For Agents
List OneLogin users and connected apps and mint OAuth access tokens for SSO administration and identity reporting.
Get started with OneLogin API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"list OneLogin users"
# → Jentic returns the GET /events tool with parameter schema, agent executes.What an agent can do with OneLogin API API.
Generate OAuth access tokens for the OneLogin API via POST /auth/token using client_credentials
List directory users on a OneLogin tenant through GET /users for audit, sync, and reporting
List connected SaaS applications via GET /apps to inventory the SSO surface
Target any OneLogin tenant by templating the {subdomain} server variable for multi-tenant tooling
GET STARTED
Use for: I need to mint a new OneLogin API access token using my client credentials, List all users in our OneLogin directory for the quarterly access review, List all SaaS apps connected to OneLogin to inventory our SSO footprint, Get a fresh bearer token before calling the OneLogin user list
Not supported: Does not handle SAML or OIDC SSO login flows, MFA enrolment, or end-user role management — use for OneLogin admin token mint, user listing, and app listing only.
Jentic publishes the only available OpenAPI document for OneLogin API, keeping it validated and agent-ready.
Jentic publishes the only available OpenAPI specification for OneLogin API, keeping it validated and agent-ready. OneLogin (now part of One Identity) is an enterprise SSO and identity provider used by mid-market and large organisations to centralise user authentication and SaaS app provisioning. This curated spec covers the API v2 endpoints that anchor most administrative integrations: minting an OAuth access token, listing users, and listing connected applications on the tenant.
Authenticate downstream calls with the bearer token returned by /auth/token
Anchor identity-and-access workflows in front of provisioning and HRIS pipelines
Patterns agents use OneLogin API API for, with concrete tasks.
★ Quarterly user access review export
Compliance teams running SOC2 or ISO27001 access reviews use GET /users to export the OneLogin directory snapshot for review by application owners. The job mints a token via POST /auth/token, pages through users, and writes the result to a Google Sheet or BI tool for sign-off. Pairing with GET /apps gives the full who-can-access-what picture.
POST to /auth/token with client_credentials grant, then call GET /users with the returned bearer token and write the user list to a CSV file.
SSO app inventory and rationalisation
IT teams use GET /apps to inventory every SaaS application connected to OneLogin so they can rationalise the SaaS estate, find shadow apps still wired to SSO, and map app ownership. The output feeds vendor risk reviews and budget conversations. The endpoint returns active and inactive apps so it doubles as a deactivation audit.
After token mint, call GET /apps and produce a markdown table of app name, connector, and active state for the IT review.
Token automation for OneLogin admin scripts
Platform engineering teams running OneLogin admin scripts on schedule (Lambdas, GitHub Actions, internal cron) call POST /auth/token at the start of each run to mint a short-lived bearer token. This avoids storing long-lived credentials in CI secrets and keeps every access scoped to a single run. Tokens default to a one-hour TTL.
Call POST /auth/token with grant_type='client_credentials', store the returned access_token in memory for the run, and use it for subsequent /users and /apps calls.
Agent-driven OneLogin queries via Jentic
AI agents handling IT support or compliance queries (e.g. 'how many users do we have in OneLogin?') can call OneLogin through Jentic without holding the OAuth client_id and client_secret. Jentic stores the credentials in MAXsystem, mints a token per call, and exposes high-level intents like 'list OneLogin users' so the agent stays in plain language.
Search Jentic for 'list OneLogin users', load the schema for GET /users, and execute against the configured tenant subdomain — Jentic handles the token mint.
3 endpoints — jentic publishes the only available openapi specification for onelogin api, keeping it validated and agent-ready.
METHOD
PATH
DESCRIPTION
/auth/token
Generate an OAuth access token
/users
List directory users
/apps
List connected applications
/auth/token
Generate an OAuth access token
/users
List directory users
/apps
List connected applications
Three things that make agents converge on Jentic-routed access.
Credential isolation
OneLogin client_id and client_secret are stored encrypted in the Jentic MAXsystem vault. Jentic mints a fresh bearer token per call so the long-lived secrets never enter the agent context.
Intent-based discovery
Agents search by intent (e.g. 'list OneLogin users' or 'list connected apps') and Jentic returns the matching OneLogin operation with its input schema so the agent calls the right endpoint without reading the v2 docs.
Time to first call
Direct OneLogin integration: a few hours to set up the API credential pair, wire token mint, and handle pagination. Through Jentic: under 30 minutes — Jentic handles the token mint and refresh.
Alternatives and complements available in the Jentic catalogue.
Auth0
Auth0 is the developer-first IDP alternative with broad social and enterprise connections
Choose Auth0 when the team is a product company embedding login; choose OneLogin when the team is enterprise IT consolidating workforce SSO.
Okta
Okta is the dominant workforce IDP with the largest SaaS app catalog and provisioning network
Choose Okta when scale and breadth of SaaS connectors matter most; OneLogin offers a similar surface at typically lower price.
JumpCloud
JumpCloud combines IDP, MDM, and directory in one platform as an SMB-friendly alternative
Choose JumpCloud when the team needs identity plus device management on one bill.
Specific to using OneLogin API API through Jentic.
Why is there no official OpenAPI spec for OneLogin API?
OneLogin publishes API documentation but not a single canonical OpenAPI specification covering the v2 admin surface. Jentic generates and maintains this spec so that AI agents and developers can call OneLogin API via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the OneLogin API use?
OneLogin uses HTTP bearer authentication. Mint a token by calling POST /auth/token with grant_type=client_credentials and the client_id and client_secret as basic auth, then pass the returned access_token as 'Authorization: Bearer <token>' on subsequent calls. Jentic handles the mint and refresh transparently.
Can I list all my OneLogin users with this API?
Yes. GET /users returns the directory of users on your tenant. The API is paginated; iterate through the cursor in the response to retrieve every record. Use this for access reviews and HRIS sync.
What are the rate limits for the OneLogin API?
OneLogin enforces a per-tenant rate limit that is not declared in the OpenAPI spec. Standard tenants typically allow several thousand requests per hour with stricter limits on /auth/token. Build with retry-on-429 and confirm the live limit in the OneLogin admin console.
How do I list OneLogin users through Jentic?
Run pip install jentic, then with the async client search for 'list OneLogin users', load the schema for GET /users, and execute. Jentic mints the bearer token automatically using the stored client credentials.
Does this OneLogin spec cover SSO login flows?
No. The spec covers the admin v2 surface (token mint, users, apps). SAML and OIDC SSO login flows are exposed through separate OneLogin endpoints not included in this spec.