localskills.sh implements the SCIM 2.0 protocol for automated user lifecycle management through Better Auth. It works with Okta, Azure AD, OneLogin, and any other SCIM 2.0–compliant identity provider.

Configuring SCIM requires the team owner role.

SCIM base URL

https://localskills.sh/api/auth/scim/v2

Generate a Better Auth SCIM provider token from your team's SSO & Provisioning settings page. Tokens are scoped to the selected provider ID and displayed only once at creation time.

Configure the token as Bearer authentication in your identity provider's SCIM integration.

Your identity provider pushes create, update, and delete events to the SCIM endpoint. New users are assigned the member role by default. Deactivated users are automatically removed from the team.

Supported SCIM attributes:

• userName — email address
• name.formatted — display name
• externalId — IdP identifier
• active — account status

Your identity provider can push SCIM groups to localskills.sh. Better Auth handles SCIM group records and membership changes through the shared SCIM endpoint.

SCIM-provisioned users use Better Auth organization role behavior. The owner role remains protected from SCIM deactivation to prevent accidental lockout.