Create users with:
\nPOST /scim/v2/Users
When emails is provided:
Email values are normalized to lowercase.
\nIf multiple emails are marked as primary, the last explicit primary email is used.
\nIf no email is marked primary, ScrambleID falls back to the first work email.
If no work email exists, ScrambleID falls back to the first email in the array.
Activation emails require a resolved primary email.
\nscrambleOpsscrambleOps is a request-only object used to trigger activation-code generation during create or replace operations. It is removed before the user is stored and is not returned in SCIM responses.
If sendActivation is true, ScrambleID generates and sends a mobile activation code, as long as mobile access is enabled for the user or organization.
If sendDesktopActivation is true, ScrambleID generates and sends a desktop activation code, as long as desktop access is enabled for the user or organization.
If scrambleOps is omitted, no activation code is generated or sent.
If the user has no primary email, activation is skipped.
\nExisting unused activation records may be reused instead of creating a new activation record.
\nScrambleID supports standard SCIM user attributes, the enterprise user extension, and organization-specific custom attributes.
\nCommon optional attributes include:
\nexternalId
displayName
nickName
title
preferredLanguage
locale
timezone
phoneNumbers
addresses
groups
roles
Enterprise extension attributes such as employeeNumber, department, and manager
ScrambleID extension attributes under scrambleAttributes
{\n \"schemas\": [\n \"urn:ietf:params:scim:schemas:core:2.0:User\",\n \"urn:ietf:params:scim:schemas:extension:scrambleid:acme:2.0:User\"\n ],\n \"userName\": \"john.doe\",\n \"name\": {\n \"givenName\": \"John\",\n \"familyName\": \"Doe\"\n },\n \"emails\": [\n {\n \"value\": \"john.doe@example.com\",\n \"type\": \"work\",\n \"primary\": true\n }\n ],\n \"active\": true,\n \"roles\": [\n {\n \"value\": \"USER\"\n }\n ],\n \"urn:ietf:params:scim:schemas:extension:scrambleid:acme:2.0:User\": {\n \"scrambleAttributes\": {\n \"desktopAppEnabled\": true,\n \"mobileAppEnabled\": true\n }\n },\n \"scrambleOps\": {\n \"sendActivation\": true,\n \"sendDesktopActivation\": true\n }\n}\n\nA successful create returns 201 Created with a SCIM User resource.
{\n \"schemas\": [\n \"urn:ietf:params:scim:schemas:core:2.0:User\",\n \"urn:ietf:params:scim:schemas:extension:scrambleid:acme:2.0:User\"\n ],\n \"id\": \"7f4b7c8e-8b8e-4f5d-9b4f-2f2d7c7f3a91\",\n \"userName\": \"john.doe\",\n \"name\": {\n \"givenName\": \"John\",\n \"familyName\": \"Doe\",\n \"formatted\": \"John Doe\"\n },\n \"emails\": [\n {\n \"value\": \"john.doe@example.com\",\n \"type\": \"work\",\n \"primary\": true\n }\n ],\n \"active\": true,\n \"roles\": [\n {\n \"value\": \"USER\"\n }\n ],\n \"urn:ietf:params:scim:schemas:extension:scrambleid:acme:2.0:User\": {\n \"scrambleAttributes\": {\n \"desktopAppEnabled\": true,\n \"mobileAppEnabled\": true,\n \"managerEmail\": \"jane.doe@example.com\"\n }\n },\n \"meta\": {\n \"resourceType\": \"User\",\n \"location\": \"https://api.example.com/scim/v2/Users/7f4b7c8e-8b8e-4f5d-9b4f-2f2d7c7f3a91\",\n \"created\": \"2026-05-05T14:30:00.000Z\",\n \"lastModified\": \"2026-05-05T14:30:00.000Z\"\n }\n}\n\nThe response is a SCIM resource, not the ScrambleID business API envelope.
\nscrambleOps is request-only and is not returned.
id is the SCIM resource identifier used for GET, PUT, PATCH, and DELETE requests.
meta.location contains the created user resource URL.
If a user already exists with the same userName, ScrambleID returns 409 Conflict with a SCIM error response.
POST /scim/v2/Users HTTP/1.1\nAuthorization: Bearer <access_token>\nContent-Type: application/scim+json\nAccept: application/scim+json\n\n{\n \"schemas\": [\n \"urn:ietf:params:scim:schemas:core:2.0:User\"\n ],\n \"userName\": \"john.doe\",\n \"name\": {\n \"givenName\": \"John\",\n \"familyName\": \"Doe\"\n },\n \"emails\": [\n {\n \"value\": \"john.doe@example.com\",\n \"type\": \"work\",\n \"primary\": true\n }\n ],\n \"active\": true\n}\n\nHTTP/1.1 409 Conflict\nContent-Type: application/scim+json\n\n{\n \"schemas\": [\n \"urn:ietf:params:scim:api:messages:2.0:Error\"\n ],\n \"status\": \"409\",\n \"detail\": \"User with userName 'john.doe' already exists.\",\n \"scimType\": \"uniqueness\"\n}\n\nDuplicate checks are case-insensitive for userName.
In legacy SCIM mode, ScrambleID also checks primary email uniqueness.
\nThe response is a SCIM error resource, not the ScrambleID business API envelope.
\nUse PUT when replacing an existing SCIM user resource.
PUT /scim/v2/Users/{id}
PUT replaces the user’s SCIM profile with the attributes provided in the request body.
Use this endpoint when the caller has the full desired user state. For partial updates, use PATCH.
PUT replaces the mutable SCIM profile fields with the values in the request body.
Mutable attributes omitted from the request may be removed from the existing profile.
\nServer-managed fields such as id, meta, created, lastModified, registration state, and device state are preserved or regenerated by ScrambleID.
scrambleOps is request-only. It can trigger activation-code generation but is not stored or returned.
If active is omitted, ScrambleID preserves the user’s existing active/paused status.
If active is false, the user is paused.
If active is true, the user is unpaused.
The {orgCode} in the ScrambleID extension URN must match the organization associated with the access token.
PUT /scim/v2/Users/7f4b7c8e-8b8e-4f5d-9b4f-2f2d7c7f3a91 HTTP/1.1\nAuthorization: Bearer <access_token>\nContent-Type: application/scim+json\nAccept: application/scim+json\n\n{\n \"schemas\": [\n \"urn:ietf:params:scim:schemas:core:2.0:User\",\n \"urn:ietf:params:scim:schemas:extension:scrambleid:acme:2.0:User\"\n ],\n \"userName\": \"john.doe\",\n \"name\": {\n \"givenName\": \"John\",\n \"familyName\": \"Doe\"\n },\n \"emails\": [\n {\n \"value\": \"john.doe@example.com\",\n \"type\": \"work\",\n \"primary\": true\n }\n ],\n \"active\": true,\n \"roles\": [\n {\n \"value\": \"USER\"\n }\n ],\n \"urn:ietf:params:scim:schemas:extension:scrambleid:acme:2.0:User\": {\n \"scrambleAttributes\": {\n \"desktopAppEnabled\": true,\n \"mobileAppEnabled\": false,\n \"managerEmail\": \"jane.doe@example.com\"\n }\n }\n}\n\nHTTP/1.1 200 OK\nContent-Type: application/scim+json\n\n{\n \"schemas\": [\n \"urn:ietf:params:scim:schemas:core:2.0:User\",\n \"urn:ietf:params:scim:schemas:extension:scrambleid:acme:2.0:User\"\n ],\n \"id\": \"7f4b7c8e-8b8e-4f5d-9b4f-2f2d7c7f3a91\",\n \"userName\": \"john.doe\",\n \"name\": {\n \"givenName\": \"John\",\n \"familyName\": \"Doe\",\n \"formatted\": \"John Doe\"\n },\n \"emails\": [\n {\n \"value\": \"john.doe@example.com\",\n \"type\": \"work\",\n \"primary\": true\n }\n ],\n \"active\": true,\n \"roles\": [\n {\n \"value\": \"USER\"\n }\n ],\n \"urn:ietf:params:scim:schemas:extension:scrambleid:acme:2.0:User\": {\n \"scrambleAttributes\": {\n \"desktopAppEnabled\": true,\n \"mobileAppEnabled\": false,\n \"managerEmail\": \"jane.doe@example.com\"\n }\n },\n \"meta\": {\n \"resourceType\": \"User\",\n \"location\": \"https://{env}.scrambleid.com/api/v1/scim/v2/Users/7f4b7c8e-8b8e-4f5d-9b4f-2f2d7c7f3a91\",\n \"created\": \"2026-05-05T14:30:00.000Z\",\n \"lastModified\": \"2026-05-05T15:10:00.000Z\"\n }\n}\n\nIf no user exists for the {id} in the URL, ScrambleID returns 404 Not Found.
PUT /scim/v2/Users/missing-user-id HTTP/1.1\nAuthorization: Bearer <access_token>\nContent-Type: application/scim+json\nAccept: application/scim+json\n\n{\n \"schemas\": [\n \"urn:ietf:params:scim:schemas:core:2.0:User\"\n ],\n \"userName\": \"john.doe\",\n \"active\": true\n}\n\nHTTP/1.1 404 Not Found\nContent-Type: application/scim+json\n\n{\n \"schemas\": [\n \"urn:ietf:params:scim:api:messages:2.0:Error\"\n ],\n \"status\": \"404\",\n \"detail\": \"User with id 'missing-user-id' not found.\"\n}\n\nUse GET to retrieve a single SCIM user resource.
GET /scim/v2/Users/{id}
This is a read-only operation and does not modify user data.
\n404 Not Found when no user exists for the requested {id}.{id} lookup is exact.GET /scim/v2/Users/7f4b7c8e-8b8e-4f5d-9b4f-2f2d7c7f3a91?includeDevices=true HTTP/1.1\nAuthorization: Bearer <access_token>\nAccept: application/scim+json\nHTTP/1.1 200 OK\nContent-Type: application/scim+json\n{\n \"schemas\": [\n \"urn:ietf:params:scim:schemas:core:2.0:User\",\n \"urn:ietf:params:scim:schemas:extension:scrambleid:acme:2.0:User\"\n ],\n \"id\": \"7f4b7c8e-8b8e-4f5d-9b4f-2f2d7c7f3a91\",\n \"userName\": \"john.doe\",\n \"name\": {\n \"givenName\": \"John\",\n \"familyName\": \"Doe\",\n \"formatted\": \"John Doe\"\n },\n \"emails\": [\n {\n \"value\": \"john.doe@example.com\",\n \"type\": \"work\",\n \"primary\": true\n }\n ],\n \"active\": true,\n \"roles\": [\n {\n \"value\": \"USER\"\n }\n ],\n \"urn:ietf:params:scim:schemas:extension:scrambleid:acme:2.0:User\": {\n \"scrambleAttributes\": {\n \"desktopAppEnabled\": true,\n \"mobileAppEnabled\": true,\n \"managerEmail\": \"jane.doe@example.com\"\n }\n },\n \"scrambleMeta\": {\n \"registered\": true,\n \"registeredAt\": 1777991400000,\n \"lastLogin\": 1777995000000,\n \"devices\": [\n {\n \"name\": \"John's iPhone\",\n \"registeredDate\": 1777991400000,\n \"zid\": \"zid_01HXAMPLE\",\n \"status\": \"active\",\n \"lastLogin\": 1777995000000,\n \"active\": true,\n \"type\": \"mobile\"\n }\n ]\n },\n \"meta\": {\n \"resourceType\": \"User\",\n \"location\": \"https://{env}.scrambleid.com/api/v1/scim/v2/Users/7f4b7c8e-8b8e-4f5d-9b4f-2f2d7c7f3a91\",\n \"created\": \"2026-05-05T14:30:00.000Z\",\n \"lastModified\": \"2026-05-05T15:10:00.000Z\"\n }\n}\nGET /scim/v2/Users/missing-user-id HTTP/1.1\nAuthorization: Bearer <access_token>\nAccept: application/scim+json\nHTTP/1.1 404 Not Found\nContent-Type: application/scim+json\n{\n \"schemas\": [\n \"urn:ietf:params:scim:api:messages:2.0:Error\"\n ],\n \"status\": \"404\",\n \"detail\": \"User with id 'missing-user-id' not found.\"\n}\nUse GET to retrieve a paginated list of SCIM user resources.
GET /scim/v2/Users
This is a read-only operation and does not modify user data.
\nReturns a SCIM ListResponse.
Results are paginated. A response may include lastEvaluatedKey; pass that value as lastItem to retrieve the next page.
totalResults is the total result count reported by the backing query.
itemsPerPage is the requested count, or 10 when count is omitted.
Resources contains the returned SCIM User resources.
The response is a SCIM response, not the ScrambleID business API envelope.
\nIn standard SCIM mode, filtering is supported only on userName with:
eq
sw
Examples:
\nfilter=userName eq \"john.doe\"\nfilter=userName sw \"john\"\n\nUnsupported filters return 400 Bad Request with scimType: invalidFilter.
GET /scim/v2/Users?count=2&filter=userName sw \"jo\" HTTP/1.1\nAuthorization: Bearer <access_token>\nAccept: application/scim+json\n\nHTTP/1.1 200 OK\nContent-Type: application/scim+json\n\n{\n \"schemas\": [\n \"urn:ietf:params:scim:api:messages:2.0:ListResponse\"\n ],\n \"totalResults\": 7,\n \"itemsPerPage\": 2,\n \"startIndex\": 1,\n \"Resources\": [\n {\n \"schemas\": [\n \"urn:ietf:params:scim:schemas:core:2.0:User\"\n ],\n \"id\": \"john.doe\",\n \"userName\": \"john.doe\",\n \"name\": {\n \"givenName\": \"John\",\n \"familyName\": \"Doe\",\n \"formatted\": \"John Doe\"\n },\n \"emails\": [\n {\n \"value\": \"john.doe@example.com\",\n \"type\": \"work\",\n \"primary\": true\n }\n ],\n \"active\": true,\n \"meta\": {\n \"resourceType\": \"User\",\n \"location\": \"https://{env}.scrambleid.com/api/v1/scim/v2/Users/john.doe\",\n \"created\": \"2026-05-05T14:30:00.000Z\",\n \"lastModified\": \"2026-05-05T15:10:00.000Z\"\n }\n },\n {\n \"schemas\": [\n \"urn:ietf:params:scim:schemas:core:2.0:User\"\n ],\n \"id\": \"jordan.smith\",\n \"userName\": \"jordan.smith\",\n \"name\": {\n \"givenName\": \"Jordan\",\n \"familyName\": \"Smith\",\n \"formatted\": \"Jordan Smith\"\n },\n \"emails\": [\n {\n \"value\": \"jordan.smith@example.com\",\n \"type\": \"work\",\n \"primary\": true\n }\n ],\n \"active\": true,\n \"meta\": {\n \"resourceType\": \"User\",\n \"location\": \"https://{env}.scrambleid.com/api/v1/scim/v2/Users/jordan.smith\",\n \"created\": \"2026-05-05T14:35:00.000Z\",\n \"lastModified\": \"2026-05-05T15:15:00.000Z\"\n }\n }\n ],\n \"lastEvaluatedKey\": \"eyJwcmltYXJ5QXR0ciI6ImpvcmRhbi5zbWl0aCJ9\"\n}\n\nUse the previous response’s lastEvaluatedKey as lastItem.
GET /scim/v2/Users?count=2&lastItem=eyJwcmltYXJ5QXR0ciI6ImpvcmRhbi5zbWl0aCJ9 HTTP/1.1\nAuthorization: Bearer <access_token>\nAccept: application/scim+json\n\nGET /scim/v2/Users?filter=displayName sw \"John\" HTTP/1.1\nAuthorization: Bearer <access_token>\nAccept: application/scim+json\n\nHTTP/1.1 400 Bad Request\nContent-Type: application/scim+json\n\n{\n \"schemas\": [\n \"urn:ietf:params:scim:api:messages:2.0:Error\"\n ],\n \"status\": \"400\",\n \"detail\": \"Filtering is only supported on userName with eq or sw.\",\n \"scimType\": \"invalidFilter\"\n}\n\nUse DELETE to remove a SCIM user resource.
DELETE /scim/v2/Users/{id}
This operation cannot be undone.
\nDeletes the organization user profile for the requested {id}.
If the user is registered to ScrambleID, deletion also unenrolls the user from the organization.
\nIf the user is not registered, ScrambleID directly removes the SCIM org-user record.
\nAny pending activation records for the user may also be removed.
\nA successful delete returns 204 No Content.
The response body is empty on success.
\nDELETE /scim/v2/Users/7f4b7c8e-8b8e-4f5d-9b4f-2f2d7c7f3a91 HTTP/1.1\nAuthorization: Bearer <access_token>\nAccept: application/scim+json\n\nHTTP/1.1 204 No Content\n\nIf no user exists for the {id} in the URL, ScrambleID returns 404 Not Found.
DELETE /scim/v2/Users/missing-user-id HTTP/1.1\nAuthorization: Bearer <access_token>\nAccept: application/scim+json\n\nHTTP/1.1 404 Not Found\nContent-Type: application/scim+json\n\n{\n \"schemas\": [\n \"urn:ietf:params:scim:api:messages:2.0:Error\"\n ],\n \"status\": \"404\",\n \"detail\": \"User with id 'missing-user-id' not found.\"\n}\n\nIf ScrambleID cannot complete the delete transaction, the API returns 500 Internal Server Error.
{\n \"schemas\": [\n \"urn:ietf:params:scim:api:messages:2.0:Error\"\n ],\n \"status\": \"500\",\n \"detail\": \"Transaction failed during SCIM user deletion\"\n}\n\nUse PATCH to add, remove, or replace specific attributes on an existing SCIM user resource without replacing the full user profile.
PATCH /scim/v2/Users/{id}
Use this endpoint when the caller only needs to update selected fields. For full profile replacement, use PUT.
Operations.id, meta, created, lastModified, registration state, and device state are preserved or regenerated by ScrambleID.active: false pauses the user.active: true unpauses the user.active is not patched, the existing active/paused status is preserved.displayName\nname.givenName\nactive\nemails\nemails[type eq \"work\"].value\nphoneNumbers[type eq \"mobile\"].value\nurn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.displayName\nPATCH /scim/v2/Users/7f4b7c8e-8b8e-4f5d-9b4f-2f2d7c7f3a91 HTTP/1.1\nAuthorization: Bearer <access_token>\nContent-Type: application/scim+json\nAccept: application/scim+json\n{\n \"schemas\": [\n \"urn:ietf:params:scim:api:messages:2.0:PatchOp\"\n ],\n \"Operations\": [\n {\n \"op\": \"replace\",\n \"path\": \"name.givenName\",\n \"value\": \"Jonathan\"\n },\n {\n \"op\": \"replace\",\n \"path\": \"displayName\",\n \"value\": \"Jonathan Doe\"\n },\n {\n \"op\": \"replace\",\n \"path\": \"emails[type eq \\\"work\\\"].value\",\n \"value\": \"jonathan.doe@example.com\"\n },\n {\n \"op\": \"replace\",\n \"path\": \"active\",\n \"value\": true\n }\n ]\n}\nHTTP/1.1 200 OK\nContent-Type: application/scim+json\n{\n \"schemas\": [\n \"urn:ietf:params:scim:schemas:core:2.0:User\"\n ],\n \"id\": \"7f4b7c8e-8b8e-4f5d-9b4f-2f2d7c7f3a91\",\n \"userName\": \"john.doe\",\n \"name\": {\n \"givenName\": \"Jonathan\",\n \"familyName\": \"Doe\",\n \"formatted\": \"Jonathan Doe\"\n },\n \"displayName\": \"Jonathan Doe\",\n \"emails\": [\n {\n \"value\": \"jonathan.doe@example.com\",\n \"type\": \"work\",\n \"primary\": true\n }\n ],\n \"active\": true,\n \"meta\": {\n \"resourceType\": \"User\",\n \"location\": \"https://{env}.scrambleid.com/api/v1/scim/v2/Users/7f4b7c8e-8b8e-4f5d-9b4f-2f2d7c7f3a91\",\n \"created\": \"2026-05-05T14:30:00.000Z\",\n \"lastModified\": \"2026-05-05T15:25:00.000Z\"\n }\n}\nPATCH /scim/v2/Users/missing-user-id HTTP/1.1\nAuthorization: Bearer <access_token>\nContent-Type: application/scim+json\nAccept: application/scim+json\n{\n \"schemas\": [\n \"urn:ietf:params:scim:api:messages:2.0:PatchOp\"\n ],\n \"Operations\": [\n {\n \"op\": \"replace\",\n \"path\": \"displayName\",\n \"value\": \"Jonathan Doe\"\n }\n ]\n}\nHTTP/1.1 404 Not Found\nContent-Type: application/scim+json\n{\n \"schemas\": [\n \"urn:ietf:params:scim:api:messages:2.0:Error\"\n ],\n \"status\": \"404\",\n \"detail\": \"User with id 'missing-user-id' not found.\"\n}\nStandard SCIM PATCH requests must include the PatchOp schema.
\n{\n \"schemas\": [\n \"urn:ietf:params:scim:api:messages:2.0:Error\"\n ],\n \"status\": \"400\",\n \"detail\": \"Request must include schema 'urn:ietf:params:scim:api:messages:2.0:PatchOp'.\"\n}\nIf a filtered path does not match an existing value, ScrambleID returns 400 Bad Request.
{\n \"schemas\": [\n \"urn:ietf:params:scim:api:messages:2.0:Error\"\n ],\n \"status\": \"400\",\n \"detail\": \"No matching emails found for filter\",\n \"scimType\": \"noTarget\"\n}\nScrambleID supports SCIM 2.0 user provisioning at:
\n/scim/v2/Users
SCIM endpoints return SCIM protocol responses, not the ScrambleID business API response envelope.
\n\n\n\n
x-orgis not required for SCIM provisioning. The organization is resolved from the authenticated access token. The{orgCode}value in the ScrambleID SCIM extension URN must match the organization associated with the token.
Required OAuth scopes are derived from the HTTP method:
\nPortal roles are provisioned through the SCIM roles attribute. Role values must match the configured portal role codes for the organization.
Default role codes include:
\nScrambleID-specific user flags are sent in the organization-specific SCIM extension:
\nurn:ietf:params:scim:schemas:extension:scrambleid:{orgCode}:2.0:User
Inside that extension, use the scrambleAttributes object.
desktopAppEnabled and mobileAppEnabled must be JSON booleans: true or false.\"true\", \"false\", 1, or 0 are ignored for app enablement flags.isManager, managerEmail, and userType are returned inside scrambleAttributes in SCIM responses, but are stored as first-class portal user metadata internally.isManager: true on the manager and set managerEmail on each direct report.If Jane Doe manages John Doe:
\nisManager to true.managerEmail to Jane’s email address.{\n \"schemas\": [\n \"urn:ietf:params:scim:schemas:core:2.0:User\",\n \"urn:ietf:params:scim:schemas:extension:scrambleid:acme:2.0:User\"\n ],\n \"userName\": \"john.doe\",\n \"name\": {\n \"givenName\": \"John\",\n \"familyName\": \"Doe\"\n },\n \"emails\": [\n {\n \"value\": \"john.doe@example.com\",\n \"type\": \"work\",\n \"primary\": true\n }\n ],\n \"active\": true,\n \"roles\": [\n {\n \"value\": \"USER\"\n }\n ],\n \"urn:ietf:params:scim:schemas:extension:scrambleid:acme:2.0:User\": {\n \"scrambleAttributes\": {\n \"desktopAppEnabled\": true,\n \"mobileAppEnabled\": true,\n \"managerEmail\": \"jane.doe@example.com\"\n }\n }\n}\nScrambleID Audit APIs provide read-only access to organization authentication activity for compliance review, security monitoring, and operational reporting.
\nUse GET to retrieve authentication activity metrics for an organization.
GET /analytics/metrics/auth
This endpoint returns aggregated authentication metrics for the organization associated with the authenticated token.
\nThe caller must be authenticated and must have the SUPER_ADMIN role.
startTime may be provided as an ISO 8601 string or Unix timestamp in seconds or milliseconds.startTime older than 90 days are rejected.endTime is before startTime are rejected.SUPER_ADMIN users can access this endpoint.GET /analytics/metrics/auth?appid=ALL&startTime=2026-05-05T09:00:00-04:00&endTime=2026-05-05T12:00:00-04:00&binSize=1h HTTP/1.1\nAuthorization: Bearer <access_token>\nAccept: application/json\nHTTP/1.1 200 OK\nContent-Type: application/json\n{\n \"orgCode\": \"acme\",\n \"appId\": \"ALL\",\n \"reportGeneratedAt\": \"2026-05-05T12:05:00-04:00\",\n \"timeRange\": {\n \"start\": \"2026-05-05T09:00:00-04:00\",\n \"end\": \"2026-05-05T12:00:00-04:00\"\n },\n \"totalCookieLogins\": 18,\n \"realUsers\": {\n \"totalLoginAttempts\": 142,\n \"successTimeline\": [\n {\n \"timestamp\": \"2026-05-05T09:00:00.000Z\",\n \"count\": 41\n },\n {\n \"timestamp\": \"2026-05-05T10:00:00.000Z\",\n \"count\": 48\n },\n {\n \"timestamp\": \"2026-05-05T11:00:00.000Z\",\n \"count\": 39\n }\n ],\n \"failureTimeline\": [\n {\n \"timestamp\": \"2026-05-05T09:00:00.000Z\",\n \"count\": 4\n },\n {\n \"timestamp\": \"2026-05-05T10:00:00.000Z\",\n \"count\": 6\n },\n {\n \"timestamp\": \"2026-05-05T11:00:00.000Z\",\n \"count\": 4\n }\n ],\n \"authenticatorTypeBreakdown\": [\n {\n \"category\": \"mobile\",\n \"count\": 91\n },\n {\n \"category\": \"webauthn\",\n \"count\": 37\n }\n ],\n \"loginMethodBreakdown\": {\n \"success\": [\n {\n \"category\": \"DID\",\n \"count\": 82\n },\n {\n \"category\": \"WebAuthn\",\n \"count\": 37\n }\n ],\n \"failure\": [\n {\n \"category\": \"DID\",\n \"count\": 9\n },\n {\n \"category\": \"QID\",\n \"count\": 5\n }\n ],\n \"successfulAuthenticationPlatform\": [\n {\n \"category\": \"ios\",\n \"count\": 58\n },\n {\n \"category\": \"android\",\n \"count\": 33\n },\n {\n \"category\": \"webauthn\",\n \"count\": 37\n }\n ]\n },\n \"uniqueUserLogins\": [\n {\n \"status\": \"success\",\n \"totalEvents\": 128,\n \"uniqueUsers\": 76\n },\n {\n \"status\": \"failed:INVALID_VALIDATION_CODE\",\n \"totalEvents\": 8,\n \"uniqueUsers\": 5\n }\n ]\n },\n \"bots\": {\n \"totalLoginAttempts\": 11\n }\n}\nHTTP/1.1 403 Forbidden\nContent-Type: application/json\n{\n \"error\": \"Forbidden\",\n \"message\": \"Only superadmin users can access this endpoint\"\n}\nHTTP/1.1 400 Bad Request\nContent-Type: application/json\n{\n \"error\": \"Bad Request\",\n \"message\": \"The 'startTime' cannot be older than 90 days.\"\n}\nScrambleID Audit APIs provide read-only access to security and authentication activity for an organization. These endpoints are intended for compliance reporting, operational monitoring, and investigation workflows.
\nAudit API responses may include authentication activity, IVR activity, bot activity, and related event metrics depending on the endpoint being used.
\nAccess to Audit APIs is restricted to authorized callers. Requests must include a valid bearer token, and the authenticated user must have the required organization-level permissions.
\n","auth":{"type":"noauth","isInherited":false},"event":[{"listen":"prerequest","script":{"id":"a4eb580a-abc3-4cc4-a867-314ce7142af3","type":"text/javascript","requests":{},"exec":[""]}},{"listen":"test","script":{"id":"445a07f3-a818-401f-95dc-adcb02b597ca","type":"text/javascript","requests":{},"exec":[""]}}],"_postman_id":"d1af79fb-5858-4db6-bd6b-1444feb3fd2e"},{"name":"OAuth","item":[{"name":"Generate Token","event":[{"listen":"test","script":{"id":"ee393891-d768-408b-abc2-923ed111936c","exec":["let json = pm.response.json();\r","pm.environment.set('accessToken', json.access_token)"],"type":"text/javascript","packages":{},"requests":{}}}],"id":"b7d94f4e-7fe9-42b6-96bc-2a9aa42710dd","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"auth":{"type":"noauth","isInherited":false},"method":"POST","header":[],"body":{"mode":"raw","raw":"","options":{"raw":{"language":"json"}}},"url":"","description":"Use POST to generate an OAuth access token with the Client Credentials grant.
POST /oauth/token
The returned access token is used to call protected ScrambleID APIs by sending it in the Authorization header as a bearer token.
Only the client_credentials grant type is supported on /oauth/token.
The client must exist and have status ACTIVE.
The token’s scopes are determined by the configured client credentials.
\nThe token’s organization context is determined by the configured client credentials.
\nSuccessful responses include Cache-Control: no-store and Pragma: no-cache.
POST /oauth/token HTTP/1.1\nContent-Type: application/json\nAccept: application/json\n\n{\n \"grant_type\": \"client_credentials\",\n \"client_id\": \"8f0c7d5a-2c8b-44a1-b62d-7d82f5e6b111\",\n \"client_secret\": \"client-secret-value\"\n}\n\nHTTP/1.1 200 OK\nContent-Type: application/json\nCache-Control: no-store\nPragma: no-cache\n\n{\n \"access_token\": \"<jwt_access_token>\",\n \"jti\": \"5e91848b-53a1-43de-9c44-7dc3d65ecf1b\",\n \"token_type\": \"Bearer\",\n \"expires_in\": 3600,\n \"scope\": \"scim.read scim.write scim.delete\"\n}\n\nHTTP/1.1 401 Unauthorized\nContent-Type: application/json\n\n{\n \"error\": \"invalid_client\",\n \"error_description\": \"Invalid client_id or client_secret\"\n}\n\nHTTP/1.1 400 Bad Request\nContent-Type: application/json\n\n{\n \"error\": \"unsupported_grant_type\",\n \"error_description\": \"Unsupported Grant Type\"\n}\n\nUse POST to validate an existing OAuth access token and return token metadata.
POST /oauth/introspect
This endpoint is useful when an integration needs to confirm whether a token is active before using it to call protected APIs.
\nactive: true and token metadata.active: false.orgCode.POST /oauth/introspect HTTP/1.1\nContent-Type: application/json\nAccept: application/json\n{\n \"token\": \"<jwt_access_token>\"\n}\nHTTP/1.1 200 OK\nContent-Type: application/json\n{\n \"active\": true,\n \"client_id\": \"8f0c7d5a-2c8b-44a1-b62d-7d82f5e6b111\",\n \"sub\": \"8f0c7d5a-2c8b-44a1-b62d-7d82f5e6b111\",\n \"scope\": \"scim.read scim.write scim.delete\",\n \"iss\": \"https://{env}.scrambleid.com\",\n \"gty\": \"client_credentials\",\n \"token_class\": \"scrambleid_managed\",\n \"grant_type\": \"client_credentials\",\n \"exp\": 1777998600,\n \"jti\": \"5e91848b-53a1-43de-9c44-7dc3d65ecf1b\"\n}\nAn invalid, expired, or unverifiable token returns active: false.
HTTP/1.1 200 OK\nContent-Type: application/json\n{\n \"active\": false\n}\nHTTP/1.1 400 Bad Request\nContent-Type: application/json\n{\n \"error\": \"invalid_request\",\n \"error_description\": \"token parameter is required\"\n}\nHTTP/1.1 400 Bad Request\nContent-Type: application/json\n{\n \"error\": \"invalid_token\",\n \"error_description\": \"The token format is invalid\"\n}\nScrambleID OAuth APIs issue and validate bearer tokens for protected API access.
\nBase URL:
\nhttps://{env}.scrambleid.com/api/v1
OAuth responses use OAuth-style response bodies, not the ScrambleID business API response envelope.
\nSend OAuth access tokens to protected APIs with:
\nAuthorization: Bearer <access_token>
The organization context and scopes are resolved from the token claims.
\nProtected APIs enforce the scope required by the endpoint or HTTP method.
\n","auth":{"type":"noauth","isInherited":false},"event":[{"listen":"prerequest","script":{"id":"f2f9c174-fc94-45ae-812f-d68c66ca24bf","type":"text/javascript","requests":{},"exec":[""]}},{"listen":"test","script":{"id":"2f83c8eb-1bb2-4457-83e1-e07132a56342","type":"text/javascript","requests":{},"exec":[""]}}],"_postman_id":"643d1b57-09ea-4cbe-b285-42ac68369464"},{"name":"IVR","item":[{"name":"Generate Code","id":"7f9e0463-c218-4325-8f03-a604358d53ff","protocolProfileBehavior":{"disableBodyPruning":true,"disabledSystemHeaders":{"content-type":true}},"request":{"method":"POST","header":[],"url":"","description":"Use POST to create a new IVR authentication session and return a short-lived IVR code.
POST /ivr/code
The IVR system can announce the returned code to the caller. The caller then confirms authentication through ScrambleID, and the IVR system checks the result with the validation endpoint.
\nIf stirShakenVerStat is omitted, ScrambleID treats it as No-TN-Validation.
ScrambleID sends an IVR push notification only when all of the following are true:
\nstirShakenVerStat is TN-Validation-Passed.
callerNumber is provided.
IVR push notifications are enabled for the organization.
\nThe caller number can be matched to an eligible user/device.
\nThe user has at least one device eligible to receive the notification.
\nIf push notification is skipped or fails, the IVR code may still be generated and returned.
\nGenerates a short-lived IVR code.
\nStores the IVR session for later validation.
\nReturns the generated code, expiry time, and tracking ID.
\nIf failIfAniNotFound is true, ScrambleID validates that the caller number belongs to a user in the authenticated organization before creating the code.
The organization context is resolved from the bearer token.
\nPOST /ivr/code HTTP/1.1\nAuthorization: Bearer <access_token>\nContent-Type: application/json\nAccept: application/json\n\n{\n \"callerNumber\": \"+14155550123\",\n \"calledNumber\": \"+18005550100\",\n \"callSessionId\": \"call-01HXAMPLE\",\n \"callStartTime\": \"2026-05-05T14:30:00.000Z\",\n \"stirShakenVerStat\": \"TN-Validation-Passed\",\n \"failIfAniNotFound\": false\n}\n\nHTTP/1.1 200 OK\nContent-Type: application/json\n\n{\n \"success\": true,\n \"data\": {\n \"ivrcode\": \"123456\",\n \"notifiedDeviceCount\": 1,\n \"codeExpiryTime\": 120,\n \"trackingId\": \"f3b8cb61-7f8f-4f12-9f9d-6232f66bb8c4\"\n },\n \"error\": null,\n \"meta\": {\n \"requestId\": \"0d29f4a9-ef9a-48c8-9441-44c7f52d3c5d\",\n \"timestamp\": \"2026-05-05T14:30:01.000Z\",\n \"schemaVersion\": \"1.0\"\n }\n}\n\nIf failIfAniNotFound is true and callerNumber does not match a user in the authenticated organization, ScrambleID returns an error.
{\n \"success\": false,\n \"data\": null,\n \"error\": {\n \"code\": \"NO_DATA_FOUND\",\n \"message\": \"No matching ANI found\",\n \"details\": null\n },\n \"meta\": {\n \"requestId\": \"9c7f2334-f53f-4219-9f70-23d91c51a76e\",\n \"timestamp\": \"2026-05-05T14:30:01.000Z\",\n \"schemaVersion\": \"1.0\"\n }\n}\n\nCaller numbers must use E.164 format.
\n{\n \"success\": false,\n \"data\": null,\n \"error\": {\n \"code\": \"INVALID_MOBILE_NUMBER\",\n \"message\": \"Invalid phone number format. Please follow the E.164 format.\",\n \"details\": null\n },\n \"meta\": {\n \"requestId\": \"b82b62d2-5c0b-43f7-8780-c13e5ab4d726\",\n \"timestamp\": \"2026-05-05T14:30:01.000Z\",\n \"schemaVersion\": \"1.0\"\n }\n}\n\nUse POST to check the status of an IVR authentication session.
POST /ivr/validate
The IVR system calls this endpoint with the code returned by /ivr/code. The response indicates whether the user has approved, rejected, or not yet completed the authentication request.
POST /ivr/validate HTTP/1.1\nAuthorization: Bearer <access_token>\nContent-Type: application/json\nAccept: application/json\n{\n \"code\": \"123456\"\n}\nHTTP/1.1 200 OK\nContent-Type: application/json\n{\n \"success\": true,\n \"data\": {\n \"ivrcode\": \"123456\",\n \"trackingId\": \"f3b8cb61-7f8f-4f12-9f9d-6232f66bb8c4\",\n \"status\": \"USER_VALIDATED\",\n \"authenticationMethod\": \"PUSH_NOTIFICATION\",\n \"user\": {\n \"primaryAttr\": \"john.doe\",\n \"ldapId\": \"john.doe\",\n \"lastName\": \"Doe\",\n \"userName\": \"john.doe\",\n \"firstName\": \"John\",\n \"primaryEmail\": \"john.doe@example.com\"\n }\n },\n \"error\": null,\n \"meta\": {\n \"requestId\": \"5a414256-4064-46f8-a6f8-8a28bb1d2d13\",\n \"timestamp\": \"2026-05-05T14:31:00.000Z\",\n \"schemaVersion\": \"1.0\"\n }\n}\n{\n \"success\": true,\n \"data\": {\n \"ivrcode\": \"123456\",\n \"trackingId\": \"f3b8cb61-7f8f-4f12-9f9d-6232f66bb8c4\",\n \"status\": \"NOT_VALIDATED_YET\"\n },\n \"error\": null,\n \"meta\": {\n \"requestId\": \"c8f8f1c7-3a2f-4c95-b4f1-8d9f53f8df91\",\n \"timestamp\": \"2026-05-05T14:30:20.000Z\",\n \"schemaVersion\": \"1.0\"\n }\n}\n{\n \"success\": true,\n \"data\": {\n \"ivrcode\": \"123456\",\n \"trackingId\": \"f3b8cb61-7f8f-4f12-9f9d-6232f66bb8c4\",\n \"status\": \"USER_CONSENT_REJECTED\"\n },\n \"error\": null,\n \"meta\": {\n \"requestId\": \"311e4356-5e89-4a47-92d4-77b4f868e031\",\n \"timestamp\": \"2026-05-05T14:30:45.000Z\",\n \"schemaVersion\": \"1.0\"\n }\n}\n{\n \"success\": false,\n \"data\": null,\n \"error\": {\n \"code\": \"CODE_NOT_FOUND\",\n \"message\": \"Requested code not found\",\n \"details\": [\n {\n \"field\": \"ivrcode\",\n \"issue\": \"Requested code not found\",\n \"value\": \"123456\"\n }\n ]\n },\n \"meta\": {\n \"requestId\": \"e74dd864-99de-4637-b9ff-44ee3fa93459\",\n \"timestamp\": \"2026-05-05T14:32:01.000Z\",\n \"schemaVersion\": \"1.0\"\n }\n}\nScrambleID IVR APIs support phone-based authentication flows where a caller proves identity by confirming a short-lived IVR code through ScrambleID.
\nThe IVR flow has two main steps:
\nThese APIs are intended for IVR systems and telephony integrations. Requests are scoped to the organization associated with the authenticated bearer token.
\nAll IVR API requests require:
\nAuthorization: Bearer <access_token>
The access token must include the scope required for the requested IVR operation.
\nOrganization Code
\n"},{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\n \"userName\": \"bot_demo\",\n \"managerEmail\":\"test@manager.com\",\n \"userType\":\"bot\",\n \"ldapId\": \"abc123\",\n \"roles\": [\"USER\"],\n \"scrambleOps\": {\n \"sendActivation\":true\n }\n \n}"},"url":"{{baseUrl}}/scim/v2/users","auth":{"type":"bearer","bearer":{"basicConfig":[{"key":"token","value":"{{accessToken}}"}]},"isInherited":true,"source":{"_postman_id":"8c6cc3a2-198c-40af-b32f-4428516efc66","id":"8c6cc3a2-198c-40af-b32f-4428516efc66","name":"Bot Automation","type":"folder"}},"urlObject":{"path":["scim","v2","users"],"host":["{{baseUrl}}"],"query":[],"variable":[]}},"response":[{"id":"11078744-add3-4e14-ab09-e0b64de6f971","name":"Create Bot -success","originalRequest":{"method":"POST","header":[{"key":"x-org","value":"orgCode","description":"Organization Code"},{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\n \"userName\": \"bot_demo\",\n \"managerEmail\":\"test@manager.com\",\n \"userType\":\"bot\",\n \"ldapId\": \"abc123\",\n \"roles\": [\"USER\"],\n \"scrambleOps\": {\n \"sendActivation\":true\n }\n \n}"},"url":"{{baseUrl}}/scim/v2/users"},"status":"Created","code":201,"_postman_previewlanguage":"json","header":[{"key":"Date","value":"Wed, 21 Aug 2024 16:23:05 GMT"},{"key":"Content-Type","value":"application/json"},{"key":"Content-Length","value":"453"},{"key":"Connection","value":"keep-alive"},{"key":"x-amzn-RequestId","value":"39e53387-9b17-43f5-9e18-67e26fc7b8f4"},{"key":"access-control-allow-origin","value":"*"},{"key":"access-control-allow-headers","value":"Content-Type, Origin, Authorization"},{"key":"x-amz-apigw-id","value":"c3ggjEKzoAMFaxA="},{"key":"X-Amzn-Trace-Id","value":"Root=1-66c61469-774ff6e95566efe878e29a3f;Parent=2d8955f52fa1c023;Sampled=0;lineage=09e8eb60:0"},{"key":"access-control-allow-credentials","value":"true"}],"cookie":[],"responseTime":null,"body":"{\n \"schemas\": [\n \"urn:ietf:params:scim:schemas:core:2.0:User\"\n ],\n \"id\": \"bot_demo\",\n \"userName\": \"bot_demo\",\n \"name\": {\n \"givenName\": \"bot_demo\"\n },\n \"scrambleMeta\": {\n \"registered\": false\n },\n \"active\": true,\n \"groups\": [],\n \"roles\": [\n \"USER\"\n ],\n \"managerEmail\": \"test@manager.com\",\n \"userType\": \"bot\",\n \"ldapId\": \"abc123\",\n \"unixLoginAttribs\": [\n \"bot_demo\"\n ],\n \"windowsLoginAttribs\": [\n \"bot_demo\"\n ],\n \"meta\": {\n \"resourceType\": \"User\",\n \"created\": \"2024-08-21T16:23:05.733Z\",\n \"lastModified\": \"2024-08-21T16:23:05.733Z\"\n }\n}"},{"id":"c856a1e6-8bb1-42a5-8d1c-c8fe679fea63","name":"Create Bot - user exists","originalRequest":{"method":"POST","header":[{"key":"x-org","value":"orgCode","description":"Organization Code"},{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\n \"userName\": \"bot_demo\",\n \"managerEmail\":\"test@manager.com\",\n \"userType\":\"bot\",\n \"ldapId\": \"abc123\",\n \"roles\": [\"USER\"],\n \"scrambleOps\": {\n \"sendActivation\":true\n }\n \n}"},"url":"{{baseUrl}}/scim/v2/users"},"status":"Conflict","code":409,"_postman_previewlanguage":"json","header":[{"key":"Date","value":"Wed, 21 Aug 2024 16:26:00 GMT"},{"key":"Content-Type","value":"application/json"},{"key":"Content-Length","value":"103"},{"key":"Connection","value":"keep-alive"},{"key":"x-amzn-RequestId","value":"806e64f7-05a1-4df0-a12d-2607ecfeec17"},{"key":"access-control-allow-origin","value":"*"},{"key":"access-control-allow-headers","value":"Content-Type, Origin, Authorization"},{"key":"x-amz-apigw-id","value":"c3g72HbRoAMFoPA="},{"key":"X-Amzn-Trace-Id","value":"Root=1-66c61518-5f71c803510e1ae07afb7f41;Parent=1986150818779f0a;Sampled=0;lineage=09e8eb60:0"},{"key":"access-control-allow-credentials","value":"true"}],"cookie":[],"responseTime":null,"body":"{\n \"schemas\": [\n \"urn:ietf:params:scim:api:messages:2.0:Error\"\n ],\n \"detail\": \"user already exists\",\n \"status\": 409\n}"}],"_postman_id":"be98ece3-a3f8-4c51-b428-72c877b2a847"}],"id":"74b2ad55-1795-46da-8d24-58d7f70487be","description":"Bot Account Creation:
\nUser Type and Manager Email:
\nWhen creating a bot account, the userType attribute must be set to \"bot\".
The managerEmail attribute (e.g., \"test@manager.com\") is mandatory if the userType is \"bot\".
The emails attribute can be omitted when creating a bot account.
The name attribute will not be required when creating a bot account.
The sendActivationatribute set to truewill automatically send the activation code to the manager's email.
Registration Implementation for Bot Accounts
\nRegistration Requirements:
\n1. UserName and Email:
\n2. Additional Attributes:
\n\"orgCode\": The organization code associated with the user.
\n\"userType\": Specifies the type of user, which must be \"bot\".
\n","_postman_id":"dd21e379-f5d3-466b-ade1-ab4ea49b2b4d","auth":{"type":"bearer","bearer":{"basicConfig":[{"key":"token","value":"{{accessToken}}"}]},"isInherited":true,"source":{"_postman_id":"8c6cc3a2-198c-40af-b32f-4428516efc66","id":"8c6cc3a2-198c-40af-b32f-4428516efc66","name":"Bot Automation","type":"folder"}}},{"name":"Bot Authentication","item":[{"name":"DID (6-digit alphanumeric code)","item":[{"name":"Step 1 - Generate DID","event":[{"listen":"test","script":{"id":"578ff38b-0af1-452c-abd9-a125fe63e7c0","exec":["let responseData=pm.response.json();\r","pm.environment.set(\"uinqueid\", responseData.did);\r","pm.environment.set(\"orgCode\", responseData.code);"],"type":"text/javascript","packages":{}}}],"id":"3d8dbf5d-b699-4a82-9f16-b52239f585b7","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[],"url":"{{baseUrl}}/login/saml/{{orgAppID}}?SAMLRequest={{replaceWithSaml}}&format=json","auth":{"type":"bearer","bearer":{"basicConfig":[{"key":"token","value":"{{accessToken}}"}]},"isInherited":true,"source":{"_postman_id":"8c6cc3a2-198c-40af-b32f-4428516efc66","id":"8c6cc3a2-198c-40af-b32f-4428516efc66","name":"Bot Automation","type":"folder"}},"urlObject":{"path":["login","saml","{{orgAppID}}"],"host":["{{baseUrl}}"],"query":[{"key":"SAMLRequest","value":"{{replaceWithSaml}}"},{"key":"format","value":"json"}],"variable":[]}},"response":[{"id":"b3973a21-e89d-44ee-86f0-dd02877e4879","name":"Generate DID - Success","originalRequest":{"method":"GET","header":[],"url":{"raw":"{{baseUrl}}/login/saml/ZGVtfHxkZW1vZ3Vlc3QuY29t?SAMLRequest=fZJbbxoxEEb%2Fysrvu7b3AqwFSDSoDVKS0kCJwpvjHRKrvhCPl6b%2Fvs7SSulDeR3PGX9n7ClKa45i0ccXdw%2BvPWDM3qxxKIaDGemDE16iRuGkBRRRic3i9kaUBRPH4KNX3pAPyGVCIkKI2juSrZYzIhuo2lHb5KqrurxW3TiftNUkn4wZtKqBugFGsh0ETMiMpAmJQ%2Bxh5TBKF1OJlXXOWc7HW84FH4maFYzXe5Itk4p2Mg7kS4xHFJS%2BygJVkPbJgO4K5S2VR01PnBr%2FrB19F6D7L7t4uH77sX%2Fgp321M6r61j%2BWbSTZ%2Bo%2FvJ%2B067Z4vqz6dm1Bcb7frfP11syXZ4q%2F%2BlXfYWwgbCCet4Pv9zTljilhWRVsXLS%2F4qBQNY5wieioVkvn0PZ8YFhDmF9stRNnJKKf0IzI9P%2FZdyrparr3R6lf22Qcr4%2F9V0uChorv8MLQKsFKbRdcFQExKxvifVwFkhBk5SINA6Px87b%2Ffav4b&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha512&Signature=uw9h%2FU8KXTJbHt2LLpH33LJhs8D1enuO1966zbAEFUASZRu4zWXnfU2AR2SzUGhD4%2Fu2flxQo9ladF8CQ1hFz8rBhn8WSmHsfFgcSoibwLiH3CgKf0FcIvTMtMp2YtiyuFgx8N3eAnHIWwg30SP6VPDiWUilIsAsQEYarYneMPpJDBA7EsuK3grhvQzC%2FXsvolNwdx6DnWHDf578WN7ydfch97aXjJW6sgk0ieNI%2FWNo6xMTDFKC%2Bz5f%2Fn%2By0RhauS0edil2GQkT81AtlkqOydh13bUJeh3Ybtog9wTESzcrjzMeBj78c2cpTJvHjFpA5Fw4d7X9E%2FuPQoO9kKjqWQ%3D%3D&format=json","host":["{{baseUrl}}"],"path":["login","saml","ZGVtfHxkZW1vZ3Vlc3QuY29t"],"query":[{"key":"SAMLRequest","value":"fZJbbxoxEEb%2Fysrvu7b3AqwFSDSoDVKS0kCJwpvjHRKrvhCPl6b%2Fvs7SSulDeR3PGX9n7ClKa45i0ccXdw%2BvPWDM3qxxKIaDGemDE16iRuGkBRRRic3i9kaUBRPH4KNX3pAPyGVCIkKI2juSrZYzIhuo2lHb5KqrurxW3TiftNUkn4wZtKqBugFGsh0ETMiMpAmJQ%2Bxh5TBKF1OJlXXOWc7HW84FH4maFYzXe5Itk4p2Mg7kS4xHFJS%2BygJVkPbJgO4K5S2VR01PnBr%2FrB19F6D7L7t4uH77sX%2Fgp321M6r61j%2BWbSTZ%2Bo%2FvJ%2B067Z4vqz6dm1Bcb7frfP11syXZ4q%2F%2BlXfYWwgbCCet4Pv9zTljilhWRVsXLS%2F4qBQNY5wieioVkvn0PZ8YFhDmF9stRNnJKKf0IzI9P%2FZdyrparr3R6lf22Qcr4%2F9V0uChorv8MLQKsFKbRdcFQExKxvifVwFkhBk5SINA6Px87b%2Ffav4b"},{"key":"SigAlg","value":"http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha512"},{"key":"Signature","value":"uw9h%2FU8KXTJbHt2LLpH33LJhs8D1enuO1966zbAEFUASZRu4zWXnfU2AR2SzUGhD4%2Fu2flxQo9ladF8CQ1hFz8rBhn8WSmHsfFgcSoibwLiH3CgKf0FcIvTMtMp2YtiyuFgx8N3eAnHIWwg30SP6VPDiWUilIsAsQEYarYneMPpJDBA7EsuK3grhvQzC%2FXsvolNwdx6DnWHDf578WN7ydfch97aXjJW6sgk0ieNI%2FWNo6xMTDFKC%2Bz5f%2Fn%2By0RhauS0edil2GQkT81AtlkqOydh13bUJeh3Ybtog9wTESzcrjzMeBj78c2cpTJvHjFpA5Fw4d7X9E%2FuPQoO9kKjqWQ%3D%3D"},{"key":"format","value":"json"}]}},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Date","value":"Wed, 23 Oct 2024 05:15:26 GMT"},{"key":"Content-Type","value":"application/json; charset=utf-8"},{"key":"Content-Length","value":"833"},{"key":"Connection","value":"keep-alive"},{"key":"x-amzn-RequestId","value":"e1c5522f-96e5-434c-8454-a680b3ceb1fb"},{"key":"access-control-allow-origin","value":"*"},{"key":"x-amzn-Remapped-Content-Length","value":"833"},{"key":"x-amzn-Remapped-Connection","value":"keep-alive"},{"key":"x-amz-apigw-id","value":"AFnxQGpRoAMFegA="},{"key":"x-amzn-Remapped-Date","value":"Wed, 23 Oct 2024 05:15:26 GMT"}],"cookie":[],"responseTime":null,"body":"{\n \"qid\": \"1ab2e09c-164b-4a0e-a801-3568435d320b\",\n \"did\": \"YXXWGZ\",\n \"code\": \"dem\",\n \"orgName\": \"dem\",\n \"didEnabled\": true,\n \"source\": \"SAML\",\n \"appName\": \"HR Portal\",\n \"url\": \"wss://wsp.qa.scrambleid.com/v1\",\n \"idTimeout\": 60,\n \"browserTimeout\": 900,\n \"confirmationTimeout\": 60,\n \"redirectUrl\": \"https://demoguest.com/qa/hr\",\n \"webAuthnEnabled\": true,\n \"webAuthnRegisterUrl\": \"/register/webauthn/ZGVtfHxkZW1vZ3Vlc3QuY29t\",\n \"forceAuthnEnabled\": true,\n \"org\": {\n \"name\": \"dem\",\n \"color\": \"#005A8C\",\n \"logo\": \"https://logos.qa.scrambleid.com/logos/dem.png\",\n \"logoSize\": {\n \"width\": 275,\n \"height\": 69.75\n },\n \"title\": \"\",\n \"bannerText\": \"We eliminate your greatest weakness: static credentials. All of them. There is nothing to store, nothing to steal.\"\n },\n \"disallowMultiValuedAttributes\": false,\n \"webAuthnRoamingAuthenticatorEnabled\": true,\n \"webAuthnRegistrationEnabled\": true,\n \"tapToLoginForWindowsEnabled\": false\n}"}],"_postman_id":"3d8dbf5d-b699-4a82-9f16-b52239f585b7"},{"name":"Step 2 - Verify DID (Login)","id":"94a59367-a4f0-408e-8936-2f506f7d7fbe","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\r\n \"uniqueId\": \"{{uinqueid}}\",\r\n \"suid\": \"{{suid}}\",\r\n \"zid\": \"{{zid}}\",\r\n \"timestamp\": 1780211003,\r\n \"signature\": \"{{signature}}\"\r\n}","options":{"raw":{"language":"json"}}},"url":"{{baseUrl}}/verify/did","auth":{"type":"bearer","bearer":{"basicConfig":[{"key":"token","value":"{{accessToken}}"}]},"isInherited":true,"source":{"_postman_id":"8c6cc3a2-198c-40af-b32f-4428516efc66","id":"8c6cc3a2-198c-40af-b32f-4428516efc66","name":"Bot Automation","type":"folder"}},"urlObject":{"path":["verify","did"],"host":["{{baseUrl}}"],"query":[],"variable":[]}},"response":[{"id":"2ef074e9-af1a-4811-97e8-5780d480723c","name":"Step 3 - Verify DID (Login) Success","originalRequest":{"method":"POST","header":[{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\r\n \"uniqueId\": \"{{uinqueid}}\",\r\n \"suid\": \"{{suid}}\",\r\n \"zid\": \"{{zid}}\",\r\n \"timestamp\": 1780211003,\r\n \"signature\": \"{{signature}}\"\r\n}","options":{"raw":{"language":"json"}}},"url":"{{baseUrl}}/verify/did"},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Date","value":"Wed, 23 Oct 2024 05:12:21 GMT","uuid":"e59ff82f-727d-4a77-b442-41923f76d11f"},{"key":"Content-Type","value":"application/json; charset=utf-8","uuid":"221c8f10-3a08-4c71-9cac-80869394fa81"},{"key":"Content-Length","value":"56","uuid":"2acdd6af-9be5-4da7-b0a4-69d1e8dc29e6"},{"key":"Connection","value":"keep-alive","uuid":"6fcf5ef2-d827-466b-bec4-268d3f0155bd"},{"key":"x-amzn-RequestId","value":"004ebf3f-20e4-426d-9f09-f7fe490f3059","uuid":"3299df75-2eee-4105-8f6f-f9453d69e176"},{"key":"access-control-allow-origin","value":"*","uuid":"4b117359-15f9-45bc-911d-0f641f2148cb"},{"key":"x-amzn-Remapped-Content-Length","value":"56","uuid":"8c36f3da-4545-4477-87a6-d996570d01df"},{"key":"x-amzn-Remapped-Connection","value":"keep-alive","uuid":"86b68f59-3349-49e8-9299-c5607d772fda"},{"key":"x-amz-apigw-id","value":"AFnUaGInIAMF3BA=","uuid":"e845c29e-1c01-484d-9ff5-c9b2e3860406"},{"key":"x-amzn-Remapped-Date","value":"Wed, 23 Oct 2024 05:12:21 GMT","uuid":"02470a04-2454-4352-9c64-0e343b47d4cc"}],"cookie":[],"responseTime":null,"body":"{\n \"resultCode\": 0,\n \"errorCode\": 0,\n \"timestamp\": 1729660341745\n}"}],"_postman_id":"94a59367-a4f0-408e-8936-2f506f7d7fbe"}],"id":"418d490a-198b-47d5-8733-25e711077878","_postman_id":"418d490a-198b-47d5-8733-25e711077878","description":"","auth":{"type":"bearer","bearer":{"basicConfig":[{"key":"token","value":"{{accessToken}}"}]},"isInherited":true,"source":{"_postman_id":"8c6cc3a2-198c-40af-b32f-4428516efc66","id":"8c6cc3a2-198c-40af-b32f-4428516efc66","name":"Bot Automation","type":"folder"}}},{"name":"QID","item":[{"name":"Step 1 - Generate QID","event":[{"listen":"test","script":{"id":"578ff38b-0af1-452c-abd9-a125fe63e7c0","exec":["let responseData=pm.response.json();\r","pm.environment.set(\"uinqueid\", responseData.did);\r","pm.environment.set(\"orgCode\", responseData.code);"],"type":"text/javascript","packages":{}}}],"id":"e8912e3a-dbe4-4a5b-b76d-36f6093bd207","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[],"url":"{{baseUrl}}/login/saml/{{orgAppID}}?SAMLRequest={{replaceWithSaml}}&format=json","auth":{"type":"bearer","bearer":{"basicConfig":[{"key":"token","value":"{{accessToken}}"}]},"isInherited":true,"source":{"_postman_id":"8c6cc3a2-198c-40af-b32f-4428516efc66","id":"8c6cc3a2-198c-40af-b32f-4428516efc66","name":"Bot Automation","type":"folder"}},"urlObject":{"path":["login","saml","{{orgAppID}}"],"host":["{{baseUrl}}"],"query":[{"key":"SAMLRequest","value":"{{replaceWithSaml}}"},{"key":"format","value":"json"}],"variable":[]}},"response":[{"id":"db7088b7-0d3f-4a5e-a0bf-9733a0af3ff1","name":"Generate DID - Success","originalRequest":{"method":"GET","header":[],"url":{"raw":"{{baseUrl}}/login/saml/ZGVtfHxkZW1vZ3Vlc3QuY29t?SAMLRequest=fZJbbxoxEEb%2Fysrvu7b3AqwFSDSoDVKS0kCJwpvjHRKrvhCPl6b%2Fvs7SSulDeR3PGX9n7ClKa45i0ccXdw%2BvPWDM3qxxKIaDGemDE16iRuGkBRRRic3i9kaUBRPH4KNX3pAPyGVCIkKI2juSrZYzIhuo2lHb5KqrurxW3TiftNUkn4wZtKqBugFGsh0ETMiMpAmJQ%2Bxh5TBKF1OJlXXOWc7HW84FH4maFYzXe5Itk4p2Mg7kS4xHFJS%2BygJVkPbJgO4K5S2VR01PnBr%2FrB19F6D7L7t4uH77sX%2Fgp321M6r61j%2BWbSTZ%2Bo%2FvJ%2B067Z4vqz6dm1Bcb7frfP11syXZ4q%2F%2BlXfYWwgbCCet4Pv9zTljilhWRVsXLS%2F4qBQNY5wieioVkvn0PZ8YFhDmF9stRNnJKKf0IzI9P%2FZdyrparr3R6lf22Qcr4%2F9V0uChorv8MLQKsFKbRdcFQExKxvifVwFkhBk5SINA6Px87b%2Ffav4b&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha512&Signature=uw9h%2FU8KXTJbHt2LLpH33LJhs8D1enuO1966zbAEFUASZRu4zWXnfU2AR2SzUGhD4%2Fu2flxQo9ladF8CQ1hFz8rBhn8WSmHsfFgcSoibwLiH3CgKf0FcIvTMtMp2YtiyuFgx8N3eAnHIWwg30SP6VPDiWUilIsAsQEYarYneMPpJDBA7EsuK3grhvQzC%2FXsvolNwdx6DnWHDf578WN7ydfch97aXjJW6sgk0ieNI%2FWNo6xMTDFKC%2Bz5f%2Fn%2By0RhauS0edil2GQkT81AtlkqOydh13bUJeh3Ybtog9wTESzcrjzMeBj78c2cpTJvHjFpA5Fw4d7X9E%2FuPQoO9kKjqWQ%3D%3D&format=json","host":["{{baseUrl}}"],"path":["login","saml","ZGVtfHxkZW1vZ3Vlc3QuY29t"],"query":[{"key":"SAMLRequest","value":"fZJbbxoxEEb%2Fysrvu7b3AqwFSDSoDVKS0kCJwpvjHRKrvhCPl6b%2Fvs7SSulDeR3PGX9n7ClKa45i0ccXdw%2BvPWDM3qxxKIaDGemDE16iRuGkBRRRic3i9kaUBRPH4KNX3pAPyGVCIkKI2juSrZYzIhuo2lHb5KqrurxW3TiftNUkn4wZtKqBugFGsh0ETMiMpAmJQ%2Bxh5TBKF1OJlXXOWc7HW84FH4maFYzXe5Itk4p2Mg7kS4xHFJS%2BygJVkPbJgO4K5S2VR01PnBr%2FrB19F6D7L7t4uH77sX%2Fgp321M6r61j%2BWbSTZ%2Bo%2FvJ%2B067Z4vqz6dm1Bcb7frfP11syXZ4q%2F%2BlXfYWwgbCCet4Pv9zTljilhWRVsXLS%2F4qBQNY5wieioVkvn0PZ8YFhDmF9stRNnJKKf0IzI9P%2FZdyrparr3R6lf22Qcr4%2F9V0uChorv8MLQKsFKbRdcFQExKxvifVwFkhBk5SINA6Px87b%2Ffav4b"},{"key":"SigAlg","value":"http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha512"},{"key":"Signature","value":"uw9h%2FU8KXTJbHt2LLpH33LJhs8D1enuO1966zbAEFUASZRu4zWXnfU2AR2SzUGhD4%2Fu2flxQo9ladF8CQ1hFz8rBhn8WSmHsfFgcSoibwLiH3CgKf0FcIvTMtMp2YtiyuFgx8N3eAnHIWwg30SP6VPDiWUilIsAsQEYarYneMPpJDBA7EsuK3grhvQzC%2FXsvolNwdx6DnWHDf578WN7ydfch97aXjJW6sgk0ieNI%2FWNo6xMTDFKC%2Bz5f%2Fn%2By0RhauS0edil2GQkT81AtlkqOydh13bUJeh3Ybtog9wTESzcrjzMeBj78c2cpTJvHjFpA5Fw4d7X9E%2FuPQoO9kKjqWQ%3D%3D"},{"key":"format","value":"json"}]}},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Date","value":"Wed, 23 Oct 2024 05:15:26 GMT"},{"key":"Content-Type","value":"application/json; charset=utf-8"},{"key":"Content-Length","value":"833"},{"key":"Connection","value":"keep-alive"},{"key":"x-amzn-RequestId","value":"e1c5522f-96e5-434c-8454-a680b3ceb1fb"},{"key":"access-control-allow-origin","value":"*"},{"key":"x-amzn-Remapped-Content-Length","value":"833"},{"key":"x-amzn-Remapped-Connection","value":"keep-alive"},{"key":"x-amz-apigw-id","value":"AFnxQGpRoAMFegA="},{"key":"x-amzn-Remapped-Date","value":"Wed, 23 Oct 2024 05:15:26 GMT"}],"cookie":[],"responseTime":null,"body":"{\n \"qid\": \"1ab2e09c-164b-4a0e-a801-3568435d320b\",\n \"did\": \"YXXWGZ\",\n \"code\": \"dem\",\n \"orgName\": \"dem\",\n \"didEnabled\": true,\n \"source\": \"SAML\",\n \"appName\": \"HR Portal\",\n \"url\": \"wss://wsp.qa.scrambleid.com/v1\",\n \"idTimeout\": 60,\n \"browserTimeout\": 900,\n \"confirmationTimeout\": 60,\n \"redirectUrl\": \"https://demoguest.com/qa/hr\",\n \"webAuthnEnabled\": true,\n \"webAuthnRegisterUrl\": \"/register/webauthn/ZGVtfHxkZW1vZ3Vlc3QuY29t\",\n \"forceAuthnEnabled\": true,\n \"org\": {\n \"name\": \"dem\",\n \"color\": \"#005A8C\",\n \"logo\": \"https://logos.qa.scrambleid.com/logos/dem.png\",\n \"logoSize\": {\n \"width\": 275,\n \"height\": 69.75\n },\n \"title\": \"\",\n \"bannerText\": \"We eliminate your greatest weakness: static credentials. All of them. There is nothing to store, nothing to steal.\"\n },\n \"disallowMultiValuedAttributes\": false,\n \"webAuthnRoamingAuthenticatorEnabled\": true,\n \"webAuthnRegistrationEnabled\": true,\n \"tapToLoginForWindowsEnabled\": false\n}"}],"_postman_id":"e8912e3a-dbe4-4a5b-b76d-36f6093bd207"},{"name":"Step 2 - Verify QID (Login) Test","id":"75aa0a51-bbc5-4be6-b632-d28a05a69768","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\r\n \"uniqueId\": \"{{uinqueid}}\",\r\n \"suid\": \"{{suid}}\",\r\n \"zid\": \"{{zid}}\",\r\n \"org\": \"orgCode\",\r\n \"timestamp\": 1780211003,\r\n \"signature\": \"{{signature}}\"\r\n}","options":{"raw":{"language":"json"}}},"url":"{{baseUrl}}/verify/did","auth":{"type":"bearer","bearer":{"basicConfig":[{"key":"token","value":"{{accessToken}}"}]},"isInherited":true,"source":{"_postman_id":"8c6cc3a2-198c-40af-b32f-4428516efc66","id":"8c6cc3a2-198c-40af-b32f-4428516efc66","name":"Bot Automation","type":"folder"}},"urlObject":{"path":["verify","did"],"host":["{{baseUrl}}"],"query":[],"variable":[]}},"response":[{"id":"177c616c-cede-4b5f-8b20-0956d1473158","name":"Step 3 - Verify DID (Login) Success","originalRequest":{"method":"POST","header":[{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\r\n \"uniqueId\": \"{{uinqueid}}\",\r\n \"suid\": \"{{suid}}\",\r\n \"zid\": \"{{zid}}\",\r\n \"timestamp\": 1780211003,\r\n \"signature\": \"{{signature}}\"\r\n}","options":{"raw":{"language":"json"}}},"url":"{{baseUrl}}/verify/did"},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Date","value":"Wed, 23 Oct 2024 05:12:21 GMT","uuid":"e59ff82f-727d-4a77-b442-41923f76d11f"},{"key":"Content-Type","value":"application/json; charset=utf-8","uuid":"221c8f10-3a08-4c71-9cac-80869394fa81"},{"key":"Content-Length","value":"56","uuid":"2acdd6af-9be5-4da7-b0a4-69d1e8dc29e6"},{"key":"Connection","value":"keep-alive","uuid":"6fcf5ef2-d827-466b-bec4-268d3f0155bd"},{"key":"x-amzn-RequestId","value":"004ebf3f-20e4-426d-9f09-f7fe490f3059","uuid":"3299df75-2eee-4105-8f6f-f9453d69e176"},{"key":"access-control-allow-origin","value":"*","uuid":"4b117359-15f9-45bc-911d-0f641f2148cb"},{"key":"x-amzn-Remapped-Content-Length","value":"56","uuid":"8c36f3da-4545-4477-87a6-d996570d01df"},{"key":"x-amzn-Remapped-Connection","value":"keep-alive","uuid":"86b68f59-3349-49e8-9299-c5607d772fda"},{"key":"x-amz-apigw-id","value":"AFnUaGInIAMF3BA=","uuid":"e845c29e-1c01-484d-9ff5-c9b2e3860406"},{"key":"x-amzn-Remapped-Date","value":"Wed, 23 Oct 2024 05:12:21 GMT","uuid":"02470a04-2454-4352-9c64-0e343b47d4cc"}],"cookie":[],"responseTime":null,"body":"{\n \"resultCode\": 0,\n \"errorCode\": 0,\n \"timestamp\": 1729660341745\n}"}],"_postman_id":"75aa0a51-bbc5-4be6-b632-d28a05a69768"}],"id":"2c1f8815-3457-46b8-ad7c-3467ad8857ad","_postman_id":"2c1f8815-3457-46b8-ad7c-3467ad8857ad","description":"","auth":{"type":"bearer","bearer":{"basicConfig":[{"key":"token","value":"{{accessToken}}"}]},"isInherited":true,"source":{"_postman_id":"8c6cc3a2-198c-40af-b32f-4428516efc66","id":"8c6cc3a2-198c-40af-b32f-4428516efc66","name":"Bot Automation","type":"folder"}}}],"id":"57079219-723d-4a5a-8101-21fef21d0485","description":"Authentication begins with a call to the login page to obtain the DID or QID values.
\nStep 2 involves the HTTP call that completes the login process. This step requires a specific signature, and the proper format must be followed to generate the signature using the private key.
\nContains
\nBot Account creation
\nBot Registration
\nBot Authentication
\nBot Operations
\n