Add CLI support for SCIM token management #3369

Open
Amelia Dong (ameliadong97) wants to merge 2 commits into main from adong/identity-6269-cli

@ameliadong97
Member

Release Notes

New Features

  • Added confluent organization scim-token commands to manage SCIM tokens for user provisioning via IdP.

Checklist

  • I have successfully built and used a custom CLI binary, without linter issues from this PR.
  • I have clearly specified in the What section below whether this PR applies to Confluent Cloud, Confluent Platform, or both.
  • I have verified this PR in Confluent Cloud pre-prod or production environment, if applicable.
  • I have verified this PR in Confluent Platform on-premises environment, if applicable.
  • I have attached manual CLI verification results or screenshots in the Test & Review section below.
  • I have added appropriate CLI integration or unit tests for any new or updated commands and functionality.
  • I confirm that this PR introduces no breaking changes or backward compatibility issues.
  • I have indicated the potential customer impact if something goes wrong in the Blast Radius section below.
  • I have put checkmarks below confirming that the feature associated with this PR is enabled in:
    • Confluent Cloud prod
    • Confluent Cloud stag
    • Confluent Platform
    • Check this box if the feature is enabled for certain organizations only

What

Applies to: Confluent Cloud only

This PR adds CLI support for SCIM token lifecycle management, enabling customers to create, list, and delete SCIM tokens programmatically.

New Commands:

  • confluent organization scim-token create [--expire-duration-mins <mins>] - Creates a new SCIM token with optional custom expiration (defaults to 6 months)
  • confluent organization scim-token list - Lists all SCIM tokens for the current organization
  • confluent organization scim-token delete <id> [--force] - Deletes a SCIM token by ID

Implementation:

  • Uses public SCIM token endpoints from ccloud-sdk-go-v2-internal (should eventually switch to ccloud-sdk-go-v2)
  • Follows standard CLI patterns for resource management (create/list/delete)
  • Includes multi-delete confirmation pattern for delete command
  • Supports human, JSON, and YAML output formats

Blast Radius

Low impact. This is a new feature with no changes to existing commands.

If something goes wrong:

  • Only customers attempting to use the new confluent organization scim-token commands would be affected
  • Existing SCIM integrations and token management via UI/API remain unaffected
  • No impact on other CLI commands

References

Test & Review

Testing completed:

  • Integration tests added with golden file validation for all commands and scenarios
  • Mock server handlers implemented for create/list/delete operations
  • make test passes
  • make lint passes
  • Built locally and verified command help output

Manual verification: Pending testing in dev/stag environment

Local verification:

➜  cli git:(adong/identity-6269-cli) alias confluent='./dist/confluent_darwin_arm64_v8.0/confluent'

// help menu
➜  cli git:(adong/identity-6269-cli) confluent organization scim-token --help
Manage organization scim tokens.

Usage:
  confluent organization scim-token [command]

Aliases:
  scim-token, st

Available Commands:
  create      Create an organization scim token.
  delete      Delete one or more organization scim tokens.
  list        List organization scim tokens.

Global Flags:
  -h, --help            Show help for this command.
      --unsafe-trace    Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
  -v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Use "confluent organization scim-token [command] --help" for more information about a command.


// list scim tokens
➜  cli git:(adong/identity-6269-cli) ✗ confluent organization scim-token list
                   ID                  | Connection Name | Token |      Created At      |      Expires At       
---------------------------------------+-----------------+-------+----------------------+-----------------------
  1ca1d57a-b32c-48b5-9d6c-483d806c2edf | adong-sso-stag  |       | 2026-05-13T21:52:41Z | 2026-06-12T21:52:41Z  
  fdd7c637-cb96-4657-8368-949c69038872 | adong-sso-stag  |       | 2026-05-13T22:21:44Z | 2026-11-09T22:21:44Z  

// create with default expiry
➜  cli git:(adong/identity-6269-cli) ✗ confluent organization scim-token create
+-----------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ID              | ddfcf6ff-aee8-4791-aa52-329dd9fb0ff8                                                                                                                                                                                                                                                                                               |
| Connection Name | adong-sso-stag                                                                                                                                                                                                                                                                                                                     |
| Token           | cflt-scim_djIQF1OV5TQHeATZuuHjxxi5Cfvhoi0-H1QQNLFvO_T6U1CokEzUJFMb-Tc2jhwNhALngHmmmVJo3TQqTolaKUjcsvByAEmkcVOwTnLkwqQ_HeaIVGZyGZcLSLHw3UvUzcj6AOgtbayFfSTSNp1546AGFMw8xxB4dd_GQlqhX2_Vs2IbqZ8e1y-HcXl84jwgN6RKwRHwe2Zbf-tMUf6der2KlEgYG0QF3xOexVR5NogR3aIKWj5yJsWXm9gywN7QcIasuNHfWZx_E4cncFLzz6eJSjJ7cG4DONGo9HlMeyJZIpct2lTKEhb6 |
| Created At      | 2026-05-24T00:35:54Z                                                                                                                                                                                                                                                                                                               |
| Expires At      | 2026-11-20T00:35:54Z                                                                                                                                                                                                                                                                                                               |
+-----------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
➜  cli git:(adong/identity-6269-cli) ✗ confluent organization scim-token create -o json
{
  "id": "0b3fad1f-aedf-44c9-bdf4-6b2091ca00a3",
  "connection_name": "adong-sso-stag",
  "token": "cflt-scim_djID9_ENA2aZg9_ZX5bjWGRINTYVcA2WVCaF2YiVGIPp_ZLAYVOLrV0A4QKH7DE3RG6nYdH5czAPe6QPtB5gEej5LkDtDaBCK0R1uq5Z1JmJJCeuHue1iZcScBDFbcl6hPQcBrjpcrafZprRGWU0Ygf701txduwOC7U6ZCfEJ_fhFRjZoxVAQnhdLc5HncDcI5drWmVgpt0yeOAauB2p_SI44xNx83z_cst3nwHKwkD_SXIzApLvjn4XHsa0HWD56SpSwgPhkyHZ12umUZceTNhT96ezp6HW1qg_lmbfmwysGz7_pr42YYv1",
  "created_at": "2026-05-24T00:36:02Z",
  "expires_at": "2026-11-20T00:36:02Z"
}
➜  cli git:(adong/identity-6269-cli) ✗ confluent organization scim-token create -o yaml
id: 2ff78dc5-6458-4202-9fb1-2a1fb8e389f0
connection_name: adong-sso-stag
token: cflt-scim_djKlCG54-e9ZSz2KNGzS_tub2bOUye5TUsZUJDfDa0DbDopQAHNCHxwJ6PIVDCUfOGQ9Io7EuPxQk0KeG1mJu5geqlEh3gYYXGQK8IbpCD16ZlhfXVn2AqTfRy3Wm5e5oOMepvUO3NtpP96UzSHi3hT_OJ0G9Sk6wInNhmM2Ru2Ud7C6K6vCNMGujsW0WWeMp88llwVPU_OSHfSJD7F6P5lxWOac9HZYVohMzQOSpMYEAdQAK_OPt7WSu_g2epmg_Hq9HZszWrVT4Ky7K6oWEnMCcbFOLfjCNe1u7za-1QTNko2jWFchzi2Z
created_at: "2026-05-24T00:36:09Z"
expires_at: "2026-11-20T00:36:09Z"

// create with quota error
➜  cli git:(adong/identity-6269-cli) ✗ confluent organization scim-token create
Error: Your SSO connection is currently limited to 2 SCIM tokens

Suggestions:
    Look up Confluent Cloud service quota limits with confluent service-quota list.

// delete without force
➜  cli git:(adong/identity-6269-cli) ✗ confluent organization scim-token delete 0b3fad1f-aedf-44c9-bdf4-6b2091ca00a3
Are you sure you want to delete organization scim token "0b3fad1f-aedf-44c9-bdf4-6b2091ca00a3"? (y/n): y
Deleted organization scim token "0b3fad1f-aedf-44c9-bdf4-6b2091ca00a3".

// delete with force
➜  cli git:(adong/identity-6269-cli) ✗ confluent organization scim-token delete --force 2ff78dc5-6458-4202-9fb1-2a1fb8e389f0
Deleted organization scim token "2ff78dc5-6458-4202-9fb1-2a1fb8e389f0".

// create with custom expiry
➜  cli git:(adong/identity-6269-cli) ✗ confluent organization scim-token create --expire-duration-mins 43201
+-----------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ID              | aca4b4fb-7e37-4994-b265-b8cb144a6a03                                                                                                                                                                                                                                                                                               |
| Connection Name | adong-sso-stag                                                                                                                                                                                                                                                                                                                     |
| Token           | cflt-scim_djIrM2tLW0mriNLINN1eUin6T4exCbmF5HbsvGEI1mLvx5wWL1Y0vvPRokBuupnmis-8f1fM5ArOUNlbrH0JoPcKV5K04KrX8uUg1Whb4Ac_P6ZYGpte-OMo4s4HOhPvlZpT4CiCtmB3r6BHkC1_TjiqdvavEK-8JFzp5FKpAdBmpVZfCIrpLw4t3F8hFKQloDdXQa6vaJd_VEp8S3Dayi_5Zz03aOsZhf1L6oKVSsz6TVepk1EtVO4Q3PK9NF7f7EWb7RAczdGD0KvfpTSah2O3y8rH2SuB9eIhnQcHcJ0xVt-h2Mf7WRcW |
| Created At      | 2026-05-24T00:37:40Z                                                                                                                                                                                                                                                                                                               |
| Expires At      | 2026-06-23T00:38:40Z                                                                                                                                                                                                                                                                                                               |
+-----------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

// create with invalid expiry
➜  cli git:(adong/identity-6269-cli) ✗ confluent organization scim-token create --expire-duration-mins 60
Error: Expiration duration must be at least 43200 minutes
➜  cli git:(adong/identity-6269-cli) ✗ confluent organization scim-token create --expire-duration-mins 1000000000
Error: Expiration duration cannot exceed 1051200 minutes

// delete non existent token
➜  cli git:(adong/identity-6269-cli) ✗ confluent organization scim-token delete nonexistent
Are you sure you want to delete organization scim token "nonexistent"? (y/n): y
Error: failed to delete nonexistent: SCIM token not found
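
An added example, not part of this PR or of the Confluent CLI code base: with the 6-month default expiry and the 2-token limit per SSO connection shown in the quota error above, a rotation has to be planned before a token lapses. It assumes `scim-token list -o json` prints an array of objects with the same field names as the `create -o json` output; `rotationPlan` is a hypothetical helper and the sample input is constructed from the list output above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// scimToken holds the fields shown in the `create -o json` output above.
// The token value is deliberately not decoded: the audit never needs the secret.
type scimToken struct {
	ID             string    `json:"id"`
	ConnectionName string    `json:"connection_name"`
	ExpiresAt      time.Time `json:"expires_at"`
}

// Constructed sample: the two rows of the list output above, in the assumed JSON shape.
const sampleList = `[
  {"id":"1ca1d57a-b32c-48b5-9d6c-483d806c2edf","connection_name":"adong-sso-stag","token":"","expires_at":"2026-06-12T21:52:41Z"},
  {"id":"fdd7c637-cb96-4657-8368-949c69038872","connection_name":"adong-sso-stag","token":"","expires_at":"2026-11-09T22:21:44Z"}
]`

// rotationPlan (hypothetical helper) returns the IDs of tokens that expire within
// window, soonest first, and the connections already holding quota tokens, where
// one token must be deleted before a replacement can be created.
func rotationPlan(listJSON string, now time.Time, window time.Duration, quota int) ([]string, []string, error) {
	var tokens []scimToken
	if err := json.Unmarshal([]byte(listJSON), &tokens); err != nil {
		return nil, nil, fmt.Errorf("parse token list: %w", err)
	}
	sort.Slice(tokens, func(i, j int) bool { return tokens[i].ExpiresAt.Before(tokens[j].ExpiresAt) })
	var expiring, full []string
	perConn := map[string]int{}
	for _, t := range tokens {
		if t.ExpiresAt.Sub(now) <= window { // also catches already-expired tokens
			expiring = append(expiring, t.ID)
		}
		perConn[t.ConnectionName]++
		if perConn[t.ConnectionName] == quota {
			full = append(full, t.ConnectionName)
		}
	}
	return expiring, full, nil
}

func main() {
	now := time.Date(2026, 5, 24, 0, 0, 0, 0, time.UTC)
	expiring, full, err := rotationPlan(sampleList, now, 30*24*time.Hour, 2)
	fmt.Println(expiring, full, err)
}
```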

@ameliadong97 Amelia Dong (ameliadong97) requested a review from a team as a code owner May 26, 2026 17:56
Copilot AI review requested due to automatic review settings May 26, 2026 17:56
@confluent-cla-assistant

🎉 All Contributor License Agreements have been signed. Ready to merge.
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.

Copilot AI left a comment

Pull request overview

Adds a new confluent organization scim-token command group to manage SCIM tokens (create/list/delete) for Confluent Cloud orgs, wired through the ccloud org/v2 client and covered by integration + live tests.

Changes:

  • Introduces organization scim-token CLI subcommands with output/autocomplete and corresponding ccloud org/v2 client methods.
  • Adds mock server handlers + fixtures + golden tests for SCIM token create/list/delete flows.
  • Updates module dependency for ccloud-sdk-go-v2/org (but currently includes a local replace, which must be removed).

Reviewed changes

Copilot reviewed 31 out of 36 changed files in this pull request and generated 4 comments.

File | Description
-----+------------
test/test-server/scim_token_handler.go | Adds mock handlers for /org/v2/scim-tokens and /org/v2/scim-tokens/{id}.
test/test-server/ccloudv2_router.go | Registers SCIM token routes in the v2 test router.
test/scim_token_test.go | Adds integration tests for scim-token create/list/delete + autocomplete.
test/live/scim_token_live_test.go | Adds live CRUD coverage for scim-token commands.
test/fixtures/output/organization/update-help.golden | Updates help golden output (currently includes GOCOVERDIR warning noise).
test/fixtures/output/organization/scim-token/list-help.golden | Adds help golden for organization scim-token list.
test/fixtures/output/organization/scim-token/help.golden | Adds help golden for organization scim-token.
test/fixtures/output/organization/scim-token/delete-help.golden | Adds help golden for organization scim-token delete.
test/fixtures/output/organization/scim-token/create-help.golden | Adds help golden for organization scim-token create.
test/fixtures/output/organization/list-help.golden | Updates help golden output (currently includes GOCOVERDIR warning noise).
test/fixtures/output/organization/help.golden | Updates org help golden to include new scim-token command (also includes GOCOVERDIR warning noise).
test/fixtures/output/organization/describe-help.golden | Updates help golden output (currently includes GOCOVERDIR warning noise).
test/fixtures/output/org/scim-token/list.golden | Adds golden output for org scim-token list.
test/fixtures/output/org/scim-token/list-yaml.golden | Adds golden output for org scim-token list -o yaml.
test/fixtures/output/org/scim-token/list-json.golden | Adds golden output for org scim-token list -o json.
test/fixtures/output/org/scim-token/delete.golden | Adds golden output for org scim-token delete --force.
test/fixtures/output/org/scim-token/delete-no-force.golden | Adds golden output for interactive delete confirmation.
test/fixtures/output/org/scim-token/delete-multiple.golden | Adds golden output for multi-delete confirmation.
test/fixtures/output/org/scim-token/delete-invalid.golden | Adds golden output for invalid delete case (currently driven by missing test input).
test/fixtures/output/org/scim-token/create.golden | Adds golden output for org scim-token create.
test/fixtures/output/org/scim-token/create-expire-duration-mins.golden | Adds golden output for create with explicit expiry minutes.
test/fixtures/output/help.golden | Updates top-level help golden output (currently includes GOCOVERDIR warning noise).
test/fixtures/output/help-onprem.golden | Updates on-prem help golden output (currently includes GOCOVERDIR warning noise).
test/fixtures/input/org/scim_token/read_created_scim_token.json | Adds input fixture for listing tokens.
test/fixtures/input/org/scim_token/create_scim_token.json | Adds input fixture for create response.
pkg/ccloudv2/org.go | Adds Create/List/Delete SCIM token methods on the org v2 client.
internal/organization/command.go | Wires organization scim-token into the org command tree; updates constructor signature.
internal/organization/command_scim_token.go | Adds scim-token command root + shared output + autocomplete helpers.
internal/organization/command_scim_token_list.go | Implements organization scim-token list.
internal/organization/command_scim_token_delete.go | Implements organization scim-token delete using shared deletion helpers.
internal/organization/command_scim_token_create.go | Implements organization scim-token create with optional expiry minutes.
internal/command.go | Updates root command wiring for new organization command constructor signature.
go.mod | Bumps ccloud-sdk-go-v2/org version but currently adds an invalid local replace.
go.sum | Removes old org sums; missing the new version’s sums due to local replace.
cmd/lint/main.go | Adds Organization as a proper noun for linting.
.cli-generation-checksum | Updates generator checksum.
Files not reviewed (4)
  • internal/organization/command_scim_token.go: Language not supported
  • internal/organization/command_scim_token_create.go: Language not supported
  • internal/organization/command_scim_token_delete.go: Language not supported
  • internal/organization/command_scim_token_list.go: Language not supported

Comment thread go.mod Outdated
@@ -1,3 +1,4 @@
warning: GOCOVERDIR not set, no coverage data emitted
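Review bot: the line "warning: GOCOVERDIR not set, no coverage data emitted" at the top of this hunk is a message from a coverage-instrumented Go binary, not output of the command under test, so committing it ties the file to how the binary happened to be run locally. Regenerate the file with GOCOVERDIR set (or with a non-coverage build) and drop the line so the hunk goes back to three lines.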

Comment thread test/scim_token_test.go
Comment on lines +21 to +23
{args: "org scim-token delete id-1 id-2", input: "y\n", fixture: "org/scim-token/delete-multiple.golden"},
{args: "org scim-token delete invalid", fixture: "org/scim-token/delete-invalid.golden", exitCode: 1},
}
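Review bot: the "org scim-token delete invalid" case on the second line passes neither an input: value nor --force, unlike the delete id-1 id-2 case above it, which supplies input: "y\n". The exitCode: 1 it asserts can therefore come from the confirmation prompt reading no input rather than from the not-found path. Add input: "y\n" (or --force) to that case so delete-invalid.golden records the not-found error the case name promises.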
Comment on lines +31 to +34
func (c *scimTokenCommand) delete(cmd *cobra.Command, args []string) error {
existenceFunc := func(primaryId string) bool {
return true
}
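Review bot: existenceFunc returns true for every primaryId, so whatever consumes it cannot reject an unknown ID before the delete request is sent, and a mistyped ID only fails after the user has confirmed the prompt. Either check primaryId against the tokens returned by the list call here, or leave a comment stating that the pre-check is skipped on purpose and that not-found is reported by the delete request itself.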