Manages organization members — invitations (single and bulk), profiles, role assignments, activation state, and user settings. All methods operate within the caller’s organization.
| Method |
Description |
InviteUser |
Invite a user to the organization |
BulkInviteUsers |
Invite up to 100 users in a single call |
RevokeInvite |
Revoke a pending invitation |
GetUser |
Get a user by ID |
ListUsers |
List organization members |
UpdateUserRole |
Change a user’s role |
DeactivateUser |
Deactivate a user |
ReactivateUser |
Reactivate a deactivated user |
UpdateUserProfile |
Update a user’s profile |
GetUserSettings |
Get the caller’s settings |
UpdateUserSettings |
Update the caller’s settings |
ConfirmPasskeyEnrollment |
Confirm passkey enrollment after registration |
UpdateUserRegion |
Change a user’s data governance region |
Invite a new user to the organization. The user is created with INVITED status, and the invitee receives a branded invitation email localized to the organization’s default locale. Email delivery is best-effort — the invitation succeeds even if the email cannot be sent.
Authorization: Requires PERMISSION_MEMBERS_INVITE permission
| Field |
Type |
Description |
email |
string |
Email address to send the invitation to. Max 254 characters. |
name |
string |
Display name for the invited user. Max 200 characters. |
role_id |
string |
Role to assign. Defaults to the organization’s employee role if empty. |
profile |
UserProfile |
Optional profile attributes to pre-fill at invitation time. |
data_governance_region |
string |
Optional data governance region (EU, LATAM, BR, APAC, US). Empty inherits the organization default. |
| Field |
Type |
Description |
user |
User |
The invited user (status: INVITED). |
Invite multiple users in a single call. Emails are deduplicated before processing, and each email is processed independently — individual failures do not abort the batch. Each successfully invited address receives the same invitation email as InviteUser (best-effort; an email failure never changes a result’s reported success).
Authorization: Requires PERMISSION_MEMBERS_INVITE permission
| Field |
Type |
Description |
emails |
string[] |
Email addresses to invite. Min 1, max 100. Duplicates are deduplicated. |
role_id |
string |
Role to assign to all invitees. Defaults to the organization’s employee role if empty. |
| Field |
Type |
Description |
results |
BulkInviteResult[] |
Per-email results in the same order as the deduplicated input. |
invited_count |
int32 |
Number of users successfully invited. |
failed_count |
int32 |
Number of emails that failed. |
| Field |
Type |
Description |
email |
string |
The email address that was processed. |
success |
bool |
Whether the invitation succeeded. |
error |
string |
Error message if the invitation failed (e.g. “user already exists”). Empty on success. |
user |
User |
The created user. Only set on success. |
Revoke an invitation for a user who has not yet completed registration. The pending INVITED membership is removed.
Authorization: Requires PERMISSION_MEMBERS_MANAGE permission
| Field |
Type |
Description |
user_id |
string |
ID of the invited user to remove. UUID format. |
Empty response on success.
Retrieve a user by ID. Self-lookup (empty user_id) is allowed for any authenticated user.
Authorization: Requires PERMISSION_MEMBERS_READ permission for other users; self-lookup needs no special permission
| Field |
Type |
Description |
user_id |
string |
User ID. Empty returns the caller’s own user. |
| Field |
Type |
Description |
user |
User |
The user. |
Authorization: Requires PERMISSION_MEMBERS_READ permission
| Field |
Type |
Description |
pagination |
Pagination |
Pagination parameters. |
| Field |
Type |
Description |
users |
User[] |
List of users. |
pagination_meta |
PaginationMeta |
Pagination metadata. |
Authorization: Requires PERMISSION_MEMBERS_MANAGE permission
| Field |
Type |
Description |
user_id |
string |
User ID. |
role_id |
string |
New role ID. |
| Field |
Type |
Description |
user |
User |
The updated user. |
Authorization: Requires PERMISSION_MEMBERS_MANAGE permission
| Field |
Type |
Description |
user_id |
string |
User ID to deactivate. |
| Field |
Type |
Description |
user |
User |
The deactivated user (status: DEACTIVATED). |
Reactivate a deactivated user, restoring their status to INVITED. The user must complete the invite flow again to become ACTIVE.
Authorization: Requires PERMISSION_MEMBERS_MANAGE permission
| Field |
Type |
Description |
user_id |
string |
User ID to reactivate. |
| Field |
Type |
Description |
user |
User |
The reactivated user (status: INVITED). |
Update a user’s profile attributes (department, title, etc.). All provided fields overwrite existing values.
Authorization: Self-update (empty user_id or the caller’s own ID) requires no special permission; updating another user requires PERMISSION_MEMBERS_MANAGE permission
| Field |
Type |
Description |
user_id |
string |
ID of the user whose profile to update. Empty means the caller’s own profile. |
profile |
UserProfile |
Profile attributes to set. |
| Field |
Type |
Description |
user |
User |
The updated user with the new profile. |
Authorization: Authenticated user (own settings only)
Empty request.
| Field |
Type |
Description |
settings |
UserSettings |
The caller’s settings. |
Update the caller’s settings. Only fields with non-default values are applied; default-valued fields are left unchanged.
Authorization: Authenticated user (own settings only)
| Field |
Type |
Description |
settings |
UserSettings |
Settings to update. |
| Field |
Type |
Description |
settings |
UserSettings |
The full settings after the update. |
Confirm passkey enrollment after client-side WebAuthn registration. The server verifies the caller has at least one registered credential before marking the user as passkey-enrolled.
Authorization: Authenticated user (self only, no permission required)
Empty request.
| Field |
Type |
Description |
confirmed |
bool |
Whether enrollment was confirmed. |
Update a user’s data governance region. Triggers a data migration workflow if the region changed.
Authorization: Requires PERMISSION_MEMBERS_MANAGE permission
| Field |
Type |
Description |
user_id |
string |
ID of the user whose region to update. Required. |
data_governance_region |
string |
New governance region (EU, LATAM, BR, APAC, US), or empty to inherit the organization default. |
| Field |
Type |
Description |
user |
User |
The updated user. |
migration_workflow_id |
string |
ID of the region migration workflow, if one was triggered. Empty if the region didn’t change. |
| Field |
Type |
Description |
theme_preference |
ThemePreference |
Preferred color scheme (SYSTEM, LIGHT, DARK). |
preferred_locale |
string |
Preferred language for the UI and notifications (en, es, pt-BR, zh, ja). Empty means organization default or auto-detect. |
| Field |
Type |
Description |
first_name |
string |
Given name. Max 200 characters. |
last_name |
string |
Family name. Max 200 characters. |
department |
string |
Department or team. Max 200 characters. |
title |
string |
Job title. Max 200 characters. |
phone |
string |
Phone number. Max 200 characters. |
location |
string |
Office or geographic location. Max 200 characters. |
employee_id |
string |
Organization-specific employee identifier. Max 200 characters. |
manager_name |
string |
Display name of the user’s direct manager. Max 200 characters. |
start_date |
string |
Employment start date (ISO 8601, YYYY-MM-DD). |
custom_attributes |
map<string, string> |
Organization-defined custom attributes. Max 50 entries. |