Descope

aid: descope
url: https://raw.githubusercontent.com/api-evangelist/descope/refs/heads/main/apis.yml
apis:
- aid: descope:descope-authentication-api
  name: Descope Authentication API
  tags:
  - Authentication
  - Passwordless
  - OAuth
  - OIDC
  - SAML
  - WebAuthn
  - Passkeys
  - MFA
  humanURL: https://docs.descope.com/api
  baseURL: https://api.descope.com
  properties:
  - url: https://docs.descope.com/api
    type: Documentation
  - url: https://docs.descope.com/auth-methods
    type: Documentation
    name: Authentication Methods
  - url: https://docs.descope.com/api/openapi-spec
    type: APIReference
  - url: openapi/descope-openapi.yml
    type: OpenAPI
  description: Public, end-user-facing authentication API covering every Descope login experience — One-Time
    Passwords (email/SMS/voice/IM), Magic Link, Enchanted Link, OAuth/Social, One-Tap, nOTP, TOTP authenticator
    apps, WebAuthn/Passkeys, password authentication, security questions, recovery codes, SSO/SAML, access keys,
    session refresh, tenant selection, and IdP-initiated logout. All flows expose `signup`, `signin`, `signup-in`,
    `verify`, and `update` endpoints where applicable so frontends and mobile SDKs can compose any journey
    Descope Flows can render.
- aid: descope:descope-management-api
  name: Descope Management API
  tags:
  - Management
  - Administration
  - Users
  - Tenants
  - Roles
  - Permissions
  - SSO
  - SCIM
  - Audit
  humanURL: https://docs.descope.com/manage
  baseURL: https://api.descope.com
  properties:
  - url: https://docs.descope.com/manage
    type: Documentation
  - url: https://docs.descope.com/api
    type: APIReference
  - url: openapi/descope-openapi.yml
    type: OpenAPI
  description: Server-side administrative API for managing every resource in a Descope project — users,
    access keys, tenants, roles, permissions, groups, SSO/SAML/OIDC configuration, password policies,
    JWT customization, flows, widgets, localization, custom attributes, fine-grained authorization (FGA)
    schemas and relations, audit logs, analytics, third-party (inbound) applications, outbound
    connectors, project import/export, and impersonation. Authentication uses a Management Key
    (`sk_…`) and is required for any backend automation, CI/CD, migration, or admin tooling.
- aid: descope:descope-oauth-applications-api
  name: Descope OAuth Applications API
  tags:
  - OAuth
  - OIDC
  - Inbound Apps
  - Third-Party
  - Federation
  - MCP
  humanURL: https://docs.descope.com/inbound-apps
  baseURL: https://api.descope.com
  properties:
  - url: https://docs.descope.com/inbound-apps
    type: Documentation
  - url: openapi/descope-openapi.yml
    type: OpenAPI
  description: Standards-compliant OAuth 2.1 / OIDC authorization server endpoints that let Descope act as an
    identity provider for inbound third-party applications and agentic clients. Covers the full
    `/oauth2/v1/...` surface — authorize, token, revoke, userinfo, device authorization, CIBA backchannel
    authorization, and dedicated agentic / MCP-server registration paths
    (`/oauth2/v1/apps/agentic/{project_id}/{mcp_server_id}/authorize|token`) for AI agents that need
    delegated user credentials. Supports PKCE, JAR (RFC 9101) request objects, DPoP, and dynamic client
    registration via SCIM v2.
- aid: descope:descope-scim-api
  name: Descope SCIM 2.0 API
  tags:
  - SCIM
  - Provisioning
  - Identity
  - Users
  - Groups
  humanURL: https://docs.descope.com/scim
  baseURL: https://api.descope.com
  properties:
  - url: https://docs.descope.com/scim
    type: Documentation
  - url: openapi/descope-openapi.yml
    type: OpenAPI
  description: System for Cross-domain Identity Management (SCIM) 2.0 endpoints under `/scim/v2/` for
    automated user and group lifecycle provisioning from upstream IdPs (Okta, Entra ID, Google
    Workspace, JumpCloud, etc.) into Descope tenants. Implements the standard Users, Groups, ResourceTypes,
    Schemas, and ServiceProviderConfig resources required for enterprise self-service SSO.
- aid: descope:descope-jwks-api
  name: Descope JWKS and Discovery API
  tags:
  - JWKS
  - Discovery
  - OIDC
  - Keys
  humanURL: https://docs.descope.com/jwks
  baseURL: https://api.descope.com
  properties:
  - url: https://docs.descope.com/jwks
    type: Documentation
  - url: openapi/descope-openapi.yml
    type: OpenAPI
  description: Public key and discovery endpoints used by any RP that needs to validate Descope-issued
    session JWTs without calling the API. Includes the project JWKS endpoints (`/v1/keys`, `/v2/keys`),
    OIDC discovery (`/.well-known/oauth-authorization-server`, `/{projectId}/.well-known/...`), and
    project configuration metadata. These are unauthenticated and cache-friendly.
name: Descope
tags:
- Authentication
- Identity
- CIAM
- Passwordless
- Passkeys
- MFA
- SSO
- OAuth
- OIDC
- SAML
- SCIM
- Authorization
- FGA
- Agentic Identity
- MCP
kind: contract
image: https://kinlane-productions2.s3.amazonaws.com/apis-json/apis-json-logo.jpg
access: 3rd-Party
common:
- url: https://www.descope.com
  type: Portal
- url: https://docs.descope.com
  type: Documentation
- url: https://docs.descope.com/getting-started
  type: GettingStarted
- url: https://docs.descope.com/api/openapi-spec
  type: APIReference
- url: https://app.descope.com
  type: Console
- url: https://www.descope.com/sign-up
  type: SignUp
- url: https://www.descope.com/pricing
  data:
  - id: free
    name: Free Forever
    entries:
    - geo: Global
      unit: 7500
      label: Monthly Active Users
      limit: 7500
      price: 0
      metric: mau
      timeFrame: month
      description: No-cost tier with 7,500 MAUs. No overages allowed — upgrade required to exceed limits.
    elements:
    - name: All authentication methods (OTP, magic link, passkeys, social, SSO, MFA)
    - name: Drag-and-drop Descope Flows
    - name: Role-based access control
    - name: Multi-factor authentication
    - name: Community support
    description: Free tier for development, prototypes, and small applications.
  - id: pro
    name: Pro
    entries:
    - geo: Global
      unit: 1
      label: Starting Price
      price: 249
      metric: month
      timeFrame: month
      description: Annual billing. Includes 10,000 MAUs; usage-based overages apply.
    - geo: Global
      unit: 10000
      label: Included MAUs
      limit: 10000
      metric: mau
      timeFrame: month
      description: Monthly active users included in the Pro tier.
    elements:
    - name: Everything in Free
    - name: Custom domain
    - name: Google One Tap
    - name: CI/CD integration
    - name: Web and Slack support
    description: Production-ready tier for growing applications.
  - id: growth
    name: Growth
    entries:
    - geo: Global
      unit: 1
      label: Starting Price
      price: 799
      metric: month
      timeFrame: month
      description: Annual billing. Includes 25,000 MAUs; usage-based overages apply.
    - geo: Global
      unit: 25000
      label: Included MAUs
      limit: 25000
      metric: mau
      timeFrame: month
      description: Monthly active users included in the Growth tier.
    elements:
    - name: Everything in Pro
    - name: Bot protection
    - name: 1M included anonymous users
    - name: SCIM provisioning
    - name: Fine-grained authorization (FGA)
    description: For scaling B2B and B2C applications needing enterprise auth features.
  - id: enterprise
    name: Enterprise
    entries:
    - geo: Global
      unit: 1
      label: Custom
      price: Call
      metric: contract
      timeFrame: year
      description: Custom MAU limits and tiered volume discounts.
    elements:
    - name: Everything in Growth
    - name: Tiered volume discounts
    - name: Dedicated customer success engineer
    - name: Custom deployments (single-tenant, private cloud, on-prem)
    - name: Unlimited test users
    - name: Unlimited anonymous users
    - name: Premium support
    description: For large enterprises with custom deployment and compliance requirements.
  name: Plans
  type: Plans
- url: https://www.descope.com/pricing
  name: Pricing
  type: Pricing
- url: https://www.descope.com/terms
  type: TermsOfService
- url: https://www.descope.com/privacy
  type: PrivacyPolicy
- url: https://descopestatus.com
  type: StatusPage
- url: https://www.descope.com/blog
  type: Blog
- url: https://www.descope.com/contact
  type: Support
- url: https://www.descope.com/customers
  type: CaseStudies
- url: https://www.descope.com/learn
  type: Training
  name: Learning Center
- url: https://www.descope.com/learn/post/agentic-identity-hub
  type: Documentation
  name: Agentic Identity Hub
- url: https://github.com/descope
  type: GitHubOrganization
- url: https://github.com/descope/node-sdk
  name: Node.js SDK
  type: SDK
- url: https://github.com/descope/python-sdk
  name: Python SDK
  type: SDK
- url: https://github.com/descope/go-sdk
  name: Go SDK
  type: SDK
- url: https://github.com/descope/descope-java
  name: Java SDK
  type: SDK
- url: https://github.com/descope/descope-dotnet
  name: .NET SDK
  type: SDK
- url: https://github.com/descope/descope-php
  name: PHP SDK
  type: SDK
- url: https://github.com/descope/descope-ruby-sdk
  name: Ruby SDK
  type: SDK
- url: https://github.com/descope/descope-swift
  name: Swift (iOS) SDK
  type: SDK
- url: https://github.com/descope/descope-kotlin
  name: Kotlin (Android) SDK
  type: SDK
- url: https://github.com/descope/descope-react-native
  name: React Native SDK
  type: SDK
- url: https://github.com/descope/descope-flutter
  name: Flutter SDK
  type: SDK
- url: https://github.com/descope/descope-js
  name: JavaScript / React / Next.js / Vue / Angular / Web Components
  type: SDK
- url: https://github.com/descope/django-descope
  name: Django Plugin
  type: SDK
- url: https://github.com/descope/passport-descope
  name: Passport.js Strategy
  type: SDK
- url: https://github.com/descope/descope-wordpress
  name: WordPress Plugin
  type: Plugins
- url: https://github.com/descope/descopecli
  name: descopecli
  type: CLI
- url: https://github.com/descope/terraform-provider-descope
  name: Terraform Provider
  type: Tools
- url: https://github.com/descope/pulumi-descope
  name: Pulumi Provider
  type: Tools
- url: https://github.com/descope/auth-hosting
  name: Auth Hosting (self-hostable Flows UI)
  type: Tools
- url: https://github.com/descope/virtualwebauthn
  name: VirtualWebAuthn (WebAuthn test tool)
  type: Tools
- url: https://github.com/descope/mcp-express
  name: MCP Express
  type: Tools
- url: https://github.com/descope/mcp-go
  name: MCP Go
  type: Tools
- url: https://github.com/descope/descope-mcp
  name: Descope MCP SDKs
  type: Tools
- url: https://github.com/descope/skills
  name: Descope Authentication Skills for AI Agents
  type: Tools
- url: https://github.com/descope/ai
  name: Descope Official AI Repository
  type: Tools
- url: https://github.com/descope/descope-migration
  name: Generic Migration Tool
  type: Tools
- url: https://github.com/descope/descope-auth0-migration
  name: Auth0 Migration Tool
  type: Tools
- url: https://github.com/descope/descope-cognito-migration
  name: Amazon Cognito Migration Tool
  type: Tools
- url: https://github.com/descope/descope-firebase-migration
  name: Firebase Migration Tool
  type: Tools
- url: https://github.com/descope/descope-keycloak-migration
  name: Keycloak Migration Tool
  type: Tools
- url: https://github.com/descope/project-cicd-template
  name: Project CI/CD Template (GitHub Actions)
  type: Tools
- url: https://github.com/descope/project-gitlab-cicd-pipeline
  name: Project CI/CD Template (GitLab)
  type: Tools
- url: https://github.com/descope/sbt-aws-descope
  name: AWS SaaS Builder Toolkit Integration
  type: Tools
- url: https://www.linkedin.com/company/descope
  type: LinkedIn
- url: https://twitter.com/descopeinc
  type: Twitter
- url: https://www.youtube.com/@descopeinc
  type: YouTube
- url: https://authtown.unstructured.chat
  type: Forum
  name: AuthTown Community
- type: Features
  data:
  - Drag-and-drop Descope Flows for designing authentication, signup, MFA, step-up, and account-recovery
    journeys with no code
  - Passwordless authentication — magic links, enchanted links, passkeys/WebAuthn, OTP (email/SMS/voice/IM),
    nOTP push, TOTP authenticator apps, and Google One Tap
  - Social login and OIDC federation with 30+ providers
  - SAML 2.0 inbound and outbound SSO with self-service IdP configuration for B2B customers
  - WS-Federation IdP support for Microsoft enterprise tenants
  - SCIM 2.0 user and group provisioning
  - Fine-grained authorization (FGA / ReBAC) modeled after Google Zanzibar with schema, relation, and policy APIs
  - Role-based access control with company/project/tag-scoped management keys
  - Multi-tenant architecture with delegated admin widgets for B2B customer self-service
  - Risk-based / adaptive MFA via flow conditional logic and connectors (reCAPTCHA, Fingerprint, ipQualityScore)
  - Step-up authentication for sensitive transactions
  - 50+ outbound connectors (HTTP, audit, AWS, Segment, Salesforce, HubSpot, Twilio, SendGrid, Slack, etc.)
  - Inbound third-party app OAuth — Descope as an OIDC/OAuth 2.1 authorization server
  - Agentic Identity Hub with MCP server registration, per-agent OAuth scopes, and token vaulting for
    AI agents (Claude, ChatGPT, Cursor, etc.)
  - OAuth 2.1, PKCE, JAR (RFC 9101), DPoP, CIBA, and device authorization flows
  - Anonymous-to-known user merging
  - Account takeover prevention with disposable-email/burner detection (go-free-email-providers)
  - Custom domains for hosted authentication pages
  - Hosted Flow app (React) with full source available for self-hosting
  - Terraform and Pulumi providers for declarative project management
  - CLI (`descopecli`) for project snapshot, import, export, and CI/CD pipelines
  - Audit log API and analytics API
  - Free 7,500 MAU forever tier
  sources:
  - https://www.descope.com
  - https://docs.descope.com
  - https://docs.descope.com/api/openapi-spec
  - https://www.descope.com/pricing
  - https://github.com/descope
  updated: '2026-05-25'
- type: UseCases
  data:
  - name: B2C Customer Authentication
    description: Add passwordless sign-up/sign-in (passkeys, magic link, social) to consumer apps with adaptive
      MFA and account-takeover protection.
  - name: B2B Enterprise SSO
    description: Let business customers self-serve SAML/OIDC SSO and SCIM provisioning without per-tenant
      engineering work, using delegated admin widgets.
  - name: Auth Migration
    description: Migrate users from Auth0, Cognito, Firebase, Keycloak, and other IdPs with prebuilt
      Python-based migration tools that preserve password hashes where possible.
  - name: Agentic Identity for AI Agents
    description: Issue scoped OAuth tokens to AI agents and MCP servers using progressive scoping, token
      vaulting, and per-agent audit trails via the Agentic Identity Hub.
  - name: Multi-Tenant SaaS
    description: Model tenant hierarchies, delegated admin, per-tenant SSO, and tenant-scoped RBAC/FGA
      from a single Descope project.
  - name: Fine-Grained Authorization
    description: Replace homegrown permission systems with a Zanzibar-style schema, relations, and policies
      via the FGA Management API.
  - name: Mobile Authentication
    description: Native passkey, biometric, and social login in iOS, Android, React Native, and Flutter
      apps using Descope's mobile SDKs.
  - name: Compliance-Driven Auth
    description: Use audit logs, custom message templates, MFA enforcement, and SOC 2 / GDPR controls to
      satisfy regulated-industry requirements.
- type: Integrations
  data:
  - name: AWS
    description: SaaS Builder Toolkit integration, Cognito migration, and IAM role assumption from GCP via
      OIDC GitHub Action.
  - name: Cloudflare
    description: Workers-based redirect worker for tenant-level SSO migration.
  - name: Terraform
    description: "Official `terraform-provider-descope` for managing projects, flows, tenants, and SSO declaratively."
  - name: Pulumi
    description: "Official `pulumi-descope` provider."
  - name: WordPress
    description: Descope auth plugin replacing native WordPress login.
  - name: Django
    description: "`django-descope` plugin for first-class Django auth integration."
  - name: Passport.js
    description: "`passport-descope` strategy for Node.js apps using Passport."
  - name: Next.js / React / Vue / Angular / SvelteKit
    description: "Client SDKs and Flow web components shipped under `descope-js`."
  - name: Salesforce / HubSpot / Segment / Twilio / SendGrid / Slack / S3 / Snowflake
    description: 50+ outbound connectors invoked from inside Flows to enrich users, send messages, and
      stream events.
  - name: Anthropic Claude / OpenAI / Cursor / MCP Clients
    description: Agentic Identity Hub issues short-lived, scoped tokens to AI agents via MCP server
      registration and per-agent OAuth.
- type: Solutions
  data:
  - name: Customer Identity (CIAM)
    description: Drop-in B2C authentication with Flows, passwordless methods, and progressive profiling.
  - name: Workforce-Adjacent B2B Identity
    description: SAML SSO, SCIM, delegated admin, and tenant management for SaaS vendors selling to
      enterprises.
  - name: Agentic Identity
    description: OAuth issuance, MCP server registration, and credential vaulting for AI agents and
      autonomous workflows.
  - name: Migration & Modernization
    description: Tooling to lift users off legacy IdPs (Auth0, Cognito, Firebase, Keycloak) onto a
      modern, passwordless-first platform.
- type: Portal
  url: https://www.descope.com
- type: Documentation
  url: https://docs.descope.com
created: '2026-05-25T00:00:00.000Z'
modified: '2026-05-25'
position: Consuming
description: Descope is a customer and agentic identity access management (CIAM) platform founded in 2022
  by veterans of Sentrigo and Demisto (acquired by Palo Alto Networks). Its signature is drag-and-drop
  Descope Flows — a visual authentication-flow builder — paired with passwordless methods (passkeys, magic
  link, OTP, social, biometric), risk-based MFA, SSO/SAML/SCIM, fine-grained authorization, and a growing
  Agentic Identity Hub that issues scoped OAuth tokens to AI agents and MCP servers. Descope ships SDKs for
  every mainstream language and framework, a CLI, Terraform/Pulumi providers, self-hostable hosted-auth
  app, and prebuilt migration tools from Auth0, Cognito, Firebase, and Keycloak. Free tier covers 7,500
  MAUs forever; paid tiers start at $249/month.
maintainers:
- FN: Kin Lane
  email: [email protected]
  X: apievangelist
  url: https://apievangelist.com
specificationVersion: '0.16'