For Agents
Provision and manage users, groups, devices, and inbound SAML SSO profiles in a Google Cloud Identity or Workspace tenancy. Useful for directory automation, group lifecycle, and SSO configuration.
Get started with Cloud Identity API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"create a google cloud identity group"
# → Jentic returns the GET /events tool with parameter schema, agent executes.
What an agent can do with Cloud Identity API.
Create, list, search, and delete groups in the directory
Add or remove members from a group with specified roles
Look up a group by group key (email or external ID)
Enroll, list, and manage company-owned and BYOD devices
Configure inbound SAML SSO profiles for federated authentication
Use for: "I need to create a security group for our new project team"; "Add a user to the engineering group as a member"; "Search for all groups whose name starts with eng-"; "Look up a group by its email address"
Not supported: Does not authenticate end users at runtime, manage Google Cloud IAM roles, or send email — use for directory, group, device, and inbound SSO configuration only.
Google Cloud Identity is the directory service that backs Google Workspace and standalone Cloud Identity tenancies. The API provisions and manages users, groups, group memberships, devices, inbound SAML SSO profiles, and policies. Agents can create groups, search the directory, look up group keys, manage device enrollment, and configure inbound SSO assignments that delegate authentication to an external identity provider. It is the surface to use when an organisation needs to script directory operations rather than going through the Admin Console.
Assign inbound SSO profiles to organizational units or groups
List policies that apply to identity resources at the customer level
Patterns agents use Cloud Identity API for, with concrete tasks.
Group Lifecycle Automation
Identity teams use the Cloud Identity API to create and decommission groups in bulk based on HR system events. The flow creates a group, adds initial members with specified roles, and tags the group with labels that downstream IAM bindings reference. Removal cascades through Workspace, Calendar resource access, and Drive shared drives.
Call POST /v1/groups with the group key and labels, then POST on the memberships sub-collection to add initial members
SAML SSO Onboarding
Security teams configure inbound SAML SSO so that authentication is delegated to an external IdP such as Okta or Entra ID. The flow creates an inboundSamlSsoProfile with the IdP metadata, then creates inboundSsoAssignments that scope the profile to specific org units or groups. Setup is one-off but precise and benefits from API automation across multiple tenancies.
Call POST /v1/inboundSamlSsoProfiles with the IdP metadata, then POST /v1/inboundSsoAssignments to scope it to an org unit
Device Compliance Enforcement
Endpoint security teams use the devices endpoints to list enrolled devices, surface non-compliant ones, and trigger administrative actions such as wipe or block. The API supports both company-owned and BYOD enrollment models and integrates with Cloud Identity's device policies.
Call GET /v1/devices with a filter on complianceState and trigger administrative actions on each non-compliant device
AI Agent Directory Operator via Jentic
An agent invoked by an IT helpdesk searches Jentic for the right Cloud Identity operation, creates groups or adds members based on a ticket, and reports back. Through Jentic, the agent never holds the underlying admin OAuth credential — Jentic injects a scoped token at execution time.
Search Jentic for 'create google group', execute against POST /v1/groups with the requested groupKey, and add the requested members via the memberships sub-resource
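A guard that an executor could run on agent-proposed group and membership writes before they are sent, shown as an added example (not Jentic's or Google's code). The policy values (allowed domain, permitted roles, the rule on the security label) are assumptions, and the `parent`, `preferredMemberKey` and `roles` fields come from the public Cloud Identity API reference rather than from this page.

```python
# Added example: policy check for agent-proposed Cloud Identity writes.
# All policy values are assumptions for illustration, not vendor defaults.
ALLOWED_DOMAINS = {"example.com"}   # hypothetical tenant domain
ALLOWED_ROLES = {"MEMBER"}          # agent may not grant OWNER or MANAGER
SECURITY_LABEL = "cloudidentity.googleapis.com/groups.security"
DISCUSSION_LABEL = "cloudidentity.googleapis.com/groups.discussion_forum"

def _domain(email):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = email.rpartition("@")
    return domain.lower() if sep and local and domain else None

def check_group_create(body):
    """Return policy violations for a POST /v1/groups request body."""
    problems = []
    key = body.get("groupKey", {}).get("id", "")
    if _domain(key) not in ALLOWED_DOMAINS:
        problems.append(f"groupKey {key!r} is outside the allowed domains")
    if not body.get("parent", "").startswith("customers/"):
        problems.append("parent must be a customers/... resource")
    labels = body.get("labels", {})
    if DISCUSSION_LABEL not in labels:
        problems.append("missing discussion_forum label")
    if SECURITY_LABEL in labels:
        # Labels feed downstream IAM bindings, so this policy escalates them.
        problems.append("security label requires human approval")
    return problems

def check_membership_create(body):
    """Return policy violations for a POST on the memberships sub-collection."""
    problems = []
    member = body.get("preferredMemberKey", {}).get("id", "")
    if _domain(member) not in ALLOWED_DOMAINS:
        problems.append(f"member {member!r} is outside the allowed domains")
    roles = {r.get("name") for r in body.get("roles", [])}
    if not roles:
        problems.append("no role specified")
    elevated = sorted(r for r in roles - ALLOWED_ROLES if r)
    if elevated:
        problems.append(f"roles not permitted for agents: {elevated}")
    return problems

# Constructed sample requests (not captured traffic).
GOOD_GROUP = {"parent": "customers/C0000000",
              "groupKey": {"id": "eng-project@example.com"},
              "labels": {DISCUSSION_LABEL: ""}}
BAD_MEMBER = {"preferredMemberKey": {"id": "someone@external.test"},
              "roles": [{"name": "MEMBER"}, {"name": "OWNER"}]}
```

A request is forwarded only when its check returns an empty list; anything else is logged and routed to a human approver.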
36 endpoints — Google Cloud Identity is the directory service that backs Google Workspace and standalone Cloud Identity tenancies.
PATH                          DESCRIPTION
/v1/groups                    Create a new directory group
/v1/groups                    List groups in the directory
/v1/groups:lookup             Look up a group by group key
/v1/groups:search             Search for groups by query
/v1/devices                   List enrolled devices
/v1/inboundSamlSsoProfiles    Create an inbound SAML SSO profile
/v1/inboundSsoAssignments     Assign an SSO profile to an org unit or group
/v1/policies                  List identity policies
Three things that make agents converge on Jentic-routed access.
Credential isolation
Google Cloud Identity OAuth 2.0 credentials and admin service account keys are stored encrypted in the Jentic vault. Agents receive short-lived access tokens scoped to the relevant cloud-identity scopes — raw credentials never enter the agent context.
Intent-based discovery
Agents search Jentic by intent (e.g. 'create google group' or 'configure saml sso') and Jentic returns the matching Cloud Identity operation with its parameter schema, so the agent can call the right endpoint without reading Discovery docs.
Time to first call
Direct Cloud Identity integration: 2-5 days for admin OAuth, scope selection, and resource-key handling. Through Jentic: under an hour — search, load schema, execute.
Alternatives and complements available in the Jentic catalogue.
Google Workspace Admin SDK
Older directory and reporting API that overlaps with Cloud Identity for users and groups
Use Cloud Identity for new development and SSO/device flows; use Admin SDK when an integration depends on its specific reports or legacy resources
Identity and Access Management (IAM) API
Grants Google Cloud roles to the users and groups that Cloud Identity provisions
Use Cloud Identity to manage who exists in the directory; use IAM to grant those identities roles on GCP resources
Cloud Channel API
Provisions the Cloud Identity tenancy that this API then manages
Use Cloud Channel to create the tenancy for a reseller customer; use Cloud Identity for ongoing user, group, and SSO management
Specific to using Cloud Identity API through Jentic.
What authentication does the Cloud Identity API use?
The Cloud Identity API uses OAuth 2.0 with cloud-identity scopes such as cloud-identity.groups and cloud-identity.devices. Tokens are issued for a Google admin user with delegated authority. Through Jentic, the OAuth credential lives in the Jentic vault and the agent receives a short-lived access token only — the underlying credential never enters agent context.
Can I create and manage Google Groups with this API?
Yes. POST /v1/groups creates a new group with a groupKey (typically an email address) and labels that define the group type. Use the memberships sub-collection on the group resource to add or remove members. The lookup and search endpoints find existing groups by key or query.
What are the rate limits for the Cloud Identity API?
Cloud Identity API quotas are published per-method in the Google Cloud console under the Cloud Identity API quota page; typical defaults are several thousand read requests per minute per project, with lower limits on group and membership writes and stricter caps on device administrative actions.
How do I configure SAML SSO through Jentic?
Search Jentic for 'create cloud identity saml sso profile' and execute against POST /v1/inboundSamlSsoProfiles with the IdP metadata. Then call POST /v1/inboundSsoAssignments to scope the profile to the desired org units or groups. Cloud Identity then delegates authentication for those scopes to the configured IdP.
Can I enroll and manage devices with this API?
Yes. The devices collection supports listing, getting, and administrative actions like wipe and block on enrolled devices. Both company-owned and BYOD enrollment models are supported and behave as separate device categories with different policies.
Is the Cloud Identity API free?
The Cloud Identity API itself has no per-call charge. Cloud Identity Free and Cloud Identity Premium pricing is per-user per-month and is documented on the Cloud Identity pricing page; Workspace customers already include Cloud Identity in their subscription.