You must enable javascript in order to use Slack. You can do this in your browser settings.
Go to Slack

SCIM API

Provision and manage user accounts and groups with the Slack SCIM API. SCIM is used by Single Sign-On (SSO) services and identity providers to manage people across a variety of tools, including Slack. It's also possible to write your own apps and scripts using the SCIM API to programmatically manage the members of your workspace.

Please note that the SCIM API is only available to Slack workspaces on the Plus plan and Slack Enterprise Grid.

Manage people in a workspace

SCIM is an API for managing the people on your team and the groups they belong to.

SCIM is an open standard supported by myriad services. It behaves slightly differently than other Slack APIs. For example, most of Slack's APIs can be described as "REST-like" but are, more accurately, actually RPC-style methods that use HTTP GET and POST interchangeably but no other verbs (such as PATCH or DELETE). SCIM, being a more proper REST API, expects HTTP verbs to be used in a specific manner.

While other APIs are for interacting with a Slack workspace directly, the SCIM APIs allow teams on the Plus and Enterprise Grid plans to administer the users on a workspace (or in an organization, in the case of Grid). If you've found yourself wishing for a set of users.admin.* endpoints, SCIM might be right for you.

Our SCIM implementation targets version 1.1 of the protocol.

Slack supports member provisioning via helper apps with supported identity providers. This document covers custom SCIM operations.

Be aware that it's possible to de-provision an entire workspace or Enterprise Grid organization with SCIM. Please test your scripts thoroughly before executing them. Of course, our support team is ready to assist you should you run into any trouble.

Accessing the SCIM API

Like other Slack API's, the SCIM methods are accessed over that old standby protocol, HTTP.

Being a REST API, the HTTP verb (e.g. GET or POST or PATCH or even DELETE) used for each API method is important. Typically you will use GET to retrieve information, POST to create new objects, PUT and PATCH to modify objects, and DELETE to remove. (Alas, we seem to have lost our HEAD.)

The base URL for all calls to the SCIM API is https://api.slack.com/scim/v1/. All SCIM methods are branches of this base URL.

An OAuth token with the admin scope is required to access the SCIM API. The simplest way to acquire this token is for an admin on a Workspace to create a new Slack app, add the admin OAuth scope, install the app, and use the generated token. If you intend to build a Slack app for other teams to install, your app will need to properly handle the OAuth flow to generate the proper token.

The API token must be included via an Authorization header with a type of Bearer when calling any of the SCIM methods.

Provide a JSON request body for POST, PUT, and PATCH write operations, and set your HTTP Content-type header to application/json.

An example SCIM call might look like this:

 GET /scim/v1/Users?count=1000 HTTP/1.1
 Host: api.slack.com
 Accept: application/json
 Authorization: Bearer xoxp-4956040672-4956040692-6476208902-xxxxxx

Particulars of permissions

On Plus, Slack Owners and Admins can generate a token to use the SCIM API. On Enterprise Grid, only Org Owners and Admins can use SCIM to modify users.

The token-generating account must remain an Admin or Owner in order to make SCIM updates.

One more note: the token generator can only action on accounts with the same or fewer permissions. For example, if an Admin account generates a SCIM token, they can take action on other Admins or members. They cannot take action on Owners.

Using SCIM on an Enterprise Grid organization

On Enterprise Grid, SCIM operations work across the entire organization, not individual workspaces. A SCIM app can provision, de-provision, and update team members in just one place rather than having to do so across every workspace in an organization.

For this reason, the OAuth token used for calling SCIM API methods must be obtained from installing the app on the organization, not just a workspace within the organization. To get a SCIM app working on a grid organization, do the following:

  1. The web service powering your app will need to be able to handle a standard OAuth 2 flow.
  2. Create a new Slack app.
  3. In the app's settings, select OAuth & Permissions from the left navigation. Scroll down to the section titled Scopes and add the admin scope and click the green Save Changes button.
  4. In the app's settings, select Manage Distribution from the left navigation. Under the section titled Share Your App with Other Workspaces, make sure all four sections have the green check. Then click the green Activate Public Distribution button.
  5. Under the Share Your App with Your Workspace section, copy the Sharable URL and paste it into a browser to initiate the OAuth handshake that will install the app on your organization. You will need to be logged in as an administrator of your Enterprise Grid organization to install the app.
  6. Check the dropdown in the upper right of the installation screen to make sure you are installing the app on the Enterprise Grid organization, not an individual workspace within the organization. (See image below.)
  7. Once your app completes the OAuth flow, you will be granted an OAuth token that can be used for calling all of the SCIM API methods for your organization. This token is the one your app should use to call the SCIM methods.

When installing the SCIM app, be sure to install it on your Grid organization, not a workspace within the organization.

Installing the app on a workspace

Usergroups on Enterprise Grid work a bit differently as well. Creating SCIM groups will create an IDP group, which may or may not be the correct behavior depending on what you hope to accomplish.

SCIM API endpoints

The SCIM API is RESTful and the endpoint URLs are different than other Slack API endpoints.

Service Provider Configuration

GET /ServiceProviderConfigs Returns Slack's configuration details for our SCIM API, including which operations are supported.

Schemas

Slack currently supports schemas for users and groups. Querying the schemas will provide the most up-to-date rendering of the supported SCIM attributes.

GET /Schemas/Users Returns Slack's configuration details for how users are formatted.

GET /Schemas/Groups Returns Slack's configuration details for how groups are formatted.

Users

As you might expect, users map to the individuals of your team across a workspace or Grid organization. Each user contains properties called attributes, like userName and title. You can list users, filter by attribute, add new users, update a user's profile information, or remove a user entirely.

User attributes

Attributes are the details associated with a user's account. These are the details that someone would typically set in their profile (for example, by clicking the Edit Profile button in the Slack application).

The following tables map SCIM attributes to the profile fields that Slack uses. Most of these profile fields are exposed directly in a person's profile in the Slack UI. Sometimes, multiple SCIM attributes map to a single Slack profile field --- for example, Slack's Display name field will populate from either the displayName or the userName SCIM attribute, depending on which is set. If both are set, it will use displayName.

Note: when you sync some user attributes to Slack via SCIM, these fields become locked in Slack and you can no longer delete them or edit them. However, you may choose to hide them from user profiles.

Attribute values will vary by identity provider. For example, some may use a single field for a user's full name, others may provide sub-attributes such as givenName and familyName, still others may provide both. Either is acceptable, but they should only describe the same name (i.e. sub-attributes should not contain additional or optional information, such as a nickname).

Not every attribute will be displayed in a user's profile --- for example, active does not appear as a field but can be used to determine if a user's account is active.

The password attribute is never returned but can be used to set the initial password for a user if the team is not using an identity manager.

Slack Profile Field SCIM Attribute Attribute Type Required
Username userName Singular True
Full Name name, { givenName, familyName } Singular False
Nickname nickName Singular False
Display Name displayName, userName Singular False
Email emails[0]['value'] Multi-Valued True
Profile URL profileUrl Singular False
Profile Photo photos[0]['values'] Multi-Valued False
Groups groups Multi-Valued False
What I Do title Singular False
Timezone timezone Singular False
Active active Singular False
Password password Singular False

Slack will also create profile fields if the following SCIM attributes are present:

Custom Profile Field SCIM Attribute Attribute Type
Addresses addresses Multi-Valued
Roles roles Multi-Valued
Phone phoneNumbers[0]['values'] Multi-Valued
UserType userType Singular
Title title Singular
Cost Center enterprise.costCenter Singular
Country addresses[primary]['country'] Singular
Department enterprise.department Singular
Division enterprise.division Singular
Employee ID enterprise.employeeNumber Singular
Honorific Prefix name.honorificPrefix Singular
Locale locale Singular
City addresses[primary]['locality'] Singular
Manager enterprise.manager.managerId Singular
Organization enterprise.organization Singular
Zip Code addresses[primary]['postalCode'] Singular
Preferred Language preferredLanguage Singular

User methods

GET /Users Returns a paginated list of users, ten users per page by default. When querying larger Slack instances, reduce the count parameter to 1,000 or less, and use the startIndex parameter to paginate through users. Pagination will be required for large lists of users as of August 30, 2019.

It's possible to return a list of specific types of users with the filter parameter.

 GET /scim/v1/Users?startIndex=4&count=500 HTTP/1.1
 Host: api.slack.com
 Accept: application/json
 Authorization: Bearer xoxp-4956040672-4956040692-6476208902-xxxxxx

GET /Users/{id} Retrieves a single user resource. The value of the {id} should be the user's corresponding Slack ID, beginning with either U or W.

 GET /scim/v1/Users/U1A23BC4D HTTP/1.1
 Host: api.slack.com
 Accept: application/json
 Authorization: Bearer xoxp-4956040672-4956040692-6476208902-xxxxxx

POST /Users Creates a user. Must include the userName attribute and at least one email address. You may provide an email address in the userName field, but it will be automatically converted to a Slack-appropriate username.

This example request body provides a detailed example of which attributes Slack uses, especially for the multi-valued attributes.

{
    "schemas": [
        "urn:scim:schemas:core:1.0",
        "urn:scim:schemas:extension:enterprise:1.0"
    ],
    "userName": "other_username",
    "nickName": "slack_username",
    "name": {
        "familyName": "Last",
        "givenName": "First",
        "honorificPrefix": "Ms."
    },
    "displayName": "First Last",
    "profileUrl": "https://login.example.com/slack_username",
    "emails": [
        {
            "value": "some@email.com",
            "type": "work",
            "primary": true
        },
        {
            "value": "some_other@email.com",
            "type": "home"
        }
    ],
    "addresses": [
        {
            "streetAddress": "1060 W Addison St",
            "locality": "Chicago",
            "region": "IL",
            "postalCode": "60613",
            "country": "USA",
            "primary": true
        }
    ],
    "phoneNumbers": [
        {
            "value": "555-555-5555",
            "type": "work"
        },
        {
            "value": "555-555-4444",
            "type": "mobile"
        }
    ],
    "photos": [
        {
            "value": "https://photos.example.com/profilephoto.jpg",
            "type": "photo"
        }
    ],
    "roles": [
        {
            "value": "Tech Lead",
            "primary": "true"
        }
    ],
    "userType": "Employee",
    "title": "Tour Guide",
    "preferredLanguage": "en_US",
    "locale": "en_US",
    "timezone": "America/Chicago",
    "active": true,
    "password": "Cub$winCub$win!!",
    "urn:scim:schemas:extension:enterprise:1.0": {
        "employeeNumber": "701984",
        "costCenter": "4130",
        "organization": "Chicago Cubs",
        "division": "Wrigley Field",
        "department": "Tour Operations",
        "manager": {
            "managerId": "U0XE15NHQ"
        }
    }
}

PATCH /Users/{id}

Updates an existing user resource, overwriting values for specified attributes. Attributes that are not provided in the request will remain unchanged. The value of the {id} should be the user's corresponding Slack ID, beginning with either U or W.

Updates to the password, externalId, and profileUrl attributes are not supported via PATCH.

active

Disable active users by setting the active attribute equal to false. Alternatively, re-enable disabled users by setting the active attribute equal to true.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "active": true
}

userName

Updates to the userName attribute will also update the nickName attribute and vice versa.

The userName attribute "cannot" be empty.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "userName": "other_username"
}

nickName

Updates to the nickName attribute will also update the userName attribute and vice versa.

The nickName attribute "cannot" be empty.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "nickName": "slack_username"
}

displayName

Updates a user's Slack display name profile field. The following request will update the user's handle to @First Last.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "displayName": "First Last"
}

title

Updates a user's "What I Do" profile field.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "title": "Tour Guide"
}

userType

Updates a user's userType profile field.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "userType": "Employee"
}

preferredLanguage

Updates the user's preferred language profile field.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "preferredLanguage":"en_US"
}

locale

Updates the user's locale profile field.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "locale": "en_US"
}

timezone

Updates the user's timezone profile field.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "timezone": "America/Chicago"
}

emails

Only two user emails are stored; the primary and secondary email. The primary email may be specified by setting the primary sub-attribute to true. If the primary sub-attribute is omitted, the type sub-attribute may be specified and set to "work". Otherwise, if both the primary and type sub-attributes are omitted, the secondary email will be updated.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "emails": [
        {
            "value": "some@email.com",
            "type": "work",
            "primary": true
        },
        {
            "value": "some_other@email.com",
            "type": "home"
        }
    ]
}

A user's primary email cannot be deleted, only updates are supported. Attempts to delete the primary email without providing a replacement value will result in a missing_primary_email error. However, the secondary email may be modified at will. For example, the following request will remove the secondary email.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "emails": [
        {
            "value": "some_other@email.com",
            "operation": "delete"
        }
    ]
}

Note: The following request will only remove the secondary email.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "meta": {
        "attributes": [
            "emails"
        ]
    }
}

phoneNumbers

Only two user phone numbers are stored; the primary and secondary phone numbers. The primary phone number may be specified by setting the primary sub-attribute to true. If the primary sub-attribute is omitted, the type sub-attribute may be specified and set to "mobile". If both the primary and type sub-attributes are omitted, the secondary phone number will be updated.

The type sub-attribute means different things depending on whether it's in the request or in the response. In the request, the "type": "mobile" sub-attribute specifies the primary phone number. In the response, "type": "mobile" is assigned to the secondary number.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "phoneNumbers": [
        {
            "value": "555-555-5555",
            "type": "work"
        },
        {
            "value": "555-555-4444",
            "type": "mobile"
        }
    ]
}

The primary or secondary phone numbers may be deleted by specifying their respective values and setting the operation sub-attribute to "delete". The following requests are equivalent, they will delete all of the user's phone numbers.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "phoneNumbers": [
        {
            "value": "555-555-5555",
            "operation": "delete"
        },
        {
            "value": "555-555-4444",
            "operation": "delete"
        }
    ]
}
{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "meta": {
        "attributes": [
            "phoneNumbers"
        ]
    }
}

photos

Only one user photo is stored and used as the user's profile photo. The photo may be specified by setting the primary sub-attribute to true. If the primary sub-attribute is omitted, the first element in the photos array will be selected.

After a successful PATCH request, the response will not reflect the updated value immediately. It takes a few moments for the URL to be generated and propagated to the Slack client.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "photos": [
        {
            "value": "https://photos.example.com/profilephoto.jpg",
            "primary": true
        }
    ]
}

addresses

Only one user address is stored. The address may be specified by setting the primary sub-attribute to true. If the primary sub-attribute is omitted, the first element in the addresses array will be selected. Only the streetAddress, locality, region, postalCode and country sub-attributes are supported.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "addresses": [
        {
            "streetAddress": "1060 W Addison St",
            "locality": "Chicago",
            "region": "IL",
            "postalCode": "60613",
            "country": "USA",
            "primary": true
        }
    ]
}

To remove a user address, provide the operation sub-attribute set to "delete". An address is only deleted if the streetAddress, locality, region, postalCode and country sub-attribute values all match the current value.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "addresses": [
        {
            "streetAddress": "1060 W Addison St",
            "locality": "Chicago",
            "region": "IL",
            "postalCode": "60613",
            "country": "USA",
            "operation": "delete"
        }
    ]
}

roles

Only one user role is stored. The SCIM spec does not specify a canonical type for the roles attribute so both of the following variations are accepted. The role may be specified by setting the primary sub-attribute to true. If the primary sub-attribute is omitted, the first element in the roles array will be selected.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "roles": [
        {
            "value": "Tech Lead",
            "primary": true
        }
    ]
}

or

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "roles": [
        "Tech Lead"
    ]
}

To remove a user's role, provide the operation sub-attribute and set it to "delete".

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "roles": [
        {
            "value": "Tech Lead",
            "operation": "delete"
        }
    ]
}

name

Updates the user's name profile fields. Only the familyName, givenName and honorificPrefix sub-attributes are supported. To update all of the name sub-attributes in one request, use the following request:

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "name": {
        "familyName": "Last",
        "givenName": "First",
        "honorificPrefix": "Ms."
    }
}

Otherwise, specify only the sub-attributes to update.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "name": {
        "givenName": "First"
    }
}

To remove a specific name sub-attribute, use:

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "meta": {
        "attributes": [
            "name.honorificPrefix"
        ]
    }
}

To remove all of the name sub-attributes, use:

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "meta": {
        "attributes": [
            "name"
        ]
    }
}

urn:scim:schemas:extension:enterprises:1.0

Updates a user's enterprise profile fields.

If the manager sub-attribute is specified, the managerId sub-attribute "must" be specified. The value for the managerId su- attribute must be a valid Slack ID, beginning with either U or W.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "urn:scim:schemas:extension:enterprise:1.0": {
        "employeeNumber": "701984",
        "costCenter": "4130",
        "organization": "Chicago Cubs",
        "division": "Wrigley Field",
        "department": "Tour Operations",
        "manager": {
            "managerId": "U0XE15NHQ"
        }
    }
}

Otherwise, specify only the sub-attributes to update.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "urn:scim:schemas:extension:enterprise:1.0": {
        "manager": {
            "managerId": "U0XE15NHQ"
        }
    }
}

To remove a specific urn:scim:schemas:extension:enterprise:1.0 sub-attribute, use:

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "meta": {
        "attributes": [
            "urn:scim:schemas:extension:enterprise:1.0.manager.managerId"
        ]
    }
}

To remove all of the urn:scim:schemas:extension:enterprise:1.0 sub-attributes, use:

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "meta": {
        "attributes": [
            "urn:scim:schemas:extension:enterprise:1.0"
        ]
    }
}

meta

To remove a specific attribute or sub-attributes, use the meta.attributes request.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "meta": {
        "attributes": [
            "roles",
            "name.familyName",
            "urn:scim:schemas:extension:enterprise:1.0.department"
        ]
    }
}

PUT /Users/{id}

Updates an existing user resource, overwriting all values for a user even if an attribute is empty or not provided. If an attribute that had been set previously is left blank during a PUT operation, the new value will be blank in accordance with the data type of the attribute and the storage provider.

Deactivated users can be re-enabled by setting the active attribute to true. The value of the {id} should be the user's corresponding Slack ID, beginning with either U or W.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "id": "U0XE15NH0",
    "active": false,
    "userName": "other_username",
    "nickName": "slack_username",
    "name": {
        "givenName": "First",
        "familyName": "Last"
    },
    "title": "Ms.",
    "emails": [
        {
            "value": "some@email.com",
            "primary": true
        }
    ],
    "photos": [
        {
            "value": "https://some.image/url",
            "type": "photo"
        }
    ]
}

DELETE /Users/{id} Sets a Slack user to deactivated and hides this user from all future requests. The value of the {id} should be the user's corresponding Slack ID, beginning with either U or W.

 DELETE /scim/v1/Users/42 HTTP/1.1
 Host: api.slack.com
 Accept: application/json
 Authorization: Bearer xoxp-4956040672-4956040692-6476208902-xxxxxx

Groups

Groups are for organizing users in logical divisions across a workspace, such as by team or affinity.

Slack Group Field SCIM Attribute Attribute Type Required
Name displayName String True
Members members Multi-valued True

Group attributes

Attributes are the details associated with a group.

GET /Groups Returns a paginated list of groups, ten groups per page by default. Use the startIndex and count (max 1000) query parameters to paginate long lists of groups. Pagination will be required as of August 30, 2019.

It's possible to return a list of specific types of groups, using the filter parameter.

 GET /scim/v1/Groups?startIndex=4&count=500 HTTP/1.1
 Host: api.slack.com
 Accept: application/json
 Authorization: Bearer xoxp-4956040672-4956040692-6476208902-xxxxxx

GET /Groups/{id} Retrieves a single group resource.

 GET /scim/v1/Groups/42 HTTP/1.1
 Host: api.slack.com
 Accept: application/json
 Authorization: Bearer xoxp-4956040672-4956040692-6476208902-xxxxxx

POST /Groups Creates a new group. Must include the displayName attribute (as defined in the schema specification). Users can be added to the group during creation by supplying the Slack user ID values in the members array attribute.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "id": "external_id",
    "displayName": "Group Name",
    "members": [
        {
            "value": "U0W0NQFFC"
        },
        {
            "value": "U0W0C30RE"
        }
    ]
}

PATCH /Groups/{id} Updates an existing group resource, allowing individual (or groups of) users to be added or removed from the group with a single operation.

Setting the operation attribute of a member object to delete will remove members from a group; add is the default operation for PATCH. More details on editing a resource with PATCH.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "members": [
        {
            "value": "U0W0NQFFC"
        },
        {
            "value": "U0W0QCPK4",
            "operation": "delete"
        },
        {
            "value": "U0W0C30RE"
        }
    ]
}

PUT /Groups/{id} Updates an existing group resource, overwriting all values for a group even if an attribute is empty or not provided. PUT will replace all members of a group with those members provided via the members attribute. If an attribute that had been set previously is left blank during a PUT operation, the new value will be blank in accordance with the data type of the attribute and the storage provider.

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "displayName": "New Group Name",
    "members": [
        {
            "value": "U0W0NQFFC"
        }
    ]
}

DELETE /Groups/{id} Permanently removes a group (members are not deleted, only the group).

 DELETE /scim/v1/Groups/42 HTTP/1.1
 Host: api.slack.com
 Accept: application/json
 Authorization: Bearer xoxp-4956040672-4956040692-6476208902-xxxxxx

Filter

For methods that return a list --- GET /Users and GET /Groups --- it's possible to filter the list by the username, email, restricted, and ultra_restricted attributes, and return only the values matching that filter. The following rules apply:

  • The filter parameter must contain one valid boolean operator
  • Each expression must contain an attribute name followed by an attribute operator, (also supports an optional value)
  • Multiple expressions may be combined using two logical operators.
  • Expressions can be grouped together using "( )"
  • Expressions must be evaluated using standard order of operations
  • String literals must be valid JSON strings

The following is a list of valid operators:

Operator Description
eq equal
co contains
sw starts with
pr present value
gt greater than
ge greater than or equal
lt less than
le less than or equal
and logical And
or logical Or

Attribute name and attribute operator are case insensitive. For example, the following two expressions will evaluate to the same logical value:

filter=userName Eq "Carly"
filter=username eq "carly"

Filters may be applied to the username and email user attributes, with the addition of two membership filters:

Attribute Name SCIM Attribute Attribute Type
Multi-Channel-Guest restricted Singular
Single-Channel-Guest ultra_restricted Singular

The following would return a list of all multi-channel guests of a workspace:

 GET /scim/v1/Users?filter=restricted eq '1' HTTP/1.1
 Host: api.slack.com
 Accept: application/json
 Authorization: Bearer xoxp-4956040672-4956040692-6476208902-xxxxxx

Errors

Occasionally, interacting with our APIs will result in an error instead of the result you're expecting. Slack will make every attempt to respond with a descriptive error message that will help you figure out what went wrong and how to fix it.

Error Description
addresses_invalid The addresses attribute provided is invalid.
bad_email_address The email address provided does not exist or was poorly formatted.
bad_endpoint The endpoint URL does not exist.
cannot_modify_owner A Workspace's ownership can not be modified via SCIM, please use the Slack admin.
cannot_modify_gdpr Users who have had their personal information forgotten under GDPR can not be modified.
cannot_disable_bot_user_with_scim The SCIM API can not be used to deactivate a bot user, this must be done via the bot admin.
cannot_disable_primary_owner The primary owner of a Workspace can not be disabled. If this user needs to be disabled, please make another team member the primary owner first.
email_empty The user's primary email is missing from the request.
email_invalid The provided user email values are invalid.
email_taken The provided user email value already exists.
emails_invalid The emails attribute provided is invalid.
group_members_create_failed An error occurred during an update to a user group.
group_creation_failed The request to create a user group has failed.
groups_invalid The groups attribute provided is invalid.
idp_group_linked_to_channels This IDP group is linked to one or more channels via admin.conversations.whitelist.add. You must call admin.conversations.whitelist.remove for each link before you can delete the group.
improper_enterprise_schema_format The urn:scim:schemas:extension:enterprise:1.0.manager sub-attribute is missing the required managerId sub-attribute.
incomplete_filter A malformed filter query has been specified. Please check that the filter are separated by a single space. filter=attribute eq "value"
invalid_attribute_format A singular or multi-valued attribute has been specified with the wrong type.
invalid_authentication There's a problem with the OAuth token. It may not have been granted the proper admin scope or may not have been installed by an administrator. The token may also be malformed or not properly sent via an Authorization header with a type of Bearer.
invalid_display_name The provided display name is not allowed.
invalid_emoji_not_allowed An attribute value contains an emoji.
invalid_filter_group The provided filter contains a group that is malformed.
invalid_name_specials The provided display name is not allowed because it is using invalid special characters such as @.
invalid_name_required Only a string containing spaces has been provided for both the givenName and familyName sub-attributes.
invalid_query There's a problem with the filter parameter. Please check that the entities and operators are valid.
invalid_reserved_word A reserved word has been specified in an attribute.
invalid_starts_with_at The displayName attribute value provided starts with an @
invalid_sort_order The sortOrder parameter is not equal to ascending or descending.
method_not_allowed Unsupported http method provided. Only GET, POST, PUT, PATCH and DELETE are supported.
missing_authentication The authentication token is missing.
missing_primary_email The request is attempting to remove the primary email without providing a replacement value.
missing_schema_element The schemas attribute is missing from the request.
missing_group_id The group ID has not been specified.
missing_user_id The user ID has not been specified.
no_filters The filter query parameter was provided but no filters were specified.
no_such_group The group provided does not exist.
no_such_group_members The group members provided do not exist.
no_such_user The user provided does not exist.
non_org_teams_only When using SCIM on an Enterprise Grid organization, the app must be installed on the organization, not individual workspaces. SCIM methods are called against the entire Grid organization.
query_building_failed The provided filter did not translate to a proper database query.
database_query_failure An error was encountered while executing a filter.
password_change_not_allowed Updates to the password attribute via SCIM is prohibited.
permission_denied The OAuth token has not been granted permission to perform the requested action.
phoneNumbers_invalid The phoneNumbers attribute provided is invalid.
photos_invalid The photos attribute provided is invalid.
plus_teams_only The SCIM APIs are only available for Plus and Enterprise Grid plans. SCIM access is not available for Free and Standard plans.
primary_owner_check_failure The primary owner of a Workspace within an organization can not be disabled. If this user needs to be disabled, please make another team member the primary owner first.
resource_locked The app is making too many requests over a short period of time for group update requests. Please make fewer requests to stay within Slack's rate limits.
roles_invalid The roles attribute provided is invalid.
too_many_requests The app is making too many requests over a short period of time. Please make fewer requests to stay within Slack's rate limits.
truncation_error The userName could not be truncated in an attempt to avoid a username conflict for the organization.
unable_to_create_team_profile_fields An error occurred during custom profile creation.
unknown_user The user provided does not exist.
unsupported_version The provided SCIM version is not supported.
user_creation_failed The specified user already exists or an error was encountered when attempting to create a user.
username_empty The userName attribute is empty when the user's endpoint is invoked via PUT or POST
username_invalid The userName attribute provided is invalid.
username_not_allowed The provided userName is reserved.
username_required This method requires a username parameter.
username_taken When provisioning a new user via SCIM, usernames must be unique.
username_too_long The specified username is too long (max length is 21 characters).

SCIM provisioning limitations

  • Users can not be permanently deleted from Slack, they can only be deactivated.
  • Attempts to provision a user with a duplicate email address (even if the existing user has been previously deactivated in Slack) will fail. The existing user email address must be updated manually in Slack to free up the email to be re-provisioned.
  • When creating a new user, if anything in custom profile is invalid, all profile fields will be dropped
  • Multi-Channel and Single-Channel Guests can not be fully provisioned via SCIM. You will first need to provision them as a full user, then restrict them via the Slack admin page.
  • Group mention handles (@group) can not be set via the SCIM provisioning API.
  • Subteams that are automatically generated by Slack, such as Team Admins, can not be updated via the SCIM API.
  • The SCIM API is rate limited. If your requests are being limited, an HTTP: 429 error will be returned.
  • Slack does not store type for addresses. The type field will be used to determine which address is the "primary address" if the request does not specify one, however the type is not stored.