For Agents
Manage JumpCloud users, devices, groups, applications, policies, and directory bindings programmatically. Useful for agents that automate joiner/mover/leaver workflows or device fleet operations.
Get started with JumpCloud API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"create a jumpcloud user"
# → Jentic returns the GET /events tool with parameter schema, agent executes.What an agent can do with JumpCloud API API.
Provision a new user and bind them to user groups, applications, and systems
Manage user-to-system, user-to-group, and group-to-application associations through the JumpCloud Graph
Push policies to system groups (FDE, screen lock, password complexity) and inspect aggregated policy stats
Enroll and unenroll Apple MDM and Microsoft MDM devices and pull device inventory
GET STARTED
Use for: Create a new JumpCloud user for a new hire, Add a user to the engineering user group, Bind a user group to the GitHub SSO application, List all systems in the macOS-laptops system group
Not supported: Does not handle endpoint security telemetry, ticketing, or HRIS source-of-record changes — use for JumpCloud directory, device, and policy administration only.
Jentic publishes the only available OpenAPI document for JumpCloud API, keeping it validated and agent-ready.
The JumpCloud V2 API is the management interface for JumpCloud's open directory platform, used to administer users, devices (Mac/Windows/Linux/Apple MDM/Microsoft MDM), groups, applications, policies, and identity provider integrations from a single control plane. The 416 endpoints cover the JumpCloud Graph (objects, groupings, mappings, associations) plus targeted resources such as Active Directory bindings, RADIUS and LDAP servers, SSO applications, software apps, password manager, and SCIM/Workday/Office 365 imports. Use it to automate joiner/mover/leaver flows, device enrollment, and policy assignment.
Configure RADIUS and LDAP servers and bind users and user groups to them
Run SCIM, Workday, Office 365, or G Suite imports to seed or sync the directory
Process access requests with create, update, and revoke flows
Patterns agents use JumpCloud API API for, with concrete tasks.
★ Joiner Automation from HRIS
When a new hire is created in the HRIS, an agent calls POST to the users resource to provision a JumpCloud account, then uses the JumpCloud Graph association endpoints to bind the user to the appropriate user groups, system groups, and SSO applications based on department. The hire arrives day one with email, laptop policies, and SSO apps already wired up, and the entire flow is auditable through standard logs.
Create a JumpCloud user with email new.hire@example.com, then create an association from that user to the engineering user group via the JumpCloud Graph.
Leaver Automation
On termination, an agent runs a sequence: unbind the user from all groups, suspend or delete the user, revoke any open access requests, and lock or wipe MDM-enrolled devices. The full lifecycle stays inside JumpCloud rather than spread across discrete tools, which closes the audit gap that often exists between an HRIS event and SSO de-provisioning.
On termination of user 12345, list and remove their group associations via the JumpCloud Graph, call POST /accessrequests/{accessId}/revoke for any active requests, then delete the user.
Device Fleet Reporting
Pull a fleet inventory from JumpCloud and System Insights for compliance reporting. The agent enumerates systems and Apple/Microsoft MDM devices, joins by user assignment, and emits a CSV or pushes to a SIEM. This gives security and IT a current device-to-user mapping without screen-scraping the JumpCloud admin console.
Page through the systems and applemdms device endpoints, join with user bindings, and emit a fleet-2026-q2.csv with columns user_email, device_serial, os, last_contact.
AI Agent IT Operations via Jentic
Give a help-desk assistant the ability to look up users, reset access, and run small lifecycle changes in JumpCloud. The agent searches Jentic for create a jumpcloud user, loads the operation schema, and executes it with the x-api-key isolated in the Jentic vault. Because JumpCloud has 416 endpoints, intent-based discovery is the difference between a usable assistant and one that hallucinates resource names.
Through Jentic, search create a jumpcloud user, load the matching POST schema, and execute it for the new hire's name and email.
416 endpoints — the jumpcloud v2 api is the management interface for jumpcloud's open directory platform, used to administer users, devices (mac/windows/linux/apple mdm/microsoft mdm), groups, applications, policies, and identity provider integrations from a single control plane.
METHOD
PATH
DESCRIPTION
/accessrequests
Create an access request
/accessrequests/{accessId}/revoke
Revoke an access request
/activedirectories
List Active Directory integrations
/activedirectories/{activedirectory_id}/associations
Manage AD associations
/applemdms/{apple_mdm_id}/devices
List Apple MDM devices
/administrators/{id}/organizationlinks
Grant administrator access to an organization
/accessrequests
Create an access request
/accessrequests/{accessId}/revoke
Revoke an access request
/activedirectories
List Active Directory integrations
/activedirectories/{activedirectory_id}/associations
Manage AD associations
/applemdms/{apple_mdm_id}/devices
List Apple MDM devices
Three things that make agents converge on Jentic-routed access.
Credential isolation
JumpCloud x-api-key values are stored encrypted in the Jentic vault and added to the x-api-key header server-side. Agents call operations through scoped Jentic tokens; the raw key never enters the agent's context.
Intent-based discovery
Agents search Jentic by intent (for example, create a jumpcloud user) and Jentic returns the matching JumpCloud operation with its input schema — important given the 416-endpoint surface area.
Time to first call
Direct JumpCloud integration: 3-5 days to model the Graph associations and per-resource bindings. Through Jentic: under 1 hour for a single workflow — search, load schema, execute.
Alternatives and complements available in the Jentic catalogue.
Okta API
Okta is a hosted workforce and customer identity platform with deep SSO, lifecycle, and policy features
Pick Okta when the focus is enterprise SSO and identity governance; pick JumpCloud when device management, RADIUS, and LDAP are required from one platform.
OneLogin API
OneLogin is a unified access management platform competing in workforce SSO
Pick OneLogin for SSO-centric workforce identity; pick JumpCloud when device and directory features are part of the mandate.
Jamf API
Jamf is a dedicated Apple device management platform
Use Jamf alongside JumpCloud when Apple-fleet specifics need Jamf's depth while user identity stays in JumpCloud.
Specific to using JumpCloud API API through Jentic.
What authentication does the JumpCloud API use?
It uses an API key passed in the x-api-key header. Keys are issued from the JumpCloud admin console and scoped to the calling administrator's permissions. Through Jentic the key lives in the vault and is added server-side, so the raw key never enters the agent's prompt.
Can I bind a user to a group through the API?
Yes. JumpCloud models bindings as Graph associations. POST to /usergroups/{group_id}/members or use the JumpCloud Graph association endpoints under /v2 to attach and detach users from user groups, and the same pattern applies to system-to-group and group-to-application bindings.
How do I enroll an Apple device in JumpCloud MDM?
Configure the Apple MDM resource (POST to /applemdms-related setup endpoints) to upload the CSR and DEP key, then enroll devices via the standard Apple Business Manager flow. The API exposes /applemdms/{apple_mdm_id}/devices for listing and /applemdms/{apple_mdm_id}/devices/{device_id} (DELETE) to remove enrollment.
What are the rate limits for the JumpCloud API?
JumpCloud applies per-organization rate limits and recommends exponential backoff on HTTP 429 responses. The exact thresholds are documented in JumpCloud's Help Center; agents should respect Retry-After headers and retry idempotent calls only.
Can I revoke an access request via the API?
Yes. POST /accessrequests/{accessId}/revoke revokes a previously approved or pending access request. This is the supported path for offboarding flows that need to undo just-in-time access alongside disabling the user.
How do I provision a JumpCloud user through Jentic?
Run pip install jentic, then await client.search('create a jumpcloud user'), load the matching operation schema, and execute it. The underlying call creates the user and the follow-up search create a jumpcloud graph association covers binding them into groups.
/administrators/{id}/organizationlinks
Grant administrator access to an organization