Users & RBAC
The Users API manages team members and their roles within an organisation. Datafly Signal uses role-based access control (RBAC) with four roles that determine what each user can view and modify.
User Object
```json
{
  "id": "usr_abc123",
  "email": "admin@example.com",
  "name": "Jane Smith",
  "role": "admin",
  "status": "active",
  "last_login_at": "2026-02-25T09:30:00Z",
  "created_at": "2026-01-01T00:00:00Z",
  "updated_at": "2026-02-25T09:30:00Z"
}
```

| Field | Type | Description |
|---|---|---|
| id | string | Unique user identifier |
| email | string | User's email address |
| name | string | Display name |
| role | string | Assigned role: owner, admin, editor, or viewer |
| status | string | Account status: active, invited, or disabled |
| last_login_at | string | ISO 8601 timestamp of last login (null if never logged in) |
| created_at | string | ISO 8601 creation timestamp |
| updated_at | string | ISO 8601 last-updated timestamp |
Roles
| Role | Description |
|---|---|
| owner | Full access. Can manage billing, delete the organisation, and perform all admin actions. One owner per organisation. |
| admin | Can manage sources, integrations, transformations, users, and view audit logs. Cannot manage billing or delete the organisation. |
| editor | Can manage sources, integrations, and transformations. Cannot manage users or view audit logs. |
| viewer | Read-only access to all resources. Can use the real-time event debugger. |
Permissions Matrix
| Action | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| View sources | Yes | Yes | Yes | Yes |
| Create/edit sources | Yes | Yes | Yes | — |
| Delete sources | Yes | Yes | — | — |
| View integrations | Yes | Yes | Yes | Yes |
| Create/edit integrations | Yes | Yes | Yes | — |
| Delete integrations | Yes | Yes | — | — |
| View transformations | Yes | Yes | Yes | Yes |
| Create/edit transformations | Yes | Yes | Yes | — |
| Delete transformations | Yes | Yes | Yes | — |
| View data layer | Yes | Yes | Yes | Yes |
| Edit data layer | Yes | Yes | — | — |
| View users | Yes | Yes | — | — |
| Invite/edit/remove users | Yes | Yes | — | — |
| View audit logs | Yes | Yes | — | — |
| Real-time debugger | Yes | Yes | Yes | Yes |
| Manage billing | Yes | — | — | — |
| Delete organisation | Yes | — | — | — |
List Users
GET /v1/admin/users
Returns a paginated list of users in the current organisation.
Query parameters:
| Parameter | Type | Default | Description |
|---|---|---|---|
| role | string | — | Filter by role |
| status | string | — | Filter by status |
| cursor | string | — | Pagination cursor |
| limit | integer | 50 | Items per page (max 100) |
Request:

```bash
curl -X GET "http://localhost:8084/v1/admin/users?limit=25" \
  -H "Authorization: Bearer {access_token}"
```

Response:

```json
{
  "data": [
    {
      "id": "usr_abc123",
      "email": "admin@example.com",
      "name": "Jane Smith",
      "role": "admin",
      "status": "active",
      "last_login_at": "2026-02-25T09:30:00Z",
      "created_at": "2026-01-01T00:00:00Z",
      "updated_at": "2026-02-25T09:30:00Z"
    }
  ],
  "next_cursor": null,
  "has_more": false
}
```

Required role: admin or above.
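Walking the cursor-paginated list is the first step of any access review, so here is an added example (not part of this documentation or the Datafly Signal SDK) that follows `next_cursor` until `has_more` is false and then reports the two things a reviewer usually wants: privileged accounts (owner/admin) and invitations older than the 7-day expiry documented below. The `fetch_page` transport and the `SAMPLE_PAGES` it returns are constructed stand-ins for real `GET /v1/admin/users` responses; a real client would issue the HTTP request there.

```python
from datetime import datetime, timedelta

# Constructed sample pages standing in for two consecutive GET /v1/admin/users
# responses. They use the documented "data" / "next_cursor" / "has_more" shape.
SAMPLE_PAGES = {
    None: {
        "data": [
            {"id": "usr_abc123", "email": "admin@example.com", "name": "Jane Smith",
             "role": "admin", "status": "active",
             "last_login_at": "2026-02-25T09:30:00Z",
             "created_at": "2026-01-01T00:00:00Z", "updated_at": "2026-02-25T09:30:00Z"},
            {"id": "usr_own001", "email": "owner@example.com", "name": "Org Owner",
             "role": "owner", "status": "active",
             "last_login_at": "2026-02-20T08:00:00Z",
             "created_at": "2026-01-01T00:00:00Z", "updated_at": "2026-02-20T08:00:00Z"},
        ],
        "next_cursor": "cur_page2",   # constructed cursor value
        "has_more": True,
    },
    "cur_page2": {
        "data": [
            {"id": "usr_new789", "email": "new-member@example.com", "name": None,
             "role": "editor", "status": "invited", "last_login_at": None,
             "created_at": "2026-02-10T10:00:00Z", "updated_at": "2026-02-10T10:00:00Z"},
        ],
        "next_cursor": None,
        "has_more": False,
    },
}


def fetch_page(cursor, limit=100):
    """Stand-in transport (assumption): returns the constructed page for a cursor.
    A real client would call GET /v1/admin/users?cursor=...&limit=... here."""
    return SAMPLE_PAGES[cursor]


def iter_users(fetch=fetch_page):
    """Yield every user across all pages, following next_cursor until has_more is false."""
    cursor = None
    while True:
        page = fetch(cursor)
        yield from page["data"]
        if not page["has_more"]:
            return
        cursor = page["next_cursor"]


def parse_ts(value):
    """Parse the API's ISO 8601 timestamps (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_users(users, now, invite_ttl_days=7):
    """Report privileged accounts and invitations older than the documented expiry."""
    privileged, stale_invites = [], []
    for u in users:
        if u["role"] in ("owner", "admin"):
            privileged.append(u["email"])
        if u["status"] == "invited" and now - parse_ts(u["created_at"]) > timedelta(days=invite_ttl_days):
            stale_invites.append(u["email"])
    return {"privileged": privileged, "stale_invites": stale_invites}


if __name__ == "__main__":
    print(review_users(iter_users(), parse_ts("2026-02-25T00:00:00Z")))
```

A stale entry in `stale_invites` is an invitation that can no longer be accepted; per the Invite User section, the way to resend it is to delete the user and invite them again.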
Invite User
POST /v1/admin/users
Invite a new user to the organisation by email. An invitation email is sent with a link to set their password.
Request:

```json
{
  "email": "new-member@example.com",
  "role": "editor"
}
```

Response (201 Created):

```json
{
  "id": "usr_new789",
  "email": "new-member@example.com",
  "name": null,
  "role": "editor",
  "status": "invited",
  "last_login_at": null,
  "created_at": "2026-02-25T10:00:00Z",
  "updated_at": "2026-02-25T10:00:00Z"
}
```

Required role: admin or above.
Invited users remain in "invited" status until they accept the invitation and set their password. Invitations expire after 7 days. Resend an invitation by deleting and re-creating the user.
Update User Role
PUT /v1/admin/users/{id}
Update a user’s role.
Request:

```json
{
  "role": "admin"
}
```

Response: Updated user object.
Required role: admin or above.
You cannot change your own role. The owner role can only be transferred by the current owner — contact support if the owner account is inaccessible.
Remove User
DELETE /v1/admin/users/{id}
Remove a user from the organisation. This immediately revokes all their tokens and access.
Request:

```bash
curl -X DELETE http://localhost:8084/v1/admin/users/usr_new789 \
  -H "Authorization: Bearer {access_token}"
```

Response: 204 No Content
Required role: admin or above.
The organisation owner cannot be removed. To transfer ownership, the current owner must first assign the owner role to another user.
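The Permissions Matrix above and the constraints on Update User Role and Remove User together define a small authorization policy. The following added example (illustrative code, not the Datafly Signal implementation) encodes the matrix as the lowest role allowed per action, which works because every column in the matrix is monotone in the role order viewer < editor < admin < owner, and layers the documented user-management invariants on top: admin or above is required, you cannot change your own role, only the current owner can assign the owner role, and the owner cannot be removed. The action keys, the `actor`/`target` dictionaries and the `denied` helper are assumptions of this example; one further check, that a non-owner cannot change the owner's role at all, is an inference from "the owner role can only be transferred by the current owner" and is marked as such in the code.

```python
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2, "owner": 3}

# Permissions matrix from the page, as the minimum role for each action.
# Action keys are this example's own naming of the matrix rows.
MIN_ROLE = {
    "view_sources": "viewer",          "create_edit_sources": "editor",
    "delete_sources": "admin",         "view_integrations": "viewer",
    "create_edit_integrations": "editor", "delete_integrations": "admin",
    "view_transformations": "viewer",  "create_edit_transformations": "editor",
    "delete_transformations": "editor", "view_data_layer": "viewer",
    "edit_data_layer": "admin",        "view_users": "admin",
    "invite_edit_remove_users": "admin", "view_audit_logs": "admin",
    "real_time_debugger": "viewer",    "manage_billing": "owner",
    "delete_organisation": "owner",
}


class AuthzError(Exception):
    """Raised when a request is denied; the message says which rule denied it."""


def can(role, action):
    """Matrix lookup: True if `role` is at or above the minimum role for `action`."""
    return ROLE_RANK[role] >= ROLE_RANK[MIN_ROLE[action]]


def authorize_role_update(actor, target, new_role):
    """Policy for PUT /v1/admin/users/{id}. `actor` and `target` are dicts with
    "id" and "role" (the caller's identity and the user being modified)."""
    if not can(actor["role"], "invite_edit_remove_users"):
        raise AuthzError("requires admin or above")
    if new_role not in ROLE_RANK:
        raise AuthzError("unknown role %r" % (new_role,))
    if actor["id"] == target["id"]:
        raise AuthzError("you cannot change your own role")
    if new_role == "owner" and actor["role"] != "owner":
        raise AuthzError("only the current owner can transfer the owner role")
    # Inference from the page, not an explicit rule: if only the owner may transfer
    # ownership, an admin must not be able to demote the owner either.
    if target["role"] == "owner" and actor["role"] != "owner":
        raise AuthzError("only the current owner can change the owner's role")
    return True


def authorize_remove(actor, target):
    """Policy for DELETE /v1/admin/users/{id}."""
    if not can(actor["role"], "invite_edit_remove_users"):
        raise AuthzError("requires admin or above")
    if target["role"] == "owner":
        raise AuthzError("the organisation owner cannot be removed; transfer ownership first")
    return True


def denied(check, *args):
    """True if `check(*args)` is refused by policy; used to exercise the deny paths."""
    try:
        check(*args)
    except AuthzError:
        return True
    return False


if __name__ == "__main__":
    owner = {"id": "usr_own001", "role": "owner"}
    admin = {"id": "usr_abc123", "role": "admin"}
    editor = {"id": "usr_new789", "role": "editor"}
    print("admin promotes editor:", authorize_role_update(admin, editor, "admin"))
    print("admin removes owner denied:", denied(authorize_remove, admin, owner))
```

Keeping the matrix as data rather than as a chain of `if` statements makes the policy reviewable against the documentation line by line, and the invariants that are not expressible as a minimum role (self-modification, ownership transfer, owner removal) stay in one place per endpoint.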