Managing Users
Auris provides a complete user lifecycle management system accessible through both the Admin Console and the REST API. Administrators can list, create, update, disable, soft-delete, and restore users without touching Keycloak’s native admin UI.
Listing Users
The user list supports pagination, full-text search, role filtering, and status filtering. Results are returned in the standard Auris pagination envelope.
/api/usersRequires: manage:usersReturns a paginated list of users for the current tenant. Supports query parameters: page, limit, search (matches email, username, firstName, lastName), role (filter by role name), status (active | disabled | deleted).
Response shape:
{
"data": [
{
"id": "usr_01HX...",
"email": "[email protected]",
"username": "alice",
"firstName": "Alice",
"lastName": "Rossi",
"enabled": true,
"roles": ["member"],
"createdAt": "2025-03-01T10:00:00Z",
"lastLogin": "2025-06-10T08:45:00Z",
"metadata": {}
}
],
"pagination": {
"page": 1,
"limit": 20,
"total": 142,
"totalPages": 8
}
}Console walkthrough: Navigate to Admin Console → Users. The table refreshes automatically when you change the search term or apply filters. Click any row to open the user detail sheet.
Creating Users
Users can be created directly with a password, or created without one to trigger an invitation email that prompts the user to set their own credentials.
/api/usersRequires: manage:usersCreates a new user in both the Auris database and the underlying Keycloak realm.
Request body:
{
"email": "[email protected]",
"username": "bob",
"name": "Bob",
"surname": "Marley",
"password": "SecurePass123!",
"sendInvite": false,
"roles": ["member"],
"metadata": {
"department": "engineering",
"employeeId": "EMP-4421"
}
}Field reference:
| Field | Type | Required | Notes |
|---|---|---|---|
email | string | Yes | Must be unique within the tenant |
username | string | No | Defaults to the local part of the email address |
name | string | No | First name (maps to firstName in Keycloak) |
surname | string | No | Last name (maps to lastName in Keycloak) |
password | string | No | Omit to send an invitation instead |
sendInvite | boolean | No | Send a setup email when password is omitted |
roles | string[] | No | Array of role names to assign on creation |
metadata | object | No | Arbitrary JSON stored on the user record |
If both password and sendInvite: true are provided, the password is set and no invitation email is sent. Set sendInvite: true with no password to require the user to define their own credentials on first access.
Console walkthrough: Click the “New User” button on the Users page. The dialog presents a tabbed form: General (name, email), Credentials (password or invite toggle), and Roles (multi-select).
Updating Users
/api/users/[id]Requires: manage:usersUpdates a user record. Only the fields included in the request body are modified.
Updatable fields:
{
"name": "Robert",
"surname": "Marley",
"enabled": true,
"roles": ["member", "billing-admin"],
"metadata": {
"department": "leadership"
}
}Updating roles replaces the user’s role set entirely — include all intended roles, not just the ones being added. To add a single role without affecting others, read the current role list first, append the new role, then submit the full set.
Updating enabled: false immediately disables the user in Keycloak, invalidating all active sessions.
Soft Delete and Restore
Auris uses soft deletion to preserve audit trails. Deleting a user marks the record with deletedAt rather than removing it from the database or Keycloak.
/api/users/[id]Requires: manage:usersSoft-deletes the user by setting deletedAt. The user is immediately disabled in Keycloak and cannot log in.
Restoring a user:
/api/users/deleted/[id]Requires: manage:usersClears deletedAt and re-enables the user in Keycloak.
Console walkthrough: The Users page has a “Deleted” filter tab that shows soft-deleted users. Each deleted user row has a “Restore” action in the dropdown menu.
Hard deletion (permanent removal of all user data including audit logs) is a separate operation available only to tenant owners via Console → Settings → Danger Zone. Hard deletion satisfies GDPR right-to-erasure requests.
User Sessions
Auris tracks active sessions per user. Administrators can view session details and revoke individual sessions to force re-authentication — useful when a user’s device is lost or compromised.
Session management is handled via the admin sessions endpoint, not per-user routes. Use the userId query parameter to filter sessions for a specific user.
/api/admin/sessionsRequires: manage:sessionsReturns the list of active sessions across all users. Pass ?userId=[id] to filter by a specific user. Each entry includes device information, IP address, and last activity timestamp.
/api/admin/sessions/[sessionId]Requires: manage:sessionsRevokes a single session. The user is logged out on the next token use.
Console walkthrough: Open a user detail sheet and select the “Sessions” tab. Each session shows browser/OS, IP address, login time, and a “Revoke” button.
User Metadata
Metadata allows you to store arbitrary JSON data on a user without modifying the Auris schema. It is returned on every user object and is accessible in the Management SDK.
Common use cases include:
- Application-specific preferences (
theme,language,timezone) - Internal identifiers (
employeeId,costCenter,managerId) - Feature flags or entitlement data
- Onboarding progress tracking
Metadata is stored as a flat or nested JSON object. There is no enforced schema — the structure is entirely application-defined.
{
"metadata": {
"department": "engineering",
"employeeId": "EMP-4421",
"onboarding": {
"completed": true,
"completedAt": "2025-04-15T09:00:00Z"
}
}
}Metadata is not included in the JWT by default. To inject metadata values into tokens, configure Custom JWT Claims in Console → Applications → [App] → Custom Claims.
Management SDK
Use the Management SDK for server-side user administration. The Management SDK authenticates via M2M client credentials — it is not intended for use in browser code.
JavaScript
import { AurisClient } from '@auris/js'
const auris = new AurisClient({
domain: 'https://auth.yourapp.com',
clientId: process.env.AURIS_CLIENT_ID,
clientSecret: process.env.AURIS_CLIENT_SECRET,
})
// Create a management client authenticated with M2M credentials
const mgmt = auris.createManagementClient({
clientId: process.env.AURIS_MGMT_CLIENT_ID,
clientSecret: process.env.AURIS_MGMT_CLIENT_SECRET,
})
// List users with pagination
const result = await mgmt.users.list({ page: 1, limit: 20 })
console.log(result.data) // User[]
console.log(result.pagination) // { page, limit, total, totalPages }
// Get a specific user
const user = await mgmt.users.get('usr_01HX...')
// Create a user
const newUser = await mgmt.users.create({
email: '[email protected]',
firstName: 'Carol',
roles: ['member'],
sendInvite: true,
})
// Update a user
await mgmt.users.update('usr_01HX...', {
metadata: { department: 'product' },
})
// Disable a user
await mgmt.users.update('usr_01HX...', { enabled: false })
// Delete a user (soft)
await mgmt.users.delete('usr_01HX...')Required Permissions
| Operation | Permission |
|---|---|
| List users | manage:users |
| Create user | manage:users |
| Update user | manage:users |
| Delete / restore user | manage:users |
| View sessions | manage:sessions |
| Revoke sessions | manage:sessions |
Related Pages
- Console: Users & Roles — Visual walkthrough of the Admin Console user management interface
- User Import & Export — Bulk import users from CSV or JSON
- SCIM 2.0 Provisioning — Automated provisioning from Okta, Azure AD, and similar IdPs
- Custom JWT Claims — Inject user metadata into access tokens