Implement the /Users and /Groups endpoints supporting at minimum GET (list + filter), POST (create), PUT (full replace), PATCH (partial update), and DELETE operations
Expose a /ServiceProviderConfig endpoint that declares which SCIM features your implementation supports (patch, bulk, filter, etc.)
Validate the Bearer token on every inbound request; the token is issued by your system and provided to the IdP during connector setup
Handle PATCH requests using the SCIM PATCH protocol, with an Operations array containing op, path, and value fields; map these to your internal user model atomically
Return appropriate SCIM error responses (with scimType and detail fields) for conflicts (409), not found (404), and invalid syntax (400)
Implement idempotent creates by checking for an existing user with the same userName or externalId before inserting
Known gotchas
SCIM filter syntax (e.g., userName eq "alice") must be parsed correctly; a naive string search will mishandle complex filters
The externalId field is set by the IdP and is distinct from your internal id; store both and use externalId for deprovisioning lookups
Soft-delete (setting active=false) is preferred over hard-delete so that re-provisioning the same user does not create a duplicate record
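A parser for the filter gotcha above, as an added example that is not part of the original page: a small recursive-descent parser for a subset of the RFC 7644 filter grammar (eq, ne, and, or, not, parentheses), in which string values are JSON strings in double quotes. The FILTERABLE allowlist, the USERS records and the function names are assumptions made for the illustration.

```python
import json
import re

FILTERABLE = {"username": "userName", "externalid": "externalId", "active": "active"}  # assumed allowlist
TOKEN = re.compile(r'\(|\)|"(?:[^"\\]|\\.)*"|[^\s()"]+|"')  # a stray quote is its own token
# Constructed sample records.
USERS = [{"userName": "alice", "externalId": "idp-1", "active": True},
         {"userName": "malice", "externalId": "idp-2", "active": False}]

def _norm(value):  # simplification: strings compare case-insensitively for every attribute
    return value.lower() if isinstance(value, str) else value

def parse_filter(text):
    """Compile a SCIM filter into a predicate over a user dict; ValueError if malformed."""
    tokens = TOKEN.findall(text)[::-1]  # reversed so pop() yields the next token
    def take():
        if not tokens:
            raise ValueError("unexpected end of filter")
        return tokens.pop()
    def chain(word, operand, combine):  # left-associative run of "and" or "or"
        left = operand()
        while tokens and tokens[-1].lower() == word:
            take()
            left = combine(left, operand())
        return left
    def or_expr():
        return chain("or", and_expr, lambda a, b: lambda u: a(u) or b(u))
    def and_expr():  # "and" binds tighter than "or"
        return chain("and", atom, lambda a, b: lambda u: a(u) and b(u))
    def atom():
        tok = take()
        if tok == "(":
            inner = or_expr()
            if take() != ")":
                raise ValueError("expected ')'")
            return inner
        if tok.lower() == "not":
            inner = atom()
            return lambda u: not inner(u)
        if tok.lower() not in FILTERABLE:
            raise ValueError(f"attribute not filterable: {tok}")
        key, op = FILTERABLE[tok.lower()], take().lower()
        want = _norm(json.loads(take()))  # bare or single-quoted values are rejected here
        if op not in ("eq", "ne"):
            raise ValueError(f"unsupported operator: {op}")
        return lambda u: (_norm(u.get(key)) == want) == (op == "eq")
    predicate = or_expr()
    if tokens:
        raise ValueError(f"unexpected token: {tokens[-1]}")
    return predicate
```

A substring check for alice also matches malice, while the predicate from parse_filter('userName eq "alice"') matches only the exact user. A ValueError raised here belongs in a 400 response with scimType invalidFilter.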