
SCIM & Organization-Key Scoped API Routes

Where is this feature available?
  • Hobby
  • Core
  • Pro (Team)
  • Enterprise
  • Self Hosted (Enterprise)

Via organization-scoped API keys, you can administer projects, users, and project/organization memberships (see RBAC docs).

Langfuse is open and meant to be extended via custom workflows and integrations. You can use these endpoints to automate project and user management in your Langfuse organization.

This documentation covers organization management APIs, SCIM-compliant user provisioning endpoints, and includes a comprehensive guide for setting up Okta authentication and user provisioning with Langfuse.

Authentication

Authenticate with the API using Basic Auth. Organization-scoped API keys can be created via the Organization Management API or in the Organization Settings within the Langfuse UI.

Example:

curl -u public-key:secret-key https://cloud.langfuse.com/api/public/projects/{projectId}/apiKeys

Organization Management

All applicable endpoints are marked with "(requires organization-scoped API key)". These include the following routes:

  • POST /api/public/projects
  • PUT /api/public/projects/{projectId}
  • DELETE /api/public/projects/{projectId}
  • GET /api/public/projects/{projectId}/apiKeys
  • POST /api/public/projects/{projectId}/apiKeys
  • DELETE /api/public/projects/{projectId}/apiKeys/{apiKeyId}
  • PUT /api/public/organizations/memberships
  • GET /api/public/organizations/memberships
  • PUT /api/public/projects/{projectId}/memberships
  • DELETE /api/public/projects/{projectId}/memberships

User Management via SCIM

In addition, we implement the following SCIM-compliant endpoints. Use /api/public/scim as the base URI for them.

To create a new user within Langfuse, you can use the SCIM-style endpoints and POST /Users. This will create a new user if the email does not exist yet. Then it will add the user to the organization with role NONE.

Afterward, the role can be updated using the membership endpoints either on an organization or a project level (see above).

To remove a user from an organization, call the DELETE /Users/{id} endpoint. This will not delete the user itself, only its membership in the organization.

You can either supply an initial password for users via the API and share it with them, or use Single Sign-On (SSO) to authenticate users. In the latter case, you need to:

  • Langfuse Cloud: configure an Enterprise SSO provider (docs).
  • Self-hosted: configure AUTH_<PROVIDER>_ALLOW_ACCOUNT_LINKING for your SSO provider to ensure that the user accounts are linked correctly (see SSO docs).

The following SCIM endpoints are available:

  • GET /ServiceProviderConfig
  • GET /ResourceTypes
  • GET /Schemas
  • GET /Users
  • POST /Users
  • GET /Users/{id}
  • DELETE /Users/{id}
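
The following added example (not part of the Langfuse documentation or code base) reconciles a GET /Users listing against an identity-provider roster and produces the DELETE /Users/{id} and POST /Users requests needed to align them, so that departed users do not keep an organization membership. It assumes userName carries the user's email, uses a minimal RFC 7643 User body (Langfuse may require further fields), and the function names, ids and emails are constructed for illustration.

```python
import base64

SCIM_BASE = "/api/public/scim"  # base URI given on this page
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User schema

def basic_auth_header(public_key, secret_key):
    """Basic Auth value: organization public key as username, secret key as password."""
    token = base64.b64encode(f"{public_key}:{secret_key}".encode()).decode()
    return f"Basic {token}"

def reconcile(scim_list_response, idp_emails):
    """Return (method, path, body) requests that align the organization with the IdP roster."""
    resources = scim_list_response.get("Resources", [])
    # Refuse to plan from a partial page: the diff would be computed on incomplete data.
    if scim_list_response.get("totalResults", len(resources)) > len(resources):
        raise ValueError("partial listing: fetch all pages before reconciling")
    # Assumption: userName holds the email; compare case-insensitively.
    wanted = {e.strip().lower() for e in idp_emails}
    present = {r["userName"].strip().lower(): r["id"] for r in resources}
    plan = []
    # Still a member in Langfuse but gone from the IdP: remove the membership.
    for email in sorted(present.keys() - wanted):
        plan.append(("DELETE", f"{SCIM_BASE}/Users/{present[email]}", None))
    # In the IdP but not provisioned yet: create (the user starts with role NONE).
    for email in sorted(wanted - present.keys()):
        body = {"schemas": [USER_SCHEMA], "userName": email,
                "emails": [{"value": email, "primary": True}]}
        plan.append(("POST", f"{SCIM_BASE}/Users", body))
    return plan

# Constructed sample data, not real Langfuse output.
SAMPLE_LIST = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "usr-001", "userName": "Alice@example.com"},
        {"id": "usr-002", "userName": "bob@example.com"},
        {"id": "usr-003", "userName": "former.contractor@example.com"},
    ],
}
SAMPLE_IDP = ["alice@example.com", "bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    for method, path, body in reconcile(SAMPLE_LIST, SAMPLE_IDP):
        print(method, path, body)
```

Newly created users hold role NONE until a membership endpoint raises it, so the plan never grants access by itself.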

Okta Setup Guide

This guide covers how to set up Okta authentication and user provisioning for Langfuse. Authentication and provisioning are two separate steps in Okta. Follow the one that is applicable to your use case.

Authentication

For authentication, Langfuse supports the OpenID Connect (OIDC) protocol. This allows you to use Okta as an identity provider for Langfuse. To set up Okta authentication, follow these steps:

  1. Create an Okta Application:
    • Log in to your Okta admin console.
    • Navigate to Applications > Create App Integration.
    • Choose OIDC - OpenID Connect as the sign-in method and click Next.
    • Choose Web Application as the application type and click Next.
    • Fill in the application settings. Use your self-hosted domain or one of the Langfuse Cloud domains.
      • App name: Langfuse
      • Login redirect URIs: https://your-langfuse-domain.com/api/auth/callback/okta
      • Logout redirect URIs: https://your-langfuse-domain.com/
    • Click Save.
  2. Set up Langfuse (Cloud):
    • Please reach out to the Langfuse support team at [email protected] to configure Okta SSO.
    • Once the SSO is configured, you can type in your email on the sign-in page and are automatically redirected to Okta.
  3. Set up Langfuse (Self-Hosted):
    • Follow the Langfuse SSO guide to configure Okta as an identity provider.
    • Once the environment variables are set, you will see an “Okta” button on your sign-in page.
  4. Test the Integration:
    • Assign users to your Okta application and test the login flow.
    • For any issues, please create an issue on GitHub or contact support.

User Provisioning

For user provisioning, Langfuse supports the SCIM 2.0 protocol. To set up user provisioning in Okta, follow these steps:

  1. Create a SAML/SCIM Application:
    • Log in to your Okta admin console.
    • Navigate to Applications > Create App Integration.
    • Choose SAML 2.0 as the sign-in method and click Next.
    • Fill in the application settings. Use your self-hosted domain or one of the Langfuse Cloud domains.
      • App name: Langfuse SCIM
      • Single sign-on URL: https://your-langfuse-domain.com/api/auth/callback/okta
      • Audience URI: langfuse
    • Click Next and then Finish.
  2. Configure SCIM Settings:
    • In the General tab, set Provisioning to SCIM.
    • In the Provisioning tab, edit your SCIM Connection.
    • Enter your credentials:
      • SCIM connector base URL: https://your-langfuse-domain.com/api/public/scim
      • Unique identifier field for users: userName
      • Supported provisioning actions: Import new Users and Profile Updates, Push New Users, Push Profile Updates
      • Basic Auth - Username: Use a public key from your Organization settings.
      • Basic Auth - Password: Use a private key from your Organization settings.
    • Test the API credentials and press Save.
  3. Configure Provisioning:
    • In the Provisioning tab, enable the following options:
      • Create Users
      • Update User Attributes
      • Deactivate Users
    • Click Save.
  4. Add Default User Permissions (Optional):
    • In the Provisioning tab, go to the Profile Editor and add a new roles attribute:
      • Data type: string array
      • Display Name: Langfuse Roles
      • Variable Name: roles
      • External Name: roles
      • External Namespace: urn:ietf:params:scim:schemas:core:2.0:User
      • Attribute members: NONE, VIEWER, MEMBER, ADMIN
      • Attribute type: Personal
    • In the Provisioning tab, modify the roles attribute to set default permissions for new users.
    • You can set it for all users of the application to provide a default. Set it to “NONE”, “VIEWER”, “MEMBER”, or “ADMIN”.
  5. Assign Users:
    • Navigate to the Assignments tab.
    • Click Assign > Assign to People.
    • Select the users you want to assign to the Langfuse SCIM application. You can overwrite the role here.
    • Click Done and then Save.
    • Users should appear as Member within your Langfuse Organization.