> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Set up a Cursor connector
> C1 provides identity governance for Cursor. Integrate your Cursor instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.
The Cursor connector requires the Cursor **Enterprise** plan. The Admin API used by this connector is only available to Enterprise teams. Teams on the Business plan do not have access to the Admin API and cannot use this connector.
## Capabilities
The Cursor connector syncs the following resources:
| Resource | Sync | Provision |
| :------- | :------------------------------------------------------------ | :--------------------------------------------------------------------------------------- |
| Account | | Create and delete via SCIM |
| Role | | |
**Notes:**
* The connector syncs team members and their assigned roles (Owner, Member, Free Owner).
* Account provisioning (create and delete) is supported when SCIM is configured. New users are created in the identity provider and appear in Cursor after their first login. Deleting an account removes the user from the identity provider via SCIM, which triggers Cursor to deactivate the member on its next sync.
* Delete only works for SCIM-managed users. Members added directly in the Cursor dashboard (not through an IdP) cannot be removed by this connector.
* Role assignment provisioning is not supported. Cursor does not expose an API for changing user roles.
## Prerequisites
Before setting up the Cursor connector, confirm the following:
* Your Cursor team is on the **Enterprise** plan. The Admin API is not available on Business or other plans.
* You have the **administrator** role in your Cursor team. Only administrators can create API keys.
* **(Optional, for account provisioning)** SSO is enabled and SCIM is configured in your Cursor team. See the [Cursor SCIM documentation](https://cursor.com/docs/account/teams/scim) for setup guidance.
## Gather Cursor credentials
To configure the Cursor connector, you need **administrator** permissions in your Cursor team.
Log in to the [Cursor dashboard](https://cursor.com/dashboard).
Navigate to **Settings** > **Advanced** > **Admin API Keys**.
Click **Create New API Key** and provide a descriptive name (for example, `C1`).
Copy the generated API key and save it securely. The key follows the format `key_` followed by a 64-character string. You cannot retrieve the key after leaving the page.
For more information, see the [Cursor Admin API documentation](https://cursor.com/docs/account/teams/admin-api).
### SCIM credentials (optional, for account provisioning)
If you want to enable account provisioning (create and delete users), you also need SCIM credentials:
In the Cursor dashboard, navigate to **Settings** > **Advanced** > **SCIM**.
Copy the **SCIM endpoint URL** and **SCIM bearer token**. You need both to configure account provisioning in the connector.
For more information, see the [Cursor SCIM documentation](https://cursor.com/docs/account/teams/scim).
## Configure the Cursor connector
To complete this task, you need:
* The **Connector Administrator** or **Super Administrator** role in C1
* The Cursor API key gathered in the previous section
**Follow these instructions to use a built-in, no-code connector hosted by C1.**
In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
Search for **Cursor** and click **Add**.
Choose how to set up the new Cursor connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
Find the **Settings** area of the page and click **Edit**.
Enter your Cursor API key in the **API Key** field.
Click **Save**.
The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
**Done.** Your Cursor connector is now pulling access data into C1.
**Follow these instructions to use the Cursor connector, hosted and run in your own environment.**
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals.
This data is immediately available in the C1 UI for access reviews and access requests.
### Step 1: Set up a new Cursor connector
In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
Search for **Baton** and click **Add**.
Choose how to set up the new Cursor connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
In the **Settings** area of the page, click **Edit**.
Click **Rotate** to generate a new Client ID and Secret.
Carefully copy and save these credentials. You need them in Step 2.
### Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your Cursor connector deployment:
#### Secrets configuration
```yaml theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-cursor-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: baton-cursor-secrets
type: Opaque
stringData:
# C1 credentials
BATON_CLIENT_ID:
BATON_CLIENT_SECRET:
# Cursor config
BATON_CURSOR_API_KEY:
# Optional: SCIM config (for account provisioning)
BATON_CURSOR_SCIM_ENDPOINT:
BATON_CURSOR_SCIM_TOKEN:
# Optional: include if you want C1 to provision access using this connector
BATON_PROVISIONING: true
```
See the connector's README or run `--help` to see all available configuration flags and environment variables.
#### Deployment configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-cursor.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: baton-cursor
labels:
app: baton-cursor
spec:
selector:
matchLabels:
app: baton-cursor
template:
metadata:
labels:
app: baton-cursor
baton: true
baton-app: cursor
spec:
containers:
- name: baton-cursor
image: ghcr.io/conductorone/baton-cursor:latest
imagePullPolicy: IfNotPresent
env:
- name: BATON_HOST_ID
value: baton-cursor
envFrom:
- secretRef:
name: baton-cursor-secrets
```
### Step 3: Deploy the connector
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Cursor connector to. Cursor data should be found on the **Entitlements** and **Accounts** tabs.
**Done.** Your Cursor connector is now pulling access data into C1.
## Known limitations
* **Enterprise plan required.** The Cursor Admin API is only available on Enterprise plans. Teams on the Business plan cannot use this connector.
* **No role management API.** Cursor does not expose an API for changing user roles. Role assignments are synced for visibility only.
* **SCIM requires Enterprise and SSO.** Account provisioning (create and delete) requires SCIM, which is only available on Enterprise plans with SSO enabled. Without SCIM credentials, the connector operates in sync-only mode.
* **Delete is SCIM-only.** Account deletion removes users from the identity provider via SCIM. Members added directly in the Cursor dashboard (not through an IdP) cannot be removed by this connector.