SuperAI Flow Platform

Create user in organization

Create a new user within a specific organization.

This endpoint creates a user account in the platform database and authentication system. The user receives an email invitation to set their password and activate their account. This ensures proper multi-tenant isolation.

Context:

  • Creates user in platform database and authentication system
  • Sends email invitation to user with password setup link
  • User starts in inactive status until they accept invitation
  • Email must be unique within the organization
  • Organization ID from path parameter overrides request body
  • User role determines permission level (admin, member, viewer)
  • Authentication synchronization ensures consistency

Behavior:

  1. Validates organization exists and is active
  2. Checks email is not already used in this organization
  3. Creates user record in platform database
  4. Creates user in authentication system
  5. Sends email invitation to user with password setup link
  6. Returns user details (user must accept invitation separately)

Side Effects:

  • User created in platform database
  • User created in authentication system (pending invitation acceptance)
  • Email invitation sent to user's email address
  • User appears in organization user lists immediately
  • User cannot log in until they accept invitation and set password

Use Cases:

  • Onboard new team member to organization
  • Provision user accounts during organization setup
  • Create admin users for customer organizations
  • Add temporary contractors or guests to organization

Related Endpoints:

  • GET /admin/organizations/{id}/users - List all organization users
  • POST /admin/users - Create user without organization context
  • GET /admin/users/{user_id} - View created user details
  • DELETE /admin/users/{user_id} - Remove user if created by mistake

Header Parameters

Authorization string

Path Parameters

organization_id string Required

Organization to create user in. Overrides organization_id in request body if both provided. Organization must exist and be active.

Body Parameters

email string Required

User's email address. Required, must be valid email format. Used for login, authentication, and invitation emails. Must be unique within the organization. Email invitation automatically sent to this address upon user creation.

first_name string Required

User's first name. Required. Used in UI displays and email communications. Constraints: 1-100 characters, cannot be empty.

Min length: 1
Max length: 100

is_active boolean

Whether user account is active. Optional, defaults to True. Inactive users cannot log in or access the system. Note: User must still accept email invitation to log in, even if is_active is True. Default: True (user created in active state pending invitation acceptance)

Default value: true

last_name string Required

User's last name. Required. Used in UI displays and email communications. Constraints: 1-100 characters, cannot be empty.

Min length: 1
Max length: 100

organization_id null

role string Required

User's role within the organization. Required. Determines permission level and feature access. Valid values: 'org_admin', 'backoffice', 'app_user', 'integration'.

Role permissions:

  • 'org_admin': Full access to organization resources and user management
  • 'backoffice': Super admin with platform-level access
  • 'app_user': Can create and manage own flows and executions
  • 'integration': Service account for integrations and automated workflows
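
A pre-flight check for provisioning scripts that call this endpoint, as an added example (not the platform's own code): it enforces the documented field constraints locally, rejects a body organization_id that disagrees with the path value (the path silently wins), and requires an explicit opt-in for the platform-level 'backoffice' role. The function name, the allow_privileged flag and the sample values are assumptions.

```python
import re

VALID_ROLES = {"org_admin", "backoffice", "app_user", "integration"}
PRIVILEGED_ROLES = {"backoffice"}  # documented as platform-level super admin
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse format check only


def build_create_user_body(path_org_id, email, first_name, last_name, role,
                           body_org_id=None, is_active=True,
                           allow_privileged=False):
    """Return the JSON body for the create-user call, or raise ValueError.

    Hypothetical helper: the name and allow_privileged are not platform API.
    """
    errors = []
    if not EMAIL_RE.match(email or ""):
        errors.append("email: invalid format")
    for field, value in (("first_name", first_name), ("last_name", last_name)):
        if not isinstance(value, str) or not 1 <= len(value) <= 100:
            errors.append(f"{field}: must be 1-100 characters")
    if role not in VALID_ROLES:
        errors.append(f"role: must be one of {sorted(VALID_ROLES)}")
    elif role in PRIVILEGED_ROLES and not allow_privileged:
        errors.append(f"role: '{role}' needs allow_privileged=True")
    # The path parameter overrides the body value, so a mismatch means the
    # caller believes it is provisioning into a different tenant. Fail here
    # instead of letting the server resolve it silently.
    if body_org_id is not None and body_org_id != path_org_id:
        errors.append("organization_id: body value differs from path value")
    if errors:
        raise ValueError("; ".join(errors))
    # organization_id is left out of the body; the path value is authoritative.
    return {"email": email, "first_name": first_name, "last_name": last_name,
            "role": role, "is_active": is_active}


if __name__ == "__main__":
    # Constructed sample values, not taken from the platform.
    print(build_create_user_body("org-a", "ada@example.com", "Ada",
                                 "Lovelace", "app_user"))
    try:
        build_create_user_body("org-a", "ada@example.com", "Ada", "Lovelace",
                               "backoffice", body_org_id="org-b")
    except ValueError as exc:
        print("rejected:", exc)
```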

Response

201
Object
User created successfully

Response Attributes

created_at string Required

Timestamp when user was created. Format: ISO 8601 UTC (e.g., '2025-01-23T15:30:00Z').

email string Required

User's email address. Must be unique within organization. Used for login, authentication, and notifications. Synchronized with authentication system. Can be updated after user creation.

first_name string Required

User's first name. Used in UI displays, emails, and user identification. Can be updated after user creation.

id string Required

Unique identifier for the user. Format: UUID v4. Synchronized with authentication system user ID.

last_name string Required

User's last name. Used in UI displays, emails, and user identification. Can be updated after user creation.

modified_by string Required

Identifier of the user or system that last modified this user. Can be user UUID or system identifier (e.g., 'system', 'admin'). Used for audit trail and change attribution.

organization_id string Required

UUID of the organization this user belongs to. Users are scoped to a single organization (no cross-org access). Organization must exist and determines user's data access scope.

role string Required

User's role within the organization. Determines permission level. Valid values: 'org_admin', 'backoffice', 'app_user', 'integration'.

Role permissions:

  • 'org_admin': Full organization access and user management
  • 'backoffice': Super admin with platform-level access
  • 'app_user': Regular user who can create and manage own flows and executions
  • 'integration': Service account for integrations and automated workflows

status string Required

User's current account status. Valid values: 'active', 'inactive'.

'active': User can log in and access the system. 'inactive': User cannot log in; account is disabled. Note: Even active users must accept email invitation to log in initially.

updated_at string Required

Timestamp when user was last modified. Updated automatically on any field change. Format: ISO 8601 UTC (e.g., '2025-01-24T10:45:00Z'). Used for change tracking and audit logs.

400
Object
Invalid input or email format

Response Attributes

error object Required

Standard error detail structure.

This model matches the error format returned by the centralized exception handlers in app/api/errors/handlers.py.

request_id null

403
Object
Forbidden - Insufficient permissions to access this resource

Response Attributes

error object Required

Standard error detail structure.

This model matches the error format returned by the centralized exception handlers in app/api/errors/handlers.py.

request_id null

404
Object
Organization not found

Response Attributes

error object Required

Standard error detail structure.

This model matches the error format returned by the centralized exception handlers in app/api/errors/handlers.py.

request_id null

409
Object
User with this email already exists

Response Attributes

error object Required

Standard error detail structure.

This model matches the error format returned by the centralized exception handlers in app/api/errors/handlers.py.

request_id null

422
Object
Validation Error

Response Attributes

detail array

500
Object
Internal Server Error - An unexpected error occurred

Response Attributes

error object Required

Standard error detail structure.

This model matches the error format returned by the centralized exception handlers in app/api/errors/handlers.py.

request_id null