# Create User

> Invite a new user into the caller's organization. This creates the user and sends a registration email, containing a registration code, to the new user's email address, directing them to complete registration on the Dfns Dashboard. The user is created without any permissions.

  <Note>If you do not want the created user to know about Dfns or to receive the
  registration email from Dfns, use the Delegated Registration endpoint
  instead.</Note>
  

#### Authentication

✅ Organization User (`CustomerEmployee`)\
❌ Delegated User (`EndUser`)\
❌ Personal Access Token not allowed\
✅ Service Account

#### Required Permissions

`Auth:Users:Create`: Always required.


## OpenAPI

````yaml /openapi.yaml post /auth/users
openapi: 3.1.0
info:
  version: 1.880.1
  title: Dfns
servers:
  - url: https://api.dfns.io
    description: Default - Europe
  - url: https://api.uae.dfns.io
    description: UAE
  - url: https://api.dfns.ninja
    description: <Deprecated> Staging
security: []
paths:
  /auth/users:
    post:
      tags:
        - Auth
      summary: Create User
      description: >-
        Invite a new user in the caller's org. This will create the user and
        send a registration email to the created User's email, with a
        registration code, and pointing him to complete his registration on Dfns
        Dashboard. The user is created without any permissions.
          
          <Note>If you want the created User to not know about Dfns, and don't want him to 
          receive the registration email from Dfns, you should rather use the Delegated Registration 
          endpoint.</Note>
          
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                email:
                  type: string
                  format: email
                  description: The email address of the new user.
                kind:
                  type: string
                  enum:
                    - CustomerEmployee
                  description: |-
                    The kind of user being created. 
                          In this endpoint it can only be "`CustomerEmployee`" (creating an "`EndUser`" is done through the [Delegated Registration](https://docs.dfns.co/api-reference/auth/registration-flows#delegated-users-registration-flow) endpoint)
                publicKey:
                  type: string
                  description: Optional public key in PEM format associated with the user.
                externalId:
                  type: string
                  description: >-
                    Value that can be used to correlate the entity with an
                    external system.
                isSSORequired:
                  type: boolean
                  default: false
                  description: If set to true, the user will have to authenticate via SSO
              required:
                - email
                - kind
              additionalProperties: false
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/User'
      security:
        - authenticationToken: []
          userActionSignature: []
components:
  schemas:
    User:
      type: object
      properties:
        username:
          type: string
          description: >-
            Username/identifier of the user (any unique string accepted, e.g.
            your internal user ID or email).
        name:
          type: string
          description: Display name of the user.
        userId:
          type: string
          minLength: 1
          maxLength: 64
          pattern: ^us-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
          description: User id.
          example: us-6b58p-r53sr-rlrd3l5cj3uc4ome
        kind:
          type: string
          enum:
            - CustomerEmployee
            - EndUser
          description: User kind.
        credentialUuid:
          type: string
          description: UUID of the user's primary credential.
        orgId:
          type: string
          minLength: 1
          maxLength: 64
          pattern: ^or-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
          description: Organization id.
          example: or-30tnh-itmjs-s235s5ontr3r23h2
        tenantId:
          type: string
          minLength: 1
          maxLength: 64
          pattern: ^acct-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
          description: Tenant id.
          example: acct-24hka-dhili-9hgvdlvr1ohpibp4
        permissions:
          type: array
          items:
            type: string
          description: '@deprecated - Flat list of API operations the user has access to.'
        isActive:
          type: boolean
          description: Whether the user is active.
        isServiceAccount:
          type: boolean
          description: Whether the user is a service account.
        isRegistered:
          type: boolean
          description: Whether the user has completed registration.
        isSSORequired:
          type: boolean
          description: Whether the user must authenticate via SSO.
        permissionAssignments:
          type: array
          items:
            type: object
            properties:
              permissionName:
                type: string
                description: Human-readable name of the permission (role).
              permissionId:
                type: string
                minLength: 1
                maxLength: 64
                pattern: ^pm-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
                description: >-
                  ID of the permission (also referred to as "role" in the
                  dashboard).
                example: pm-37vj4-jkr4l-lc9945spfftkne57
              assignmentId:
                type: string
                minLength: 1
                maxLength: 64
                pattern: ^as-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
                description: ID of the permission assignment.
                example: as-1vcmc-qrek0-6b4vii9pln60907e
              operations:
                type: array
                items:
                  type: string
                description: List of API operations granted by this permission.
            required:
              - permissionName
              - permissionId
              - assignmentId
          description: Permissions (roles) assigned to the user.
      required:
        - username
        - name
        - userId
        - kind
        - credentialUuid
        - isActive
        - isServiceAccount
        - isRegistered
        - isSSORequired
        - permissionAssignments
  securitySchemes:
    authenticationToken:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        **Bearer Token:** Used to authenticate API requests.

        More details on how to generate the token: [Authentication
        flows](https://docs.dfns.co/api-reference/auth/login-flows)
    userActionSignature:
      type: apiKey
      in: header
      name: X-DFNS-USERACTION
      description: >-
        **User Action Signature:** Used to sign the change-inducing API
        requests.

        More details on how to generate the token: [User Action Signing
        flows](https://docs.dfns.co/api-reference/auth/signing-flows)

````
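
A client-side check built from the schema above, as an added example that is not Dfns code: it builds a request body the endpoint's schema would accept, then audits the returned `User` object against what this page documents (ID patterns, `CustomerEmployee` kind, no permissions at creation). The function names, the constructed sample response and the expectation that `isRegistered` is false immediately after creation are assumptions; obtaining the bearer token and the `X-DFNS-USERACTION` signature is out of scope here.

```python
import re

# ID patterns copied from the User schema on this page.
ID_PATTERNS = {
    "userId": re.compile(r"^us-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$"),
    "orgId": re.compile(r"^or-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$"),
}
ALLOWED_REQUEST_KEYS = {"email", "kind", "publicKey", "externalId", "isSSORequired"}

# Constructed sample response (IDs are the schema's own example values).
SAMPLE_USER = {
    "username": "new.hire@example.com", "name": "new.hire@example.com",
    "userId": "us-6b58p-r53sr-rlrd3l5cj3uc4ome", "kind": "CustomerEmployee",
    "orgId": "or-30tnh-itmjs-s235s5ontr3r23h2", "isActive": True,
    "credentialUuid": "00000000-0000-0000-0000-000000000000",  # placeholder
    "isServiceAccount": False, "isRegistered": False,
    "isSSORequired": True, "permissionAssignments": [],
}

def build_create_user_body(email, sso_required=False, **optional):
    """Build the POST /auth/users body and reject what the schema rejects."""
    body = {"email": email, "kind": "CustomerEmployee",
            "isSSORequired": sso_required, **optional}
    unknown = set(body) - ALLOWED_REQUEST_KEYS
    if unknown:  # additionalProperties: false
        raise ValueError(f"unexpected properties: {sorted(unknown)}")
    if body["kind"] != "CustomerEmployee":  # the only enum value here
        raise ValueError("kind must be CustomerEmployee")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):  # coarse check
        raise ValueError("email is not well-formed")
    return body

def audit_created_user(request_body, user):
    """Return findings; an empty list means the response is as expected."""
    findings = []
    for field, pattern in ID_PATTERNS.items():
        value = user.get(field)
        if value is None and field != "userId":  # only userId is required
            continue
        if not pattern.fullmatch(str(value)):
            findings.append(f"{field} does not match the documented pattern")
    if user.get("kind") != "CustomerEmployee":
        findings.append("kind is not CustomerEmployee")
    if user.get("permissionAssignments"):  # created without any permissions
        findings.append("new user already has permission assignments")
    if user.get("isSSORequired") != request_body.get("isSSORequired", False):
        findings.append("isSSORequired differs from the request")
    if user.get("isRegistered"):  # assumption: false until the invite is used
        findings.append("user is already registered")
    return findings
```

Running `audit_created_user` on every response from this endpoint gives a provisioning log a simple signal when a newly invited account comes back with anything other than an empty permission set.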