Dental PMS

Auth & IAM

52 endpoints

Auth

4 endpoints

get/api/v1/auth/me/orgs

List My Org Memberships

List org memberships for the authenticated user. This endpoint does NOT require an org_id — it is used during initial login to discover which organizations the user belongs to before an org is selected.

Responses

200Successful Response
is_platform_adminboolean

Whether the current user has a platform admin role.

orgsobject[]required

Organization memberships for the current user.

curl
curl -X GET "https://api.example.com/api/v1/auth/me/orgs" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
post/api/v1/auth/change-password

Change Password

Change password for authenticated actor.

Request Body

current_passwordstringrequired
new_passwordstringrequired

Responses

200Successful Response
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/auth/change-password" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "current_password": "string",
    "new_password": "string"
  }'
post/api/v1/auth/forgot-password

Send Password Reset Email

Request a reset email. Always succeeds to avoid enumeration.

Request Body

emailstringrequired

Responses

200Successful Response
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/auth/forgot-password" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "string"
  }'
post/api/v1/auth/resend-verification

Resend Verification Email

Resend verification email for authenticated actor.

Responses

200Successful Response
curl
curl -X POST "https://api.example.com/api/v1/auth/resend-verification" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"

Iam

47 endpoints

get/api/v1/{org_id}/iam/approvals

List Approvals

List approvals with optional status filter. When status is omitted, returns all approvals. When status is 'pending', auto-expires stale approvals first.

Parameters

Path Parameters
org_idstringrequired
Query Parameters
status"approved" | "expired" | "pending" | "rejected"
pageinteger

Default: 1

page_sizeinteger

Default: 50

Responses

200Successful Response
itemsobject[]required
pageintegerrequired
page_sizeintegerrequired
totalintegerrequired
422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/approvals" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/approvals/{approval_uuid}

Get Approval

Get an approval by ID.

Parameters

Path Parameters
approval_uuidstringrequired
org_idstringrequired

Responses

200Successful Response
contains_phiboolean
expires_atstring (date-time)required
idstring (uuid)required
operation_payloadobjectrequired
operation_typestringrequired
org_idstring (uuid)required
pinned_group_versionsobjectrequired
pinned_scope_node_idstring (uuid)
pinned_scope_node_pathstring
requested_atstring (date-time)required
requested_bystring (uuid)required
review_notestring
reviewed_atstring (date-time)
reviewed_bystring (uuid)
statusenumrequired
approvedexpiredpendingrejected
422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/approvals/{approval_uuid}" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/assignments

List Iam Assignments

List assignments with optional filters.

Parameters

Path Parameters
org_idstringrequired
Query Parameters
user_idstring
group_uuidstring
scope_node_uuidstring
status"active" | "expired" | "pending_activation" | "suspended"
limitinteger

Default: 100

offsetinteger

Default: 0

Responses

200Successful Response
itemsobject[]required
totalintegerrequired
422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/assignments" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/effective-permissions

Get Effective Permissions

Get effective permissions for a user at a given scope/context.

Parameters

Path Parameters
org_idstringrequired
Query Parameters
user_idstringrequired
scope_node_uuidstring
context"all" | "location" | "org" | "provider" | "self"

Evaluation context: 'all' (default) returns permissions across every scope/context; 'org', 'location', 'self', 'provider' filter to a specific context.

alllocationorgproviderself

Default: "all"

Responses

200Successful Response
cache_versionintegerrequired

Cache version for staleness detection.

permissionsstring[]required

Granted permission keys.

registry_versionintegerrequired

Permission registry version for staleness detection.

scope_tree_versionintegerrequired

Scope tree version for staleness detection.

422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/effective-permissions" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/effective-permissions/compare

Compare effective permissions across locations

Compare a user's effective permissions across all accessible locations. Returns org-level permissions that apply everywhere, per-location permission sets, and a ``varies`` list of permission keys that differ across locations. Raises 404 if the user is not found.

Parameters

Path Parameters
org_idstringrequired
Query Parameters
user_idstringrequired

Public UUID of the target user.

Responses

200Successful Response
locationsobject[]required

Per-location permission sets.

org_permissionsstring[]required

Permission keys granted at org level (apply everywhere).

variesstring[]required

Permission keys that are granted at some locations but not others.

422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/effective-permissions/compare" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/effective-permissions/diagnostic

Get Effective Permissions Diagnostic

Get effective permissions with provenance for diagnostic/admin workflows.

Parameters

Path Parameters
org_idstringrequired
Query Parameters
user_idstringrequired
scope_node_uuidstring
context"all" | "location" | "org" | "provider" | "self"

Evaluation context: 'all' (default) returns permissions across every scope/context; 'org', 'location', 'self', 'provider' filter to a specific context.

alllocationorgproviderself

Default: "all"

Responses

200Successful Response
cache_versionintegerrequired

Cache version for staleness detection.

permissionsobject[]required

Permissions with grant chain details.

registry_versionintegerrequired

Permission registry version for staleness detection.

scope_tree_versionintegerrequired

Scope tree version for staleness detection.

422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/effective-permissions/diagnostic" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/groups

List Groups

List permission groups for the organization.

Parameters

Path Parameters
org_idstringrequired
Query Parameters
pageinteger

Default: 1

page_sizeinteger

Default: 50

status"active" | "archived"

Responses

200Successful Response
itemsobject[]required
pageintegerrequired
page_sizeintegerrequired
totalintegerrequired
422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/groups" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/groups/{group_uuid}

Get Group

Get a permission group by ID.

Parameters

Path Parameters
group_uuidstringrequired
org_idstringrequired

Responses

200Successful Response
contains_phibooleanrequired
context_typesstring[]required
created_atstring (date-time)required
created_bystring (uuid)
descriptionstringrequired
idstring (uuid)required
is_org_adminbooleanrequired
is_systembooleanrequired
namestringrequired
org_idstring (uuid)required
scope_applicabilitystring[]required
statusenumrequired
activearchived
updated_atstring (date-time)required
updated_bystring (uuid)
versionintegerrequired
422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/groups/{group_uuid}" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/groups/{group_uuid}/permission-ids

Get Group Permission Ids

Get the permission IDs for a group.

Parameters

Path Parameters
group_uuidstringrequired
org_idstringrequired

Responses

200Successful Response
422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/groups/{group_uuid}/permission-ids" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/location-access/{location_uuid}

Get Location Access

Get all users with access to a location.

Parameters

Path Parameters
location_uuidstringrequired
org_idstringrequired

Responses

200Successful Response
usersobject[]required

Users with access at this location.

422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/location-access/{location_uuid}" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/permission-keys

Get Permission Keys

Return all non-retired permission keys and current registry version. Used by frontend for TypeScript codegen of permission constants.

Parameters

Path Parameters
org_idstringrequired

Responses

200Successful Response
keysstring[]required
registry_versionintegerrequired
422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/permission-keys" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/permission-registry

Get Permission Registry

Return all non-retired permissions with full details and registry version.

Parameters

Path Parameters
org_idstringrequired

Responses

200Successful Response
permissionsobject[]required
registry_versionintegerrequired
422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/permission-registry" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/scope-tree

Get Scope Tree

Return flat scope tree nodes with resolved entity names.

Parameters

Path Parameters
org_idstringrequired

Responses

200Successful Response
nodesobject[]required
scope_tree_versionintegerrequired
422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/scope-tree" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/user-access/{user_id}

Get User Access

Get all assignments for a user.

Parameters

Path Parameters
user_idstringrequired
org_idstringrequired

Responses

200Successful Response
assignmentsobject[]required

List of assignment details.

422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/user-access/{user_id}" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/users

List users

List organization members with search, sort, and pagination. Raises 422 if sort_by is not a valid column or sort_order is invalid.

Parameters

Path Parameters
org_idstringrequired
Query Parameters
pageinteger

Page number (1-based).

Default: 1

page_sizeinteger

Number of items per page.

Default: 50

status"active" | "invited" | "removed" | "suspended"

Filter by membership status.

searchstring

Search by email or display name (ILIKE).

sort_by"display_name" | "email" | "joined_at" | "last_login_at" | "membership_status"

Sort column. One of: display_name, email, joined_at, last_login_at, membership_status.

display_nameemailjoined_atlast_login_atmembership_status

Default: "display_name"

sort_order"asc" | "desc"

Sort direction. One of: asc, desc.

ascdesc

Default: "asc"

Responses

200Successful Response
itemsobject[]required
pageintegerrequired
page_sizeintegerrequired
totalintegerrequired
422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/users" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/users/{user_id}

Get user detail

Get detailed user information for the user detail page. Returns user profile, membership status, provider link, and assignment counts. Raises 404 if the user is not a member of this organization.

Parameters

Path Parameters
user_idstringrequired
org_idstringrequired

Responses

200Successful Response
accepted_atstring (date-time)
assignment_countinteger
avatar_urlstring
display_namestringrequired

Display name.

emailstringrequired

User email address.

email_verifiedboolean

Whether the user's email is verified.

group_countinteger
invited_atstring (date-time)
invited_bystring (uuid)
joined_atstring (date-time)required

Timestamp when membership was created.

last_activity_atstring (date-time)
last_login_atstring (date-time)
membership_statusstringrequired

Membership status in this organization.

phonestring
provider_idstring (uuid)
role_hintstring
suspended_atstring (date-time)
user_idstring (uuid)required

User UUID.

user_statusstringrequired

Global user status (active, suspended, deactivated).

422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/users/{user_id}" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
get/api/v1/{org_id}/iam/users/export

Export Users

Export users list as CSV.

Parameters

Path Parameters
org_idstringrequired

Responses

200Successful Response
422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/iam/users/export" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
post/api/v1/{org_id}/iam/approvals/{approval_uuid}/review

Review Approval

Review a pending approval (approve or reject).

Parameters

Path Parameters
approval_uuidstringrequired
org_idstringrequired

Request Body

actionenumrequired
approvereject
notestring
phi_acknowledgedboolean

Responses

200Successful Response
created_atstring (date-time)required
effective_fromstring (date-time)
effective_tostring (date-time)
granted_atstring (date-time)required
granted_bystring (uuid)required
idstring (uuid)required
org_idstring (uuid)required
permission_group_idstring (uuid)required
provider_idstring (uuid)
reasonstringrequired
scope_node_idstring (uuid)required
statusenumrequired
activeexpiredpending_activationsuspended
suspended_atstring (date-time)
suspended_bystring (uuid)
updated_atstring (date-time)required
user_idstring (uuid)required
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/approvals/{approval_uuid}/review" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "approve",
    "note": "",
    "phi_acknowledged": false
  }'
post/api/v1/{org_id}/iam/assignments

Grant Assignment

Grant a permission assignment. Returns 201 with assignment on success, or 202 with pending approval if two-person control is triggered.

Parameters

Path Parameters
org_idstringrequired

Request Body

effective_fromstring (date-time)
effective_tostring (date-time)
permission_group_uuidstring (uuid)required
provider_uuidstring (uuid)
reasonstring
scope_node_uuidstring (uuid)required
user_uuidstring (uuid)required

Responses

201Successful Response
created_atstring (date-time)required
effective_fromstring (date-time)
effective_tostring (date-time)
granted_atstring (date-time)required
granted_bystring (uuid)required
idstring (uuid)required
org_idstring (uuid)required
permission_group_idstring (uuid)required
provider_idstring (uuid)
reasonstringrequired
scope_node_idstring (uuid)required
statusenumrequired
activeexpiredpending_activationsuspended
suspended_atstring (date-time)
suspended_bystring (uuid)
updated_atstring (date-time)required
user_idstring (uuid)required
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/assignments" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "effective_from": "string",
    "effective_to": "string",
    "permission_group_uuid": "00000000-0000-0000-0000-000000000000",
    "provider_uuid": "string",
    "reason": "",
    "scope_node_uuid": "00000000-0000-0000-0000-000000000000",
    "user_uuid": "00000000-0000-0000-0000-000000000000"
  }'
post/api/v1/{org_id}/iam/assignments/bulk

Bulk Assignments

Bulk grant assignments for multiple users.

Parameters

Path Parameters
org_idstringrequired

Request Body

effective_fromstring (date-time)
effective_tostring (date-time)
permission_group_uuidstring (uuid)required
provider_idstring (uuid)
reasonstring
scope_node_uuidstring (uuid)required
user_emailsstring[]required

Responses

200Successful Response
failedintegerrequired
pendinginteger
resultsobject[]required
skippedintegerrequired
succeededintegerrequired
totalintegerrequired
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/assignments/bulk" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "effective_from": "string",
    "effective_to": "string",
    "permission_group_uuid": "00000000-0000-0000-0000-000000000000",
    "provider_id": "string",
    "reason": "",
    "scope_node_uuid": "00000000-0000-0000-0000-000000000000",
    "user_emails": []
  }'
post/api/v1/{org_id}/iam/assignments/bulk-revoke

Bulk Revoke Assignments

Bulk revoke assignments for multiple users.

Parameters

Path Parameters
org_idstringrequired

Request Body

permission_group_uuidstring (uuid)required
user_emailsstring[]required

Responses

200Successful Response
failedintegerrequired
pendinginteger
resultsobject[]required
skippedintegerrequired
succeededintegerrequired
totalintegerrequired
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/assignments/bulk-revoke" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "permission_group_uuid": "00000000-0000-0000-0000-000000000000",
    "user_emails": []
  }'
post/api/v1/{org_id}/iam/assignments/bulk-upload

Bulk Assignments Upload

Bulk grant/revoke assignments from CSV-parsed rows.

Parameters

Path Parameters
org_idstringrequired

Request Body

rowsobject[]required

Responses

200Successful Response
failedintegerrequired
pendinginteger
resultsobject[]required
skippedintegerrequired
succeededintegerrequired
totalintegerrequired
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/assignments/bulk-upload" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "rows": []
  }'
post/api/v1/{org_id}/iam/assignments/copy

Copy Assignments

Copy assignments from one user to another.

Parameters

Path Parameters
org_idstringrequired

Request Body

assignment_uuidsstring (uuid)[]
source_user_emailstringrequired
target_user_emailstringrequired

Responses

200Successful Response
failedintegerrequired
pendinginteger
resultsobject[]required
skippedintegerrequired
succeededintegerrequired
totalintegerrequired
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/assignments/copy" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "assignment_uuids": null,
    "source_user_email": "string",
    "target_user_email": "string"
  }'
post/api/v1/{org_id}/iam/groups

Create Group

Create a new permission group.

Parameters

Path Parameters
org_idstringrequired

Request Body

context_typesenum[]
descriptionstring
namestringrequired
permission_idsinteger[]
scope_applicabilityenum[]

Responses

201Successful Response
contains_phibooleanrequired
context_typesstring[]required
created_atstring (date-time)required
created_bystring (uuid)
descriptionstringrequired
idstring (uuid)required
is_org_adminbooleanrequired
is_systembooleanrequired
namestringrequired
org_idstring (uuid)required
scope_applicabilitystring[]required
statusenumrequired
activearchived
updated_atstring (date-time)required
updated_bystring (uuid)
versionintegerrequired
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/groups" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "context_types": null,
    "description": "",
    "name": "string",
    "permission_ids": null,
    "scope_applicability": null
  }'
post/api/v1/{org_id}/iam/groups/import-standard

Import Standard Groups

Import missing standard permission groups for the organization.

Parameters

Path Parameters
org_idstringrequired

Responses

200Successful Response
created_countintegerrequired
created_groupsobject[]required
skipped_countintegerrequired
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/groups/import-standard" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
post/api/v1/{org_id}/iam/preview/assignment

Preview Assignment

Preview the effect of granting an assignment.

Parameters

Path Parameters
org_idstringrequired

Request Body

permission_group_uuidstring (uuid)required
scope_node_uuidstring (uuid)required
user_uuidstring (uuid)required

Responses

200Successful Response
affected_locationsstring[]required
contains_phi_additionsbooleanrequired
new_permissionsstring[]required
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/preview/assignment" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "permission_group_uuid": "00000000-0000-0000-0000-000000000000",
    "scope_node_uuid": "00000000-0000-0000-0000-000000000000",
    "user_uuid": "00000000-0000-0000-0000-000000000000"
  }'
post/api/v1/{org_id}/iam/preview/group-edit

Preview Group Edit

Preview the effect of editing a permission group.

Parameters

Path Parameters
org_idstringrequired

Request Body

add_permissionsinteger[]
group_uuidstring (uuid)required
remove_permissionsinteger[]

Responses

200Successful Response
affected_location_countintegerrequired
affected_user_countintegerrequired
permissions_gainedstring[]required
permissions_loststring[]required
phi_impactstringrequired
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/preview/group-edit" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "add_permissions": null,
    "group_uuid": "00000000-0000-0000-0000-000000000000",
    "remove_permissions": null
  }'
post/api/v1/{org_id}/iam/preview/hierarchy-move

Preview Hierarchy Move

Preview the effect of moving a scope node in the hierarchy.

Parameters

Path Parameters
org_idstringrequired

Request Body

new_parent_uuidstring (uuid)required
scope_node_uuidstring (uuid)required

Responses

200Successful Response
unaffected_usersobject[]required
users_gaining_accessobject[]required
users_losing_accessobject[]required
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/preview/hierarchy-move" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "new_parent_uuid": "00000000-0000-0000-0000-000000000000",
    "scope_node_uuid": "00000000-0000-0000-0000-000000000000"
  }'
post/api/v1/{org_id}/iam/preview/revoke

Preview Revoke

Preview the effect of revoking an assignment.

Parameters

Path Parameters
org_idstringrequired

Request Body

assignment_uuidstring (uuid)required

Responses

200Successful Response
affected_locationsintegerrequired
assignment_idstring (uuid)required
group_namestringrequired
permissions_loststring[]required
phi_permissions_lostintegerrequired
scope_namestringrequired
user_idstring (uuid)required
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/preview/revoke" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "assignment_uuid": "00000000-0000-0000-0000-000000000000"
  }'
post/api/v1/{org_id}/iam/scope-tree/rebuild

Rebuild Scope Tree

Rebuild the scope tree hierarchy from org structure M2M relationships.

Parameters

Path Parameters
org_idstringrequired

Responses

200Successful Response
nodes_updatedintegerrequired
scope_tree_versionintegerrequired
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/scope-tree/rebuild" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
post/api/v1/{org_id}/iam/users/{user_id}/deactivate

Deactivate User

Deactivate a user in the organization.

Parameters

Path Parameters
user_idstringrequired
org_idstringrequired

Responses

204Successful Response
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/users/{user_id}/deactivate" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
post/api/v1/{org_id}/iam/users/{user_id}/provider-link

Link User To Provider

Link a user to a provider (required for self-context permissions).

Parameters

Path Parameters
user_idstringrequired
org_idstringrequired

Request Body

base_versioninteger
provider_uuidstring (uuid)required

Provider UUID to link to this user.

Responses

200Successful Response
is_primarybooleanrequired
org_idstring (uuid)required
provider_idstring (uuid)required
user_idstring (uuid)required
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/users/{user_id}/provider-link" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "base_version": 1,
    "provider_uuid": "00000000-0000-0000-0000-000000000000"
  }'
post/api/v1/{org_id}/iam/users/{user_id}/remove

Remove user

Remove a user from the organization. Works on active or suspended memberships. Sets membership to removed, suspends all assignments, and clears permission cache. Raises 404 if the user is not a member. Raises 400 if the user is not in active or suspended status.

Parameters

Path Parameters
user_idstringrequired
org_idstringrequired

Responses

204Successful Response
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/users/{user_id}/remove" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
post/api/v1/{org_id}/iam/users/{user_id}/resend-invite

Resend Invite

Resend invite email for a pending user.

Parameters

Path Parameters
user_idstringrequired
org_idstringrequired

Responses

204Successful Response
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/users/{user_id}/resend-invite" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
post/api/v1/{org_id}/iam/users/{user_id}/restore

Restore user

Restore a suspended or removed user in the organization. SUSPENDED -> ACTIVE (does not restore assignments). REMOVED -> INVITED (re-sends invite). Raises 404 if the user is not a member. Raises 400 if the user is not in suspended or removed status.

Parameters

Path Parameters
user_idstringrequired
org_idstringrequired

Responses

204Successful Response
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/users/{user_id}/restore" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
post/api/v1/{org_id}/iam/users/{user_id}/revoke-invite

Revoke invite

Revoke a pending invitation for a user. Only works on memberships with status=invited. Sets membership to removed. Raises 404 if the user is not a member. Raises 400 if the user is not in invited status.

Parameters

Path Parameters
user_idstringrequired
org_idstringrequired

Responses

204Successful Response
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/users/{user_id}/revoke-invite" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
post/api/v1/{org_id}/iam/users/{user_id}/suspend

Suspend user

Suspend an active user in the organization. Sets membership to suspended, suspends all assignments, and invalidates permission cache. Blocks auth if no other active memberships remain. Raises 404 if the user is not a member. Raises 400 if the user is not active.

Parameters

Path Parameters
user_idstringrequired
org_idstringrequired

Responses

204Successful Response
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/users/{user_id}/suspend" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
post/api/v1/{org_id}/iam/users/bulk

Bulk User Action

Bulk user actions (suspend, restore, resend_invite) by email.

Parameters

Path Parameters
org_idstringrequired

Request Body

actionenumrequired
resend_inviterestoresuspend
user_emailsstring[]
user_uuidsstring (uuid)[]

Responses

200Successful Response
failedintegerrequired
pendinginteger
resultsobject[]required
skippedintegerrequired
succeededintegerrequired
totalintegerrequired
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/users/bulk" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "resend_invite",
    "user_emails": null,
    "user_uuids": null
  }'
post/api/v1/{org_id}/iam/users/bulk-invite

Bulk Invite

Bulk invite users from CSV-parsed rows.

Parameters

Path Parameters
org_idstringrequired

Request Body

rowsobject[]
usersobject[]

Responses

200Successful Response
failedintegerrequired
pendinginteger
resultsobject[]required
skippedintegerrequired
succeededintegerrequired
totalintegerrequired
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/users/bulk-invite" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "rows": null,
    "users": null
  }'
post/api/v1/{org_id}/iam/users/bulk-restore

Bulk Restore

Bulk restore users from CSV-parsed rows.

Parameters

Path Parameters
org_idstringrequired

Request Body

rowsobject[]required

Responses

200Successful Response
failedintegerrequired
pendinginteger
resultsobject[]required
skippedintegerrequired
succeededintegerrequired
totalintegerrequired
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/users/bulk-restore" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "rows": []
  }'
post/api/v1/{org_id}/iam/users/bulk-suspend

Bulk Suspend

Bulk suspend users from CSV-parsed rows.

Parameters

Path Parameters
org_idstringrequired

Request Body

rowsobject[]required

Responses

200Successful Response
failedintegerrequired
pendinginteger
resultsobject[]required
skippedintegerrequired
succeededintegerrequired
totalintegerrequired
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/users/bulk-suspend" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "rows": []
  }'
post/api/v1/{org_id}/iam/users/exists

Users Exist

Check which emails already exist in the organization.

Parameters

Path Parameters
org_idstringrequired

Request Body

emailsstring[]required

Responses

200Successful Response
existing_emailsstring[]required
missing_emailsstring[]required
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/users/exists" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "emails": []
  }'
post/api/v1/{org_id}/iam/users/invite

Invite user

Invite a user to the organization. Creates the user in the auth provider if they don't exist, then creates an org membership with status=invited. Optionally accepts a role_hint for UI display. Raises 400 if the user is already an active member. Raises 403 if the user is globally deactivated.

Parameters

Path Parameters
org_idstringrequired

Request Body

display_namestringrequired

Display name for the invited user.

emailstringrequired

Email address of the user to invite.

role_hintstring

Responses

201Successful Response
created_atstring (date-time)required
display_namestringrequired
emailstringrequired
idstring (uuid)required
statusstringrequired
updated_atstring (date-time)required
422Validation Error
detailobject[]
curl
curl -X POST "https://api.example.com/api/v1/{org_id}/iam/users/invite" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "display_name": "string",
    "email": "string",
    "role_hint": "string"
  }'
patch/api/v1/{org_id}/iam/groups/{group_uuid}

Edit Group

Edit a permission group.

Parameters

Path Parameters
group_uuidstringrequired
org_idstringrequired

Request Body

add_permissionsinteger[]
base_versionintegerrequired
change_reasonstring
descriptionstring
namestring
remove_permissionsinteger[]

Responses

200Successful Response
contains_phibooleanrequired
context_typesstring[]required
created_atstring (date-time)required
created_bystring (uuid)
descriptionstringrequired
idstring (uuid)required
is_org_adminbooleanrequired
is_systembooleanrequired
namestringrequired
org_idstring (uuid)required
scope_applicabilitystring[]required
statusenumrequired
activearchived
updated_atstring (date-time)required
updated_bystring (uuid)
versionintegerrequired
422Validation Error
detailobject[]
curl
curl -X PATCH "https://api.example.com/api/v1/{org_id}/iam/groups/{group_uuid}" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "add_permissions": null,
    "base_version": 1,
    "change_reason": "",
    "description": "string",
    "name": "string"
  }'
patch/api/v1/{org_id}/iam/users/{user_id}

Update User Profile

Update user profile fields (display name; email updates may be blocked).

Parameters

Path Parameters
user_idstringrequired
org_idstringrequired

Request Body

avatar_urlstring
display_namestring
emailstring
phonestring
role_hintstring

Responses

200Successful Response
display_namestringrequired
emailstringrequired
updated_atstring (date-time)required
user_idstring (uuid)required
422Validation Error
detailobject[]
curl
curl -X PATCH "https://api.example.com/api/v1/{org_id}/iam/users/{user_id}" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "avatar_url": "string",
    "display_name": "string",
    "email": "string",
    "phone": "string",
    "role_hint": "string"
  }'
delete/api/v1/{org_id}/iam/assignments/{assignment_uuid}

Revoke Assignment

Revoke (suspend) a permission assignment.

Parameters

Path Parameters
assignment_uuidstringrequired
org_idstringrequired

Responses

204Successful Response
422Validation Error
detailobject[]
curl
curl -X DELETE "https://api.example.com/api/v1/{org_id}/iam/assignments/{assignment_uuid}" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"
delete/api/v1/{org_id}/iam/groups/{group_uuid}

Archive Group

Archive a permission group.

Parameters

Path Parameters
group_uuidstringrequired
org_idstringrequired

Responses

204Successful Response
422Validation Error
detailobject[]
curl
curl -X DELETE "https://api.example.com/api/v1/{org_id}/iam/groups/{group_uuid}" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"

Session

1 endpoint

get/api/v1/{org_id}/session/bootstrap

Session Bootstrap

Bootstrap session data for frontend app startup.

Parameters

Path Parameters
org_idstringrequired

Responses

200Successful Response
accessible_locationsobject[]required
cache_versionintegerrequired
is_org_adminbooleanrequired
is_platform_adminboolean
is_providerbooleanrequired
membershipobjectrequired
orgobjectrequired
org_permissionsstring[]required
orgsobject[]
preferencesobject
provider_idstring
registry_versionintegerrequired
scope_tree_versionintegerrequired
userobjectrequired
422Validation Error
detailobject[]
curl
curl -X GET "https://api.example.com/api/v1/{org_id}/session/bootstrap" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"