Add CLI support for SCIM token management #3375

Open. Amelia Dong (ameliadong97) wants to merge 2 commits into main from adong/identity-6269-cli

@ameliadong97 Amelia Dong (ameliadong97) commented May 29, 2026

Release Notes

New Features

  • Added confluent organization scim-token commands to manage SCIM tokens for user provisioning via IdP.

Checklist

  • I have successfully built and used a custom CLI binary, without linter issues from this PR.
  • I have clearly specified in the What section below whether this PR applies to Confluent Cloud, Confluent Platform, or both.
  • I have verified this PR in Confluent Cloud pre-prod or production environment, if applicable.
  • I have verified this PR in Confluent Platform on-premises environment, if applicable.
  • I have attached manual CLI verification results or screenshots in the Test & Review section below.
  • I have added appropriate CLI integration or unit tests for any new or updated commands and functionality.
  • I confirm that this PR introduces no breaking changes or backward compatibility issues.
  • I have indicated the potential customer impact if something goes wrong in the Blast Radius section below.
  • I have put checkmarks below confirming that the feature associated with this PR is enabled in:
    • Confluent Cloud prod
    • Confluent Cloud stag
    • Confluent Platform
    • Check this box if the feature is enabled for certain organizations only

What

Applies to: Confluent Cloud only

This PR adds CLI support for SCIM token lifecycle management, enabling customers to create, list, and delete SCIM tokens programmatically.

New Commands:

  • confluent organization scim-token create [--expire-duration-mins <mins>] - Creates a new SCIM token with optional custom expiration (defaults to 6 months)
  • confluent organization scim-token list - Lists all SCIM tokens for the current organization
  • confluent organization scim-token delete <id> [--force] - Deletes a SCIM token by ID

Implementation:

  • Uses public SCIM token endpoints from ccloud-sdk-go-v2-internal (should eventually switch to ccloud-sdk-go-v2)
  • Follows standard CLI patterns for resource management (create/list/delete)
  • Includes multi-delete confirmation pattern for delete command
  • Supports human, JSON, and YAML output formats

Blast Radius

Low impact. This is a new feature with no changes to existing commands.

If something goes wrong:

  • Only customers attempting to use the new confluent organization scim-token commands would be affected
  • Existing SCIM integrations and token management via UI/API remain unaffected
  • No impact on other CLI commands

References

Test & Review

Testing completed:

  • Integration tests added with golden file validation for all commands and scenarios
  • Mock server handlers implemented for create/list/delete operations
  • make test passes
  • make lint passes
  • Built locally and verified command help output

Manual verification: Pending testing in dev/stag environment

Local verification:

➜  cli git:(adong/identity-6269-cli) alias confluent='./dist/confluent_darwin_arm64_v8.0/confluent'

// help menu
➜  cli git:(adong/identity-6269-cli) confluent organization scim-token --help
Manage organization scim tokens.

Usage:
  confluent organization scim-token [command]

Aliases:
  scim-token, st

Available Commands:
  create      Create an organization scim token.
  delete      Delete one or more organization scim tokens.
  list        List organization scim tokens.

Global Flags:
  -h, --help            Show help for this command.
      --unsafe-trace    Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
  -v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Use "confluent organization scim-token [command] --help" for more information about a command.

// help menu with alias
➜  cli git:(adong/identity-6269-cli) confluent organization st --help        
Manage organization scim tokens.

Usage:
  confluent organization scim-token [command]

Aliases:
  scim-token, st

Available Commands:
  create      Create an organization scim token.
  delete      Delete one or more organization scim tokens.
  list        List organization scim tokens.

Global Flags:
  -h, --help            Show help for this command.
      --unsafe-trace    Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
  -v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Use "confluent organization scim-token [command] --help" for more information about a command.


// create with default expiry and different output formats
➜  cli git:(adong/identity-6269-cli) confluent organization scim-token create
+-----------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ID              | cbb0d189-f3b6-43a1-be1b-1b15d040cc55                                                                                                                                                                                                                                                                                               |
| Connection Name | adong-sso-stag                                                                                                                                                                                                                                                                                                                     |
| Token           | cflt-scim_djIsyDZ2zcjZR_S4H3cf3nZIemlgQIBzSldmEUCo1oOSeCtOraPeAIFzxPoOhNppD9KDulXf9sDg8PWyeznfNcxbRq4M27J0BjqbDMFJhgiymKXsb5yx629tLc49zFKd8LohFv0C3dV78elEcdR80BodrERN2Y8rBZDfXankfstt2xaqOIumE4ltLFbLK-bNHbf3EfuAtK2TQU_h4sqtcoVqlvfD5kMqYCGiLrwYWmbsJRznMDiZz3_-GoEBy4GO9vt0z4GIDcYg2mfbCg6CTUqvZIPjT71Vuo71qOxA2bdiuou0cBUllTkt |
| Created At      | 2026-05-29T22:07:39Z                                                                                                                                                                                                                                                                                                               |
| Expires At      | 2026-11-25T22:07:39Z                                                                                                                                                                                                                                                                                                               |
+-----------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
➜  cli git:(adong/identity-6269-cli) confluent organization scim-token create -o json
{
  "id": "b8c70a78-9385-4d9f-a4be-81bd93ac6050",
  "connection_name": "adong-sso-stag",
  "token": "cflt-scim_djIA-KzsLgauaEKhaCFO86TfxXuyrsa6Gi1XT3uY-USR16RU3G5DHahOKcteuDcXxe7-2m2_xSqracWBsDCEX_CaQjNyRGiMk4QRQMp4k-4wPc_VxElAvbhhjk76i8MU2YSBuw25xJWIKhLOKFiPDySVSRWom2u-dxOOHIUltLdb15O9Dr4CSvPByqsFaITqOpCcRbnx0cz79gt5icW4pKEtRswX5lgGAoprB2p732-U4nFXPNI5ZxMCk4JELsybZu47EP_WcKUJbt956ILxwacklAtQa-IgmnQKenRmUDmwMUMxQ0HTLfhh",
  "created_at": "2026-05-29T22:08:10Z",
  "expires_at": "2026-11-25T22:08:10Z"
}
➜  cli git:(adong/identity-6269-cli) confluent organization scim-token create -o yaml                             
id: 5d012af8-e20f-4e8f-9ff6-ecbc355c1a37
connection_name: adong-sso-stag
token: cflt-scim_djLN4ARPANQBM8rp4que_PHbkLe4_c_nw1LzoRvrWhImXitrxAEqjvbspZaXmZM64tolmVJYklBsSsTMj4l_ddKBnfZMmVm8_OJRzZdzQ2hwG6dYL5o03VA_jJ4gy9zx0vW8QnxN3R6TDTAwwMIftWsP3Ix1RlpCxI-IarGWb4bw6kHleBCc3wKOc0G4N_iOFT57v-DmH1tOHaYCmuBLPEqe4ikqBdb2Es9vo1NZNXUE9CVyJwKOgvkUe6PiqOt8zUlfwAOTEPFkTHl2LWudJMdZtDesQvN2Xa0nRDpJWUf0cXHqtmG9buQu
created_at: "2026-05-29T22:08:51Z"
expires_at: "2026-11-25T22:08:51Z"

// list scim tokens
➜  cli git:(adong/identity-6269-cli) confluent organization scim-token list          
                   ID                  | Connection Name | Token |      Created At      |      Expires At       
---------------------------------------+-----------------+-------+----------------------+-----------------------
  1ca1d57a-b32c-48b5-9d6c-483d806c2edf | adong-sso-stag  |       | 2026-05-13T21:52:41Z | 2026-06-12T21:52:41Z  
  5d012af8-e20f-4e8f-9ff6-ecbc355c1a37 | adong-sso-stag  |       | 2026-05-29T22:08:51Z | 2026-11-25T22:08:51Z  
  b8c70a78-9385-4d9f-a4be-81bd93ac6050 | adong-sso-stag  |       | 2026-05-29T22:08:10Z | 2026-11-25T22:08:10Z  
  cbb0d189-f3b6-43a1-be1b-1b15d040cc55 | adong-sso-stag  |       | 2026-05-29T22:07:39Z | 2026-11-25T22:07:39Z  
  fdd7c637-cb96-4657-8368-949c69038872 | adong-sso-stag  |       | 2026-05-13T22:21:44Z | 2026-11-09T22:21:44Z  

// create with quota error
➜  cli git:(adong/identity-6269-cli) ✗ confluent organization scim-token create
Error: Your SSO connection is currently limited to 2 SCIM tokens

Suggestions:
    Look up Confluent Cloud service quota limits with confluent service-quota list.

// delete without force
➜  cli git:(adong/identity-6269-cli) confluent organization scim-token delete 5d012af8-e20f-4e8f-9ff6-ecbc355c1a37
Are you sure you want to delete organization scim token "5d012af8-e20f-4e8f-9ff6-ecbc355c1a37"? (y/n): y
Deleted organization scim token "5d012af8-e20f-4e8f-9ff6-ecbc355c1a37".

// delete with force
➜  cli git:(adong/identity-6269-cli) confluent organization scim-token delete --force b8c70a78-9385-4d9f-a4be-81bd93ac6050
Deleted organization scim token "b8c70a78-9385-4d9f-a4be-81bd93ac6050".

// create with custom expiry
➜  cli git:(adong/identity-6269-cli) confluent organization scim-token create --expire-duration-mins 43201 -o yaml
id: 68914253-e066-481b-9530-c0d25a39a716
connection_name: adong-sso-stag
token: cflt-scim_djL2KuX6qL0WU_BMwOZzrOl0br2uVZxYK1c_4XABsrugbedlgaWu-9fJGWY2pAC7_8YEyCx7L9EdEQo0pVoqC_oeqVsKj4n_1SJbLTp81AmI_HdN4AH8U5B-AOgKNqMqYcvA0_uHISakkdkwmJkwio9ZbueL0vBY87eEdgDZTUSCzU2oQX9V1BqkAFbEwoDtM3F0wRjWK1ekQTE8p-lg-SzQ95z6eZ94pXBQSy2SuEcKVvKbLSzOyfkfoYzJU9gB4xII_0W1_s_4OIBcUB3oQ7e5EWwLoFSaSsbGqA1yqU8FHwUje09E4b1Q
created_at: "2026-05-29T22:10:51Z"
expires_at: "2026-06-28T22:11:51Z"

// create with invalid expiry
➜  cli git:(adong/identity-6269-cli) ✗ confluent organization scim-token create --expire-duration-mins 60
Error: Expiration duration must be at least 43200 minutes
➜  cli git:(adong/identity-6269-cli) ✗ confluent organization scim-token create --expire-duration-mins 1000000000
Error: Expiration duration cannot exceed 1051200 minutes

// delete non existent token
➜  cli git:(adong/identity-6269-cli) ✗ confluent organization scim-token delete nonexistent
Are you sure you want to delete organization scim token "nonexistent"? (y/n): y
Error: failed to delete nonexistent: SCIM token not found

Copilot AI review requested due to automatic review settings May 29, 2026 22:01
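
An added example, not code from this PR: a Go expiry audit over the token list, for rotating SCIM tokens before the IdP's provisioning breaks. It assumes `confluent organization scim-token list -o json` emits an array of objects with the same fields as the `create -o json` output in the description; the sample IDs and timestamps are constructed, and `auditTokens`, the 14-day warning window and the 90-day lifetime policy are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Constructed sample; IDs and timestamps are illustrative, not real tokens.
const sampleList = `[
 {"id":"tok-a","connection_name":"example-sso","created_at":"2026-05-13T21:52:41Z","expires_at":"2026-06-12T21:52:41Z"},
 {"id":"tok-b","connection_name":"example-sso","created_at":"2026-05-29T22:07:39Z","expires_at":"2026-11-25T22:07:39Z"},
 {"id":"tok-c","connection_name":"example-sso","created_at":"2026-04-01T00:00:00Z","expires_at":"2026-05-01T00:00:00Z"}
]`

// scimToken mirrors the create -o json fields shown on the page. The "token"
// field is deliberately not mapped, so the secret is never held or printed.
type scimToken struct {
	ID        string    `json:"id"`
	CreatedAt time.Time `json:"created_at"`
	ExpiresAt time.Time `json:"expires_at"`
}

type finding struct{ ID, Reason string }

// auditTokens (hypothetical helper) flags tokens that are expired, that expire
// within warn, or whose total lifetime exceeds the maxLife policy.
func auditTokens(raw []byte, now time.Time, warn, maxLife time.Duration) ([]finding, error) {
	var tokens []scimToken
	if err := json.Unmarshal(raw, &tokens); err != nil {
		return nil, fmt.Errorf("parse token list: %w", err)
	}
	var out []finding
	for _, t := range tokens {
		left := t.ExpiresAt.Sub(now)
		switch {
		case left <= 0:
			out = append(out, finding{t.ID, "expired"})
		case left <= warn:
			out = append(out, finding{t.ID, fmt.Sprintf("expires in %d days", int(left.Hours()/24))})
		}
		if t.ExpiresAt.Sub(t.CreatedAt) > maxLife {
			out = append(out, finding{t.ID, "lifetime exceeds policy"})
		}
	}
	return out, nil
}

func main() {
	now := time.Date(2026, 6, 5, 0, 0, 0, 0, time.UTC) // fixed clock for a repeatable run
	findings, err := auditTokens([]byte(sampleList), now, 14*24*time.Hour, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.ID, f.Reason)
	}
}
```
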
@confluent-cla-assistant
🎉 All Contributor License Agreements have been signed. Ready to merge.
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.


Copilot AI left a comment

Pull request overview

Adds CLI support for organization SCIM token management, wiring new organization scim-token / org scim-token create, list, and delete commands into the existing authenticated Confluent Cloud command tree.

Changes:

  • Adds SCIM token create/list/delete command implementations backed by Org v2 SDK calls.
  • Adds test-server routes, integration/live tests, and golden fixtures for the new commands.
  • Bumps the Org SDK module and updates generator/lint metadata.

Reviewed changes

Copilot reviewed 24 out of 31 changed files in this pull request and generated 2 comments.

| File | Description |
|------|-------------|
| .cli-generation-checksum | Updates generated-code checksum. |
| cmd/lint/main.go | Adds vocabulary/proper noun entries for generated command text. |
| go.mod | Bumps ccloud-sdk-go-v2/org to include SCIM token APIs. |
| go.sum | Updates checksums for the bumped Org SDK. |
| internal/command.go | Passes config into the organization command constructor. |
| internal/organization/command.go | Registers the new SCIM token subcommand. |
| internal/organization/command_scim_token.go | Defines shared SCIM token command/output/autocomplete logic. |
| internal/organization/command_scim_token_create.go | Adds SCIM token creation command. |
| internal/organization/command_scim_token_delete.go | Adds SCIM token deletion command. |
| internal/organization/command_scim_token_list.go | Adds SCIM token listing command. |
| pkg/ccloudv2/org.go | Adds Org v2 SCIM token client wrapper methods. |
| test/fixtures/input/org/scim_token/create_scim_token.json | Adds fake create response fixture. |
| test/fixtures/input/org/scim_token/read_created_scim_token.json | Adds fake list response fixture. |
| test/fixtures/output/org/scim-token/create-expire-duration-mins.golden | Adds expected output for create with expiration flag. |
| test/fixtures/output/org/scim-token/create.golden | Adds expected output for default create. |
| test/fixtures/output/org/scim-token/delete-invalid.golden | Adds expected output for invalid delete case. |
| test/fixtures/output/org/scim-token/delete-multiple.golden | Adds expected output for multi-delete confirmation. |
| test/fixtures/output/org/scim-token/delete-no-force.golden | Adds expected output for prompted delete. |
| test/fixtures/output/org/scim-token/delete.golden | Adds expected output for forced delete. |
| test/fixtures/output/org/scim-token/list-json.golden | Adds expected JSON list output. |
| test/fixtures/output/org/scim-token/list-yaml.golden | Adds expected YAML list output. |
| test/fixtures/output/org/scim-token/list.golden | Adds expected human list output. |
| test/fixtures/output/organization/help.golden | Updates organization help to include SCIM token command. |
| test/fixtures/output/organization/scim-token/create-help.golden | Adds create help output. |
| test/fixtures/output/organization/scim-token/delete-help.golden | Adds delete help output. |
| test/fixtures/output/organization/scim-token/help.golden | Adds SCIM token help output. |
| test/fixtures/output/organization/scim-token/list-help.golden | Adds list help output. |
| test/live/scim_token_live_test.go | Adds live CRUD coverage for SCIM tokens. |
| test/scim_token_test.go | Adds integration tests for create/delete/list/autocomplete. |
| test/test-server/ccloudv2_router.go | Registers fake SCIM token API routes. |
| test/test-server/scim_token_handler.go | Adds fake SCIM token API handlers. |

Files not reviewed (6)
  • internal/organization/command_scim_token.go: Language not supported
  • internal/organization/command_scim_token_create.go: Language not supported
  • internal/organization/command_scim_token_delete.go: Language not supported
  • internal/organization/command_scim_token_list.go: Language not supported
  • test/live/scim_token_live_test.go: Language not supported
  • test/scim_token_test.go: Language not supported

Comment thread test/scim_token_test.go
{args: "org scim-token delete id-1 --force", fixture: "org/scim-token/delete.golden"},
{args: "org scim-token delete id-1", input: "y\n", fixture: "org/scim-token/delete-no-force.golden"},
{args: "org scim-token delete id-1 id-2", input: "y\n", fixture: "org/scim-token/delete-multiple.golden"},
{args: "org scim-token delete invalid", fixture: "org/scim-token/delete-invalid.golden", exitCode: 1},
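Review bot: The `delete invalid` case on the last line passes neither `--force` nor an `input`, while the local verification in the description shows the confirmation prompt being answered before the `SCIM token not found` error comes back. Either supply `input: "y\n"` so the golden file records the prompt-then-error path, or add a `delete invalid --force` case, so the test pins down which behaviour is expected for an unknown ID. A multi-delete case in which one of the two IDs is unknown would also be worth adding, since the lines shown only cover `id-1 id-2`.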
Comment thread test/scim_token_test.go
func (s *CLITestSuite) TestOrgScimTokenCreate() {
tests := []CLITest{
{args: "org scim-token create", fixture: "org/scim-token/create.golden"},
{args: "org scim-token create --expire-duration-mins 259200", fixture: "org/scim-token/create-expire-duration-mins.golden"},
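Review bot: The create cases shown cover only the default and one in-range value (`--expire-duration-mins 259200`); nothing in these lines exercises the rejection paths the description demonstrates by hand, a value below 43200 and a value above 1051200. Add one case per bound with `exitCode: 1` and its own golden fixture, and have the mock handler return the matching errors, so a regression in bound handling or error rendering is caught by `make test`. The quota error ("limited to 2 SCIM tokens") shown in the description is a third failure path that deserves the same treatment.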
@ameliadong97 Amelia Dong (ameliadong97) marked this pull request as ready for review May 29, 2026 22:17
@ameliadong97 Amelia Dong (ameliadong97) requested a review from a team as a code owner May 29, 2026 22:17
… word

Capitalize "organization" to "Organization" in the SCIM token command
descriptions and the login long description, and add "mins" to the
vocabWords list so --expire-duration-mins passes the word check.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>