The JumpCloud integration syncs users, groups, group memberships, and the SaaS apps your team actually signs into via JumpCloud SSO — the foundation of license true-up and offboarding workflows in Layer.Documentation Index
Fetch the complete documentation index at: https://docs.axiomancer.io/llms.txt
Use this file to discover all available pages before exploring further.
What you’ll need
- JumpCloud Administrator access.
- The ability to create an API key in your JumpCloud tenant.
- Three minutes.
Set it up
Create an API key in JumpCloud
In the JumpCloud Admin Console, click your initials in the top right and choose My API Key. Click Generate New API Key and copy the value — you won’t be able to see it again.
Paste it into Layer
In Layer, go to Integrations, find JumpCloud, and click Connect. Paste your API key, then click Connect.The default JumpCloud API base URL is
https://console.jumpcloud.com/api. Override it only if your tenant uses a custom region.What gets synced
| Object | Fields | Refresh cadence |
|---|---|---|
| Users | username, email, status, department, title | Every 6 hours |
| Groups | name, description, member count | Every 6 hours |
| Group memberships | user → group links | Every 6 hours |
| SaaS apps (from SSO) | app name, event count | Every 6 hours |
| App usage | user → app links with last SSO timestamp | Every 6 hours |
SaaS apps from SSO events
Layer reads the last 30 days of JumpCloud SSO events from the Insights API and creates one SaaS app asset per distinct application your users signed into. No additional API calls or integrations are required — the apps appear automatically once you connect JumpCloud. For every successful SSO event, Layer also creates a Uses relationship from the user to the app, keeping the most recent sign-in timestamp aslast_sso metadata. Duplicate sign-ins are deduplicated to one edge per user → app pair, so the graph stays clean even for power users.
These edges are what powers license true-up and offboarding checks against your JumpCloud-managed SaaS apps. The SaaS app assets are tagged with source: sso_events and a confidence of 0.75 — they’re signal-derived, so they may not exactly match the SSO connector list configured in JumpCloud.
Group memberships
For every JumpCloud user group, Layer fetches the member list from/v2/usergroups/{id}/members and creates a MemberOf relationship from each user to the group. If your API key doesn’t have scope to read group members, Layer skips this step without failing the sync — users and groups still sync as separate assets.
Required key permissions
A standard JumpCloud Administrator API key is sufficient. Layer reads from:/systemusers— user directory/v2/usergroupsand/v2/usergroups/{id}/members— groups and memberships/insights/directory/v1/events?service=sso— last 30 days of SSO events
Troubleshooting
401 Unauthorized on first sync
401 Unauthorized on first sync
No SaaS apps showing up
No SaaS apps showing up
SaaS apps are derived from the last 30 days of SSO events. If your tenant hasn’t logged any SSO sign-ins in that window, or if the Insights API isn’t enabled on your plan, no apps will appear. Users and groups still sync normally.
Group memberships missing
Group memberships missing
The
/v2/usergroups/{id}/members endpoint requires the API key to have read access to user groups. Layer treats this call as non-fatal — the rest of the sync completes even when memberships can’t be fetched.