Users & Organizations
Current-user identity, the organization-role model used for access gating, organization switching, and enterprise provisioning of managed users and client-managed service accounts (including minting their API tokens).
📄️ Get the authenticated user
Returns the currently authenticated user, hydrated with their current-organization context and the full list of role assignments (each role carries the `organizationId` it applies to).
📄️ Get the authenticated user's abilities
Inspection endpoint returning the authenticated user's effective grant abilities plus their bypass scope. `abilities` is the flat list of `resource:accessType` grant strings the user holds; `hasGrants` is a convenience flag for a non-empty list. The bypass fields describe scope under which grant checks are short-circuited (e.g. organization-role-based bypass).
📄️ Resolve a batch of ability checks for the authenticated user
Resolves a named batch of capability checks against the current user. Each entry names a resource `path`, an `accessType`, an optional `organizationId` to scope the check, and an optional `requiredOrgRoleForBypass`. Returns a boolean result per key under `results`.
📄️ Switch the active organization
Sets the authenticated user's `currentOrganizationId` to the given organization. The body is empty. The caller must be a member of the target organization; non-members and non-existent organizations both return `404` (to prevent ID enumeration).
📄️ List an enterprise organization's managed users
Lists the users provisioned into an enterprise organization that hold the `org-client` role in it — i.e. both `client-managed` service accounts and `human` managed users created through this provisioning surface. Regular members/admins/owners who joined via OAuth are NOT returned here.
📄️ Provision a user or service account in an enterprise organization
Provisions a user into an enterprise organization, assigning them the base `user` role plus the org-scoped `org-client` role. Two `userType`s are supported:
📄️ List a service account's API tokens
Lists the API tokens issued to a `client-managed` service account. The raw token value is NEVER returned here — only on creation. The target user must be `client-managed`; a `human` target returns `401`.
📄️ Mint an API token for a service account
Issues an `oat_…` API token for a `client-managed` service account. **The secret token value is returned exactly once, in this response** (`data.token`) — it cannot be retrieved later.