
}

“About Me” Extension

"urn:ietf:params:scim:schemas:extension:flip:aboutMe:2.0:User": {
  "value": "Product manager focused on mobile experiences"
}

Custom Attribute Extension

"urn:ietf:params:scim:schemas:extension:flip:custom:2.0:User": {
  "attributes": [
    { "technicalName": "employee_id", "value": "EMP123456" },
    { "technicalName": "cost_center", "value": "CC-100" }
  ]
}

⚠️ Note: Custom attributes must be created in the Flip Admin Console before they can be provisioned via SCIM.

Custom JSON Extension (Entra Workaround)

Schema URN: urn:ietf:params:scim:schemas:extension:flip:customJson:2.0:User
Property: writeOnly (not returned in GET/Read responses)

This extension allows custom attributes to be sent as a raw JSON string. It is primarily intended as a workaround for Microsoft Entra, which does not reliably send complex attributes during initial user provisioning (Microsoft Source).

Request example:

{
  "urn:ietf:params:scim:schemas:extension:flip:customJson:2.0:User": {
    "value": "{\"attributes\":[{\"technicalName\":\"employee_id\",\"value\":\"EMP123456\"},{\"technicalName\":\"cost_center\",\"value\":\"CC-100\"}]}"
  }
}

Merge behavior:

  • Values from customJson are merged into the existing custom extension urn:ietf:params:scim:schemas:extension:flip:custom:2.0:User.
  • If both ...:custom...:attributes and customJson are provided in the same request, attributes take precedence.

Note: Since customJson is writeOnly, it is not returned in read responses. Identity providers therefore cannot validate this part via read-back comparison.
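
A pre-send check for the merge behavior above, as an added example (not Flip's own code): because customJson is writeOnly, the client has to validate the string and work out the expected result before sending. It assumes precedence applies per technicalName and that merged values are returned under the custom extension in read responses; the function names are hypothetical.

```python
import json

CUSTOM = "urn:ietf:params:scim:schemas:extension:flip:custom:2.0:User"
CUSTOM_JSON = "urn:ietf:params:scim:schemas:extension:flip:customJson:2.0:User"


def _as_map(attributes):
    """Turn [{"technicalName": ..., "value": ...}, ...] into a dict; reject bad shapes."""
    if not isinstance(attributes, list):
        raise ValueError("'attributes' must be a list")
    result = {}
    for item in attributes:
        if not isinstance(item, dict) or not {"technicalName", "value"} <= set(item):
            raise ValueError(f"malformed attribute entry: {item!r}")
        result[item["technicalName"]] = item["value"]
    return result


def lint_custom_json(payload):
    """Pre-send check. Returns (expected attributes, names shadowed by 'attributes')."""
    explicit = _as_map(payload.get(CUSTOM, {}).get("attributes", []))
    from_json = {}
    if CUSTOM_JSON in payload:
        raw = payload[CUSTOM_JSON].get("value")
        if not isinstance(raw, str):
            raise ValueError("customJson 'value' must be a JSON string, not an object")
        try:
            decoded = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError(f"customJson 'value' is not valid JSON: {exc}") from None
        from_json = _as_map(decoded.get("attributes") if isinstance(decoded, dict) else None)
    shadowed = sorted(k for k in from_json if k in explicit and explicit[k] != from_json[k])
    # Assumption: precedence is applied per technicalName, not to the whole request.
    expected = {**from_json, **explicit}
    return expected, shadowed


def missing_after_read(expected, read_response):
    """Names whose expected value is absent from the custom extension of a GET response."""
    actual = _as_map(read_response.get(CUSTOM, {}).get("attributes", []))
    return sorted(k for k, v in expected.items() if actual.get(k) != v)


if __name__ == "__main__":
    # Constructed sample: cost_center is sent both ways with different values.
    sample = {CUSTOM: {"attributes": [{"technicalName": "cost_center", "value": "CC-200"}]},
              CUSTOM_JSON: {"value": '{"attributes":[{"technicalName":"cost_center","value":"CC-100"}]}'}}
    print(lint_custom_json(sample))
```

A non-empty shadowed list means the customJson value for those names will not take effect; comparing the custom extension of a later GET against expected replaces the read-back check that customJson itself cannot support.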

 

Example SCIM User Request

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
    "urn:ietf:params:scim:schemas:extension:flip:location:2.0:User",
    "urn:ietf:params:scim:schemas:extension:flip:aboutMe:2.0:User",
    "urn:ietf:params:scim:schemas:extension:flip:custom:2.0:User"
  ],
  "userName": "john.doe@company.com",
  "name": {
    "givenName": "John",
    "familyName": "Doe"
  },
  "displayName": "John Doe",
  "emails": [
    {
      "value": "john.doe@company.com",
      "type": "work"
    }
  ],
  "phoneNumbers": [
    {
      "value": "+49 30 12345678",
      "type": "work"
    },
    {
      "value": "+49 170 9876543",
      "type": "mobile"
    }
  ],
  "title": "Senior Product Manager",
  "active": true,
  "externalId": "emp-12345",
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "department": "Product Management"
  },
  "urn:ietf:params:scim:schemas:extension:flip:location:2.0:User": {
    "value": "Berlin HQ"
  },
  "urn:ietf:params:scim:schemas:extension:flip:aboutMe:2.0:User": {
    "value": "Passionate about building great products"
  },
  "urn:ietf:params:scim:schemas:extension:flip:custom:2.0:User": {
    "attributes": [
      {
        "technicalName": "employee_number",
        "value": "DE-2024-001"
      }
    ]
  }
}

API Endpoints

Service Discovery

Endpoint               | Method | Description
/ServiceProviderConfig | GET    | SCIM config and features
/Schemas               | GET    | Supported schemas
/ResourceTypes         | GET    | Supported resources (e.g., Users)

User Management

Endpoint    | Method | Description
/Users      | GET    | List or filter users
/Users      | POST   | Create a user
/Users/{id} | GET    | Retrieve a user
/Users/{id} | PUT    | Full update
/Users/{id} | PATCH  | Partial update
/Users/{id} | DELETE | Soft-delete user
