SCIM Provisioning

nproxy supports SCIM 2.0 for automatic user provisioning and deprovisioning through your identity provider (IdP). When employees join or leave your organization, their nproxy access is automatically updated -- including API token creation and revocation.

Requires the Enterprise plan.

How it works

  1. You generate a SCIM bearer token in the nproxy dashboard
  2. You configure nproxy as a SCIM application in your IdP (Okta, Azure AD, etc.)
  3. When you assign a user to the nproxy application in your IdP, the IdP sends a SCIM request to nproxy
  4. nproxy creates the user account, adds them to your organization as a member, and generates an API token
  5. When you unassign or deactivate a user, their membership is removed and all API tokens are revoked

SCIM endpoint

https://nproxy.app/api/scim/v2

All SCIM requests must include the bearer token in the Authorization header:

Authorization: Bearer scim_<your_token>

Supported operations

Create user (POST /Users)

When your IdP provisions a new user:

  1. nproxy finds or creates a user account by email
  2. Adds the user to your organization with the member role
  3. Generates an nproxy_ API token with proxy scope
  4. Returns the SCIM user resource with a custom extension containing the API token

The response includes a custom schema extension urn:nproxy:scim:1.0:User with the apiToken field. IdPs that support custom attributes can map this back to the user for MDM distribution.

List users (GET /Users)

Returns all users in your organization. Supports:

  • Pagination -- startIndex and count query parameters (SCIM RFC 7644 compliant, 1-based indexing)
  • Filtering -- filter=userName eq "user@example.com" to find a specific user by email
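
An added example (not nproxy's own code) that uses the pagination parameters above to audit deprovisioning: it walks every page of GET /Users and reports accounts still active in nproxy that are missing from the IdP's roster. The ListResponse fields (totalResults, Resources) follow RFC 7644 and are assumed to be what nproxy returns; the function names, sample users and roster are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

BASE_URL = "https://nproxy.app/api/scim/v2"  # endpoint given on this page

def http_fetch(token):
    """Build the real fetch(start_index, count) for GET /Users (not run in the demo)."""
    def fetch(start_index, count):
        query = urllib.parse.urlencode({"startIndex": start_index, "count": count})
        req = urllib.request.Request(f"{BASE_URL}/Users?{query}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch

def list_all_users(fetch, page_size=100):
    """Collect every user, advancing the 1-based startIndex page by page."""
    users, start = [], 1
    while True:
        page = fetch(start, page_size)
        resources = page.get("Resources", [])
        users.extend(resources)
        start += len(resources)
        # An empty page also ends the walk, so a wrong totalResults cannot loop forever.
        if not resources or start > page.get("totalResults", 0):
            return users

def find_orphans(users, idp_active_emails):
    """userNames still active in nproxy but absent from the IdP's active roster."""
    roster = {email.lower() for email in idp_active_emails}
    return sorted(u["userName"] for u in users
                  if u.get("active") and u["userName"].lower() not in roster)

# Constructed sample directory, served two users per page by a stand-in fetch.
SAMPLE = [
    {"id": "u1", "userName": "jane@acme.com", "active": True},
    {"id": "u2", "userName": "raj@acme.com", "active": False},
    {"id": "u3", "userName": "lee@acme.com", "active": True},
]

def sample_fetch(start_index, count):
    chunk = SAMPLE[start_index - 1:start_index - 1 + count]
    return {"totalResults": len(SAMPLE), "startIndex": start_index,
            "itemsPerPage": len(chunk), "Resources": chunk}

if __name__ == "__main__":
    users = list_all_users(sample_fetch, page_size=2)
    print(find_orphans(users, ["Jane@acme.com"]))  # roster is a constructed IdP export
```

Against the live endpoint, pass http_fetch(token) instead of sample_fetch and supply the roster from your IdP's export.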

Get user (GET /Users/:id)

Returns a single user by their nproxy user ID.

Update user (PATCH /Users/:id)

Supports the replace operation on the active path:

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    { "op": "replace", "path": "active", "value": false }
  ]
}

  • Deactivating a user (active: false) revokes all their API tokens and deactivates their org membership
  • Reactivating a user (active: true) re-enables their membership and creates a new API token if they have none

Replace user (PUT /Users/:id)

Full replace of the user resource. Updates name, email, externalId, and active status. If active is set to false, all tokens are revoked.

Delete user (DELETE /Users/:id)

Hard deprovision:

  1. Revokes all API tokens for the user in your organization
  2. Deactivates the user account
  3. Removes the org membership

Generating a SCIM token

  1. Go to the nproxy dashboard
  2. Navigate to your organization settings
  3. Click Generate SCIM Token
  4. Copy the token -- it is shown only once

The token is stored as a SHA-256 hash. Only org owners and admins can generate or revoke SCIM tokens.

To revoke a SCIM token, click Revoke SCIM Token in the dashboard. This immediately invalidates all SCIM requests using that token.

Setting up Okta

  1. In the Okta admin console, go to Applications > Create App Integration
  2. Select SCIM 2.0 Test App (Header Auth)
  3. Set the SCIM connector base URL to https://nproxy.app/api/scim/v2
  4. Set the Unique identifier field for users to userName
  5. Under Authentication Mode, select HTTP Header and paste your SCIM bearer token
  6. Enable Push New Users, Push Profile Updates, and Push Groups (if desired)
  7. Assign users or groups to the application

Setting up Azure AD (Microsoft Entra ID)

  1. In the Azure portal, go to Enterprise Applications > New Application
  2. Create a non-gallery application
  3. Go to Provisioning and set the mode to Automatic
  4. Set the Tenant URL to https://nproxy.app/api/scim/v2
  5. Set the Secret Token to your SCIM bearer token
  6. Click Test Connection to verify
  7. Configure attribute mappings (userName maps to email)
  8. Assign users and groups, then start provisioning

SCIM user resource format

nproxy returns SCIM 2.0 User resources in this format:

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "user-uuid",
  "userName": "jane@acme.com",
  "name": {
    "givenName": "Jane",
    "familyName": "Doe"
  },
  "emails": [{ "primary": true, "value": "jane@acme.com" }],
  "externalId": "okta-external-id",
  "active": true,
  "meta": {
    "resourceType": "User"
  }
}

Token lifecycle

SCIM provisioning integrates with the nproxy token system:

Event                                     Token action
User provisioned (POST /Users)            New nproxy_ token created with proxy scope
User deactivated (PATCH active=false)     All tokens revoked
User reactivated (PATCH active=true)      New token created if user has no tokens for the org
User deprovisioned (DELETE /Users/:id)    All tokens revoked, user deactivated, membership removed

Token revocation takes effect immediately — deprovisioned users lose proxy access within seconds.