Provision Users and Groups with SCIM🚧
2022-3-25
You can provision and manage users and groups in your Notion workspace with the System for Cross-domain Identity Management (SCIM) API standard.
👉 Note: Notion's SCIM API is only available for workspaces on Notion's Enterprise Plan. Contact sales to learn more →
 

What you can do with Notion's SCIM API

User provisioning and management:
  • Create and remove members in your workspace.
  • Update a member's profile information.
  • Retrieve the members in your workspace.
    • Find members by email or name.
 
Group provisioning and management:
  • Create and remove groups in your workspace.
  • Add and remove members in a group.
  • Retrieve the groups in your workspace.
    • Find groups by name.
 
Not supported:
  • Managing workspace guests.
 

How to set up provisioning with SCIM

We currently support Okta, Rippling, and custom SCIM applications (see our SCIM API below for details). If you use another Identity Provider, please let us know.
 

Retrieving your SCIM API key

Please contact your Notion rep to generate an API key for the Notion workspace you want to provision.
You can then go to your Notion workspace, open Settings & Members, select the Security & SAML tab, and then under the SCIM configuration section choose View token. Only workspace admins can view the API key.
 

Setting up Provisioning with Okta

Features

Notion's Okta Integration supports the following provisioning features:
  • Create Users
  • Update User Attributes (if the user has an email domain belonging to your organization)
  • Deactivate Users (Removes user from your Notion workspace)
  • Push Groups
 

Requirements

Provisioning through Okta is available for workspaces on Notion's Enterprise Plan.
Please contact your Notion rep to generate an API key for the Notion workspace you want to provision.
Retrieve the SCIM API token for your Notion workspace:
  • You need to be a workspace administrator to access the SCIM API token.
  • Click on Settings & Members in your left sidebar. Then click on the Security & SAML tab.
  • Scroll down to the bottom to the SCIM configuration section and click on View Token.

Step-by-Step Configuration Instructions

👉 When updating users/groups via an existing SCIM configuration, please do not delete the Notion App from Okta. Doing so will remove all provisioned users from the workspace.
Add the Notion app from Okta's Integrations Directory. Under the Provisioning tab, enable API integration. Enter the Notion SCIM API token from the previous step into the API Token field.
Select "Email" for the Application username format on the Sign On application tab.
 
Provisioning Groups
After setting up the API integration, open the Push Groups tab, and add the Okta groups you want to sync with Notion from the "Push Groups" button.
 

Troubleshooting

Please ensure the Okta username attribute is set to Email, and that the email address is lowercase.
ℹ️ You can only update a member's profile information if you have verified ownership of the user's email domain (this is typically the same as the email domains you have configured for SAML Single Sign-On with Notion). Please contact us to verify a new email domain.
If you run into any issues setting up provisioning with Okta, please contact us.
 

Notion SCIM API Endpoints

ℹ️ Notion's SCIM API adheres to the SCIM 2.0 protocol.

Service Provider Configuration

GET /ServiceProviderConfig

GET https://api.notion.com/scim/v2/ServiceProviderConfig
Retrieve a description of the SCIM specification features available.

GET /ResourceTypes

GET https://api.notion.com/scim/v2/ResourceTypes
Retrieve a list of the SCIM resource types available.

Users

The following table describes the mapping between SCIM user attributes and Notion user profile fields. Other user attributes will be ignored.
Copy of User Attributes
| SCIM Attribute | Notion User Profile Field | Required |
|                | Email                     | Required |
|                | First Name                | Required |
|                | Last Name                 | Required |

GET /Users

GET https://api.notion.com/scim/v2/Users
Retrieve a paginated list of workspace members.
You can paginate using the startIndex and count parameters. Note that startIndex is 1-indexed.
You can filter the results with the filter parameter. Valid attributes to filter by are email, given_name, and family_name.
E.g. GET https://api.notion.com/scim/v2/Users?startIndex=1&count=50&filter=email eq [email protected]
Note that given_name and family_name are case sensitive. Email is converted to lowercase.
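An added example, not part of Notion's documentation: walking the paginated `GET /Users` listing with the 1-indexed `startIndex` and comparing the result with an identity-provider roster to find members who are still in the workspace but no longer in the IdP. Assumptions: the token is sent as an `Authorization: Bearer` header, the response is a SCIM 2.0 ListResponse with `Resources` and `totalResults`, the member's email is carried in `userName`, and `fake_fetch` with its sample data is constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

BASE = "https://api.notion.com/scim/v2"  # base URL shown on this page


def http_get(path, params, token):
    """Live fetch. Assumption: the SCIM token is sent as a Bearer token."""
    url = f"{BASE}{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def list_members(fetch, count=50):
    """Walk GET /Users page by page; startIndex is 1-indexed."""
    start, members = 1, []
    while True:
        page = fetch("/Users", {"startIndex": start, "count": count})
        resources = page.get("Resources", [])
        members.extend(resources)
        start += len(resources)
        # An empty page also ends the walk, so a bad totalResults cannot loop forever.
        if not resources or start > page.get("totalResults", 0):
            return members


def orphaned_members(members, idp_emails):
    """Workspace members whose email is absent from the IdP roster."""
    roster = {e.lower() for e in idp_emails}  # compare lowercase on both sides
    emails = (m["userName"].lower() for m in members)  # assumption: userName = email
    return sorted(e for e in emails if e not in roster)


# Constructed sample data standing in for the API so the example runs offline.
SAMPLE = [{"id": f"00000000-0000-0000-0000-00000000000{i}", "userName": e}
          for i, e in enumerate(["ana@example.com", "bo@example.com",
                                 "former@example.com"], start=1)]


def fake_fetch(path, params):
    first = params["startIndex"] - 1  # convert 1-indexed to a list offset
    chunk = SAMPLE[first:first + params["count"]]
    return {"totalResults": len(SAMPLE), "Resources": chunk}
```

Against a live workspace, pass `lambda path, params: http_get(path, params, token)` as `fetch` and keep the token out of source control.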

GET /Users/<id>

GET https://api.notion.com/scim/v2/Users/<id>
Retrieve a specific workspace member by its Notion user ID. This will be a UUID with 32 characters in the following format: 00000000-0000-0000-0000-000000000000.

POST /Users

POST https://api.notion.com/scim/v2/Users
If the user you are adding already has a Notion user account with the same email, then they will be added to your workspace.
If the user does not exist, calling this will create a new Notion user and then add that user to your workspace. The will be mapped to the Notion user profile that is created.

PATCH /Users/<id>

PATCH https://api.notion.com/scim/v2/Users/<id>
Update through a series of operations, and returns the updated user record.
ℹ️ You can only update a member's profile information if you have verified ownership of the user's email domain (this is typically the same as the email domains you have configured for SAML Single Sign-On with Notion).

PUT /Users/<id>

PUT https://api.notion.com/scim/v2/Users/<id>
Update , and returns the updated user record.
ℹ️ You can only update a member's profile information if you have verified ownership of the user's email domain (this is typically the same as the email domains you have configured for SAML Single Sign-On with Notion).

DELETE /Users/<id>

DELETE https://api.notion.com/scim/v2/Users/<id>
Remove a user from your workspace. The user is logged out of all active sessions.
⚠️ The user account cannot be deleted through SCIM. Account deletion must be done manually.

Groups

GET /Groups

GET https://api.notion.com/scim/v2/Groups
Retrieve a paginated list of workspace groups.
You can paginate using the startIndex and count parameters. Note that startIndex is 1-indexed.
E.g. GET https://api.notion.com/scim/v2/Groups?startIndex=1&count=5
You can filter the results with the filter parameter. Groups can be filtered by their displayName attribute.
E.g. GET https://api.notion.com/scim/v2/Groups?filter=displayName eq Designers

GET /Groups/<id>

GET https://api.notion.com/scim/v2/Groups/<id>
Retrieve a specific workspace group by its Notion group ID. This will be a UUID with 32 characters in the following format: 00000000-0000-0000-0000-000000000000.

POST /Groups

POST https://api.notion.com/scim/v2/Groups
Create a new workspace group.

PATCH /Groups/<id>

PATCH https://api.notion.com/scim/v2/Groups/<id>
Update a workspace group through a series of operations.

PUT /Groups/<id>

PUT https://api.notion.com/scim/v2/Groups/<id>
Update a workspace group.

DELETE /Groups/<id>

DELETE https://api.notion.com/scim/v2/Groups/<id>
Delete a workspace group.
ℹ️ Group deletion is forbidden if it would leave one or more pages with no one having full access.
