Skip to main content

Provision a user or service account in an enterprise organization

POST 

/organizations/:organization_id/users

Provisions a user into an enterprise organization, assigning them the base user role plus the org-scoped org-client role. Two userTypes are supported:

  • human — a managed end-user. Requires firstName and lastName. An Authentik identity is created (if absent) and a password-recovery / welcome email is sent. description is ignored.
  • client-managed — a service account with no external IdP identity. Requires email (and accepts description); firstName/lastName are ignored. This is the only user type for which an oat_ API token can subsequently be minted (see POST .../users/{user_id}/tokens).

If a user with the given email already exists on the platform, they are attached to the organization (granted org-client) instead of being recreated; an existing member of this org returns 400.

The response data.id is the new (or attached) user / service-account ID. Requires user:write, an enterprise organization, and at least the org-admin role.

Request

Responses

The created (or attached) managed user / service account