Create User

POST /auth/users

Request example:
curl --request POST \
  --url https://api.dfns.io/auth/users \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-DFNS-USERACTION: <user-action-signature>' \
  --data '
{
  "email": "jsmith@example.com",
  "kind": "CustomerEmployee",
  "publicKey": "<string>",
  "externalId": "<string>",
  "isSSORequired": false
}
'

Response example (200):

{
  "username": "<string>",
  "name": "<string>",
  "userId": "us-6b58p-r53sr-rlrd3l5cj3uc4ome",
  "credentialUuid": "<string>",
  "isActive": true,
  "isServiceAccount": true,
  "isRegistered": true,
  "isSSORequired": true,
  "permissionAssignments": [
    {
      "permissionName": "<string>",
      "permissionId": "pm-37vj4-jkr4l-lc9945spfftkne57",
      "assignmentId": "as-1vcmc-qrek0-6b4vii9pln60907e",
      "operations": [
        "<string>"
      ]
    }
  ],
  "orgId": "or-30tnh-itmjs-s235s5ontr3r23h2",
  "accountId": "acct-24hka-dhili-9hgvdlvr1ohpibp4",
  "permissions": [
    "<string>"
  ]
}

Authentication

✅ Organization User (CustomerEmployee)
❌ Delegated User (EndUser)
❌ Personal Access Token not allowed
✅ Service Account

Required Permissions

Auth:Users:Create: Always required.

Authorizations

Authorization (string, header, required)

Bearer Token: used to authenticate API requests. For details on how to generate the token, see Authentication flows.

X-DFNS-USERACTION (string, header, required)

User Action Signature: used to sign change-inducing API requests. For details on how to generate the signature, see User Action Signing flows.

Body

application/json

email (string<email>, required)

The email address of the new user.

kind (enum<string>, required)

The kind of user being created. In this endpoint it can only be "CustomerEmployee"; an "EndUser" is created through the Delegated Registration endpoint instead.

Available options: CustomerEmployee

publicKey (string)

Optional public key in PEM format associated with the user.

externalId (string)

Value that can be used to correlate the entity with an external system.

isSSORequired (boolean, default: false)

If set to true, the user will have to authenticate via SSO.

Response

200 - application/json

Success

username (string, required)

Username/identifier of the user (any unique string accepted, e.g. your internal user ID or email).

name (string, required)

Display name of the user.

userId (string, required)

User id.

Required string length: 1 - 64
Pattern: ^us-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
Example: "us-6b58p-r53sr-rlrd3l5cj3uc4ome"

kind (enum<string>, required)

User kind.

Available options: CustomerEmployee, EndUser

credentialUuid (string, required)

UUID of the user's primary credential.

isActive (boolean, required)

Whether the user is active.

isServiceAccount (boolean, required)

Whether the user is a service account.

isRegistered (boolean, required)

Whether the user has completed registration.

isSSORequired (boolean, required)

Whether the user must authenticate via SSO.

permissionAssignments (object[], required)

Permissions (roles) assigned to the user.

orgId (string)

Organization id.

Required string length: 1 - 64
Pattern: ^or-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
Example: "or-30tnh-itmjs-s235s5ontr3r23h2"

accountId (string)

Account id.

Required string length: 1 - 64
Pattern: ^acct-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
Example: "acct-24hka-dhili-9hgvdlvr1ohpibp4"

permissions (string[])

Deprecated. Flat list of API operations the user has access to.
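The following is an added example, not Dfns SDK code, showing how a client would assemble the request described in the Body section above (both required headers, the fixed "CustomerEmployee" kind, optional PEM public key and externalId) and then check a 200 response against the Response schema: required fields, the documented userId/orgId/accountId patterns, the kind enum, and a warning when the deprecated flat permissions list is present. The function names, the e-mail regex and the sample response are assumptions; the URL, header names, field names and ID patterns are taken from this page. The User Action Signature is passed in as an already-computed string, since the signing flow itself is documented elsewhere.

```python
"""Hypothetical client helper for the Dfns Create User endpoint (POST /auth/users).

Added example, not Dfns SDK code. Function and constant names are assumptions;
the URL, header names, field names and ID patterns come from the reference page.
"""
import json
import re
import urllib.request

API_URL = "https://api.dfns.io/auth/users"

# Response ID patterns as quoted on the reference page.
ID_PATTERNS = {
    "userId": re.compile(r"^us-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$"),
    "orgId": re.compile(r"^or-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$"),
    "accountId": re.compile(r"^acct-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$"),
}
REQUIRED_RESPONSE_FIELDS = (
    "username", "name", "userId", "kind", "credentialUuid", "isActive",
    "isServiceAccount", "isRegistered", "isSSORequired", "permissionAssignments",
)
ALLOWED_KINDS = ("CustomerEmployee", "EndUser")
# Minimal syntactic e-mail guard (assumption: a client-side sanity check only).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_create_user_request(bearer_token, user_action_signature, email,
                              *, public_key=None, external_id=None,
                              is_sso_required=False):
    """Return (headers, body) for the Create User request.

    user_action_signature is the value of the X-DFNS-USERACTION header; it has
    to be produced by the User Action Signing flow beforehand (not done here).
    """
    if not bearer_token or not user_action_signature:
        raise ValueError("bearer token and user action signature are both required")
    if not EMAIL_RE.match(email):
        raise ValueError(f"invalid email address: {email!r}")
    # This endpoint only creates CustomerEmployee users, so the kind is fixed.
    body = {"email": email, "kind": "CustomerEmployee",
            "isSSORequired": bool(is_sso_required)}
    if public_key is not None:
        pem = public_key.strip()
        if not (pem.startswith("-----BEGIN ") and pem.endswith("-----")):
            raise ValueError("publicKey must be PEM encoded")
        body["publicKey"] = public_key
    if external_id is not None:
        body["externalId"] = external_id
    headers = {
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": "application/json",
        "X-DFNS-USERACTION": user_action_signature,
    }
    return headers, body


def send_create_user(headers, body, opener=urllib.request.urlopen):
    """POST the request and return the decoded JSON response (network call)."""
    req = urllib.request.Request(API_URL, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with opener(req) as resp:
        return json.load(resp)


def validate_create_user_response(payload):
    """Check a 200 response body against the documented schema.

    Returns (errors, warnings): errors are schema violations, warnings are
    things the caller should notice that do not make the response invalid.
    """
    errors, warnings = [], []
    for field in REQUIRED_RESPONSE_FIELDS:
        if field not in payload:
            errors.append(f"missing required field {field!r}")
    for field, pattern in ID_PATTERNS.items():
        value = payload.get(field)
        if value is not None and not pattern.match(str(value)):
            errors.append(f"{field} {value!r} does not match the documented pattern")
    kind = payload.get("kind")
    if kind is not None and kind not in ALLOWED_KINDS:
        errors.append(f"unexpected kind {kind!r}")
    if "permissions" in payload:
        warnings.append("'permissions' is deprecated; use 'permissionAssignments'")
    return errors, warnings


# Constructed sample response; the ID values are the examples quoted on the page.
SAMPLE_RESPONSE = {
    "username": "jsmith@example.com",
    "name": "J. Smith",
    "userId": "us-6b58p-r53sr-rlrd3l5cj3uc4ome",
    "kind": "CustomerEmployee",
    "credentialUuid": "00000000-0000-0000-0000-000000000000",
    "isActive": True,
    "isServiceAccount": False,
    "isRegistered": False,
    "isSSORequired": False,
    "permissionAssignments": [],
    "orgId": "or-30tnh-itmjs-s235s5ontr3r23h2",
    "accountId": "acct-24hka-dhili-9hgvdlvr1ohpibp4",
    "permissions": [],
}

if __name__ == "__main__":
    hdrs, req_body = build_create_user_request(
        "<token>", "<user-action-signature>", "jsmith@example.com", external_id="emp-42")
    print(json.dumps(req_body, indent=2))
    print(validate_create_user_response(SAMPLE_RESPONSE))
```

Pairing the request builder with a response validator is deliberate: a user-creation call changes who can authenticate to the organization, so a client that logs schema violations (an ID outside the documented pattern, an unexpected kind) gives an auditor something concrete to review rather than silently trusting whatever came back.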

Last modified on June 18, 2026