Send users an invitation.

post https://{tenanturl}/v1.0/usc/user/invitation

Entitlements required: inviteUser (Invite user).

This API is a public preview and is enabled for a tenant that includes invite user beta support.

Send users an invitation to onboard them to use an application. Upon accepting the invitation, the user is optionally created and added to the specified groups. Through the group membership, users are automatically given the roles and permissions that are assigned to those groups.

This API supports emailing invitations to multiple people in one request. Each invitation that is sent is given a transaction ID. The transaction ID is needed to validate and complete the invite user transaction. The email contains a link to accept the invitation. The email link includes the transaction ID and the OTP as query parameters. By default, the link takes you to ISV to process the invited user. You can override the link by specifying a baseVerificationUrl in the payload. When you override the link, the application is responsible for processing the invited user by calling the PUT on the invitation to complete the transaction.

The adopterId + email combination enables multiple invitations to be sent to the same user in different requests. This combination can onboard a user to different applications on the same tenant. For example, you can add a user to different groups as part of accepting the invitation. Only one invitation to the adopterId + email combination is active. When you resend the invitation, the existing invitation with that adopterId + email combination is replaced.

The assignment of groups requires the manageUserGroups (Manage users and groups) or the manageUserStandardGroups (Manage users and standard groups) permission. An admin can further scope the groups that can be assigned to invited users by creating a custom admin role and then scope the groups that the manageUserGroups permission applies to.

You can enable or disable user invitations in the identity provider that is associated with the realm.

A maximum of 100 invitations and 20 groups can be specified in the payload.

Notifications can be branded by passing in the themeId as a query parameter. The template for branding is located at "notifications/user_management/invite/invite_user_email.xml"

Query Params

themeId

string

The identifier of the theme that you want to apply.

Body Params

The body of the invite user operation.

invitations

array of objects

required

An array of email, name, and state ID for each invitation. For each invitation, a transaction ID is generated and returned in the response.

invitations*

realm

string

The realm name. If not present, it defaults to the cloudIdentityRealm.

expirationInDays

int32

The number of days before the invitation expires. The range is 1 to 30. If not specified, the default is 30.

groups

array of strings

The list of group IDs to add the user as a member.

groups

steps

array of objects

required

An array of MFA steps to perform. Only a single factor of type "emailLink" is supported

steps*

adopterId

string

An identifier that is used to make an invitation to an adopterId + email unique. When you resend the unique invitation, the existing unique invitation with that adopterId + email combination is replaced. If not present, defaults to "default".

Responses

Language

URL


xxxxxxxxxx
1
curl --request POST \
2
     --url https://tenant_url/v1.0/usc/user/invitation \
3
     --header 'accept: application/json' \
4
     --header 'content-type: application/json'

Choose an example:

application/json

207Multi-Status

400Bad Request.

403Not authorized.

409Conflict.

500Internal server error.