SCIM (System for Cross-domain Identity Management) is available on the Business plan and above. It enables automated user provisioning and lifecycle management through your identity provider (IdP). When enabled, users are automatically added to your workspace when assigned in your IdP and removed when unassigned, keeping your team in sync without manual intervention.

Prerequisites

Before setting up SCIM provisioning, you need:
  • IdP admin access (Okta, Auth0, Microsoft Entra ID, or any other provider you’re using)
  • Lovable workspace owner or admin role
  • An active SSO provider configured (OIDC or SAML). See Set up single sign-on (SSO) for more information.
If you already have SSO configured, you can create a separate application in your IdP specifically for SCIM provisioning. This allows you to keep SSO authentication and provisioning configurations independent. Lovable will continue to use your existing SSO provider for user authentication, regardless of which IdP application handles SCIM.

Why use SCIM

SCIM helps you manage workspace access centrally and reduces manual user administration. Key benefits include:
  • Automated provisioning: Users are automatically added to your workspace when assigned in your IdP
  • Automatic deprovisioning: Users are removed when unassigned or deactivated in your IdP
  • Group-based role assignment: Map IdP groups to Lovable workspace roles for automatic access control
  • Single source of truth: Manage all user access from your IdP

How SCIM works in Lovable

This section explains how Lovable processes SCIM events from your identity provider.

User provisioning

When your IdP creates or assigns a user to the Lovable application:
  1. The IdP sends a SCIM request to Lovable.
  2. Lovable verifies that the user’s email domain is verified for your workspace.
  3. A new user account is created if one does not already exist.
  4. The user is added to your workspace with the appropriate role.
  5. The user receives an email invitation to join.

User deprovisioning

When your IdP removes or deactivates a user:
  1. The IdP sends a deactivation request to Lovable.
  2. The user is removed from your workspace.
  3. The user can no longer log in to the workspace.
Workspace owners cannot be deprovisioned via SCIM. This prevents accidental lockout of workspace administration.

Group push and role updates

When group-based provisioning is enabled in your IdP:
  1. Group membership changes are pushed to Lovable.
  2. Users added to a mapped group receive the corresponding role.
  3. Users removed from all mapped groups are removed from the workspace.

Supported SCIM operations

Lovable implements the SCIM 2.0 specification and supports the following operations:
Resource | Supported operations
Users | Create, read, update, delete, list
Groups | Create, read, update, delete, list, member push

Enable SCIM provisioning

Follow these steps to enable SCIM provisioning for your workspace.
  1. Open identity settings and enable SCIM
     Go to Settings → Workspace → Identity → SCIM provisioning and enable SCIM provisioning.
  2. Copy configuration values
     When SCIM is enabled, the following values are displayed:
    • SCIM base URL: The endpoint your IdP uses to sync users.
    • API token: A secure token used for authenticating SCIM requests (shown only once).
     Save the API token immediately. The full token is shown only once. If you lose it, you must rotate the token to generate a new one.
     Copy these values. You will need them in the next step.
  3. Configure your IdP
     Add the SCIM base URL and API token to your identity provider’s SCIM configuration. See your IdP’s documentation for specific setup instructions.
     Use the following values when configuring SCIM in your IdP:

Setting | Value
SCIM base URL | https://api.lovable.dev/scim/v2
Authentication | Bearer token
API token | Generated when SCIM is enabled

Provider-specific setup guides

Okta

  1. In the Okta Admin Console, go to Applications → Your Lovable app.
  2. Navigate to Provisioning → Integration.
  3. Enable SCIM integration.
  4. Configure the SCIM connector:
    • SCIM connector base URL: https://api.lovable.dev/scim/v2
    • Unique identifier field: userName
    • Authentication mode: HTTP header
    • Authorization: Bearer <your API token>
  5. Under To app, enable the provisioning features you want:
    • Create users
    • Update user attributes
    • Deactivate users
  6. Save and test the connection.

Microsoft Entra ID (Azure AD)

  1. In the Azure portal, go to Enterprise applications → Your Lovable app.
  2. Select Provisioning → Get started.
  3. Set Provisioning mode to Automatic.
  4. Under Admin credentials:
    • Tenant URL: https://api.lovable.dev/scim/v2
    • Secret token: your SCIM API token
  5. Click Test connection to verify the setup.
  6. Configure attribute mappings as needed.
  7. Set Provisioning status to On.

Configure role mapping

SCIM supports automatic role assignment based on IdP group membership, allowing you to control workspace permissions centrally.

Set a default role

The default role is assigned to users who do not match any group mapping. Available roles are:
  • Viewer: Read-only access
  • Editor: Can create and edit projects
  • Admin: Full workspace management

Map IdP groups to roles

Map your IdP groups to Lovable workspace roles for fine-grained access control. To add a group role mapping:
  1. Go to Settings → Workspace → Identity → SCIM provisioning.
  2. Under Group role mappings, click Add to create a new mapping.
  3. Enter the Group name exactly as it appears in your IdP (for example, engineering-admins).
  4. Select the Role to assign (viewer, editor, or admin).
  5. Click Add to save.
Group names are case-insensitive. For example, Engineering-Admins and engineering-admins both match.
Example mappings
IdP group | Lovable role
lovable-admins | Admin
engineering | Editor
contractors | Viewer
When a user is provisioned:
  • Lovable checks whether the user belongs to any mapped groups.
  • If a match is found, the corresponding role is assigned.
  • If no match is found, the default role is assigned.
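
Before turning provisioning on, it helps to dry-run your IdP assignments against the rules described on this page: the verified-domain check from "User provisioning", case-insensitive group matching, and the default-role fallback. The script below is an added example, not Lovable's code. The record shape, the function names, the sample users and the use of userName as an email address are assumptions. The page does not say which mapping wins when a user's groups map to different roles, so the script flags that case for review instead of guessing.

```python
# Added example: pre-flight audit of IdP assignments against the rules on this page.
# All sample data is constructed; function names and the record shape are hypothetical.

def resolve_role(user_groups, group_role_map, default_role):
    """Return (role, matched_groups). Group names match case-insensitively.
    role is None when the matched groups map to different roles, because the
    page does not document which mapping takes precedence."""
    mapping = {name.casefold(): role.casefold() for name, role in group_role_map.items()}
    matched = sorted(g for g in user_groups if g.casefold() in mapping)
    roles = {mapping[g.casefold()] for g in matched}
    if not roles:
        return default_role, matched
    if len(roles) > 1:
        return None, matched
    return roles.pop(), matched


def audit(users, verified_domains, group_role_map, default_role="viewer"):
    """Predict the outcome for each user record and flag the ones needing attention."""
    domains = {d.casefold() for d in verified_domains}
    findings = []
    for user in users:
        name = user["userName"]  # assumption: userName carries the email address
        domain = name.rpartition("@")[2].casefold()
        if domain not in domains:
            findings.append((name, "blocked", "email domain not verified"))
            continue
        role, matched = resolve_role(user.get("groups", []), group_role_map, default_role)
        if role is None:
            findings.append((name, "review", "groups map to different roles: " + ", ".join(matched)))
        elif not matched:
            findings.append((name, role, "no mapped group, default role applies"))
        else:
            findings.append((name, role, "mapped via " + ", ".join(matched)))
    return findings


# Constructed sample input; the mappings mirror the example table on this page.
MAPPINGS = {"lovable-admins": "admin", "engineering": "editor", "contractors": "viewer"}
USERS = [
    {"userName": "ana@example.com", "groups": ["Engineering"]},
    {"userName": "bo@example.com", "groups": ["Lovable-Admins", "contractors"]},
    {"userName": "cy@example.com", "groups": ["sales"]},
    {"userName": "di@partner.example", "groups": ["contractors"]},
]

if __name__ == "__main__":
    for row in audit(USERS, {"example.com"}, MAPPINGS):
        print(*row, sep=" | ")
```

Rows marked "review" or landing on the default role are the ones to check before go-live, especially if the default role is set above Viewer.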

Manage SCIM provisioning

Use the identity settings to manage SCIM provisioning over time.

Rotate the API token

Rotate the API token if it may have been compromised or needs to be regenerated:
  1. Go to Settings → Workspace → Identity → SCIM provisioning.
  2. Click Rotate next to the API token.
  3. Confirm the rotation.
  4. Copy and save the new token immediately.
  5. Update your IdP with the new token.
Rotating the token immediately invalidates the previous token. Update your IdP configuration right away to avoid provisioning interruptions.

Disable SCIM provisioning

To stop automatic provisioning:
  1. Go to Settings → Workspace → Identity → SCIM provisioning.
  2. Disable SCIM provisioning.
Disabling SCIM stops automatic provisioning but does not remove existing workspace members. Users previously provisioned via SCIM will remain in the workspace until manually removed.

Troubleshooting

SCIM only provisions users whose email domain is verified for your workspace. To fix:
  1. Go to Settings → Workspace → Identity.
  2. Add and verify the email domain under Verified domains.
  3. Retry provisioning from your IdP.
Verify that:
  • Your SSO provider is correctly configured.
  • Users are assigned to the SSO application in your IdP.
Users provisioned via SCIM must authenticate through SSO.
Check that:
  • Group names in your mappings exactly match what your IdP sends (case-insensitive)
  • Your IdP is configured to send group membership data in SCIM requests
  • Group push is enabled in your IdP

FAQ

No, SCIM requires an active SSO provider. Users provisioned via SCIM authenticate using your configured SSO provider.
Existing workspace members are not affected when you enable SCIM. SCIM manages users provisioned through your IdP. Previously invited users continue to exist alongside SCIM-provisioned users.
The API token is only shown once when generated. If you’ve lost it:
  1. Go to Settings → Workspace → Identity → SCIM provisioning.
  2. Click Rotate next to the API token and confirm the rotation.
  3. Update your IdP with the new token.