You can use SCIM (System for Cross-domain Identity Management) to manage your workspace’s members in Zeplin through an Identity Provider of your choice.

☝️ This feature is currently only available to teams on the Enterprise Plan.

What can you do with SCIM?

When you set up SCIM provisioning, the Enterprise workspace owner or admins will be able to automate critical features of member management in Zeplin.

Inviting a new member into your Zeplin workspace

Provisioning new user access to the Zeplin app in your identity provider will automatically create a user account in Zeplin. This new user will also be invited to your workspace with the role details you’ve already set up through a settings page in Zeplin (see Enabling User Provisioning section below for more information).

Removing members from your Zeplin workspace

If a user leaves your organization, de-provisioning the user from the Zeplin app in your identity provider will automatically trigger an action to remove the user from your workspace in Zeplin.

⚠️ Even though users will lose access to your workspace, they can still use their Zeplin account with their personal workspaces and other team workspaces.

Enabling User Provisioning

To enable user provisioning with SCIM, Enterprise workspace admins should complete the following steps in Zeplin.

  • Login to your Enterprise workspace and navigate to the “Workspace Settings” page.

  • On the workspace settings page, click the “User Provisioning” tab.

  • Click the “Create SCIM token” button then copy the generated token into your clipboard. You’ll use this token and Zeplin’s SCIM API URL ( while configuring your identity provider to allow SCIM provisioning for your Zeplin workspace.

    • The SCIM token is displayed only once to protect the security of your account.

    • You can always delete an existing token and generate a new one. Do not forget to update your identity provider to use the new token after such an action.

  • Go through the SCIM configuration details.

    • You can enable/disable SCIM provisioning anytime without revoking your SCIM token entirely.

    • While provisioning a new user into your workspace, Zeplin uses the role details decided in these settings. Make sure you choose the right option for your team.

  • Configure your identity provider with the provided information (URL and token) and start automating your member management actions.

⚠️ If you own multiple workspaces in Zeplin, you need to repeat these steps for each of your workspaces.

Disabling User Provisioning

You can disable user provisioning by clicking the Settings button at the top of your Workspace Members page and going to the “User provisioning” tab. There, you’ll see two options:

  • To disable SCIM provisioning temporarily, uncheck the option box for “Enable user provisioning with SCIM”.

  • To disable SCIM provisioning entirely, delete the existing token.

☝️ Deleting the token will cause authentication between your identity provider and Zeplin’s SCIM API to fail, which means SCIM actions will also fail. You may also need to remove the Zeplin app from your identity provider after this action.

Configuring Your Identity Provider to Allow User Provisioning

This process depends on your choice of an identity provider. You can use SCIM provisioning by following these simple steps with any identity provider supporting SCIM protocol.

  • Create a custom application for your Zeplin workspace in your identity provider.

  • Enable the SCIM API integration for the custom Zeplin app you’ve just created. You need to use Zeplin’s SCIM API URL ( as the base URL and the SCIM token you’ve generated in Zeplin’s “User Provisioning” page.

  • Under the provisioning settings, you need to allow these two actions for Zeplin:

    • Create Users

    • Deactivate Users

  • Save all the changes to finish setting up the custom app, and you can now assign people to your Zeplin workspace.

⚠️ If you own multiple workspaces in Zeplin, you need to repeat these steps for each of your workspaces. Each workspace in Zeplin should be represented as a different application in your identity provider.

Did this answer your question?