diff --git a/config/initializers/scimitar.rb b/config/initializers/scimitar.rb
index 080f4f5..6bc1d92 100644
--- a/config/initializers/scimitar.rb
+++ b/config/initializers/scimitar.rb
@@ -3,7 +3,12 @@
 Rails.application.config.to_prepare do
   Scimitar.engine_configuration = Scimitar::EngineConfiguration.new({
     token_authenticator: Proc.new do | token, options |
-      true
+      api_key = ApiKey.active.with_key(token).first
+      allowed = false
+      if api_key
+        allowed = api_key.api_key_scopes.any? { |s| s.resource == "scim" || s.action == "access_scim_endpoints" }
+      end
+      allowed
     end
   })
 end
\ No newline at end of file
diff --git a/plugin.rb b/plugin.rb
index dc73a9e..32352b4 100644
--- a/plugin.rb
+++ b/plugin.rb
@@ -20,6 +20,18 @@ require "scimitar"
 
 enabled_site_setting :scim_enabled
 
+add_api_key_scope(
+    :scim,
+    {
+      access_scim_endpoints: {
+        actions: %w[scim_v2/users#index scim_v2/users#show scim_v2/users#create
+          scim_v2/users#replace scim_v2/users#update scim_v2/users#destroy
+          scim_v2/groups#index scim_v2/groups#show scim_v2/groups#create
+          scim_v2/groups#update],
+      },
+    },
+  )
+
 module ::DiscourseScimPlugin
   PLUGIN_NAME = "scim"