SCIM 1.1 API reference
We're still building and not all features are available quite yet. Enjoy this peek into the future!
Not ready for the future? Return to the past at api.slack.com.
The SCIM API is RESTful and the endpoint URLs are different than other Slack API endpoints.
| Endpoint | Description |
|---|---|
GET /ServiceProviderConfigs | Returns Slack's configuration details for our SCIM API |
GET /Schemas/Users | Returns Slack's configuration details for how users are formatted |
GET /Schemas/Groups | Returns Slack's configuration details for how groups are formatted |
GET /Users | Returns a paginated list of users |
GET /Users/<id> | Retrieves a single user resource |
POST /Users | Creates a user |
PATCH /Users/<id> | Updates an existing user resource, overwriting specified values |
PUT /Users/<id> | Updates an existing user resource, overwriting all values |
DELETE /Users/<id> | Sets a Slack user to deactivated |
GET /Groups/ | Returns a paginated list of groups |
GET /Groups/<id> | Retrieves a single group resource |
POST /Groups | Creates a new group |
PATCH /Groups/<id> | Updates an existing group resource |
PUT /Groups/<id> | Updates an existing group resource, overwriting all values |
DELETE /Groups/<id> | Permanently removes a group |
Service Provider Configuration
| Endpoint | Description |
|---|---|
GET /ServiceProviderConfigs | Returns Slack's configuration details for our SCIM API |
GET /ServiceProviderConfigs
Returns Slack's configuration details for our SCIM API, including which operations are supported.
Schemas
Slack currently supports schemas for users and groups. Querying the schemas will provide the most up-to-date rendering of the supported SCIM attributes.
| Endpoint | Description |
|---|---|
GET /Schemas/Users | Returns Slack's configuration details for how users are formatted |
GET /Schemas/Groups | Returns Slack's configuration details for how groups are formatted |
GET /Schemas/Users
Returns Slack's configuration details for how users are formatted.
Multi-channel guest user schema
Slack also supports a custom extension, called urn:scim:schemas:extension:slack:guest:1.0, that can be used to designate a user as a multi-channel guest. The details of this schema are also returned as part of the GET /scim/v1/Schemas/Users payload.
GET /Schemas/Groups
Returns Slack's configuration details for how groups are formatted.
Users
Users map to the individuals of your team across a workspace or Grid organization. Each user contains properties called attributes, like userName and title. You can list users, filter by attribute, add new users, update a user's profile information, or remove a user entirely.
| Endpoint | Description |
|---|---|
GET /Users | Returns a paginated list of users |
GET /Users/<id> | Retrieves a single user resource |
POST /Users | Creates a user |
PATCH /Users/<id> | Updates an existing user resource, overwriting specified values |
PUT /Users/<id> | Updates an existing user resource, overwriting all values |
DELETE /Users/<id> | Sets a Slack user to deactivated |
User attributes
Attributes are the details associated with a user's account. These are the details that someone would typically set in their profile (for example, by clicking the Edit Profile button in the Slack application).
The following tables map SCIM attributes to the profile fields that Slack uses. Most of these profile fields are exposed directly in a person's profile in the Slack UI. Sometimes, multiple SCIM attributes map to a single Slack profile field. For example, Slack's Display name field will populate from either the displayName or the userName SCIM attribute, depending on which is set. If both are set, it will use displayName.
When you sync some user attributes to Slack via SCIM, these fields become locked in Slack and you can no longer delete them or edit them. However, you may choose to hide them from user profiles.
Attribute values will vary by identity provider. For example, some may use a single field for a user's full name, others may provide sub-attributes such as givenName and familyName, still others may provide both. Either is acceptable, but they should only describe the same name (i.e. sub-attributes should not contain additional or optional information, such as a nickname).
Not every attribute will be displayed in a user's profile. For example, active does not appear as a field but can be used to determine if a user's account is active.
| Slack Profile Field | SCIM Attribute | Attribute Type | Notes |
|---|---|---|---|
| Username | userName | Singular | Required Max of 21 characters. Support periods ., underscores _, and hyphens -. All other special characters are converted to underscores. |
| Full Name | name, familyName | Singular | |
| Nickname | nickName | Singular | |
| Display Name | displayName, userName | Singular | Support periods ., underscores _, and hyphens -. All other special characters are converted to underscores. Max of 80 characters. |
emails[0]['value'] | Multi-Valued | Required | |
| Profile URL | profileUrl | Singular | |
| Profile Photo | photos[0]['values'] | Multi-Valued | |
| Groups | groups | Multi-Valued | |
| Title | title | Singular | |
| Timezone | timezone | Singular | |
| Active | active | Singular | |
| Password | password | Singular | Never returned but can be used to set the initial password for a user if the team is not using an identity manager. |
| Start Date | profile.startDate | Singular | Date should be in the ISO 8601 format, such as 2024-04-10T00:00:00+0000. Must provide the urn:scim:schemas:extension:slack:profile:1.0 schema in request body. |
Slack will also create profile fields if the following SCIM attributes are present:
| Custom Profile Field | SCIM Attribute | Attribute Type |
|---|---|---|
| Addresses | addresses | Multi-Valued |
| City | addresses[primary]['locality'] | Singular |
| Cost Center | enterprise.costCenter | Singular |
| Country | addresses[primary]['country'] | Singular |
| Department | enterprise.department | Singular |
| Division | enterprise.division | Singular |
| Employee ID | enterprise.employeeNumber | Singular |
| Honorific Prefix | name.honorificPrefix | Singular |
| Locale | locale | Singular |
| Manager | enterprise.manager.managerId | Singular |
| Organization | enterprise.organization | Singular |
| Phone | phoneNumbers[0]['values'] | Multi-Valued |
| Preferred Language | preferredLanguage | Singular |
| Roles | roles | Multi-Valued |
| Title | title | Singular |
| UserType | userType | Singular |
| Zip Code | addresses[primary]['postalCode'] | Singular |
GET /Users
Returns a paginated list of users, ten users per page by default.
When querying larger Slack instances, reduce the count parameter to 1,000 or less, and use the startIndex parameter to paginate through users. Pagination will be required for large lists of users as of August 30, 2019.
It's possible to return a list of specific types of users with the filter parameter.
GET /scim/v1/Users?startIndex=4&count=500 HTTP/1.1
Host: api.slack.com
Accept: application/json
Authorization: Bearer xoxp-4956040672-4956040692-6476208902-xxxxxx
GET /Users/<id>
Retrieves a single user resource.
The value of the <id> should be the user's corresponding Slack ID, beginning with either U or W.
GET /scim/v1/Users/U1A23BC4D HTTP/1.1
Host: api.slack.com
Accept: application/json
Authorization: Bearer xoxp-4956040672-4956040692-6476208902-xxxxxx
POST /Users
Creates a user.
Must include the userName attribute and at least one email address. You may provide an email address in the userName field, but it will be automatically converted to a Slack-appropriate username.
The value sub-attribute for photos can either be a publicly accessible URL e.g. "https://photos.example.com/profilephoto.jpg", or a Data URL containing raw image data, e.g. "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA...".
This example request body provides a detailed example of which attributes Slack uses, especially for the multi-valued attributes.
{
"schemas": [
"urn:scim:schemas:core:1.0",
"urn:scim:schemas:extension:enterprise:1.0",
"urn:scim:schemas:extension:slack:profile:1.0"
],
"userName": "other_username",
"nickName": "slack_username",
"name": {
"familyName": "Last",
"givenName": "First",
"honorificPrefix": "Ms."
},
"displayName": "First Last",
"profileUrl": "https://login.example.com/slack_username",
"emails": [
{
"value": "some@email.com",
"type": "work",
"primary": true
},
{
"value": "some_other@email.com",
"type": "home"
}
],
"addresses": [
{
"streetAddress": "1060 W Addison St",
"locality": "Chicago",
"region": "IL",
"postalCode": "60613",
"country": "USA",
"primary": true
}
],
"phoneNumbers": [
{
"value": "555-555-5555",
"type": "work"
},
{
"value": "555-555-4444",
"type": "mobile"
}
],
"photos": [
{
"value": "https://photos.example.com/profilephoto.jpg",
"type": "photo"
}
],
"roles": [
{
"value": "Tech Lead",
"primary": "true"
}
],
"userType": "Employee",
"title": "Tour Guide",
"preferredLanguage": "en_US",
"locale": "en_US",
"timezone": "America/Chicago",
"active": true,
"password": "Cub$winCub$win!!",
"urn:scim:schemas:extension:enterprise:1.0": {
"employeeNumber": "701984",
"costCenter": "4130",
"organization": "Chicago Cubs",
"division": "Wrigley Field",
"department": "Tour Operations",
"manager": {
"managerId": "U123ABC456"
}
},
"urn:scim:schemas:extension:slack:profile:1.0": {
"startDate": "2024-04-10T00:00:00+0000"
}
}
POST /Users (Multi-Channel Guests)
You can create a multi-channel guest user using the urn:scim:schemas:extension:slack:guest:1.0 attribute. Within that attribute:
- The
typesub attribute is mandatory. - The optional
expirationsub attribute must be an ISO 8601 date time string. - The only valid value for the
typesub-attribute is"multi"string.
Be sure to include the urn:scim:schemas:extension:slack:guest:1.0 URI in the schemas attribute.
Here are two ways to create a multi-channel guest user:
Option 1
Specifies a multi-channel guest user account that expires on "11/30/2020 23:59:59 UTC".
"urn:scim:schemas:extension:slack:guest:1.0": {
"type": "multi",
"expiration": "2020-11-30T23:59:59Z"
}
Option 2
Specifies a multi-channel guest user account with no expiration date.
"urn:scim:schemas:extension:slack:guest:1.0": {
"type": "multi"
}
Full example
{
"schemas": [
"urn:scim:schemas:core:1.0",
"urn:scim:schemas:extension:enterprise:1.0",
"urn:scim:schemas:extension:slack:guest:1.0"
],
"userName": "other_username",
"nickName": "slack_username",
"name": {
"familyName": "Last",
"givenName": "First",
"honorificPrefix": "Ms."
},
"displayName": "First Last",
"profileUrl": "https://login.example.com/slack_username",
"emails": [
{
"value": "some@email.com",
"type": "work",
"primary": true
},
{
"value": "some_other@email.com",
"type": "home"
}
],
"addresses": [
{
"streetAddress": "1060 W Addison St",
"locality": "Chicago",
"region": "IL",
"postalCode": "60613",
"country": "USA",
"primary": true
}
],
"phoneNumbers": [
{
"value": "555-555-5555",
"type": "work"
},
{
"value": "555-555-4444",
"type": "mobile"
}
],
"photos": [
{
"value": "https://photos.example.com/profilephoto.jpg",
"type": "photo"
}
],
"roles": [
{
"value": "Tech Lead",
"primary": "true"
}
],
"userType": "Employee",
"title": "Tour Guide",
"preferredLanguage": "en_US",
"locale": "en_US",
"timezone": "America/Chicago",
"active": true,
"password": "Cub$winCub$win!!",
"urn:scim:schemas:extension:enterprise:1.0": {
"employeeNumber": "701984",
"costCenter": "4130",
"organization": "Chicago Cubs",
"division": "Wrigley Field",
"department": "Tour Operations",
"manager": {
"managerId": "U123ABC456"
}
},
"urn:scim:schemas:extension:slack:guest:1.0": {
"type": "multi",
"expiration": "2020-11-30T23:59:59Z"
}
}
PATCH /Users/<id>
Updates an existing user resource, overwriting values for specified attributes.
The value of the <id> should be the user's corresponding Slack ID, beginning with either U or W. Attributes that are not provided in the request will remain unchanged. Updating a value to " " will clear and remove the field from the user's profile.
:::info[Updates to the password, externalId, and profileUrl attributes are not supported.
:::
active
Deactivate activated users by setting the active attribute equal to false. Alternatively, re-enable deactivated users by setting the active attribute equal to true.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"active": true
}
userName
Updates to the userName attribute will also update the nickName attribute and vice versa.
The userName attribute cannot be empty.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"userName": "other_username"
}
nickName
Updates to the nickName attribute will also update the userName attribute and vice versa.
The nickName attribute cannot be empty.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"nickName": "slack_username"
}
displayName
Updates a user's Slack display name profile field. The following request will update the user's handle to @First Last.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"displayName": "First Last"
}
title
Updates a user's title profile field.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"title": "Tour Guide"
}
userType
Updates a user's userType profile field.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"userType": "Employee"
}
preferredLanguage
Updates the user's preferred language profile field.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"preferredLanguage":"en_US"
}
locale
Updates the user's locale profile field.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"locale": "en_US"
}
timezone
Updates the user's timezone profile field.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"timezone": "America/Chicago"
}
emails
Only two user emails are stored; the primary and secondary email. The primary email may be specified by setting the primary sub-attribute to true. If the primary sub-attribute is omitted, the type sub-attribute may be specified and set to "work". Otherwise, if both the primary and type sub-attributes are omitted, the primary and secondary emails will be selected in the order they appear.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"emails": [
{
"value": "some@email.com",
"type": "work",
"primary": true
},
{
"value": "some_other@email.com",
"type": "home"
}
]
}
A user's primary email cannot be deleted, only updates are supported. Attempts to delete the primary email without providing a replacement value will result in a missing_primary_email error. However, the secondary email may be modified at will. For example, the following request will remove the secondary email.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"emails": [
{
"value": "some_other@email.com",
"operation": "delete"
}
]
}
The following request will only remove the secondary email.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"meta": {
"attributes": [
"emails"
]
}
}
phoneNumbers
Only two user phone numbers are stored: the primaryPhone and mobilePhone. Updating numbers is done by setting one of the primary or type fields for each updated number.
type field means different things depending on whether it's in the request or in the responseIn the request, the "type": "mobile" field specifies the primaryPhone. In the response, "type": "mobile" is assigned to the mobilePhone.
Only update primaryPhone
| Option | primary value | type value |
|---|---|---|
| Option 1 | ||
| Option 2 | true | |
| Option 3 | false | |
| Option 4 | "mobile" |
Example request (option 2)
In this example, 123-333-3333 is set as the primaryPhone.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"phoneNumbers": [
{
"value": "123-333-3333",
"primary": true
}
]
}
Only update mobilePhone
primary value | type value |
|---|---|
"work" |
Example request
In this example, 123-333-3333 is set as the mobilePhone.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"phoneNumbers": [
{
"value": "123-333-3333",
"type": "work"
}
]
}
Update both primaryPhone and mobilePhone with different values
| Option | primaryPhone primary value | primaryPhone type value | mobilePhone primary value | mobilePhone type value |
|---|---|---|---|---|
| Option 1 | true | false | ||
| Option 2 | "mobile" | "work" | ||
| Option 3 | true |
Example Request (option 1)
In this example, 222-222-2222 is set as the mobilePhone and 333-333-3333 is set as the primaryPhone.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"phoneNumbers": [
{
"value": "222-222-2222",
"primary": false
},
{
"value": "333-333-3333",
"primary": true
}
]
}
Delete phone numbers
The primary or secondary phone numbers may be deleted by specifying their respective values and setting the operation sub-attribute to "delete". The following requests are equivalent; they will delete all of the user's phone numbers.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"phoneNumbers": [
{
"value": "555-555-5555",
"operation": "delete"
},
{
"value": "555-555-4444",
"operation": "delete"
}
]
}
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"meta": {
"attributes": [
"phoneNumbers"
]
}
}
photos
Only one user photo is stored and used as the user's profile photo. The photo may be specified by setting the primary sub-attribute to true. If the primary sub-attribute is omitted, the first element in the photos array will be selected. The value sub-attribute for photos can either be a publicly accessible URL e.g. "https://photos.example.com/profilephoto.jpg", or a Data URL containing raw image data, e.g. "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA...".
After a successful PATCH request, the response will not reflect the updated value immediately. It takes a few moments for the URL to be generated and propagated to the Slack client.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"photos": [
{
"value": "https://photos.example.com/profilephoto.jpg",
"primary": true
}
]
}
addresses
Only one user address is stored. The address may be specified by setting the primary sub-attribute to true. If the primary sub-attribute is omitted, the first element in the addresses array will be selected. Only the streetAddress, locality, region, postalCode and country sub-attributes are supported.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"addresses": [
{
"streetAddress": "1060 W Addison St",
"locality": "Chicago",
"region": "IL",
"postalCode": "60613",
"country": "USA",
"primary": true
}
]
}
To remove a user address, provide the operation sub-attribute set to "delete". An address is only deleted if the streetAddress, locality, region, postalCode and country sub-attribute values all match the current value.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"addresses": [
{
"streetAddress": "1060 W Addison St",
"locality": "Chicago",
"region": "IL",
"postalCode": "60613",
"country": "USA",
"operation": "delete"
}
]
}
roles
Only one user role is stored. The SCIM spec does not specify a canonical type for the roles attribute so both of the following variations are accepted. The role may be specified by setting the primary sub-attribute to true. If the primary sub-attribute is omitted, the first element in the roles array will be selected.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"roles": [
{
"value": "Tech Lead",
"primary": true
}
]
}
or
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"roles": [
"Tech Lead"
]
}
To remove a user's role, provide the operation sub-attribute and set it to "delete".
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"roles": [
{
"value": "Tech Lead",
"operation": "delete"
}
]
}
name
Updates the user's name profile fields. Only the familyName, givenName and honorificPrefix sub-attributes are supported. To update all of the name sub-attributes in one request, use the following request:
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"name": {
"familyName": "Last",
"givenName": "First",
"honorificPrefix": "Ms."
}
}
Otherwise, specify only the sub-attributes to update.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"name": {
"givenName": "First"
}
}
To remove a specific name sub-attribute, use:
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"meta": {
"attributes": [
"name.honorificPrefix"
]
}
}
To remove all of the name sub-attributes, use:
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"meta": {
"attributes": [
"name"
]
}
}
urn:scim:schemas:extension:enterprises:1.0
Updates a user's enterprise profile fields.
managerId sub-attributeIf the manager sub-attribute is specified, the managerId sub-attribute must be specified as well. The value for the managerId sub-attribute can be their valid Slack id, their primary email, or their userName attribute. Each request can use a different type of value for the managerId sub-attribute.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"urn:scim:schemas:extension:enterprise:1.0": {
"employeeNumber": "701984",
"costCenter": "4130",
"organization": "Chicago Cubs",
"division": "Wrigley Field",
"department": "Tour Operations",
"manager": {
"managerId": "U123ABC456"
}
}
}
Otherwise, specify only the sub-attributes to update.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"urn:scim:schemas:extension:enterprise:1.0": {
"manager": {
"managerId": "ernie@example.com"
}
}
}
To remove a specific urn:scim:schemas:extension:enterprise:1.0 sub-attribute, use:
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"meta": {
"attributes": [
"urn:scim:schemas:extension:enterprise:1.0.manager.managerId"
]
}
}
To remove all of the urn:scim:schemas:extension:enterprise:1.0 sub-attributes, use:
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"meta": {
"attributes": [
"urn:scim:schemas:extension:enterprise:1.0"
]
}
}
urn:scim:schemas:extension:slack:guest:1.0
Converts a full member to a multi-channel guest, or converts a multi-channel guest to a full member.
Converting a full member to a multi-channel guest
If the full member is deactivated, this method will reactivate them on conversion.
To convert a full member to a multi-channel guest with an expiration date, use:
{
"schemas": [
"urn:scim:schemas:core:1.0",
"urn:scim:schemas:extension:slack:guest:1.0"
],
"urn:scim:schemas:extension:slack:guest:1.0": {
"type": "multi",
"expiration": "2020-11-30T23:59:59Z"
}
}
To convert a full member to a multi-channel guest without an expiration date, use:
{
"schemas": [
"urn:scim:schemas:core:1.0",
"urn:scim:schemas:extension:slack:guest:1.0"
],
"urn:scim:schemas:extension:slack:guest:1.0": {
"type": "multi"
}
}
To remove the expiration date from a multi-channel guest, use:
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"meta": {
"attributes": [
"urn:scim:schemas:extension:slack:guest:1.0.expiration"
]
}
}
Converting a multi-channel guest to a full member
If the multi-channel guest is deactivated, this method will reactivate them on conversion.
To convert a multi-channel guest to a full member, use:
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"meta": {
"attributes": [
"urn:scim:schemas:extension:slack:guest:1.0"
]
}
}
urn:scim:schemas:extension:slack:profile:1.0
Updates the user's start date profile field.
{
"schemas": [
"urn:scim:schemas:extension:slack:profile:1.0"
],
"urn:scim:schemas:extension:slack:profile:1.0": {
"startDate": "2024-04-10T00:00:00+0000"
},
}
meta
To remove a specific attribute or sub-attributes, use the meta.attributes request.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"meta": {
"attributes": [
"roles",
"name.familyName",
"urn:scim:schemas:extension:enterprise:1.0.department"
]
}
}
PUT /Users/<id>
Updates an existing user resource, overwriting all values for a user even if an attribute is empty or not provided.
If an attribute that had been set previously is left blank during a PUT operation, the new value will be blank in accordance with the data type of the attribute and the storage provider.
Deactivated users can be re-enabled by setting the active attribute to true. The value of the <id> should be the user's corresponding Slack ID, beginning with either U or W.
:::info[Updates to the externalId attribute are not supported.
:::
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"id": "U123ABC456",
"active": false,
"userName": "other_username",
"nickName": "slack_username",
"name": {
"givenName": "First",
"familyName": "Last"
},
"title": "Ms.",
"emails": [
{
"value": "some@email.com",
"primary": true
}
],
"photos": [
{
"value": "https://some.image/url",
"type": "photo"
}
]
}
DELETE /Users/<id>
Sets a Slack user to deactivated.
The value of the <id> should be the user's corresponding Slack ID, beginning with either U or W.
DELETE /scim/v1/Users/42 HTTP/1.1
Host: api.slack.com
Accept: application/json
Authorization: Bearer xoxp-4956040672-4956040692-6476208902-xxxxxx
Groups
Groups are for organizing users in logical divisions across a workspace, such as by team or affinity.
| Endpoint | Description |
|---|---|
GET /Groups/ | Returns a paginated list of groups |
GET /Groups/<id> | Retrieves a single group resource |
POST /Groups | Creates a new group |
PATCH /Groups/<id> | Updates an existing group resource |
PUT /Groups/<id> | Updates an existing group resource, overwriting all values |
DELETE /Groups/<id> | Permanently removes a group |
Group attributes
Attributes are the details associated with a group.
| Slack Group Field | SCIM Attribute | Attribute Type | Required |
|---|---|---|---|
| Name | displayName | String | Required |
| Members | members | Multi-valued | Required |
GET /Groups
Returns a paginated list of groups, ten groups per page by default.
Use the startIndex and count (max 1000) query parameters to paginate long lists of groups. Pagination will be required as of August 30, 2019.
GET /scim/v1/Groups?startIndex=4&count=500 HTTP/1.1
Host: api.slack.com
Accept: application/json
Authorization: Bearer xoxp-4956040672-4956040692-6476208902-xxxxxx
GET /Groups/<id>
Retrieves a single group resource.
GET /scim/v1/Groups/42 HTTP/1.1
Host: api.slack.com
Accept: application/json
Authorization: Bearer xoxp-4956040672-4956040692-6476208902-xxxxxx
POST /Groups
Creates a new group.
Must include the displayName attribute (as defined in the schema specification). Users (regular and/or multi-channel guest users) can be added to the group during creation by supplying the Slack user ID values in the members array attribute.
Although 15,000 users can be added per call, we recommend a batch size of no more than 5,000 users.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"displayName": "Group Name",
"members": [
{
"value": "U111AAA111"
},
{
"value": "U222BBB222"
}
]
}
PATCH /Groups/<id>
Updates an existing group resource, allowing individual (or groups of) users (regular and/or multi-channel guest users) to be added or removed from the group with a single operation.
Setting the operation attribute of a member object to delete will remove members from a group; add is the default operation for PATCH. More details on editing a resource with PATCH.
Although 15,000 users can be modified per call, we recommend a batch size of no more than 5,000 users.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"members": [
{
"value": "U111AAA111"
},
{
"value": "U222BBB222",
"operation": "delete"
},
{
"value": "U333CCC333"
}
]
}
PUT /Groups/<id>
Updates an existing group resource, overwriting all values for a group even if an attribute is empty or not provided.
PUT will replace all members of a group with those members provided via the members attribute. If an attribute that had been set previously is left blank during a PUT operation, the new value will be blank in accordance with the data type of the attribute and the storage provider.
Although 15,000 users can be modified per call, we recommend a batch size of no more than 5,000 users.
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"displayName": "New Group Name",
"members": [
{
"value": "U111AAA111"
}
]
}
DELETE /Groups/<id>
Permanently removes a group (members are not deleted, only the group).
DELETE /scim/v1/Groups/42 HTTP/1.1
Host: api.slack.com
Accept: application/json
Authorization: Bearer xoxp-4956040672-4956040692-6476208902-xxxxxx
Filter
For methods that return a list, such as GET /Users, it's possible to filter the list by the username, email, restricted, and ultra_restricted attributes, and return only the values matching that filter. The following rules apply:
- The filter parameter must contain one valid boolean operator
- Each expression must contain an attribute name followed by an attribute operator, (also supports an optional value)
- Multiple expressions may be combined using two logical operators.
- Expressions can be grouped together using "( )"
- Expressions must be evaluated using standard order of operations
- String literals must be valid JSON strings
The following is a list of valid operators:
| Operator | Description |
|---|---|
| eq | equal |
| co | contains |
| sw | starts with |
| pr | present value |
| gt | greater than |
| ge | greater than or equal |
| lt | less than |
| le | less than or equal |
| and | logical And |
| or | logical Or |
Attribute name and attribute operator are case insensitive. For example, the following two expressions will evaluate to the same logical value:
filter=userName Eq "Carly"
filter=username eq "carly"
Filters may be applied to the username and email user attributes, with the addition of two membership filters:
| Attribute Name | SCIM Attribute | Attribute Type |
|---|---|---|
| Multi-Channel-Guest | restricted | Singular |
| Single-Channel-Guest | ultra_restricted | Singular |
The following would return a list of all multi-channel guests of a workspace:
GET /scim/v1/Users?filter=restricted eq '1' HTTP/1.1
Host: api.slack.com
Accept: application/json
Authorization: Bearer xoxp-4956040672-4956040692-6476208902-xxxxxx
Errors
Occasionally, interacting with our APIs will result in an error instead of the result you're expecting. Slack will make every attempt to respond with a descriptive error message that will help you figure out what went wrong and how to fix it.
| Error | Description |
|---|---|
addresses_invalid | The addresses attribute provided is invalid. |
bad_email_address | The email address provided does not exist or was poorly formatted. |
bad_endpoint | The endpoint URL does not exist. |
cannot_make_user_guest | Admins, Owners and Primary owners cannot be made guests via SCIM. |
cannot_decode_user_id | The given user ID cannot be decoded. |
cannot_modify_owner | A Workspace's ownership can not be modified via SCIM, please use the Slack admin. |
cannot_modify_gdpr | Users who have had their personal information forgotten under GDPR can not be modified. |
cannot_disable_bot_user_with_scim | The SCIM API can not be used to deactivate a bot user, this must be done via the bot admin. |
cannot_disable_primary_owner | The primary owner of a Workspace can not be deactivated. If this user needs to be deactivated, please make another team member the primary owner first. |
email_empty | The user's primary email is missing from the request. |
email_invalid | The provided user email values are invalid. |
email_taken | The provided user email value already exists. |
emails_invalid | The emails attribute provided is invalid. |
failed_to_remove_users_for_linked_subteam | An error occurred when removing users from this IDP group. |
group_members_create_failed | An error occurred during an update to a user group. |
group_member_max_exceeded | 15k is the recommended limit for IDP groups, The maximum is 4k for user groups. Additional users cannot be added unless some are removed. |
group_creation_failed | The request to create a user group has failed. |
groups_invalid | The groups attribute provided is invalid. |
idp_group_linked_to_channels | This IDP group is linked to one or more channels via admin.conversations.restrictAccess.addGroup. You must call admin.conversations.restrictAccess.removeGroup for each link before you can delete the group. |
improper_enterprise_schema_format | The urn:scim:schemas:extension:enterprise:1.0.manager sub-attribute is missing the required managerId sub-attribute. |
incomplete_filter | A malformed filter query has been specified. Please check that the filter are separated by a single space. filter=attribute eq "value" |
invalid_attribute_format | A singular or multi-valued attribute has been specified with the wrong type. |
invalid_authentication | There's a problem with the OAuth token. It may not have been granted the proper admin scope or may not have been installed by an administrator. The token may also be malformed or not properly sent via an Authorization header with a type of Bearer. |
invalid_display_name | The provided display name is not allowed. Only send the display name from your IDP upon account creation (not upon subsequent updates or to sync to a Slack account), or disable the Allow users to change their display name setting. |
invalid_emoji_not_allowed | An attribute value contains an emoji. |
invalid_filter_group | The provided filter contains a group that is malformed. |
invalid_name_maxlength | The provided display name is not allowed because it exceeds the maximum allowable characters. |
invalid_name_specials | The provided display name is not allowed because it is using invalid special characters such as @. |
invalid_name_required | Only a string containing spaces has been provided for both the givenName and familyName sub-attributes. |
invalid_query | There's a problem with the filter parameter. Please check that the entities and operators are valid. |
invalid_request_payload | The provided request payload may contain unsupported attributes or properties. |
invalid_reserved_word | A reserved word has been specified in an attribute. |
invalid_starts_with_at | The displayName attribute value provided starts with an @ |
invalid_sort_order | The sortOrder parameter is not equal to ascending or descending. |
long_nickname | The nickName parameter is longer than we allow. Max length is 21 characters. |
method_not_allowed | Unsupported http method provided. Only GET, POST, PUT, PATCH and DELETE are supported. |
missing_authentication | The authentication token is missing. |
missing_primary_email | The request is attempting to remove the primary email without providing a replacement value. |
missing_schema_element | The schemas attribute is missing from the request. |
missing_group_id | The group ID has not been specified. |
missing_user_id | The user ID has not been specified. |
no_filters | The filter query parameter was provided but no filters were specified. |
no_such_group | The group provided does not exist. |
no_such_group_members | The group members provided do not exist. |
no_such_user | The user provided does not exist. |
non_org_teams_only | When using SCIM on an Enterprise Grid organization, the app must be installed on the organization, not individual workspaces. SCIM methods are called against the entire Grid organization. |
query_building_failed | The provided filter did not translate to a proper database query. |
database_query_failure | An error was encountered while executing a filter. |
password_change_not_allowed | Updates to the password attribute via SCIM is prohibited. |
permission_denied | The OAuth token has not been granted permission to perform the requested action. |
phoneNumbers_invalid | The phoneNumbers attribute provided is invalid. |
photos_invalid | The photos attribute provided is invalid. |
plus_teams_only | The SCIM APIs are only available for Business+ and Enterprise Grid plans. SCIM access is not available for Free and Pro plans. |
primary_owner_check_failure | The primary owner of a Workspace within an organization can not deactivated. If this user needs to be deactivated, please make another team member the primary owner first. |
resource_locked | The app is making too many requests over a short period of time for group update requests. Please make fewer requests to stay within Slack's rate limits. |
roles_invalid | The roles attribute provided is invalid. |
too_many_requests | The app is making too many requests over a short period of time. Please make fewer requests to stay within Slack's rate limits. |
too_many_users | The request to update a Group contains more than 15,000 users. Please make the request with smaller batches of users. |
truncation_error | The userName could not be truncated in an attempt to avoid a username conflict for the organization. |
unable_to_add_deleted_or_guest_to_group | Deleted or guest users cannot be added to the Group. |
unable_to_create_team_profile_fields | An error occurred during custom profile creation. |
unknown_user | The user provided does not exist. |
unsupported_version | The provided SCIM version is not supported. |
user_creation_failed | The specified user already exists or an error was encountered when attempting to create a user. |
username_empty | The userName attribute is empty when the user's endpoint is invoked via PUT or POST |
username_invalid | The userName attribute provided is invalid. |
username_not_allowed | The provided userName is reserved. |
username_required | This method requires a username parameter. |
username_taken | When provisioning a new user via SCIM, usernames must be unique and must also be unique from channel names. |
username_too_long | The specified username is too long (max length is 21 characters). |
Concurrency
The SCIM API only allows one update to a user or group at a time (by locking the user or group while the update is in progress). Locking prevents overlapping requests, which can cause unpredictable results.
As a consequence, if you attempt to send multiple non-GET requests to the same user or group, and that user or group is still being updated from a previous request, you'll see a 429 HTTP response code. The 429 code will be returned with a retry-after header—wait for the time specified in that header to resend the request.