User management

User management covers inviting users to an existing account, updating their roles, and allowing them to create their own passkeys.

High-level flows

Invitation-to-account

Updating roles

Technical implementation

Inviting users

Get invite users payload — Request the payload that a root user must sign with their passkey to invite new users to the account. Use this endpoint to get the payload:

Get invite users payload

Submit signed invite-users payload — Then call the below endpoint with the signed payload to execute the invitations:

Invite users to a account

Accepting an invitation

Initialize OTP for a user — Initialize an OTP for the invited person to authenticate by calling this endpoint:

Initialize OTP for a user

Authenticate with OTP — Invited user enters the OTP code to create a session and authenticate with OTP. Call this endpoint to submit the authenticated session to accept the invitation:

Authenticate with OTP code and create a session

(Optional) Create a passkey for the new member — Allow the new user to create a passkey by using the below endpoint. The user must have an active OTP session (from step 1 and 2).

Create authenticators

This last option step is only required if the new user has the role of root (Admin). Once passkeys are created, the user can use them for deposits and withdrawals.

Invitations can be listed per account or per email via the get-invitations-by-account-id and get-invitations-by-email endpoints.

Promoting and demoting roles of a member

Get update users role payload — Request the payload that the root user must sign to change users’ roles. Call this endpoint:

Get update users role payload

Submit the signed payload — Then call the below endpoint with the signed payload to execute the role update:

Update users' role

Roles and permissions

Four different roles exist:

root: The root user is the admin of the account and has full permissions.
view: The view user can only view the account and cannot make any transactions.
beneficiary: Beneficiary users are UBOs of an entity account at the moment of creation. By default, they cannot make any transactions.
self_custodial: All accounts created with a self-custodial wallet have this role.

The roles and permissions are described in the table below:

Role	Can view	Can deposit & withdraw	Can manage users	Can add bank accounts
`root`	✅	✅	✅	✅
`view`	✅	❌	❌	❌
`beneficiary`	✅	❌	❌	❌
`self_custodial`	✅	✅	❌	✅

Integrator API

API endpoints

High-level flows

Invitation-to-account

Updating roles

Technical implementation

Inviting users

Get invite users payload

Invite users to a account

Accepting an invitation

Initialize OTP for a user

Authenticate with OTP code and create a session

Create authenticators

Promoting and demoting roles of a member

Get update users role payload

Update users' role

Roles and permissions

Integrator API

API endpoints

​High-level flows

​Invitation-to-account

​Updating roles

​Technical implementation

​Inviting users

Get invite users payload

Invite users to a account

​Accepting an invitation

Initialize OTP for a user

Authenticate with OTP code and create a session

Create authenticators

​Promoting and demoting roles of a member

Get update users role payload

Update users' role

​Roles and permissions

High-level flows

Invitation-to-account

Updating roles

Technical implementation

Inviting users

Accepting an invitation

Promoting and demoting roles of a member

Roles and permissions