Scalekit Users & Memberships API

Manage the organization user membership lifecycle - add, update, and remove members, resend invitations, and create and list organization roles and permissions.

OpenAPI Specification

scalekit-openapi.yml
# OpenAPI 3.0.1 description of the Scalekit REST API.
openapi: 3.0.1
info:
  title: Scalekit API
  # Folded scalar (`>-`): the lines below are joined into one paragraph and
  # the trailing newline is stripped.
  description: >-
    Scalekit is the authentication platform for B2B SaaS and AI agents. The
    REST API provides programmatic access to enterprise Single Sign-On (SAML /
    OIDC connections), SCIM directory provisioning, organizations, users and
    memberships, organization roles, machine-to-machine (M2M) authentication,
    and agent / MCP connected accounts and tool execution. The API base URL is
    per-environment; access tokens are obtained via the OAuth 2.0 client
    credentials grant and passed as Bearer tokens.
  termsOfService: https://www.scalekit.com/legal/terms-of-service
  contact:
    name: Scalekit Support
    url: https://www.scalekit.com
    email: support@scalekit.com
  # Quoted so the version is read as the string "1.0" rather than a float.
  version: '1.0'
# Base URLs are per tenant: the `environment` server variable is substituted
# into the host name. Both entries use HTTPS, which the form-encoded client
# secret and the Bearer tokens rely on for confidentiality in transit.
servers:
  - url: https://{environment}.scalekit.com
    description: Production environment (per-tenant subdomain)
    variables:
      environment:
        # Placeholder default; replace it with the real subdomain.
        default: your-subdomain
        description: Your Scalekit environment subdomain.
  - url: https://{environment}.scalekit.dev
    description: Development environment (per-tenant subdomain)
    variables:
      environment:
        # Placeholder default; replace it with the real subdomain.
        default: your-subdomain
        description: Your Scalekit development environment subdomain.
# Document-level requirement: every operation needs the `bearerAuth` scheme
# unless it overrides `security` itself, as POST /oauth/token does with an
# empty list.
security:
  - bearerAuth: []
# Tag catalogue used to group the operations under `paths`.
# NOTE(review): no operation in this document references the `M2M Clients`
# tag, so M2M client management is described here but not specified.
tags:
  - name: Authentication
    description: OAuth 2.0 client credentials token issuance.
  - name: Organizations
    description: Create and manage tenant organizations.
  - name: Organization Settings
    description: Toggle feature settings on an organization.
  - name: Admin Portal
    description: Generate self-service admin portal links.
  - name: Connections
    description: Enterprise SSO connections (SAML / OIDC).
  - name: Directories
    description: SCIM directories and synced directory users and groups.
  - name: Users & Memberships
    description: Organization user membership lifecycle and invitations.
  - name: Roles
    description: Organization roles and permissions.
  - name: M2M Clients
    description: Machine-to-machine API auth clients and tokens.
  - name: Connected Accounts
    description: Agent / MCP connected accounts and tool execution.
paths:
  # Token endpoint for the OAuth 2.0 client credentials grant.
  /oauth/token:
    post:
      operationId: createToken
      tags:
        - Authentication
      summary: Issue an access token (client credentials)
      description: >-
        Exchange a client_id and client_secret for a short-lived Bearer access
        token using the OAuth 2.0 client credentials grant. The returned token
        authorizes all subsequent management API calls.
      # Empty requirement list: overrides the document-level bearerAuth,
      # because the caller has no token yet and authenticates with the
      # client_id / client_secret carried in the form body.
      security: []
      requestBody:
        required: true
        content:
          # The client secret travels in the request body, so it depends on
          # the HTTPS server URLs for confidentiality and should be kept out
          # of request logs and traces.
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/TokenRequest'
      # NOTE(review): only 200 and 401 are documented; the response to a
      # malformed token request is not described here.
      responses:
        '200':
          description: Access token issued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  # Organization collection: list (paginated) and create.
  # Both operations inherit the document-level bearerAuth requirement.
  /api/v1/organizations:
    get:
      operationId: listOrganizations
      tags:
        - Organizations
      summary: List organizations
      # Shared pagination parameters (page_size, page_token).
      parameters:
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PageToken'
      responses:
        '200':
          description: A list of organizations.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListOrganizationsResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
    post:
      operationId: createOrganization
      tags:
        - Organizations
      summary: Create an organization
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateOrganizationRequest'
      # NOTE(review): no response is documented for a request body that
      # fails validation (for example a missing display_name).
      responses:
        '201':
          description: Organization created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OrganizationResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
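  # Single-organization operations, addressed by the `id` path parameter.
  # All three fall under the document-level bearerAuth requirement, so each
  # one documents the shared 401 response alongside 404.
  /api/v1/organizations/{id}:
    parameters:
      - $ref: '#/components/parameters/OrganizationId'
    get:
      operationId: getOrganization
      tags:
        - Organizations
      summary: Get an organization
      responses:
        '200':
          description: The organization.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OrganizationResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    patch:
      operationId: updateOrganization
      tags:
        - Organizations
      summary: Update an organization
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateOrganizationRequest'
      responses:
        '200':
          description: Organization updated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OrganizationResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    # Destructive: removes the organization; success returns no body.
    delete:
      operationId: deleteOrganization
      tags:
        - Organizations
      summary: Delete an organization
      responses:
        '204':
          description: Organization deleted.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'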
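  # Feature toggles for one organization. The operation is covered by the
  # document-level bearerAuth requirement, so it documents the shared 401
  # response alongside 404.
  /api/v1/organizations/{id}/settings:
    parameters:
      - $ref: '#/components/parameters/OrganizationId'
    patch:
      operationId: updateOrganizationSettings
      tags:
        - Organization Settings
      summary: Update organization settings
      description: Toggle feature settings (e.g. sso, scim, directory_sync) on an organization.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/OrganizationSettings'
      responses:
        '200':
          description: Settings updated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OrganizationResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'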
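  # Generates an admin portal link for one organization. The operation takes
  # no request body. It is covered by the document-level bearerAuth
  # requirement, so it documents the shared 401 response alongside 404.
  # NOTE(review): the returned URL presumably grants access to the
  # organization's SSO / SCIM configuration to whoever holds it; treat it as a
  # secret until its expire_time and confirm how it is invalidated.
  /api/v1/organizations/{id}/portal_links:
    parameters:
      - $ref: '#/components/parameters/OrganizationId'
    put:
      operationId: createPortalLink
      tags:
        - Admin Portal
      summary: Generate an admin portal link
      description: >-
        Generate a self-service admin portal link that an organization
        administrator can use to configure SSO and SCIM without leaving your
        application.
      responses:
        '200':
          description: Portal link generated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PortalLink'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'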
  # Environment-wide listing of SSO connections.
  /api/v1/connections:
    get:
      operationId: listConnections
      tags:
        - Connections
      summary: List connections
      description: Retrieve a list of SSO connections in the environment.
      parameters:
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PageToken'
        # Optional filter: when it is omitted the listing is not narrowed to
        # one organization.
        - name: organization_id
          in: query
          required: false
          description: Filter connections by organization.
          schema:
            type: string
      responses:
        '200':
          description: A list of connections.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListConnectionsResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
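  # SSO connections of one organization. Covered by the document-level
  # bearerAuth requirement, so the operation documents the shared 401
  # response alongside 404.
  # NOTE(review): unlike listConnections, no pagination parameters are
  # declared here although the response schema carries next_page_token.
  /api/v1/organizations/{organization_id}/connections:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
    get:
      operationId: listOrganizationConnections
      tags:
        - Connections
      summary: List an organization's connections
      responses:
        '200':
          description: A list of the organization's SSO connections.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListConnectionsResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'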
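  # One SSO connection, addressed by organization and connection id. Covered
  # by the document-level bearerAuth requirement, so the operation documents
  # the shared 401 response alongside 404.
  /api/v1/organizations/{organization_id}/connections/{id}:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
      - $ref: '#/components/parameters/ConnectionId'
    get:
      operationId: getConnection
      tags:
        - Connections
      summary: Get a connection
      description: Retrieve configuration and status details for a specific SSO connection.
      responses:
        '200':
          description: The connection.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Connection'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'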
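  # SCIM directories of one organization. Covered by the document-level
  # bearerAuth requirement, so the operation documents the shared 401
  # response alongside 404.
  /api/v1/organizations/{organization_id}/directories:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
    get:
      operationId: listDirectories
      tags:
        - Directories
      summary: List directories
      description: List SCIM directories configured for an organization.
      responses:
        '200':
          description: A list of directories.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListDirectoriesResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'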
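  # One directory, addressed by organization and directory id. Covered by the
  # document-level bearerAuth requirement, so the operation documents the
  # shared 401 response alongside 404.
  /api/v1/organizations/{organization_id}/directories/{directory_id}:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
      - $ref: '#/components/parameters/DirectoryId'
    get:
      operationId: getDirectory
      tags:
        - Directories
      summary: Get a directory
      responses:
        '200':
          description: The directory.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Directory'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'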
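  # Users provisioned into one directory (paginated). The response carries
  # personal data (email, names), so the operation documents the shared 401
  # response that the document-level bearerAuth requirement implies.
  /api/v1/organizations/{organization_id}/directories/{directory_id}/users:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
      - $ref: '#/components/parameters/DirectoryId'
    get:
      operationId: listDirectoryUsers
      tags:
        - Directories
      summary: List directory users
      description: Fetch users provisioned via SCIM into a directory on demand.
      parameters:
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PageToken'
      responses:
        '200':
          description: A list of directory users.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListDirectoryUsersResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'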
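  # Groups provisioned into one directory (paginated). Covered by the
  # document-level bearerAuth requirement, so the operation documents the
  # shared 401 response alongside 404.
  /api/v1/organizations/{organization_id}/directories/{directory_id}/groups:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
      - $ref: '#/components/parameters/DirectoryId'
    get:
      operationId: listDirectoryGroups
      tags:
        - Directories
      summary: List directory groups
      description: Fetch groups provisioned via SCIM into a directory on demand.
      parameters:
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PageToken'
      responses:
        '200':
          description: A list of directory groups.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListDirectoryGroupsResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'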
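  # Membership of one user in one organization: add, update, remove.
  # These operations assign and revoke roles, so all three document the
  # shared 401 response that the document-level bearerAuth requirement
  # implies, alongside 404.
  /api/v1/memberships/organizations/{organization_id}/users/{id}:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
      - $ref: '#/components/parameters/UserId'
    post:
      operationId: addMembership
      tags:
        - Users & Memberships
      summary: Add a user to an organization
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MembershipRequest'
      responses:
        '201':
          description: User added to organization.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Membership'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    # Shares MembershipRequest with addMembership, so the same body can
    # change the roles of an existing member.
    patch:
      operationId: updateMembership
      tags:
        - Users & Memberships
      summary: Update a membership
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MembershipRequest'
      responses:
        '200':
          description: Membership updated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Membership'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      operationId: removeMembership
      tags:
        - Users & Memberships
      summary: Remove a user from an organization
      responses:
        '204':
          description: User removed.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'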
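  # Re-sends the invitation for one user in one organization; no request
  # body. Covered by the document-level bearerAuth requirement, so the
  # operation documents the shared 401 response alongside 404.
  # NOTE(review): no rate-limit response is documented for this operation,
  # which sends a message to the invited user; confirm how repeated calls
  # are throttled.
  /api/v1/invites/organizations/{organization_id}/users/{id}/resend:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
      - $ref: '#/components/parameters/UserId'
    patch:
      operationId: resendInvite
      tags:
        - Users & Memberships
      summary: Resend a user invitation
      responses:
        '200':
          description: Invitation resent.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Membership'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'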
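  # Roles of one organization: list and create. Role creation defines
  # permission sets, so both operations document the shared 401 response
  # that the document-level bearerAuth requirement implies, alongside 404.
  /api/v1/organizations/{org_id}/roles:
    parameters:
      # This path names the organization segment `org_id`, unlike the `id` /
      # `organization_id` segments of the other organization paths, so the
      # parameter is declared inline instead of through a shared component.
      - name: org_id
        in: path
        required: true
        description: Organization identifier.
        schema:
          type: string
    get:
      operationId: listRoles
      tags:
        - Roles
      summary: List organization roles
      responses:
        '200':
          description: A list of roles.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListRolesResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    post:
      operationId: createRole
      tags:
        - Roles
      summary: Create an organization role
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RoleRequest'
      responses:
        '201':
          description: Role created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Role'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'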
  # Agent connected accounts: list, create, and update credentials.
  # All three operations inherit the document-level bearerAuth requirement.
  /api/v1/connected_accounts:
    get:
      operationId: listConnectedAccounts
      tags:
        - Connected Accounts
      summary: List connected accounts
      description: List agent connected accounts (authorized third-party connectors).
      parameters:
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PageToken'
      responses:
        '200':
          description: A list of connected accounts.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListConnectedAccountsResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
    post:
      operationId: createConnectedAccount
      tags:
        - Connected Accounts
      summary: Create a connected account
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ConnectedAccountRequest'
      responses:
        '201':
          description: Connected account created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ConnectedAccount'
        '401':
          $ref: '#/components/responses/Unauthorized'
    # The path carries no account id: the target account is selected by the
    # `connector` and `identifier` fields required in the request body.
    # NOTE(review): no 404 is documented for a connector / identifier pair
    # that matches no account.
    put:
      operationId: updateConnectedAccountCredentials
      tags:
        - Connected Accounts
      summary: Update connected account credentials
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ConnectedAccountRequest'
      responses:
        '200':
          description: Credentials updated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ConnectedAccount'
        '401':
          $ref: '#/components/responses/Unauthorized'
  # Generates an authorization link for a connector / identifier pair.
  # NOTE(review): the returned link presumably lets its holder authorize the
  # named connected account; handle it as a secret until its expire_time and
  # confirm whether it is single-use.
  /api/v1/connected_accounts/magic_link:
    post:
      operationId: createConnectedAccountMagicLink
      tags:
        - Connected Accounts
      summary: Generate an authorization magic link
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MagicLinkRequest'
      responses:
        '200':
          description: Magic link generated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MagicLink'
        '401':
          $ref: '#/components/responses/Unauthorized'
  # Runs a tool action through a connected account on a user's behalf.
  # The caller names the tool and the account identifier in the request body.
  # NOTE(review): this spec places no constraint on tool_name or tool_input
  # and documents only 200 and 401; which tools a token may run for a given
  # identifier has to be enforced server-side — confirm, and consider
  # documenting the denied (403) and failed-execution responses.
  /api/v1/execute_tool:
    post:
      operationId: executeTool
      tags:
        - Connected Accounts
      summary: Execute a tool
      description: >-
        Execute a tool action on behalf of a user through a connected account
        (e.g. fetch emails, create a CRM record). Core of the agent / MCP auth
        product.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ExecuteToolRequest'
      responses:
        '200':
          description: Tool executed.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ExecuteToolResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
components:
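  securitySchemes:
    # HTTP Bearer scheme; this is the scheme the document-level `security`
    # requirement references.
    bearerAuth:
      type: http
      scheme: bearer
      description: OAuth 2.0 client-credentials access token passed as a Bearer token.
    # OAuth 2.0 client credentials flow that issues the Bearer token.
    # NOTE(review): no `security` requirement in this document references
    # this scheme, so tooling will not use it for authorization unless one
    # is added.
    oauth2ClientCredentials:
      type: oauth2
      flows:
        clientCredentials:
          # Relative reference, resolved against the selected `servers`
          # entry. Server variables such as {environment} are substituted
          # only in server URLs, so a templated absolute tokenUrl would be
          # taken literally, and a fixed production host would also be wrong
          # for the development server.
          tokenUrl: /oauth/token
          # No scopes are defined for this flow.
          scopes: {}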
  # Reusable query and path parameters.
  parameters:
    # NOTE(review): no minimum or maximum is declared for page_size, so this
    # spec places no bound on it; confirm the server enforces a cap.
    PageSize:
      name: page_size
      in: query
      required: false
      description: Maximum number of results per page.
      schema:
        type: integer
        default: 20
    # Opaque cursor; presumably the next_page_token of the previous response
    # — confirm.
    PageToken:
      name: page_token
      in: query
      required: false
      description: Opaque token for the next page of results.
      schema:
        type: string
    # Organization id for paths that name the segment `id`.
    OrganizationId:
      name: id
      in: path
      required: true
      description: Organization identifier.
      schema:
        type: string
    # Organization id for paths that name the segment `organization_id`.
    OrganizationIdPath:
      name: organization_id
      in: path
      required: true
      description: Organization identifier.
      schema:
        type: string
    # `id` segment of the connection paths.
    ConnectionId:
      name: id
      in: path
      required: true
      description: Connection identifier.
      schema:
        type: string
    DirectoryId:
      name: directory_id
      in: path
      required: true
      description: Directory identifier.
      schema:
        type: string
    # `id` segment of the membership and invite paths.
    UserId:
      name: id
      in: path
      required: true
      description: User identifier.
      schema:
        type: string
  # Shared error responses; both wrap the Error schema.
  # NOTE(review): only 401 and 404 are defined here; there is no shared
  # response for an authenticated but unauthorized caller (403) or for a
  # request that fails validation.
  responses:
    Unauthorized:
      description: Authentication failed or access token missing/expired.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    NotFound:
      description: The requested resource was not found.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
  schemas:
    # Error body returned by the shared Unauthorized and NotFound responses.
    Error:
      type: object
      properties:
        code:
          type: string
        message:
          type: string
        # Array of untyped objects: the shape of each detail entry is not
        # specified.
        details:
          type: array
          items:
            type: object
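    # Form body of POST /oauth/token (client credentials grant).
    # All three fields are required.
    TokenRequest:
      type: object
      required:
        - grant_type
        - client_id
        - client_secret
      properties:
        # The enum admits a single value, so no other grant type validates.
        grant_type:
          type: string
          enum:
            - client_credentials
        client_id:
          type: string
        client_secret:
          type: string
          # `password` is the OpenAPI format hint that tells documentation
          # and console UIs to obscure the value instead of echoing it.
          format: password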
    # Successful response of POST /oauth/token.
    TokenResponse:
      type: object
      properties:
        # Bearer credential: whoever holds it can call the API until it
        # expires, so it should not be logged or persisted in plain text.
        access_token:
          type: string
        token_type:
          type: string
          example: Bearer
        expires_in:
          type: integer
          description: Lifetime in seconds.
    # A tenant organization as returned by the API.
    Organization:
      type: object
      properties:
        id:
          type: string
        external_id:
          type: string
        display_name:
          type: string
        region_code:
          type: string
        # Free-form map of string keys to string values.
        metadata:
          type: object
          additionalProperties:
            type: string
        settings:
          $ref: '#/components/schemas/OrganizationSettings'
        create_time:
          type: string
          format: date-time
        update_time:
          type: string
          format: date-time
    # Envelope for single-organization responses.
    OrganizationResponse:
      type: object
      properties:
        organization:
          $ref: '#/components/schemas/Organization'
    # One page of organizations plus the pagination fields.
    ListOrganizationsResponse:
      type: object
      properties:
        organizations:
          type: array
          items:
            $ref: '#/components/schemas/Organization'
        next_page_token:
          type: string
        total_size:
          type: integer
    # Body of createOrganization; only display_name is required.
    # NOTE(review): no length or pattern limits are declared on the string
    # fields or on metadata entries; confirm server-side limits.
    CreateOrganizationRequest:
      type: object
      required:
        - display_name
      properties:
        display_name:
          type: string
        external_id:
          type: string
        metadata:
          type: object
          additionalProperties:
            type: string
    # Body of updateOrganization; every field is optional.
    UpdateOrganizationRequest:
      type: object
      properties:
        display_name:
          type: string
        external_id:
          type: string
        metadata:
          type: object
          additionalProperties:
            type: string
    # Feature toggles of an organization; also the request body of
    # updateOrganizationSettings.
    OrganizationSettings:
      type: object
      properties:
        features:
          type: array
          items:
            type: object
            properties:
              # Feature name; an unconstrained string (no enum is declared).
              name:
                type: string
                example: sso
              enabled:
                type: boolean
    # Response of createPortalLink.
    PortalLink:
      type: object
      properties:
        # NOTE(review): presumably usable by anyone who holds the URL; treat
        # it as a secret until expire_time — confirm.
        location:
          type: string
          format: uri
          description: The admin portal URL.
        expire_time:
          type: string
          format: date-time
    # An enterprise SSO connection.
    Connection:
      type: object
      properties:
        id:
          type: string
        organization_id:
          type: string
        provider:
          type: string
          example: okta
        # Property literally named `type` (SAML or OIDC), not the schema
        # keyword.
        type:
          type: string
          enum:
            - SSO_SAML
            - SSO_OIDC
        status:
          type: string
          enum:
            - DRAFT
            - PENDING
            - ACTIVE
            - INACTIVE
        enabled:
          type: boolean
        create_time:
          type: string
          format: date-time
    # One page of connections.
    ListConnectionsResponse:
      type: object
      properties:
        connections:
          type: array
          items:
            $ref: '#/components/schemas/Connection'
        next_page_token:
          type: string
    # A SCIM directory attached to an organization.
    Directory:
      type: object
      properties:
        id:
          type: string
        organization_id:
          type: string
        directory_type:
          type: string
          example: SCIM
        directory_provider:
          type: string
          example: okta
        status:
          type: string
          enum:
            - PENDING
            - ACTIVE
            - INACTIVE
        enabled:
          type: boolean
        last_sync_time:
          type: string
          format: date-time
    # One page of directories.
    ListDirectoriesResponse:
      type: object
      properties:
        directories:
          type: array
          items:
            $ref: '#/components/schemas/Directory'
        next_page_token:
          type: string
    # A user provisioned into a directory. Holds personal data (email,
    # names), so responses built from it deserve the same care in logs and
    # caches.
    DirectoryUser:
      type: object
      properties:
        id:
          type: string
        email:
          type: string
        preferred_username:
          type: string
        given_name:
          type: string
        family_name:
          type: string
        active:
          type: boolean
        roles:
          type: array
          items:
            type: string
    # One page of directory users plus the pagination fields.
    ListDirectoryUsersResponse:
      type: object
      properties:
        users:
          type: array
          items:
            $ref: '#/components/schemas/DirectoryUser'
        next_page_token:
          type: string
        total_size:
          type: integer
    # A group provisioned into a directory.
    DirectoryGroup:
      type: object
      properties:
        id:
          type: string
        display_name:
          type: string
        external_id:
          type: string
    # One page of directory groups.
    ListDirectoryGroupsResponse:
      type: object
      properties:
        groups:
          type: array
          items:
            $ref: '#/components/schemas/DirectoryGroup'
        next_page_token:
          type: string
    # A user's membership in an organization, as returned by the API.
    Membership:
      type: object
      properties:
        user_id:
          type: string
        organization_id:
          type: string
        roles:
          type: array
          items:
            type: string
        membership_status:
          type: string
          enum:
            - PENDING_INVITE
            - ACTIVE
    # Body of addMembership and updateMembership; no field is required.
    # NOTE(review): roles are unconstrained strings in this spec; presumably
    # they are validated server-side against the organization's roles, and
    # the caller's right to grant them is checked — confirm.
    MembershipRequest:
      type: object
      properties:
        roles:
          type: array
          items:
            type: string
        metadata:
          type: object
          additionalProperties:
            type: string
    # An organization role and the permissions it carries.
    Role:
      type: object
      properties:
        id:
          type: string
        name:
          type: string
        display_name:
          type: string
        description:
          type: string
        permissions:
          type: array
          items:
            type: string
    # Response of listRoles; it carries no pagination fields.
    ListRolesResponse:
      type: object
      properties:
        roles:
          type: array
          items:
            $ref: '#/components/schemas/Role'
    # Body of createRole; only name is required.
    # NOTE(review): permissions are unconstrained strings in this spec;
    # confirm that unknown or over-broad permission names are rejected
    # server-side.
    RoleRequest:
      type: object
      required:
        - name
      properties:
        name:
          type: string
        display_name:
          type: string
        description:
          type: string
        permissions:
          type: array
          items:
            type: string
    # An agent connected account as returned by the API. The schema exposes
    # status and authorization type but no credential fields.
    ConnectedAccount:
      type: object
      properties:
        id:
          type: string
        connector:
          type: string
          example: gmail
        identifier:
          type: string
        status:
          type: string
          enum:
            - PENDING
            - ACTIVE
            - REVOKED
        authorization_type:
          type: string
          enum:
            - OAUTH2
            - API_KEY
        create_time:
          type: string
          format: date-time
    # One page of connected accounts.
    ListConnectedAccountsResponse:
      type: object
      properties:
        connected_accounts:
          type: array
          items:
            $ref: '#/components/schemas/ConnectedAccount'
        next_page_token:
          type: string
    # Body of createConnectedAccount and updateConnectedAccountCredentials.
    ConnectedAccountRequest:
      type: object
      required:
        - connector
        - identifier
      properties:
        connector:
          type: string
        identifier:
          type: string
        # Free-form object (any properties allowed).
        # NOTE(review): presumably carries the connector credentials (OAuth
        # tokens or API keys); if so, keep it out of request logs — confirm
        # the expected shape per authorization type.
        authorization_details:
          type: object
          additionalProperties: true
    # Body of createConnectedAccountMagicLink; both fields are required.
    MagicLinkRequest:
      type: object
      required:
        - connector
        - identifier
      properties:
        connector:
          type: string
        identifier:
          type: string
    # Response of createConnectedAccountMagicLink.
    MagicLink:
      type: object
      properties:
        # NOTE(review): presumably usable by anyone who holds the URL; treat
        # it as a secret until expire_time — confirm.
        link:
          type: string
          format: uri
        expire_time:
          type: string
          format: date-time
    # Body of executeTool; tool_name and identifier are required.
    ExecuteToolRequest:
      type: object
      required:
        - tool_name
        - identifier
      properties:
        # Unconstrained string: no enum of permitted tools is declared here.
        tool_name:
          type: string
        connection_name:
          type: string
        # Caller-supplied selector of the account to act for.
        # NOTE(review): confirm the server checks that this identifier
        # belongs to the caller's environment before acting on it.
        identifier:
          type: string
          description: The connected account identifier to act on behalf of.
        # Free-form object (any properties allowed); its contents are passed
        # as the tool's input and are not validated by this spec.
        tool_input:
          type: object
          additionalProperties: true
    # Response of executeTool.
    ExecuteToolResponse:
      type: object
      properties:
        # Free-form object; it may contain third-party data fetched through
        # the connected account, so treat it as untrusted content.
        data:
          type: object
          additionalProperties: true
        execution_id:
          type: string