# OpenAPI 3.0 description of the Scalekit management REST API: document
# metadata, server templates, the default security requirement and tag list.
openapi: 3.0.1
info:
  title: Scalekit API
  description: >-
    Scalekit is the authentication platform for B2B SaaS and AI agents. The
    REST API provides programmatic access to enterprise Single Sign-On
    (SAML / OIDC connections), SCIM directory provisioning, organizations,
    users and memberships, organization roles, machine-to-machine (M2M)
    authentication, and agent / MCP connected accounts and tool execution.
    The API base URL is per-environment; access tokens are obtained via the
    OAuth 2.0 client credentials grant and passed as Bearer tokens.
  termsOfService: https://www.scalekit.com/legal/terms-of-service
  contact:
    name: Scalekit Support
    url: https://www.scalekit.com
    email: support@scalekit.com
  version: '1.0'

# Both servers are HTTPS-only templates; `environment` selects the tenant
# subdomain and defaults to a placeholder that must be replaced.
servers:
  - url: https://{environment}.scalekit.com
    description: Production environment (per-tenant subdomain)
    variables:
      environment:
        default: your-subdomain
        description: Your Scalekit environment subdomain.
  - url: https://{environment}.scalekit.dev
    description: Development environment (per-tenant subdomain)
    variables:
      environment:
        default: your-subdomain
        description: Your Scalekit development environment subdomain.

# Document-level requirement: every operation needs a Bearer token unless the
# operation declares its own `security` (the token endpoint does, with `[]`).
security:
  - bearerAuth: []

tags:
  - name: Authentication
    description: OAuth 2.0 client credentials token issuance.
  - name: Organizations
    description: Create and manage tenant organizations.
  - name: Organization Settings
    description: Toggle feature settings on an organization.
  - name: Admin Portal
    description: Generate self-service admin portal links.
  - name: Connections
    description: Enterprise SSO connections (SAML / OIDC).
  - name: Directories
    description: SCIM directories and synced directory users and groups.
  - name: Users & Memberships
    description: Organization user membership lifecycle and invitations.
  - name: Roles
    description: Organization roles and permissions.
  - name: M2M Clients
    description: Machine-to-machine API auth clients and tokens.
  - name: Connected Accounts
    description: Agent / MCP connected accounts and tool execution.
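# Operations. Every operation except createToken inherits the document-level
# bearerAuth requirement, so each of them lists the shared Unauthorized (401)
# response alongside its own outcomes.
paths:
  /oauth/token:
    post:
      operationId: createToken
      tags:
        - Authentication
      summary: Issue an access token (client credentials)
      description: >-
        Exchange a client_id and client_secret for a short-lived Bearer access
        token using the OAuth 2.0 client credentials grant. The returned token
        authorizes all subsequent management API calls.
      # Empty requirement list: overrides the document-level bearerAuth, since
      # this call authenticates with the client credentials in the form body.
      security: []
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/TokenRequest'
      responses:
        '200':
          description: Access token issued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'

  /api/v1/organizations:
    get:
      operationId: listOrganizations
      tags:
        - Organizations
      summary: List organizations
      parameters:
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PageToken'
      responses:
        '200':
          description: A list of organizations.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListOrganizationsResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
    post:
      operationId: createOrganization
      tags:
        - Organizations
      summary: Create an organization
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateOrganizationRequest'
      responses:
        '201':
          description: Organization created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OrganizationResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'

  /api/v1/organizations/{id}:
    parameters:
      - $ref: '#/components/parameters/OrganizationId'
    get:
      operationId: getOrganization
      tags:
        - Organizations
      summary: Get an organization
      responses:
        '200':
          description: The organization.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OrganizationResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    patch:
      operationId: updateOrganization
      tags:
        - Organizations
      summary: Update an organization
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateOrganizationRequest'
      responses:
        '200':
          description: Organization updated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OrganizationResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      operationId: deleteOrganization
      tags:
        - Organizations
      summary: Delete an organization
      responses:
        '204':
          description: Organization deleted.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'

  /api/v1/organizations/{id}/settings:
    parameters:
      - $ref: '#/components/parameters/OrganizationId'
    patch:
      operationId: updateOrganizationSettings
      tags:
        - Organization Settings
      summary: Update organization settings
      description: Toggle feature settings (e.g. sso, scim, directory_sync) on an organization.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/OrganizationSettings'
      responses:
        '200':
          description: Settings updated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OrganizationResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'

  /api/v1/organizations/{id}/portal_links:
    parameters:
      - $ref: '#/components/parameters/OrganizationId'
    put:
      operationId: createPortalLink
      tags:
        - Admin Portal
      summary: Generate an admin portal link
      description: >-
        Generate a self-service admin portal link that an organization
        administrator can use to configure SSO and SCIM without leaving your
        application.
      # No request body is declared; the organization comes from the path.
      # NOTE(review): presumably possession of the returned URL is what grants
      # portal access until expire_time - confirm, and if so keep it out of logs.
      responses:
        '200':
          description: Portal link generated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PortalLink'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'

  /api/v1/connections:
    get:
      operationId: listConnections
      tags:
        - Connections
      summary: List connections
      description: Retrieve a list of SSO connections in the environment.
      parameters:
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PageToken'
        - name: organization_id
          in: query
          required: false
          description: Filter connections by organization.
          schema:
            type: string
      responses:
        '200':
          description: A list of connections.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListConnectionsResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'

  /api/v1/organizations/{organization_id}/connections:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
    get:
      operationId: listOrganizationConnections
      tags:
        - Connections
      summary: List an organization's connections
      responses:
        '200':
          description: A list of the organization's SSO connections.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListConnectionsResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'

  /api/v1/organizations/{organization_id}/connections/{id}:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
      - $ref: '#/components/parameters/ConnectionId'
    get:
      operationId: getConnection
      tags:
        - Connections
      summary: Get a connection
      description: Retrieve configuration and status details for a specific SSO connection.
      responses:
        '200':
          description: The connection.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Connection'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'

  /api/v1/organizations/{organization_id}/directories:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
    get:
      operationId: listDirectories
      tags:
        - Directories
      summary: List directories
      description: List SCIM directories configured for an organization.
      responses:
        '200':
          description: A list of directories.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListDirectoriesResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'

  /api/v1/organizations/{organization_id}/directories/{directory_id}:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
      - $ref: '#/components/parameters/DirectoryId'
    get:
      operationId: getDirectory
      tags:
        - Directories
      summary: Get a directory
      responses:
        '200':
          description: The directory.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Directory'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'

  /api/v1/organizations/{organization_id}/directories/{directory_id}/users:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
      - $ref: '#/components/parameters/DirectoryId'
    get:
      operationId: listDirectoryUsers
      tags:
        - Directories
      summary: List directory users
      description: Fetch users provisioned via SCIM into a directory on demand.
      parameters:
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PageToken'
      responses:
        '200':
          description: A list of directory users.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListDirectoryUsersResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'

  /api/v1/organizations/{organization_id}/directories/{directory_id}/groups:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
      - $ref: '#/components/parameters/DirectoryId'
    get:
      operationId: listDirectoryGroups
      tags:
        - Directories
      summary: List directory groups
      description: Fetch groups provisioned via SCIM into a directory on demand.
      parameters:
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PageToken'
      responses:
        '200':
          description: A list of directory groups.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListDirectoryGroupsResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'

  /api/v1/memberships/organizations/{organization_id}/users/{id}:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
      - $ref: '#/components/parameters/UserId'
    post:
      operationId: addMembership
      tags:
        - Users & Memberships
      summary: Add a user to an organization
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MembershipRequest'
      responses:
        '201':
          description: User added to organization.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Membership'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    patch:
      operationId: updateMembership
      tags:
        - Users & Memberships
      summary: Update a membership
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MembershipRequest'
      responses:
        '200':
          description: Membership updated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Membership'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      operationId: removeMembership
      tags:
        - Users & Memberships
      summary: Remove a user from an organization
      responses:
        '204':
          description: User removed.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'

  /api/v1/invites/organizations/{organization_id}/users/{id}/resend:
    parameters:
      - $ref: '#/components/parameters/OrganizationIdPath'
      - $ref: '#/components/parameters/UserId'
    patch:
      operationId: resendInvite
      tags:
        - Users & Memberships
      summary: Resend a user invitation
      responses:
        '200':
          description: Invitation resent.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Membership'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'

  /api/v1/organizations/{org_id}/roles:
    # This path declares its organization parameter inline as `org_id`; the
    # other organization-scoped paths use the shared `id` / `organization_id`
    # components. The name is kept as-is because it is part of the interface.
    parameters:
      - name: org_id
        in: path
        required: true
        description: Organization identifier.
        schema:
          type: string
    get:
      operationId: listRoles
      tags:
        - Roles
      summary: List organization roles
      responses:
        '200':
          description: A list of roles.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListRolesResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    post:
      operationId: createRole
      tags:
        - Roles
      summary: Create an organization role
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RoleRequest'
      responses:
        '201':
          description: Role created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Role'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'

  /api/v1/connected_accounts:
    get:
      operationId: listConnectedAccounts
      tags:
        - Connected Accounts
      summary: List connected accounts
      description: List agent connected accounts (authorized third-party connectors).
      parameters:
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PageToken'
      responses:
        '200':
          description: A list of connected accounts.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListConnectedAccountsResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
    post:
      operationId: createConnectedAccount
      tags:
        - Connected Accounts
      summary: Create a connected account
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ConnectedAccountRequest'
      responses:
        '201':
          description: Connected account created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ConnectedAccount'
        '401':
          $ref: '#/components/responses/Unauthorized'
    put:
      operationId: updateConnectedAccountCredentials
      tags:
        - Connected Accounts
      summary: Update connected account credentials
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ConnectedAccountRequest'
      responses:
        '200':
          description: Credentials updated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ConnectedAccount'
        '401':
          $ref: '#/components/responses/Unauthorized'

  /api/v1/connected_accounts/magic_link:
    post:
      operationId: createConnectedAccountMagicLink
      tags:
        - Connected Accounts
      summary: Generate an authorization magic link
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MagicLinkRequest'
      responses:
        '200':
          description: Magic link generated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MagicLink'
        '401':
          $ref: '#/components/responses/Unauthorized'

  /api/v1/execute_tool:
    post:
      operationId: executeTool
      tags:
        - Connected Accounts
      summary: Execute a tool
      description: >-
        Execute a tool action on behalf of a user through a connected account
        (e.g. fetch emails, create a CRM record). Core of the agent / MCP auth
        product.
      # The account to act for is named by the caller in the request body
      # (`identifier`). NOTE(review): this document does not show how the
      # caller's entitlement to that account is checked - confirm server-side.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ExecuteToolRequest'
      responses:
        '200':
          description: Tool executed.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ExecuteToolResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'

components:
  securitySchemes:
    # The scheme named by the document-level `security` requirement.
    bearerAuth:
      type: http
      scheme: bearer
      description: OAuth 2.0 client-credentials access token passed as a Bearer token.
    # Declared for tooling; the document-level `security` requirement lists
    # only bearerAuth, so no operation references this scheme.
    oauth2ClientCredentials:
      type: oauth2
      flows:
        clientCredentials:
          # Relative reference, resolved against the selected `servers` entry
          # so each environment uses its own token endpoint. Server variables
          # such as {environment} are not expanded inside tokenUrl.
          tokenUrl: /oauth/token
          scopes: {}

  parameters:
    PageSize:
      name: page_size
      in: query
      required: false
      description: Maximum number of results per page.
      # No minimum or maximum is declared here.
      # NOTE(review): confirm the server enforces an upper bound.
      schema:
        type: integer
        default: 20
    PageToken:
      name: page_token
      in: query
      required: false
      description: Opaque token for the next page of results.
      schema:
        type: string
    OrganizationId:
      name: id
      in: path
      required: true
      description: Organization identifier.
      schema:
        type: string
    OrganizationIdPath:
      name: organization_id
      in: path
      required: true
      description: Organization identifier.
      schema:
        type: string
    ConnectionId:
      name: id
      in: path
      required: true
      description: Connection identifier.
      schema:
        type: string
    DirectoryId:
      name: directory_id
      in: path
      required: true
      description: Directory identifier.
      schema:
        type: string
    UserId:
      name: id
      in: path
      required: true
      description: User identifier.
      schema:
        type: string

  responses:
    Unauthorized:
      description: Authentication failed or access token missing/expired.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    NotFound:
      description: The requested resource was not found.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'

  schemas:
    Error:
      type: object
      properties:
        code:
          type: string
        message:
          type: string
        details:
          type: array
          items:
            type: object

    TokenRequest:
      type: object
      required:
        - grant_type
        - client_id
        - client_secret
      properties:
        grant_type:
          type: string
          enum:
            - client_credentials
        client_id:
          type: string
        client_secret:
          type: string
          # Hint for documentation UIs and generators to mask this value.
          format: password
    TokenResponse:
      type: object
      properties:
        access_token:
          type: string
        token_type:
          type: string
          example: Bearer
        expires_in:
          type: integer
          description: Lifetime in seconds.

    Organization:
      type: object
      properties:
        id:
          type: string
        external_id:
          type: string
        display_name:
          type: string
        region_code:
          type: string
        metadata:
          type: object
          additionalProperties:
            type: string
        settings:
          $ref: '#/components/schemas/OrganizationSettings'
        create_time:
          type: string
          format: date-time
        update_time:
          type: string
          format: date-time
    OrganizationResponse:
      type: object
      properties:
        organization:
          $ref: '#/components/schemas/Organization'
    ListOrganizationsResponse:
      type: object
      properties:
        organizations:
          type: array
          items:
            $ref: '#/components/schemas/Organization'
        next_page_token:
          type: string
        total_size:
          type: integer
    CreateOrganizationRequest:
      type: object
      required:
        - display_name
      properties:
        display_name:
          type: string
        external_id:
          type: string
        metadata:
          type: object
          additionalProperties:
            type: string
    UpdateOrganizationRequest:
      type: object
      properties:
        display_name:
          type: string
        external_id:
          type: string
        metadata:
          type: object
          additionalProperties:
            type: string
    OrganizationSettings:
      type: object
      properties:
        features:
          type: array
          items:
            type: object
            properties:
              name:
                type: string
                example: sso
              enabled:
                type: boolean

    PortalLink:
      type: object
      properties:
        location:
          type: string
          format: uri
          description: The admin portal URL.
        expire_time:
          type: string
          format: date-time

    Connection:
      type: object
      properties:
        id:
          type: string
        organization_id:
          type: string
        provider:
          type: string
          example: okta
        type:
          type: string
          enum:
            - SSO_SAML
            - SSO_OIDC
        status:
          type: string
          enum:
            - DRAFT
            - PENDING
            - ACTIVE
            - INACTIVE
        enabled:
          type: boolean
        create_time:
          type: string
          format: date-time
    ListConnectionsResponse:
      type: object
      properties:
        connections:
          type: array
          items:
            $ref: '#/components/schemas/Connection'
        next_page_token:
          type: string

    Directory:
      type: object
      properties:
        id:
          type: string
        organization_id:
          type: string
        directory_type:
          type: string
          example: SCIM
        directory_provider:
          type: string
          example: okta
        status:
          type: string
          enum:
            - PENDING
            - ACTIVE
            - INACTIVE
        enabled:
          type: boolean
        last_sync_time:
          type: string
          format: date-time
    ListDirectoriesResponse:
      type: object
      properties:
        directories:
          type: array
          items:
            $ref: '#/components/schemas/Directory'
        next_page_token:
          type: string
    DirectoryUser:
      type: object
      properties:
        id:
          type: string
        email:
          type: string
        preferred_username:
          type: string
        given_name:
          type: string
        family_name:
          type: string
        active:
          type: boolean
        roles:
          type: array
          items:
            type: string
    ListDirectoryUsersResponse:
      type: object
      properties:
        users:
          type: array
          items:
            $ref: '#/components/schemas/DirectoryUser'
        next_page_token:
          type: string
        total_size:
          type: integer
    DirectoryGroup:
      type: object
      properties:
        id:
          type: string
        display_name:
          type: string
        external_id:
          type: string
    ListDirectoryGroupsResponse:
      type: object
      properties:
        groups:
          type: array
          items:
            $ref: '#/components/schemas/DirectoryGroup'
        next_page_token:
          type: string

    Membership:
      type: object
      properties:
        user_id:
          type: string
        organization_id:
          type: string
        roles:
          type: array
          items:
            type: string
        membership_status:
          type: string
          enum:
            - PENDING_INVITE
            - ACTIVE
    MembershipRequest:
      type: object
      properties:
        roles:
          type: array
          items:
            type: string
        metadata:
          type: object
          additionalProperties:
            type: string

    Role:
      type: object
      properties:
        id:
          type: string
        name:
          type: string
        display_name:
          type: string
        description:
          type: string
        permissions:
          type: array
          items:
            type: string
    ListRolesResponse:
      type: object
      properties:
        roles:
          type: array
          items:
            $ref: '#/components/schemas/Role'
    RoleRequest:
      type: object
      required:
        - name
      properties:
        name:
          type: string
        display_name:
          type: string
        description:
          type: string
        permissions:
          type: array
          items:
            type: string

    ConnectedAccount:
      type: object
      properties:
        id:
          type: string
        connector:
          type: string
          example: gmail
        identifier:
          type: string
        status:
          type: string
          enum:
            - PENDING
            - ACTIVE
            - REVOKED
        authorization_type:
          type: string
          enum:
            - OAUTH2
            - API_KEY
        create_time:
          type: string
          format: date-time
    ListConnectedAccountsResponse:
      type: object
      properties:
        connected_accounts:
          type: array
          items:
            $ref: '#/components/schemas/ConnectedAccount'
        next_page_token:
          type: string
    ConnectedAccountRequest:
      type: object
      required:
        - connector
        - identifier
      properties:
        connector:
          type: string
        identifier:
          type: string
        # Free-form object. The credentials-update operation sends this schema,
        # so it presumably carries connector secrets.
        # NOTE(review): confirm, and treat the field as sensitive in logs.
        authorization_details:
          type: object
          additionalProperties: true

    MagicLinkRequest:
      type: object
      required:
        - connector
        - identifier
      properties:
        connector:
          type: string
        identifier:
          type: string
    MagicLink:
      type: object
      properties:
        # NOTE(review): presumably usable by whoever holds it until
        # expire_time - confirm before logging or forwarding it.
        link:
          type: string
          format: uri
        expire_time:
          type: string
          format: date-time

    ExecuteToolRequest:
      type: object
      required:
        - tool_name
        - identifier
      properties:
        tool_name:
          type: string
        connection_name:
          type: string
        identifier:
          type: string
          description: The connected account identifier to act on behalf of.
        # Free-form per-tool arguments; this schema places no constraint on them.
        tool_input:
          type: object
          additionalProperties: true
    ExecuteToolResponse:
      type: object
      properties:
        data:
          type: object
          additionalProperties: true
        execution_id:
          type: string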