User Management¶
PhyCloud supports first-class user accounts scoped under a tenant. A user can authenticate via password, SSO (future), or PATs, and every action performed under a user session is attributed to that user in audit logs.
Data Model¶
| Table | Description |
|---|---|
users | User identity: id, tenant_id, email, display_name, status |
user_credentials | Argon2id password hash (absent for SSO-only users) |
user_sessions | Active and revoked sessions |
user_invites | Single-use invite tokens |
Invite Flow¶
Admins create invites; users accept them and set a password.
# Admin invites a user
phyware users invite --email alice@example.com --scopes events:read,events:write
# User accepts invite (sets initial password)
curl -X POST https://cloud.phyware.io/api/v1/users/accept-invite \
-H "Content-Type: application/json" \
-d '{"token": "<invite-token>", "password": "StrongP@ssword12"}'
CLI Reference¶
phyware users invite¶
Creates an invite token for a new user. The token is shown once — share it with the user via a secure channel.
phyware users list¶
Lists all users for the current tenant.
phyware users get¶
Fetches the profile of a single user.
phyware users deactivate¶
Soft-deletes a user (status → deactivated). Existing sessions expire naturally.
API Reference¶
| Method | Path | Scope | Description |
|---|---|---|---|
POST | /api/v1/users/invite | admin:users | Create invite |
POST | /api/v1/users/accept-invite | — | Accept invite + set password |
GET | /api/v1/users/me | users:read | Current user profile |
GET | /api/v1/users | admin:users | List users |
GET | /api/v1/users/{id} | admin:users | Get user |
PUT | /api/v1/users/{id} | admin:users | Update user |
POST | /api/v1/users/{id}/deactivate | admin:users | Deactivate user |
Scopes¶
| Scope | Description |
|---|---|
admin:users | Full user management (invite, list, get, update, deactivate) |
users:read | Read own profile (/users/me) |