---
title: Amplitude SCIM API Integration on Truto
slug: amplitudescim
category: Analytics
canonical: "https://truto.one/integrations/detail/amplitudescim/"
---

# Amplitude SCIM API Integration on Truto



**Category:** Analytics  
**Status:** Beta

## Unified APIs

### Unified User Directory API

- **Groups** — Groups are a collection of users in the source application. In some applications, they might also be called Teams.
- **Users** — The User object represents a User.

## How it works

1. **Link your customer's Amplitude SCIM account.** Use Truto's frontend SDK; we handle every OAuth and API key flow so you don't need to create the OAuth app.
2. **Authentication is automatic.** Truto refreshes tokens, stores credentials securely, and injects them into every API request.
3. **Call Truto's API to reach Amplitude SCIM.** The Proxy API is a 1-to-1 mapping of the Amplitude SCIM API.
4. **Get a unified response format.** Every response uses a single shape, with cursor-based pagination and data in the `result` field.

## Use cases

- **Automate employee provisioning into Amplitude on day one** — HR and identity platforms can automatically create Amplitude users and assign them to the correct permission groups the moment an employee is onboarded, eliminating manual invite workflows and ensuring immediate access to the right analytics dashboards.
- **Instant access revocation on employee offboarding** — Security and IT automation tools can deactivate Amplitude users in real time when an employee is terminated or changes roles, closing a critical gap where sensitive product analytics data could be exposed to former employees.
- **Reconcile Amplitude access against your source of truth** — SaaS management and compliance platforms can pull the full list of Amplitude users and groups to detect shadow access, orphaned accounts, or permission drift compared to the company's HR directory or identity provider.
- **Reclaim unused Amplitude Enterprise licenses** — SaaS spend management tools can identify inactive Amplitude users by cross-referencing SCIM user data with login activity, then programmatically deactivate stale seats to reduce software costs.
- **Enable time-bound, just-in-time access to sensitive analytics** — Access governance platforms can temporarily add users to privileged Amplitude groups for debugging or ad-hoc analysis, then automatically remove them after a set window to enforce zero standing privileges.

## What you can build

- **One-click Amplitude user deprovisioning** — Let IT admins deactivate Amplitude users directly from your platform by toggling the SCIM active flag to false, instantly revoking access to all organization data.
- **Automated group-based permission mapping** — Sync departmental roles from an HR system or IdP into Amplitude permission groups so new hires land in the correct access tier — Viewer, Manager, or Admin — without manual configuration.
- **Shadow access detection dashboard** — Surface a real-time view of all active Amplitude users and their group memberships, flagged against your customer's canonical directory to highlight unmanaged or unauthorized accounts.
- **SOC 2 access review evidence export** — Generate auditor-ready reports mapping every Amplitude user to their permission groups, with historical snapshots proving that access is reviewed and terminated on a defined schedule.
- **Idle license reclamation workflow** — Automatically identify Amplitude users who haven't logged in within a configurable window and offer a one-click flow to deactivate their seats and reclaim Enterprise licenses.
- **Time-bound privileged access grants** — Allow approved users to be added to sensitive Amplitude groups for a fixed duration, with automatic removal enforced by a scheduled job — no standing privileges required.

## FAQs

### What authentication method does Amplitude SCIM use?

Amplitude SCIM uses static Bearer token authentication. An organization admin generates a SCIM API token from the Amplitude settings page, and all requests are authenticated by passing this token in the Authorization header.

### What are the rate limits for the Amplitude SCIM API?

Amplitude enforces a strict limit of 100 requests per minute per organization. If you're syncing a large directory, you'll need robust pagination and backoff strategies — something Truto's unified API layer can help abstract away.

### Does creating a user via SCIM immediately grant them access to Amplitude?

No. A POST to the Users endpoint triggers an invitation email. The user remains in a pending state until they accept the invite and log in. Your integration should account for this intermediate state.

### Can I update a user's group membership through the Users endpoint?

No. Amplitude's Users endpoint ignores the groups array on updates. You must use the Groups endpoint to add or remove users from permission groups. This is a common gotcha when building against this API.
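The following added example (not Truto's or Amplitude's own code) turns the points above into a call plan: deactivation goes through the user's `active` flag, membership changes go only through the Groups endpoint, and calls are paced against the 100 requests per minute limit. It builds standard RFC 7644 PatchOp bodies for `/Users/{id}` and `/Groups/{id}`; that Amplitude accepts exactly these bodies, the id format, and the function names are assumptions.

```python
import re

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644
RATE_LIMIT_PER_MIN = 100  # per-organization limit quoted in the FAQ
_SAFE_ID = re.compile(r"[A-Za-z0-9@._+-]+")  # assumption: ids are emails or opaque tokens


def _patch(*ops):
    return {"schemas": [PATCH_SCHEMA], "Operations": list(ops)}


def plan_user_change(user_id, active, current_groups, desired_groups):
    """Return ordered (method, path, body) calls moving a user to the desired state.

    Membership is changed only through /Groups, never through the user's
    `groups` array, which the Users endpoint ignores on update.
    """
    ids = [user_id, *current_groups, *desired_groups]
    if not all(_SAFE_ID.fullmatch(i) for i in ids):
        # ids are interpolated into a URL and a SCIM filter path; refuse anything odd
        raise ValueError("unexpected characters in SCIM id")
    calls = []
    if not active:
        # Revoke access first so it is not left waiting behind throttled group edits.
        calls.append(("PATCH", f"/Users/{user_id}",
                      _patch({"op": "replace", "path": "active", "value": False})))
    for gid in sorted(set(current_groups) - set(desired_groups)):
        calls.append(("PATCH", f"/Groups/{gid}",
                      _patch({"op": "remove", "path": f'members[value eq "{user_id}"]'})))
    for gid in sorted(set(desired_groups) - set(current_groups)):
        calls.append(("PATCH", f"/Groups/{gid}",
                      _patch({"op": "add", "path": "members", "value": [{"value": user_id}]})))
    return calls


def schedule(calls, limit=RATE_LIMIT_PER_MIN):
    """Pair each call with the earliest send offset (seconds) that keeps
    each fixed 60-second window at or under `limit` requests."""
    return [(60 * (i // limit), call) for i, call in enumerate(calls)]


if __name__ == "__main__":
    # Constructed sample: offboard one user who sits in two groups.
    plan = plan_user_change("jdoe@example.com", False, {"grp-admin", "grp-viewer"}, set())
    for offset, (method, path, body) in schedule(plan):
        print(offset, method, path, body["Operations"])
```

The sender should still honor throttling responses from the API, since other integrations in the same organization draw on the same per-minute budget.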

### Which Amplitude plans support SCIM?

SCIM provisioning is only available on Amplitude's Enterprise plan. Your end users will need an active Enterprise subscription and org-admin privileges to generate a SCIM token.

### What Unified APIs does Truto provide for Amplitude SCIM?

Amplitude SCIM is supported through Truto's Unified User Directory API, which exposes standardized Users and Groups resources. This lets you read, create, update, and deactivate users and manage group memberships through a single consistent interface.
