Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.base44.com/llms.txt

Use this file to discover all available pages before exploring further.

SCIM (System for Cross-domain Identity Management) lets your identity provider (IdP) automatically manage Base44 workspace members. When someone joins or leaves your organization in your IdP, Base44 is updated automatically, with no manual invites or removals needed.
SCIM provisioning is available on enterprise workspaces only.
Base44 supports SCIM 2.0 with the following identity providers:
  • Okta
  • Microsoft Entra ID (formerly Azure AD)
  • Custom IdP, any SCIM 2.0-compatible identity provider

Before you begin

Before setting up SCIM, make sure you have:
  • Owner or admin access to your Base44 workspace
  • A Workspace API key (found in SettingsSecrets)
  • Your SCIM Base URL (found in SettingsAuth and security)
SCIM settings in Base44 workspace

IdP setup

Select your identity provider below for step-by-step setup instructions.
Okta is a cloud-based identity provider. Use this setup if your organization manages users through Okta.

Step 1: Create a SCIM app in Okta

Okta OIDC apps do not support SCIM directly, so you need a separate SCIM app.To create a SCIM app:
  1. In Okta, go to ApplicationsBrowse App Catalog.
  2. Search for SCIM 2.0 Test App (Header Auth).
  3. Click Add Integration.
  4. Name the app (for example, Base44 - SCIM Provisioning).
  5. Click Done.
Okta App Catalog showing SCIM 2.0 Test App

Step 2: Connect the app to Base44

Point Okta to your Base44 workspace by entering your SCIM Base URL and Workspace API key.To configure the API integration:
  1. Open your new SCIM app and go to the Provisioning tab.
  2. Click Configure API Integration.
  3. Check Enable API integration.
  4. Set the SCIM 2.0 Base URL to the URL copied from SettingsAuth and security in your Base44 workspace.
  5. Set API Token to your Workspace API key.
  6. Click Test API Credentials. You should see a success confirmation.
  7. Click Save.
Okta SCIM Integration settings

Step 3: Enable provisioning actions

Choose which actions Okta can perform on Base44 workspace members.To enable provisioning:
  1. In the Provisioning tab, click To App.
  2. Enable:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  3. Click Save.
Okta provisioning settings showing create, update, and deactivate toggles

Step 4: Set up custom attributes

Add Base44-specific attributes to your Okta profile and map them to your SCIM app.To add the role attribute:
  1. Go to DirectoryProfile Editor and find your SCIM app.
  2. Click Add Attribute.
  3. Fill in the settings:
    • Data type: String
    • Display name: Role
    • Variable name: role
    • External name: role
    • External namespace: urn:base44:params:scim:schemas:extension:user:2.0
    • Enum: Check Define enumerated list of values and add admin, editor, viewer
    • Attribute required: No
  4. Click Save.
To add the creditLimit attribute (optional):Skip this if you do not want per-member credit caps. The default is no cap.
  1. In the same Profile Editor, click Add Attribute.
  2. Fill in the settings:
    • Data type: Integer
    • Display name: Credit Limit
    • Variable name: creditLimit
    • External name: creditLimit
    • External namespace: urn:base44:params:scim:schemas:extension:user:2.0
    • Attribute required: No
  3. Click Save.
To map the attributes:
  1. Go to your SCIM app → ProvisioningTo AppAttribute Mappings.
  2. Set:
    • userNameuser.email
    • role"editor" (or map from your IdP’s role attribute)
    • creditLimit ← your preferred value or IdP attribute (if you added it)
  3. Remove any unsupported mappings (firstName, lastName, displayName).
  4. Click Save.

Step 5: Test provisioning

Assign a test user to confirm that provisioning and deactivation work as expected.
Each user must be assigned to both your Base44 SSO app and your Base44 SCIM Provisioning app in Okta. Assigning to SCIM only will provision the user but they will not be able to log in via SSO.User assigned to both Base44 SSO and SCIM apps in Okta
To test that provisioning works:
  1. In Okta, go to DirectoryPeople.
  2. Click on your test user.
  3. Go to the Applications tab.
  4. Click Assign Applications.
  5. Select Base44 - SSO Workspace and Base44 - SCIM Provisioning, then click Assign.
  6. Set role to editor, admin, or viewer. Optionally set creditLimit.
  7. Click Save and Go BackDone.
  8. Check your Base44 workspace members to confirm the user appeared.
To test deactivation:
  1. In the Assignments tab, click Unassign next to the test user.
  2. Confirm the removal.
  3. Check that the user no longer appears as an active member in Base44.
Okta showing user provisioned status

Managing your members

Once SCIM is set up, your IdP handles membership changes automatically. Here is what happens in Base44 for each action.

Adding members

When you assign a user to your SCIM app, Base44 creates their workspace membership automatically. The user can sign in to Base44 using SSO once they are provisioned.

Updating members

When you update a user’s attributes in your IdP (such as their role or credit limit), Base44 updates their workspace membership to match.
Workspace owners cannot be updated or deactivated via SCIM. Owners must be promoted or demoted from the workspace settings directly.

Removing members

When you unassign a user from your SCIM app, Base44 removes them from the workspace. Their platform-wide Base44 account is not deleted, and they retain access to any other workspaces they belong to. If you need to re-add a previously removed member, re-assign them in your IdP. Base44 will create a new workspace membership.

Roles

Base44 uses roles to control what each member can do. You assign a role when provisioning a user via SCIM, and you can update it at any time.
RoleWhat they can do
adminManage members, billing, and workspace settings
editorBuild, edit, and run apps; uses credits from the workspace pool
viewerRead-only access to apps; does not consume credits
owner, member, and guest roles cannot be assigned via SCIM. If your IdP has groups mapped to those roles, update the mapping to use admin, editor, or viewer instead.

Per-member credit limits

You can optionally cap how many credits a single member can use per month. Set creditLimit to a positive integer to apply a cap, or leave it empty for no limit. Credit limits only apply to admin and editor roles. Viewers cannot consume credits, so setting a credit limit on a viewer returns an error. Setting creditLimit to 0 is treated as no cap. You can also set credit limits directly from your workspace settings without going through SCIM. To set a credit limit for a member:
  1. Click your workspace name at the top left.
  2. Click Settings.
  3. Click Members.
  4. Click the More Actions icon ••• next to the relevant member.
  5. Click Set credit limit, enter the limit, and click Save.
Members settings showing Set credit limit option

Troubleshooting

If provisioning is not working as expected, the steps below cover the most common errors and how to fix them.
Check that your Workspace API key is correct. Verify the SCIM Base URL was copied from Settings → Auth and security and has not been modified.
Check your IdP’s provisioning logs for specific errors. Confirm role is set to admin, editor, or viewer.
This is by design. Workspace owners must be promoted or demoted from the Base44 dashboard. SCIM cannot modify owner memberships.
creditLimit can only be set on admin or editor roles. Either change the role to editor or admin, or remove the creditLimit value.