🍪 Cookie Notice

We use cookies to learn how you interact with our content, and show you relevant content and ads based on your browsing history. You can adjust your settings below. Here's our policy.

Cookie settings
Skip to main content

JoyConf 2026 is back. Content Confidence. Human Connection. Save your spot!

New

SCIM 2.0

  • Infrastructure
  • Security
Books and Storyblok Logo

Storyblok now supports SCIM 2.0, the standard protocol your identity provider uses to manage user accounts in connected applications. Connect Okta or Microsoft Entra ID, and Storyblok user access follows your IdP automatically.

Storyblok exposes a SCIM 2.0 server that your IdP calls whenever a user is added, changed, or removed. New users are provisioned with the right role based on their IdP group, role updates flow through on the next sync, and de-provisioned users lose access immediately, with active sessions terminated and content attribution preserved. Each connection is secured with an organization-scoped token, and every provisioning event is written to an audit log with timestamp, operation, and the user or group involved.

Key Benefits:

  • Off-boarded employees lose Storyblok access the moment they leave your IdP
  • IT teams stop running manual updates for every joiner, mover, and leaver
  • Permissions stay aligned with your identity source of truth instead of drifting over time
  • Audit log supports SOC 2 and ISO 27001 evidence requirements
  • One less blocker in enterprise procurement and security reviews

[Learn more]

Related Updates

New

Scoped Personal Access Tokens

  • Infrastructure
  • Security
  • Developer Experience

Personal access tokens for the Management API now support granular scopes and space restrictions. When you create a token, you choose which scopes it can use (stories, assets, components, webhooks, and more) on a read-write-publish hierarchy, and whether it applies to all spaces or only specific ones. Endpoints outside the standard content scopes — organization management, billing, SSO, user management, and others — are blocked by default. Until now, every personal access token had full read-write access to every space the user owned. A token built for a CI pipeline that publishes stories in one space could also delete components in any other space, change billing, or touch user management. The same risk applies to AI assistants calling the Management API through the Storyblok MCP server. Scoped tokens limit the blast radius of a compromised, leaked, or prompt-injected token. Existing unscoped tokens enter a six-month transition period and will be revoked on 30.11.2026. Key Benefits: Limit each token to only the scopes and spaces it actually needsEndpoints like organization, billing, SSO, and user management are blocked by defaultReduce the blast radius of a compromised or leaked tokenTighter control over AI assistants and MCP server integrationsToken rotation is explicit and audit-friendly — change scopes by revoking and creating a new token [Learn More]

Premium Plan

Support for mixing SSO and non-SSO user roles with re-login protection

  • Security

User roles can now be mixed between SSO and non-SSO groups, giving administrators more flexibility in how roles are assigned. Additionally, non-SSO assigned roles are now preserved on re-login, preventing them from being automatically removed during SSO authentication. This ensures that manually assigned roles remain intact alongside SSO-managed roles.