diff --git a/app/forms/anti-affinity-group-member-add.tsx b/app/forms/anti-affinity-group-member-add.tsx
index bc0eec6e1..3aeee4089 100644
--- a/app/forms/anti-affinity-group-member-add.tsx
+++ b/app/forms/anti-affinity-group-member-add.tsx
@@ -63,9 +63,9 @@ export default function AddAntiAffinityGroupMemberForm({ instances, onDismiss }:
     <Modal isOpen onDismiss={onDismiss} title="Add instance to group">
       <Modal.Body>
         <Modal.Section>
-          <p className="text-sm text-gray-500">
+          <p>
             Select an instance to add to the anti-affinity group{' '}
-            <HL>{antiAffinityGroup}</HL>. Only stopped instances can be added to the group.
+            <HL>{antiAffinityGroup}</HL>.
           </p>
           <form id={formId} onSubmit={onSubmit}>
             <ComboboxField
diff --git a/app/forms/silo-create.tsx b/app/forms/silo-create.tsx
index 95da46ec0..7f05938bb 100644
--- a/app/forms/silo-create.tsx
+++ b/app/forms/silo-create.tsx
@@ -8,6 +8,7 @@
 import { useEffect } from 'react'
 import { useForm } from 'react-hook-form'
 import { useNavigate } from 'react-router'
+import { match } from 'ts-pattern'
 
 import { useApiMutation, useApiQueryClient, type SiloCreate } from '@oxide/api'
 
@@ -146,15 +147,20 @@ export default function CreateSiloSideModalForm() {
         column
         control={form.control}
         items={[
-          { value: 'saml_jit', label: 'SAML' },
+          { value: 'saml_jit', label: 'SAML + JIT' },
+          { value: 'saml_scim', label: 'SAML + SCIM' },
           { value: 'local_only', label: 'Local only' },
         ]}
       />
-      {identityMode === 'saml_jit' && (
+      {match(identityMode)
+        .with('saml_jit', () => true)
+        .with('saml_scim', () => true)
+        .with('local_only', () => false)
+        .exhaustive() && (
         <TextField
           name="adminGroupName"
           label="Admin group name"
-          description="This group will be created and granted the Silo Admin role."
+          description="This group will be created and granted the admin role on the silo."
           control={form.control}
         />
       )}
diff --git a/app/pages/system/silos/SiloPage.tsx b/app/pages/system/silos/SiloPage.tsx
index 1088509fc..b23597e63 100644
--- a/app/pages/system/silos/SiloPage.tsx
+++ b/app/pages/system/silos/SiloPage.tsx
@@ -61,6 +61,7 @@ export default function SiloPage() {
         <Tab to={pb.siloIpPools(siloSelector)}>IP Pools</Tab>
         <Tab to={pb.siloQuotas(siloSelector)}>Quotas</Tab>
         <Tab to={pb.siloFleetRoles(siloSelector)}>Fleet roles</Tab>
+        <Tab to={pb.siloScim(siloSelector)}>SCIM</Tab>
       </RouteTabs>
     </>
   )
diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
new file mode 100644
index 000000000..e23333745
--- /dev/null
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -0,0 +1,264 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * Copyright Oxide Computer Company
+ */
+
+import { createColumnHelper, getCoreRowModel, useReactTable } from '@tanstack/react-table'
+import { useCallback, useMemo, useState } from 'react'
+import { type LoaderFunctionArgs } from 'react-router'
+
+import { AccessToken24Icon } from '@oxide/design-system/icons/react'
+import { Badge } from '@oxide/design-system/ui'
+
+import {
+  apiQueryClient,
+  useApiMutation,
+  usePrefetchedApiQuery,
+  type ScimClientBearerToken,
+} from '~/api'
+import { getSiloSelector, useSiloSelector } from '~/hooks/use-params'
+import { confirmDelete } from '~/stores/confirm-delete'
+import { addToast } from '~/stores/toast'
+import { useColsWithActions, type MenuAction } from '~/table/columns/action-col'
+import { Columns } from '~/table/columns/common'
+import { Table } from '~/table/Table'
+import { CardBlock } from '~/ui/lib/CardBlock'
+import { CopyToClipboard } from '~/ui/lib/CopyToClipboard'
+import { CreateButton } from '~/ui/lib/CreateButton'
+import { DateTime } from '~/ui/lib/DateTime'
+import { EmptyMessage } from '~/ui/lib/EmptyMessage'
+import { Message } from '~/ui/lib/Message'
+import { Modal } from '~/ui/lib/Modal'
+import { TableEmptyBox } from '~/ui/lib/Table'
+import { Truncate } from '~/ui/lib/Truncate'
+
+const colHelper = createColumnHelper<ScimClientBearerToken>()
+
+const EmptyState = () => (
+  <TableEmptyBox border={false}>
+    <EmptyMessage
+      icon={<AccessToken24Icon />}
+      title="No SCIM tokens"
+      body="Create a token to see it here"
+    />
+  </TableEmptyBox>
+)
+
+export async function clientLoader({ params }: LoaderFunctionArgs) {
+  const { silo } = getSiloSelector(params)
+  await apiQueryClient.prefetchQuery('scimTokenList', { query: { silo } })
+  return null
+}
+
+export default function SiloScimTab() {
+  const siloSelector = useSiloSelector()
+  const { data } = usePrefetchedApiQuery('scimTokenList', {
+    query: { silo: siloSelector.silo },
+  })
+
+  // Order tokens by creation date, oldest first
+  const tokens = useMemo(
+    () => [...data].sort((a, b) => a.timeCreated.getTime() - b.timeCreated.getTime()),
+    [data]
+  )
+
+  const [showCreateModal, setShowCreateModal] = useState(false)
+  const [createdToken, setCreatedToken] = useState<{
+    id: string
+    bearerToken: string
+    timeCreated: Date
+    timeExpires?: Date | null
+  } | null>(null)
+
+  const deleteToken = useApiMutation('scimTokenDelete', {
+    onSuccess() {
+      apiQueryClient.invalidateQueries('scimTokenList')
+    },
+  })
+
+  const makeActions = useCallback(
+    (token: ScimClientBearerToken): MenuAction[] => [
+      {
+        label: 'Delete',
+        onActivate: confirmDelete({
+          doDelete: () =>
+            deleteToken.mutateAsync({
+              path: { tokenId: token.id },
+              query: { silo: siloSelector.silo },
+            }),
+          label: token.id,
+        }),
+      },
+    ],
+    [deleteToken, siloSelector.silo]
+  )
+
+  const staticColumns = useMemo(
+    () => [
+      colHelper.accessor('id', {
+        header: 'ID',
+        cell: (info) => (
+          <Truncate text={info.getValue()} position="middle" maxLength={18} />
+        ),
+      }),
+      colHelper.accessor('timeCreated', Columns.timeCreated),
+      colHelper.accessor('timeExpires', {
+        header: 'Expires',
+        cell: (info) => {
+          const expires = info.getValue()
+          return expires ? (
+            <DateTime date={expires} />
+          ) : (
+            <Badge color="neutral">Never</Badge>
+          )
+        },
+        meta: { thClassName: 'lg:w-1/4' },
+      }),
+    ],
+    []
+  )
+
+  const columns = useColsWithActions(staticColumns, makeActions, 'Copy token ID')
+
+  const table = useReactTable({
+    data: tokens,
+    columns,
+    getCoreRowModel: getCoreRowModel(),
+  })
+  // const { href, linkText } = docLinks.scim
+  return (
+    <>
+      <CardBlock>
+        <CardBlock.Header
+          title="SCIM Tokens"
+          titleId="scim-tokens-label"
+          description="Tokens for authenticating requests to SCIM endpoints"
+        >
+          <CreateButton onClick={() => setShowCreateModal(true)}>Create token</CreateButton>
+        </CardBlock.Header>
+        <CardBlock.Body>
+          {tokens.length === 0 ? (
+            <EmptyState />
+          ) : (
+            <Table
+              aria-labelledby="scim-tokens-label"
+              table={table}
+              className="table-inline"
+            />
+          )}
+        </CardBlock.Body>
+        {/* TODO: put this back!
+        <CardBlock.Footer>
+          <LearnMore href={links.scimDocs} text="SCIM" />
+        </CardBlock.Footer> */}
+      </CardBlock>
+
+      {showCreateModal && (
+        <CreateTokenModal
+          siloSelector={siloSelector}
+          onDismiss={() => setShowCreateModal(false)}
+          onSuccess={(token) => {
+            setShowCreateModal(false)
+            setCreatedToken(token)
+          }}
+        />
+      )}
+
+      {createdToken && (
+        <TokenCreatedModal token={createdToken} onDismiss={() => setCreatedToken(null)} />
+      )}
+    </>
+  )
+}
+
+function CreateTokenModal({
+  siloSelector,
+  onDismiss,
+  onSuccess,
+}: {
+  siloSelector: { silo: string }
+  onDismiss: () => void
+  onSuccess: (token: {
+    id: string
+    bearerToken: string
+    timeCreated: Date
+    timeExpires?: Date | null
+  }) => void
+}) {
+  const createToken = useApiMutation('scimTokenCreate', {
+    onSuccess(token) {
+      apiQueryClient.invalidateQueries('scimTokenList')
+      onSuccess(token)
+    },
+    onError(err) {
+      addToast({ variant: 'error', title: 'Failed to create token', content: err.message })
+    },
+  })
+
+  return (
+    <Modal isOpen onDismiss={onDismiss} title="Create SCIM token">
+      <Modal.Section>
+        Anyone with this token can manage users and groups in this silo via SCIM. Since
+        group membership grants roles, this token can be used to give a user admin
+        privileges. Store it securely and never share it publicly.
+      </Modal.Section>
+
+      <Modal.Footer
+        onDismiss={onDismiss}
+        onAction={() => {
+          createToken.mutate({ query: { silo: siloSelector.silo } })
+        }}
+        actionText="Create"
+        actionLoading={createToken.isPending}
+      />
+    </Modal>
+  )
+}
+
+function TokenCreatedModal({
+  token,
+  onDismiss,
+}: {
+  token: {
+    id: string
+    bearerToken: string
+    timeCreated: Date
+    timeExpires?: Date | null
+  }
+  onDismiss: () => void
+}) {
+  return (
+    <Modal isOpen onDismiss={onDismiss} title="SCIM token created">
+      <Modal.Section>
+        <Message
+          variant="notice"
+          content=<>
+            This is the only time you’ll see this token. Copy it now and store it securely.
+          </>
+        />
+
+        <div className="mt-4">
+          <div className="text-sans-md text-raise mb-2">Bearer Token</div>
+          <div className="text-sans-md text-raise bg-default border-default flex items-stretch rounded border">
+            <div className="flex-1 overflow-hidden px-3 py-2.75 text-ellipsis">
+              {token.bearerToken}
+            </div>
+            <div className="border-default flex w-8 items-center justify-center border-l">
+              <CopyToClipboard text={token.bearerToken} />
+            </div>
+          </div>
+        </div>
+      </Modal.Section>
+
+      <Modal.Footer
+        onDismiss={onDismiss}
+        actionText="Done"
+        onAction={onDismiss}
+        showCancel={false}
+      />
+    </Modal>
+  )
+}
diff --git a/app/routes.tsx b/app/routes.tsx
index 112e3c623..8a16d50b5 100644
--- a/app/routes.tsx
+++ b/app/routes.tsx
@@ -154,6 +154,10 @@ export const routes = createRoutesFromElements(
               path="fleet-roles"
               lazy={() => import('./pages/system/silos/SiloFleetRolesTab').then(convert)}
             />
+            <Route
+              path="scim"
+              lazy={() => import('./pages/system/silos/SiloScimTab').then(convert)}
+            />
           </Route>
         </Route>
         <Route path="issues" element={null} />
diff --git a/app/ui/lib/Message.tsx b/app/ui/lib/Message.tsx
index 5971caeef..81eb6198b 100644
--- a/app/ui/lib/Message.tsx
+++ b/app/ui/lib/Message.tsx
@@ -38,17 +38,17 @@ const defaultIcon: Record<Variant, ReactElement> = {
 }
 
 const color: Record<Variant, string> = {
-  success: 'bg-accent-secondary',
-  error: 'bg-error-secondary',
-  notice: 'bg-notice-secondary',
-  info: 'bg-info-secondary',
+  success: 'bg-accent-secondary border-accent/10',
+  error: 'bg-error-secondary border-destructive/10',
+  notice: 'bg-notice-secondary border-notice/10',
+  info: 'bg-info-secondary border-blue-800/10',
 }
 
 const textColor: Record<Variant, string> = {
-  success: 'text-accent *:text-accent',
-  error: 'text-error *:text-error',
-  notice: 'text-notice *:text-notice',
-  info: 'text-info *:text-info',
+  success: 'text-accent',
+  error: 'text-error',
+  notice: 'text-notice',
+  info: 'text-info',
 }
 
 const secondaryTextColor: Record<Variant, string> = {
@@ -77,22 +77,26 @@ export const Message = ({
   return (
     <div
       className={cn(
-        'elevation-1 relative flex items-start gap-2.5 overflow-hidden rounded-lg p-4',
+        'elevation-1 relative flex items-start gap-2 overflow-hidden rounded-lg border p-3 pr-5',
         color[variant],
         textColor[variant],
         className
       )}
     >
       {showIcon && (
-        <div className="mt-[2px] flex [&>svg]:h-3 [&>svg]:w-3">{defaultIcon[variant]}</div>
+        <div
+          className={cn(
+            'mt-[2px] flex [&>svg]:h-3 [&>svg]:w-3',
+            `[&>svg]:${textColor[variant]}`
+          )}
+        >
+          {defaultIcon[variant]}
+        </div>
       )}
       <div className="flex-1">
         {title && <div className="text-sans-semi-md">{title}</div>}
         <div
-          className={cn(
-            'text-sans-md [&>a]:underline',
-            title ? secondaryTextColor[variant] : textColor[variant]
-          )}
+          className={cn('text-sans-md [&>a]:tint-underline', secondaryTextColor[variant])}
         >
           {content}
         </div>
diff --git a/app/ui/lib/Modal.tsx b/app/ui/lib/Modal.tsx
index b80877b50..0f90eb8b9 100644
--- a/app/ui/lib/Modal.tsx
+++ b/app/ui/lib/Modal.tsx
@@ -113,6 +113,7 @@ type FooterProps = {
   actionLoading?: boolean
   cancelText?: string
   disabled?: boolean
+  showCancel?: boolean
 } & MergeExclusive<{ formId: string }, { onAction: () => void }>
 
 Modal.Footer = ({
@@ -125,13 +126,16 @@ Modal.Footer = ({
   cancelText,
   disabled,
   formId,
+  showCancel = true,
 }: FooterProps) => (
   <footer className="border-secondary flex items-center justify-between border-t px-4 py-3">
     <div className="mr-4">{children}</div>
     <div className="space-x-2">
-      <Button variant="secondary" size="sm" onClick={onDismiss}>
-        {cancelText || 'Cancel'}
-      </Button>
+      {showCancel && (
+        <Button variant="secondary" size="sm" onClick={onDismiss}>
+          {cancelText || 'Cancel'}
+        </Button>
+      )}
       <Button
         type={formId ? 'submit' : 'button'}
         form={formId}
diff --git a/app/ui/styles/index.css b/app/ui/styles/index.css
index 2de1c5e6e..d20340c26 100644
--- a/app/ui/styles/index.css
+++ b/app/ui/styles/index.css
@@ -91,6 +91,15 @@
   }
 }
 
+@utility tint-underline {
+  text-decoration: underline;
+  text-decoration-color: color-mix(in srgb, currentColor 50%, transparent);
+
+  &:hover {
+    text-decoration-color: color-mix(in srgb, currentColor 80%, transparent);
+  }
+}
+
 @layer utilities {
   :root {
     --content-gutter: 2.5rem;
diff --git a/app/util/__snapshots__/path-builder.spec.ts.snap b/app/util/__snapshots__/path-builder.spec.ts.snap
index d2b4a4373..069c7927d 100644
--- a/app/util/__snapshots__/path-builder.spec.ts.snap
+++ b/app/util/__snapshots__/path-builder.spec.ts.snap
@@ -615,6 +615,16 @@ exports[`breadcrumbs 2`] = `
       "path": "/system/silos/s",
     },
   ],
+  "siloScim (/system/silos/s/scim)": [
+    {
+      "label": "Silos",
+      "path": "/system/silos",
+    },
+    {
+      "label": "s",
+      "path": "/system/silos/s",
+    },
+  ],
   "siloUtilization (/utilization)": [
     {
       "label": "Utilization",
diff --git a/app/util/links.ts b/app/util/links.ts
index 698ecc3c1..3ffcf344e 100644
--- a/app/util/links.ts
+++ b/app/util/links.ts
@@ -43,6 +43,8 @@ export const links = {
   quickStart: 'https://docs.oxide.computer/guides/quickstart',
   routersDocs:
     'https://docs.oxide.computer/guides/configuring-guest-networking#_custom_routers',
+  // TODO: make sure this is right
+  scimDocs: 'https://docs.oxide.computer/guides/operator/scim',
   siloQuotasDocs:
     'https://docs.oxide.computer/guides/operator/silo-management#_silo_resource_quota_management',
   sledDocs:
diff --git a/app/util/path-builder.spec.ts b/app/util/path-builder.spec.ts
index af24b74b3..35aefaab2 100644
--- a/app/util/path-builder.spec.ts
+++ b/app/util/path-builder.spec.ts
@@ -88,6 +88,7 @@ test('path builder', () => {
         "siloImages": "/images",
         "siloIpPools": "/system/silos/s/ip-pools",
         "siloQuotas": "/system/silos/s/quotas",
+        "siloScim": "/system/silos/s/scim",
         "siloUtilization": "/utilization",
         "silos": "/system/silos",
         "silosNew": "/system/silos-new",
diff --git a/app/util/path-builder.ts b/app/util/path-builder.ts
index 7fc304dc7..da7e04c69 100644
--- a/app/util/path-builder.ts
+++ b/app/util/path-builder.ts
@@ -130,6 +130,7 @@ export const pb = {
   siloIpPools: (params: PP.Silo) => `${siloBase(params)}/ip-pools`,
   siloQuotas: (params: PP.Silo) => `${siloBase(params)}/quotas`,
   siloFleetRoles: (params: PP.Silo) => `${siloBase(params)}/fleet-roles`,
+  siloScim: (params: PP.Silo) => `${siloBase(params)}/scim`,
   samlIdp: (params: PP.IdentityProvider) =>
     `${siloBase(params)}/idps/saml/${params.provider}`,
 
diff --git a/mock-api/msw/db.ts b/mock-api/msw/db.ts
index 34bb516cc..95ce6718d 100644
--- a/mock-api/msw/db.ts
+++ b/mock-api/msw/db.ts
@@ -504,6 +504,7 @@ const initDb = {
   projects: [...mock.projects],
   racks: [...mock.racks],
   roleAssignments: [...mock.roleAssignments],
+  scimTokens: [...mock.scimTokens],
   silos: [...mock.silos],
   siloQuotas: [...mock.siloQuotas],
   siloProvisioned: [...mock.siloProvisioned],
diff --git a/mock-api/msw/handlers.ts b/mock-api/msw/handlers.ts
index 42561f72b..ae69335bc 100644
--- a/mock-api/msw/handlers.ts
+++ b/mock-api/msw/handlers.ts
@@ -1889,6 +1889,49 @@ export const handlers = makeHandlers({
     return paginated(query, affinityGroups)
   },
 
+  // SCIM token endpoints
+  scimTokenList({ query, cookies }) {
+    requireFleetViewer(cookies)
+    const silo = lookup.silo({ silo: query.silo })
+    // Filter by silo and strip out the siloId before returning
+    const tokens = db.scimTokens
+      .filter((t) => t.siloId === silo.id)
+      .map(({ siloId: _siloId, ...token }) => token)
+    return tokens
+  },
+  scimTokenCreate({ query, cookies }) {
+    requireFleetCollab(cookies)
+    const silo = lookup.silo({ silo: query.silo })
+
+    // Generate a 20-character hex string
+    const hexString = uuid().replace(/-/g, '').slice(0, 20)
+
+    const newToken: Json<Api.ScimClientBearerTokenValue> = {
+      id: uuid(),
+      bearer_token: `oxide-scim-${hexString}`,
+      time_created: new Date().toISOString(),
+    }
+
+    // Store without the bearer_token but with siloId for filtering
+    const { bearer_token: _bearerToken, ...tokenWithoutBearer } = newToken
+    db.scimTokens.push({ ...tokenWithoutBearer, siloId: silo.id })
+
+    return json(newToken, { status: 201 })
+  },
+  scimTokenView({ path, cookies }) {
+    requireFleetViewer(cookies)
+    const token = lookupById(db.scimTokens, path.tokenId)
+    // Strip out siloId before returning
+    const { siloId: _siloId, ...tokenResponse } = token
+    return tokenResponse
+  },
+  scimTokenDelete({ path, cookies }) {
+    requireFleetCollab(cookies)
+    const token = lookupById(db.scimTokens, path.tokenId)
+    db.scimTokens = db.scimTokens.filter((t) => t.id !== token.id)
+    return 204
+  },
+
   // Misc endpoints we're not using yet in the console
   affinityGroupCreate: NotImplemented,
   affinityGroupDelete: NotImplemented,
@@ -1997,10 +2040,6 @@ export const handlers = makeHandlers({
   systemUpdateTrustRootDelete: NotImplemented,
   systemUpdateTrustRootList: NotImplemented,
   systemUpdateTrustRootView: NotImplemented,
-  scimTokenList: NotImplemented,
-  scimTokenCreate: NotImplemented,
-  scimTokenView: NotImplemented,
-  scimTokenDelete: NotImplemented,
   userBuiltinList: NotImplemented,
   userBuiltinView: NotImplemented,
   userLogout: NotImplemented,
diff --git a/mock-api/silo.ts b/mock-api/silo.ts
index 48fd8a551..e607c3399 100644
--- a/mock-api/silo.ts
+++ b/mock-api/silo.ts
@@ -10,6 +10,7 @@ import * as R from 'remeda'
 import type {
   IdentityProvider,
   SamlIdentityProvider,
+  ScimClientBearerToken,
   Silo,
   SiloAuthSettings,
   SiloQuotas,
@@ -128,3 +129,27 @@ export const siloSettings: Json<SiloAuthSettings>[] = [
     device_token_max_ttl_seconds: 7200, // 2 hours in seconds
   },
 ]
+
+// SCIM tokens are stored with siloId for filtering, similar to identity providers
+type DbScimToken = Json<ScimClientBearerToken> & { siloId: string }
+
+export const scimTokens: DbScimToken[] = [
+  {
+    id: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
+    time_created: new Date(2025, 8, 15).toISOString(),
+    time_expires: null,
+    siloId: defaultSilo.id,
+  },
+  {
+    id: 'b2c3d4e5-f6a7-8901-bcde-f12345678901',
+    time_created: new Date(2025, 8, 20).toISOString(),
+    time_expires: null,
+    siloId: defaultSilo.id,
+  },
+  {
+    id: 'c3d4e5f6-a7b8-9012-cdef-123456789012',
+    time_created: new Date(2025, 8, 10).toISOString(),
+    time_expires: null,
+    siloId: silos[1].id,
+  },
+]
diff --git a/test/e2e/scim-tokens.e2e.ts b/test/e2e/scim-tokens.e2e.ts
new file mode 100644
index 000000000..708f1d754
--- /dev/null
+++ b/test/e2e/scim-tokens.e2e.ts
@@ -0,0 +1,103 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * Copyright Oxide Computer Company
+ */
+import { expect, test } from '@playwright/test'
+
+import { clickRowAction, expectNotVisible, expectRowVisible, expectVisible } from './utils'
+
+test('SCIM tokens tab', async ({ page }) => {
+  await page.goto('/system/silos/maze-war/scim')
+
+  await expect(page.getByText('SCIM Tokens')).toBeVisible()
+
+  const table = page.getByRole('table', { name: 'SCIM Tokens' })
+
+  // Check that existing tokens are visible
+  await expectRowVisible(table, { ID: 'a1b2c3d4…34567890' })
+  await expectRowVisible(table, { ID: 'b2c3d4e5…45678901' })
+})
+
+test('Create SCIM token', async ({ page }) => {
+  await page.goto('/system/silos/maze-war/scim')
+
+  // Open create modal
+  await page.getByRole('button', { name: 'Create token' }).click()
+
+  const createModal = page.getByRole('dialog', { name: 'Create SCIM token' })
+  await expect(createModal).toBeVisible()
+
+  // Create the token
+  await createModal.getByRole('button', { name: 'Create' }).click()
+
+  // Creation modal should go away
+  await expect(createModal).toBeHidden()
+
+  // Now we have a new modal with the token in it
+  const tokenCreatedModal = page.getByRole('dialog', { name: 'SCIM token created' })
+  await expect(tokenCreatedModal).toBeVisible()
+
+  // Check that the bearer token is visible and starts with oxide-scim-
+  const bearerTokenDiv = tokenCreatedModal.getByText(/^oxide-scim-[a-f0-9]{20}$/)
+  await expect(bearerTokenDiv).toBeVisible()
+  const warning = tokenCreatedModal.getByText('This is the only')
+  await expect(warning).toBeVisible()
+
+  // Check that copy button is visible
+  const copyButton = tokenCreatedModal.getByRole('button', { name: 'Click to copy' })
+  await expect(copyButton).toBeVisible()
+
+  // Dismiss the modal
+  await tokenCreatedModal.getByRole('button', { name: 'Done' }).click()
+  await expect(tokenCreatedModal).toBeHidden()
+
+  // The token should NOT be visible in the table (bearer token is not shown
+  // after creation), but a new row should exist. Check the table has 3 rows now
+  // (header + 2 original + 1 new)
+  const table = page.getByRole('table', { name: 'SCIM Tokens' })
+  await expect(table.getByRole('row')).toHaveCount(4) // header + 3 tokens
+})
+
+test('Delete SCIM token', async ({ page }) => {
+  await page.goto('/system/silos/maze-war/scim')
+
+  const table = page.getByRole('table', { name: 'SCIM Tokens' })
+
+  // Verify initial state - should have 2 tokens
+  await expect(table.getByRole('row')).toHaveCount(3) // header + 2 tokens
+
+  // Delete the first token
+  await clickRowAction(page, 'a1b2c3d4', 'Delete')
+
+  // Confirm deletion modal should appear
+  const confirmModal = page.getByRole('dialog', { name: 'Confirm delete' })
+  await expect(confirmModal).toBeVisible()
+  await expect(confirmModal.getByText('Are you sure you want to delete')).toBeVisible()
+
+  await confirmModal.getByRole('button', { name: 'Confirm' }).click()
+
+  // Modal should close
+  await expect(confirmModal).toBeHidden()
+
+  // Table should now only have 1 row
+  await expect(table.getByRole('row')).toHaveCount(2) // header + 1 token
+
+  // The deleted token should not be visible
+  await expectNotVisible(page, [page.getByText('a1b2c3d4…34567890')])
+
+  // The other token should still be visible
+  await expectRowVisible(table, { ID: 'b2c3d4e5…45678901' })
+
+  // Delete the second token
+  await clickRowAction(page, 'b2c3d4e5', 'Delete')
+  await confirmModal.getByRole('button', { name: 'Confirm' }).click()
+
+  // Empty state should be visible
+  await expectVisible(page, [
+    page.getByText('No SCIM tokens'),
+    page.getByText('Create a token to see it here'),
+  ])
+})
diff --git a/test/e2e/silos.e2e.ts b/test/e2e/silos.e2e.ts
index a7d1885fd..4260e0a09 100644
--- a/test/e2e/silos.e2e.ts
+++ b/test/e2e/silos.e2e.ts
@@ -50,7 +50,7 @@ test('Create silo', async ({ page }) => {
   await expect(page.getByRole('checkbox', { name: 'Grant fleet admin' })).toBeChecked()
   await page.getByRole('radio', { name: 'Local only' }).click()
   await expect(page.getByRole('textbox', { name: 'Admin group name' })).toBeHidden()
-  await page.getByRole('radio', { name: 'SAML' }).click()
+  await page.getByRole('radio', { name: 'SAML + JIT' }).click()
   await expect(page.getByRole('textbox', { name: 'Admin group name' })).toHaveValue('')
   await expect(page.getByRole('checkbox', { name: 'Grant fleet admin' })).toBeChecked()
   await page.getByRole('textbox', { name: 'Admin group name' }).fill('admins')