# Users

## List all users attached to the tenant

> Returns all back-office users with access to this tenant.\
>             \
> \## Authorization\
> Requires \`tenant.access:read\` scope.

```json
{"openapi":"3.1.1","info":{"title":"Neostore internal API","version":"v1"},"tags":[{"name":"Users"}],"servers":[{"url":"https://app.neostore.cloud","description":"Production Server"},{"url":"https://app-qa.neostore.cloud","description":"Staging Server"}],"security":[{"admin-bearer":["ScopedAuthorizeRequirement"]},{"apiKey":["ScopedAuthorizeRequirement"]}],"components":{"securitySchemes":{"admin-bearer":{"type":"oauth2","flows":{"implicit":{"authorizationUrl":"https://auth.neostore.cloud/authorize?audience=https://app.neostore.cloud/api/","scopes":{}}}},"apiKey":{"type":"apiKey","name":"X-API-KEY","in":"header"}},"schemas":{"TenantUser":{"required":["email","id"],"type":"object","properties":{"id":{"minLength":1,"type":"string","description":"User identifier."},"email":{"minLength":1,"type":"string","description":"User email address."},"name":{"type":["null","string"],"description":"Display name."},"blocked":{"type":"boolean","description":"True when the account is blocked."},"lastLogin":{"type":["null","string"],"description":"Last login timestamp.","format":"date-time"},"tenantRole":{"type":["null","string"],"description":"Tenant role assigned to the user."}},"additionalProperties":false,"description":"Tenant-scoped user representation."}}},"paths":{"/api/{tenantId}/admin/users":{"get":{"tags":["Users"],"summary":"List all users attached to the tenant","description":"Returns all back-office users with access to this tenant.\n            \n## Authorization\nRequires `tenant.access:read` scope.","parameters":[{"name":"tenantId","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Users returned.","content":{"text/plain":{"schema":{"type":"array","items":{"description":"Tenant-scoped user representation.","$ref":"#/components/schemas/TenantUser"}}},"application/json":{"schema":{"type":"array","items":{"description":"Tenant-scoped user representation.","$ref":"#/components/schemas/TenantUser"}}},"text/json":{"schema":{"type":"array","items":{"description":"Tenant-scoped user representation.","$ref":"#/components/schemas/TenantUser"}}}}}}}}}}
```

## Create a new user or attach an existing user to the tenant, unless already attached

> Creates a new Auth0 user or attaches an existing one to this tenant. If the user already has access to the tenant (a valid role), returns HTTP 409 Conflict.\
>             \
> \## Authorization\
> Requires \`tenant.access:write\` scope.

```json
{"openapi":"3.1.1","info":{"title":"Neostore internal API","version":"v1"},"tags":[{"name":"Users"}],"servers":[{"url":"https://app.neostore.cloud","description":"Production Server"},{"url":"https://app-qa.neostore.cloud","description":"Staging Server"}],"security":[{"admin-bearer":["ScopedAuthorizeRequirement"]},{"apiKey":["ScopedAuthorizeRequirement"]}],"components":{"securitySchemes":{"admin-bearer":{"type":"oauth2","flows":{"implicit":{"authorizationUrl":"https://auth.neostore.cloud/authorize?audience=https://app.neostore.cloud/api/","scopes":{}}}},"apiKey":{"type":"apiKey","name":"X-API-KEY","in":"header"}},"schemas":{"CreateTenantUserRequest":{"required":["email","role"],"type":"object","properties":{"email":{"minLength":1,"type":"string","description":"User email address."},"name":{"type":["null","string"],"description":"Display name."},"role":{"minLength":1,"type":"string","description":"Tenant role to assign."}},"additionalProperties":false,"description":"Request payload for creating a tenant user."},"TenantUser":{"required":["email","id"],"type":"object","properties":{"id":{"minLength":1,"type":"string","description":"User identifier."},"email":{"minLength":1,"type":"string","description":"User email address."},"name":{"type":["null","string"],"description":"Display name."},"blocked":{"type":"boolean","description":"True when the account is blocked."},"lastLogin":{"type":["null","string"],"description":"Last login timestamp.","format":"date-time"},"tenantRole":{"type":["null","string"],"description":"Tenant role assigned to the user."}},"additionalProperties":false,"description":"Tenant-scoped user representation."},"ProblemDetails":{"type":"object","properties":{"type":{"type":["null","string"]},"title":{"type":["null","string"]},"status":{"type":["null","integer"],"format":"int32"},"detail":{"type":["null","string"]},"instance":{"type":["null","string"]}},"additionalProperties":{}},"HttpValidationProblemDetails":{"type":"object","allOf":[{"$ref":"#/components/schemas/ProblemDetails"}],"properties":{"errors":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}}},"additionalProperties":{}}}},"paths":{"/api/{tenantId}/admin/users":{"post":{"tags":["Users"],"summary":"Create a new user or attach an existing user to the tenant, unless already attached","description":"Creates a new Auth0 user or attaches an existing one to this tenant. If the user already has access to the tenant (a valid role), returns HTTP 409 Conflict.\n            \n## Authorization\nRequires `tenant.access:write` scope.","parameters":[{"name":"tenantId","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request payload for creating a tenant user.","$ref":"#/components/schemas/CreateTenantUserRequest"}},"text/json":{"schema":{"description":"Request payload for creating a tenant user.","$ref":"#/components/schemas/CreateTenantUserRequest"}},"application/*+json":{"schema":{"description":"Request payload for creating a tenant user.","$ref":"#/components/schemas/CreateTenantUserRequest"}}}},"responses":{"201":{"description":"User created or attached.","content":{"text/plain":{"schema":{"description":"Tenant-scoped user representation.","$ref":"#/components/schemas/TenantUser"}},"application/json":{"schema":{"description":"Tenant-scoped user representation.","$ref":"#/components/schemas/TenantUser"}},"text/json":{"schema":{"description":"Tenant-scoped user representation.","$ref":"#/components/schemas/TenantUser"}}}},"409":{"description":"User already has access to tenant.","content":{"text/plain":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}},"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}},"text/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}}}}}}}}}
```

## Get a user attached to the tenant

> Returns the back-office user details for the requested tenant.\
>             \
> \## Authorization\
> Requires \`tenant.access:read\` scope.

```json
{"openapi":"3.1.1","info":{"title":"Neostore internal API","version":"v1"},"tags":[{"name":"Users"}],"servers":[{"url":"https://app.neostore.cloud","description":"Production Server"},{"url":"https://app-qa.neostore.cloud","description":"Staging Server"}],"security":[{"admin-bearer":["ScopedAuthorizeRequirement"]},{"apiKey":["ScopedAuthorizeRequirement"]}],"components":{"securitySchemes":{"admin-bearer":{"type":"oauth2","flows":{"implicit":{"authorizationUrl":"https://auth.neostore.cloud/authorize?audience=https://app.neostore.cloud/api/","scopes":{}}}},"apiKey":{"type":"apiKey","name":"X-API-KEY","in":"header"}},"schemas":{"TenantUser":{"required":["email","id"],"type":"object","properties":{"id":{"minLength":1,"type":"string","description":"User identifier."},"email":{"minLength":1,"type":"string","description":"User email address."},"name":{"type":["null","string"],"description":"Display name."},"blocked":{"type":"boolean","description":"True when the account is blocked."},"lastLogin":{"type":["null","string"],"description":"Last login timestamp.","format":"date-time"},"tenantRole":{"type":["null","string"],"description":"Tenant role assigned to the user."}},"additionalProperties":false,"description":"Tenant-scoped user representation."},"ProblemDetails":{"type":"object","properties":{"type":{"type":["null","string"]},"title":{"type":["null","string"]},"status":{"type":["null","integer"],"format":"int32"},"detail":{"type":["null","string"]},"instance":{"type":["null","string"]}},"additionalProperties":{}},"HttpValidationProblemDetails":{"type":"object","allOf":[{"$ref":"#/components/schemas/ProblemDetails"}],"properties":{"errors":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}}},"additionalProperties":{}}}},"paths":{"/api/{tenantId}/admin/users/{userId}":{"get":{"tags":["Users"],"summary":"Get a user attached to the tenant","description":"Returns the back-office user details for the requested tenant.\n            \n## Authorization\nRequires `tenant.access:read` scope.","parameters":[{"name":"userId","in":"path","required":true,"schema":{"type":"string"}},{"name":"tenantId","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"User returned.","content":{"text/plain":{"schema":{"description":"Tenant-scoped user representation.","$ref":"#/components/schemas/TenantUser"}},"application/json":{"schema":{"description":"Tenant-scoped user representation.","$ref":"#/components/schemas/TenantUser"}},"text/json":{"schema":{"description":"Tenant-scoped user representation.","$ref":"#/components/schemas/TenantUser"}}}},"404":{"description":"User not found for tenant.","content":{"text/plain":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}},"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}},"text/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}}}}}}}}}
```

## Update a user attached to the tenant

> Updates the tenant role and/or display name for a back-office user.\
>             \
> \## Authorization\
> Requires \`tenant.access:write\` scope.

```json
{"openapi":"3.1.1","info":{"title":"Neostore internal API","version":"v1"},"tags":[{"name":"Users"}],"servers":[{"url":"https://app.neostore.cloud","description":"Production Server"},{"url":"https://app-qa.neostore.cloud","description":"Staging Server"}],"security":[{"admin-bearer":["ScopedAuthorizeRequirement"]},{"apiKey":["ScopedAuthorizeRequirement"]}],"components":{"securitySchemes":{"admin-bearer":{"type":"oauth2","flows":{"implicit":{"authorizationUrl":"https://auth.neostore.cloud/authorize?audience=https://app.neostore.cloud/api/","scopes":{}}}},"apiKey":{"type":"apiKey","name":"X-API-KEY","in":"header"}},"schemas":{"UpdateTenantUserRequest":{"required":["role"],"type":"object","properties":{"name":{"type":["null","string"],"description":"Updated display name."},"role":{"minLength":1,"type":"string","description":"Updated tenant role."}},"additionalProperties":false,"description":"Request payload for updating a tenant user."},"TenantUser":{"required":["email","id"],"type":"object","properties":{"id":{"minLength":1,"type":"string","description":"User identifier."},"email":{"minLength":1,"type":"string","description":"User email address."},"name":{"type":["null","string"],"description":"Display name."},"blocked":{"type":"boolean","description":"True when the account is blocked."},"lastLogin":{"type":["null","string"],"description":"Last login timestamp.","format":"date-time"},"tenantRole":{"type":["null","string"],"description":"Tenant role assigned to the user."}},"additionalProperties":false,"description":"Tenant-scoped user representation."},"ProblemDetails":{"type":"object","properties":{"type":{"type":["null","string"]},"title":{"type":["null","string"]},"status":{"type":["null","integer"],"format":"int32"},"detail":{"type":["null","string"]},"instance":{"type":["null","string"]}},"additionalProperties":{}},"HttpValidationProblemDetails":{"type":"object","allOf":[{"$ref":"#/components/schemas/ProblemDetails"}],"properties":{"errors":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}}},"additionalProperties":{}}}},"paths":{"/api/{tenantId}/admin/users/{userId}":{"put":{"tags":["Users"],"summary":"Update a user attached to the tenant","description":"Updates the tenant role and/or display name for a back-office user.\n            \n## Authorization\nRequires `tenant.access:write` scope.","parameters":[{"name":"userId","in":"path","required":true,"schema":{"type":"string"}},{"name":"tenantId","in":"path","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"description":"Request payload for updating a tenant user.","$ref":"#/components/schemas/UpdateTenantUserRequest"}},"text/json":{"schema":{"description":"Request payload for updating a tenant user.","$ref":"#/components/schemas/UpdateTenantUserRequest"}},"application/*+json":{"schema":{"description":"Request payload for updating a tenant user.","$ref":"#/components/schemas/UpdateTenantUserRequest"}}}},"responses":{"200":{"description":"User updated.","content":{"text/plain":{"schema":{"description":"Tenant-scoped user representation.","$ref":"#/components/schemas/TenantUser"}},"application/json":{"schema":{"description":"Tenant-scoped user representation.","$ref":"#/components/schemas/TenantUser"}},"text/json":{"schema":{"description":"Tenant-scoped user representation.","$ref":"#/components/schemas/TenantUser"}}}},"404":{"description":"User not found for tenant.","content":{"text/plain":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}},"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}},"text/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}}}}}}}}}
```

## Remove a user from the tenant

> Removes the tenant access from the user but keeps the Auth0 account.\
>             \
> \## Authorization\
> Requires \`tenant.access:write\` scope.

```json
{"openapi":"3.1.1","info":{"title":"Neostore internal API","version":"v1"},"tags":[{"name":"Users"}],"servers":[{"url":"https://app.neostore.cloud","description":"Production Server"},{"url":"https://app-qa.neostore.cloud","description":"Staging Server"}],"security":[{"admin-bearer":["ScopedAuthorizeRequirement"]},{"apiKey":["ScopedAuthorizeRequirement"]}],"components":{"securitySchemes":{"admin-bearer":{"type":"oauth2","flows":{"implicit":{"authorizationUrl":"https://auth.neostore.cloud/authorize?audience=https://app.neostore.cloud/api/","scopes":{}}}},"apiKey":{"type":"apiKey","name":"X-API-KEY","in":"header"}}},"paths":{"/api/{tenantId}/admin/users/{userId}":{"delete":{"tags":["Users"],"summary":"Remove a user from the tenant","description":"Removes the tenant access from the user but keeps the Auth0 account.\n            \n## Authorization\nRequires `tenant.access:write` scope.","parameters":[{"name":"userId","in":"path","required":true,"schema":{"type":"string"}},{"name":"tenantId","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"User removed from tenant."}}}}}}
```

## Get current authenticated user for the tenant

> Returns profile information and fully-expanded permissions for the current authenticated back-office user.\
>             \
> \- If caller is global administrator, all permissions are returned.\
> \- If role contains wildcard permissions (\`\*\` or \`area:\*\`), values are expanded.\
>             \
> \## Authorization\
> Requires \`tenant.core:read\` scope.

```json
{"openapi":"3.1.1","info":{"title":"Neostore internal API","version":"v1"},"tags":[{"name":"Users"}],"servers":[{"url":"https://app.neostore.cloud","description":"Production Server"},{"url":"https://app-qa.neostore.cloud","description":"Staging Server"}],"security":[{"admin-bearer":["ScopedAuthorizeRequirement"]},{"apiKey":["ScopedAuthorizeRequirement"]}],"components":{"securitySchemes":{"admin-bearer":{"type":"oauth2","flows":{"implicit":{"authorizationUrl":"https://auth.neostore.cloud/authorize?audience=https://app.neostore.cloud/api/","scopes":{}}}},"apiKey":{"type":"apiKey","name":"X-API-KEY","in":"header"}},"schemas":{"CurrentTenantUser":{"required":["email","permissions","userId"],"type":"object","properties":{"userId":{"minLength":1,"type":"string","description":"User identifier."},"email":{"minLength":1,"type":"string","description":"User email address."},"displayName":{"type":["null","string"],"description":"User display name."},"role":{"type":["null","string"],"description":"Tenant role assigned to the user.\nCan be globalAdministrator for global admins not assigned to a tenant role."},"permissions":{"type":"array","items":{"type":"string"},"description":"Expanded permissions for the current user."}},"additionalProperties":false,"description":"Current authenticated tenant user representation."},"ProblemDetails":{"type":"object","properties":{"type":{"type":["null","string"]},"title":{"type":["null","string"]},"status":{"type":["null","integer"],"format":"int32"},"detail":{"type":["null","string"]},"instance":{"type":["null","string"]}},"additionalProperties":{}},"HttpValidationProblemDetails":{"type":"object","allOf":[{"$ref":"#/components/schemas/ProblemDetails"}],"properties":{"errors":{"type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}}},"additionalProperties":{}}}},"paths":{"/api/{tenantId}/admin/users/me":{"get":{"tags":["Users"],"summary":"Get current authenticated user for the tenant","description":"Returns profile information and fully-expanded permissions for the current authenticated back-office user.\n            \n- If caller is global administrator, all permissions are returned.\n- If role contains wildcard permissions (`*` or `area:*`), values are expanded.\n            \n## Authorization\nRequires `tenant.core:read` scope.","parameters":[{"name":"tenantId","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Current user returned.","content":{"text/plain":{"schema":{"description":"Current authenticated tenant user representation.","$ref":"#/components/schemas/CurrentTenantUser"}},"application/json":{"schema":{"description":"Current authenticated tenant user representation.","$ref":"#/components/schemas/CurrentTenantUser"}},"text/json":{"schema":{"description":"Current authenticated tenant user representation.","$ref":"#/components/schemas/CurrentTenantUser"}}}},"401":{"description":"Caller identity is missing user identifier.","content":{"text/plain":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}},"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}},"text/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}}}},"403":{"description":"User does not have access to this tenant.","content":{"text/plain":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}},"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}},"text/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ProblemDetails"},{"$ref":"#/components/schemas/HttpValidationProblemDetails"}]}}}}}}}}}
```