whoot.
FeaturesUse casesTrader voiceMartyn's lawPricing
Sign inStart free
Product Launch

Provision at scale.
Manage from code.

SCIM 2.0 provisioning and a Management API for programmatic user and room control. Connect your identity provider, automate onboarding, and manage your workspace from your own tools.

HomeBlogManagement API & SCIM Provisioning
WT
whoot. team
|
May 2026
|
5 min read
|

May 2026

Your IdP. Your tools. Your users, provisioned automatically.

Enterprise teams don't manually provision software. When a new analyst joins a trading desk, their access to every system in the stack — email, Bloomberg, compliance tooling, voice — should be live before their first morning. And when they leave, it should all be gone by end of day. That lifecycle is owned by your identity provider, and it should extend to whoot. without any manual steps in between.

Today, it does. whoot. now supports SCIM 2.0 provisioning — the industry standard that Okta, Azure Active Directory, JumpCloud, and every major IdP speaks natively. Connect your directory, map your groups to rooms, and user lifecycle management becomes fully automated. New starters get access. Leavers lose it. No tickets, no manual steps, no lag.

For teams who prefer direct API control, we've also launched the whoot. Management API — a REST interface that gives your ops tooling, internal platforms, and custom scripts direct programmatic access to user and room management. Same capabilities, simpler format, designed for integrations that don't speak SCIM.

Security is the foundation, not an afterthought. API keys carry granular scopes so each integration gets exactly the access it needs and nothing more. Tokens are shown once at creation — we never store the plaintext. Every request is logged. Rate limits are enforced per key. Revocation is instant. This is enterprise-grade access control designed for environments where the cost of a misconfigured credential is real.

Everything you need to automate your stack.

SCIM 2.0, a native REST API, granular scopes, and full audit logging — all in one.

SCIM 2.0 User Provisioning

Full SCIM 2.0 Users endpoint — create, list, retrieve, update, and deactivate
Filter support for userName, id, and externalId lookups
Paginated responses with up to 200 results per page

Group-to-Room Mapping

SCIM Groups map directly to whoot. rooms
Add and remove members via PATCH Operations — diffs applied automatically
Deactivated users are removed from all rooms immediately

Native Management API

Dedicated REST endpoints for user and room member management
Add or remove users from specific rooms with a single request
Control transmit permission per room member

Granular Token Scopes

Eight fine-grained scopes — read and write, separately, for users and rooms
SCIM and native API scopes are independent — mix and match per key
Least-privilege by design: grant only what each integration needs

Full Audit Logging

Every API request logged — method, path, status code, source IP, and user agent
Per-key activity dashboard in the admin portal
Rate-limited requests flagged separately for immediate visibility

Rate Limiting & Controls

600 requests per minute per API key — configurable per workspace
HTTP 429 responses include a Retry-After header
Seat capacity enforced at provisioning time — no silent overprovisioning

Connect your directory.
Users provision themselves.
You stay in control.

Security

API access that's locked down by default.

The Management API and SCIM endpoints are built for environments where credential security is non-negotiable. API keys carry only the scopes you grant them. Tokens are never stored in plaintext — they're shown once at creation and that's it. Every request is logged. Every rate limit is enforced. And revocation is instant, with no propagation delay. If a key is compromised, you kill it — and it's dead on the next request.

API tokens are shown once at creation and never retrievable again — only a secure hash is stored
Tokens can carry an expiry date — time-bound credentials by design
Revocation is immediate — a revoked key is rejected on the next request, no propagation delay
Eight granular scopes enforce least-privilege access at the API layer
Every request is logged with method, path, status, source IP, and user agent
Rate limiting is enforced per API key — 600 requests per minute with Retry-After headers
Seat capacity is checked at provisioning time — over-quota requests are rejected cleanly

More from the blog

Keep reading — here's what else we've been shipping.

Product Launch
April 2026

Dial-in to any room. From any phone.

Give every whoot. room a real phone number. PSTN callers dial in and join instantly — no app, no account, no friction. Flexible auth modes, real-time presence, and full usage visibility.

Dedicated phone number per room — UK geographic, national & toll-free
Open, PIN-protected, or caller allowlist authentication
Inbound callers appear as live participants alongside digital users
Inbound minutes share your existing PSTN allowance
Read More
Product Launch
April 2026

whoot. is now on iOS.

Push-to-talk in your pocket. The whoot. iOS app is live on the App Store — ultra-real-time voice, full room access, and instant notifications on the go.

Native SwiftUI with CallKit integration
<150ms end-to-end push-to-talk latency
Full room access & live presence
Instant push notifications
Read More

Available now

Automate provisioning.
Eliminate manual work.

SCIM provisioning and the Management API are available on whoot. Business and Enterprise plans.

end of page · start of conversation

whoot.

The fastest way to talk to your team. Period.

Start free — 90 secondsDownload for iOS↗
END-TO-END ENCRYPTEDAES-256TLS 1.3OPUS 48K · DTLS-SRTPGDPR · UK DPAMIFID II · MARTYN'S LAW

Product

  • Features
  • Use cases
  • Pricing
  • Roadmap
  • Documentation

Use cases

  • Remote teams
  • Incident response
  • Financial services
  • Operations teams
  • Trader voice
  • Martyn's law

Company

  • About
  • Investors
  • Contact
  • Security
  • Privacy
  • Terms
  • Blog
  • Acceptable use

© 2026 whoot. All rights reserved. whoot is a trading name of Eager Lobster Ltd. A company registered in England and Wales. Company Number 17038042. Registered Office: First Floor 1 Des Roches Sq, Witan Way, Witney, England, OX28 4BE. Prices shown on this website are exclusive of VAT, GST or other applicable taxes.

all systems operationaldesigned in london · always-on