Production path: User provisioning uses Clerk Directory Sync configured in Clerk and reflected in PromptPal via webhooks and OrganizationIdentityConfig (scimEnabled, scimProvider: clerk).
Legacy PromptPal SCIM API (/api/organizations/:id/identity/scim/Users, etc.) returns HTTP 410 Gone unless scimProvider === "legacy_promptpal". Do not point a modern IdP at legacy routes unless explicitly migrated.
Admin APIs that exist today:
- Rotate SCIM token (legacy path)
- SCIM sync log
- Group role mappings
- Directory assignment rules
- Provisioning rules
Audit events record actorType: scim for automated changes.