> ## Documentation Index
> Fetch the complete documentation index at: https://openworklabs.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Run organization SCIM drift reconciliation

> Checks local SCIM-managed identities for inconsistent organization membership or provider-account state and records unresolved drift for retry or manual review.



## OpenAPI

````yaml /openapi.json post /v1/scim/reconcile
openapi: 3.1.0
info:
  title: Den API
  description: >-
    OpenAPI spec for the Den control plane API.


    Authentication:

    - Use `Authorization: Bearer <session-token>` for user-authenticated routes
    that require a Den session.

    - Use `x-api-key: <den-api-key>` for API-key-authenticated routes that
    accept organization API keys.

    - Public routes like health and documentation do not require authentication.


    Swagger tip: use the security schemes in the Authorize dialog to set either
    `bearerAuth` or `denApiKey` before trying protected endpoints.
  version: dev
servers: []
security: []
tags:
  - name: System
    description: Service health and operational routes.
  - name: Organizations
    description: Top-level organization creation and context routes.
  - name: Invitations
    description: Invitation preview, acceptance, creation, and cancellation routes.
  - name: API Keys
    description: Organization API key management routes.
  - name: SCIM
    description: Organization SCIM connector management routes.
  - name: SSO
    description: Organization single sign-on connector management routes.
  - name: Members
    description: Organization member management routes.
  - name: Roles
    description: Organization custom role management routes.
  - name: Teams
    description: Organization team management routes.
  - name: Templates
    description: Organization shared template routes.
  - name: LLM Providers
    description: Organization LLM provider catalog, configuration, and access routes.
  - name: Skills
    description: Organization skill authoring and sharing routes.
  - name: Skill Hubs
    description: Organization skill hub management and access routes.
  - name: Workers
    description: Worker lifecycle, billing, and runtime routes.
  - name: Worker Runtime
    description: Worker runtime inspection and upgrade routes.
  - name: Worker Activity
    description: Worker heartbeat and activity reporting routes.
  - name: Telemetry
    description: Telemetry event ingestion and adoption analytics.
  - name: Admin
    description: Administrative reporting routes.
  - name: Users
    description: Current user and membership routes.
  - name: Bootstrap
    description: Agent-first provisional workspace setup routes.
paths:
  /v1/scim/reconcile:
    post:
      tags:
        - SCIM
      summary: Run organization SCIM drift reconciliation
      description: >-
        Checks local SCIM-managed identities for inconsistent organization
        membership or provider-account state and records unresolved drift for
        retry or manual review.
      operationId: postV1ScimReconcile
      responses:
        '200':
          description: SCIM reconciliation completed.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OrganizationScimReconciliationResponse'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ScimUnauthorizedError'
        '403':
          description: >-
            Only workspace owners or members with security configuration
            permission can manage SCIM.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ScimForbiddenError'
        '404':
          description: Organization not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ScimOrganizationNotFoundError'
      security:
        - bearerAuth: []
components:
  schemas:
    OrganizationScimReconciliationResponse:
      type: object
      properties:
        checked:
          type: integer
          minimum: 0
          maximum: 9007199254740991
        repaired:
          type: integer
          minimum: 0
          maximum: 9007199254740991
        failures:
          type: integer
          minimum: 0
          maximum: 9007199254740991
      required:
        - checked
        - repaired
        - failures
    ScimUnauthorizedError:
      type: object
      properties:
        error:
          type: string
          const: unauthorized
      required:
        - error
    ScimForbiddenError:
      type: object
      properties:
        error:
          type: string
          enum:
            - forbidden
            - reauth
        reason:
          type: string
        message:
          type: string
      required:
        - error
        - message
    ScimOrganizationNotFoundError:
      type: object
      properties:
        error:
          type: string
          const: organization_not_found
      required:
        - error
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: session-token
      description: >-
        Session token passed as `Authorization: Bearer <session-token>` for
        user-authenticated Den routes.

````