Implement the PATCH endpoint accepting Content-Type: application/scim+json with a body containing {schemas: ['urn:ietf:params:scim:api:messages:2.0:PatchOp'], Operations: [{op, path, value}]}
For op=add without a path, merge each attribute in the value object into the resource; for op=add with a path pointing to a multi-valued attribute, append the value items
For op=remove with a filter path (e.g. path: 'members[value eq "user-id"]'), parse the AttrPath + ValueFilter and remove matching items from the multi-valued attribute; do not interpret the filter as a simple string match
For op=replace, replace the targeted attribute entirely; if the path is absent, treat the value object as a merge overwriting each named attribute
After applying all operations in sequence, if any operation modifies the schemas attribute, subsequent operations in the same PATCH body must use the updated schemas list
Return 200 with the updated resource body, or 204 with no body; return 400 invalidSyntax for malformed filter expressions and 400 noTarget if the path targets a non-existent attribute on a required-field basis
Known gotchas
Microsoft Entra's SCIM provisioning client sends PATCH requests that may not strictly conform to RFC 7644 — specifically, it has been reported to send remove operations with the value in the body rather than encoded in the path filter; implement tolerant parsing if targeting Entra compatibility
The path filter in members[value eq "id"] uses the sub-attribute 'value' which is the standard SCIM member reference attribute; confusing it with a literal attribute named 'value' is a common implementation mistake
PATCH operations must be applied atomically from the server's perspective — if any operation fails, none should be persisted; returning a partial success is non-conformant
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp