Skip to content

User Management

PhyCloud supports first-class user accounts scoped under a tenant. A user can authenticate via password, SSO (future), or PATs, and every action performed under a user session is attributed to that user in audit logs.

Data Model

Table Description
users User identity: id, tenant_id, email, display_name, status
user_credentials Argon2id password hash (absent for SSO-only users)
user_sessions Active and revoked sessions
user_invites Single-use invite tokens

Invite Flow

Admins create invites; users accept them and set a password.

# Admin invites a user
phyware users invite --email alice@example.com --scopes events:read,events:write

# User accepts invite (sets initial password)
curl -X POST https://cloud.phyware.io/api/v1/users/accept-invite \
  -H "Content-Type: application/json" \
  -d '{"token": "<invite-token>", "password": "StrongP@ssword12"}'

CLI Reference

phyware users invite

phyware users invite --email <email> [--display-name <name>] [--scopes <scope,...>]

Creates an invite token for a new user. The token is shown once — share it with the user via a secure channel.

phyware users list

phyware users list [--output table|json|yaml|tsv]

Lists all users for the current tenant.

phyware users get

phyware users get <user-id>

Fetches the profile of a single user.

phyware users deactivate

phyware users deactivate <user-id>

Soft-deletes a user (status → deactivated). Existing sessions expire naturally.

API Reference

Method Path Scope Description
POST /api/v1/users/invite admin:users Create invite
POST /api/v1/users/accept-invite Accept invite + set password
GET /api/v1/users/me users:read Current user profile
GET /api/v1/users admin:users List users
GET /api/v1/users/{id} admin:users Get user
PUT /api/v1/users/{id} admin:users Update user
POST /api/v1/users/{id}/deactivate admin:users Deactivate user

Scopes

Scope Description
admin:users Full user management (invite, list, get, update, deactivate)
users:read Read own profile (/users/me)