Registering the client

To use the SCIM API, the client must have an access token, which the client obtains through OAuth2.

About this task

Spotfire implements OAuth2 as documented for the Spotfire Library REST API.

Before you begin

You must have write access on the computer where Spotfire Server is installed.
You have created a SCIM-compliant app on OKTA or Azure. (This is required to get redirect URLs for the API client registration, if there are any.)

Procedure

Open a command line.
Issue the Spotfire command-line command register-api-client, passing in the appropriate options, including the two SCIM scopes.
- user.directory.read.all
- user.directory.write.all
Note: The grant to specify depends on the integrating service. For example, for OKTA, it should be "authorization code" (the most common OAuth2 grant).
Example
```
config.bat register-api-client -n "MyApp" 
--client-profile=WEB -G AUTHORIZATION_CODE -G REFRESH_TOKEN 
-S user-directory.read.all -S user-directory.write.all 
-t <password> -R <authorized redirect URI>…
```
On the SCIM client (OKTA or Azure AD), perform the following tasks.
1. Configure the base URI.
2. Set up the user and group schemas.
  For more information about the SCIM schema, see the RFC specification at https://datatracker.ietf.org/doc/html/rfc7643. For information about Spotfire schema attributes, see Supported attributes for user and group schemas.
3. Configure the OAuth2 details.

What to do next

You can grant or revoke access to the OAuth2 client using access tokens, directly from the Spotfire Server command line, with the following two CLI commands:

issue-access-token, for issuing an access token to a specified API client.
revoke-token, for revoking access or refresh token previously issued to an OAuth2 client.

Also, you might need to trigger a web-based authentication flow and grant the client consent to call the SCIM API. See the client documentation for more details.