Admin User Management
Admin users have global access to manage tenants, configurations, and system-wide settings. All admin operations use the primary/master database.
List Admin Users
Retrieves all users assigned to the admin role with optional provider filtering.
GET /uflow/admin/users/list
POST /uflow/admin/users/list
Query Parameters:
provider (string, optional): Filter by authentication provider (e.g., local, google, azure, okta)
Authorization: Bearer Token required
Response: 200 OK
{
  "users": [...],
  "total": 0
}
Invite Admin User
Create a new admin user account with a temporary password that must be changed on first login.
POST /uflow/admin/invite
Request Body:
{
  "email": "[email protected]",
  "username": "adminuser",
  "first_name": "John",
  "last_name": "Doe",
  "tenant_domain": "example-tenant",
  "tenant_id": "uuid",
  "client_id": "client-uuid",
  "project_id": "project-uuid"
}
Required Fields:
email (string)
username (string)
Optional Fields:
first_name (string)
last_name (string)
tenant_domain (string)
tenant_id (string)
client_id (string)
project_id (string)
Response: 201 Created
{
  "user_id": "uuid",
  "username": "adminuser",
  "email": "[email protected]",
  "temporary_password": "temp-password",
  "expires_at": "2026-01-27T10:00:00Z",
  "email_sent": true,
  "message": "Admin invitation sent successfully",
  "user": {
    "id": "uuid",
    "username": "adminuser",
    "email": "[email protected]",
    "tenant_id": "uuid",
    "tenant_domain": "example-tenant",
    "client_id": "client-uuid",
    "project_id": "project-uuid"
  }
}
Error Responses:
400: Bad request - invalid input
409: Conflict - user already exists
500: Internal server error
Activate/Deactivate Admin User
Updates the active flag for an admin user in the master database.
POST /uflow/admin/users/active
Request Body:
{
  "user_id": "uuid",
  "tenant_id": "uuid",
  "active": true
}
Required Fields:
user_id (string): User ID
tenant_id (string): Tenant ID
active (boolean): Active status
Response: 200 OK
Error Responses:
400: Bad request
403: Forbidden - cannot modify this user
404: User not found
500: Internal server error
Soft Delete Admin User
Marks an admin user as inactive. Cannot delete the primary admin or the last remaining admin.
DELETE /uflow/admin/users/{user_id}
Path Parameters:
user_id (required): Admin user ID
Response: 200 OK
Error Responses:
400: Bad request
403: Forbidden - cannot delete primary admin or last admin
404: User not found
500: Internal server error
Hard Delete Admin User
Permanently deletes an admin user and all associated data including role_bindings, totp_secrets, backup_codes, webauthn_credentials, sessions, etc. Cannot delete the primary admin or the last remaining admin.
POST /uflow/admin/users/delete_all
Request Body:
{
  "user_id": "uuid",
  "tenant_id": "uuid"
}
Required Fields:
user_id (string): User ID to delete
tenant_id (string): Tenant ID
Response: 200 OK
{
  "message": "Admin user and all related data deleted successfully"
}
Error Responses:
400: Invalid request
403: Cannot delete primary admin or last admin
404: Admin user not found
500: Internal server error
Admin Invitations Management
List Pending Invitations
Get all pending admin invitations (users with temporary_password=true who haven't logged in).
GET /uflow/admin/invite/pending
Response: 200 OK
{
  "total": 5,
  "invites": [
    {
      "user_id": "uuid",
      "email": "[email protected]",
      "username": "username",
      "invited_at": "2026-01-20T10:00:00Z",
      "expires_at": "2026-01-27T10:00:00Z",
      "tenant_domain": "example"
    }
  ]
}
Resend Invitation
Resend the invitation email to a pending admin with a new temporary password.
POST /uflow/admin/invite/resend
Request Body:
{
  "user_id": "uuid"
}
Response: 200 OK
{
  "user_id": "uuid",
  "email": "[email protected]",
  "temporary_password": "new-temp-password",
  "expires_at": "2026-01-27T10:00:00Z",
  "email_sent": true,
  "message": "Invitation resent successfully"
}
Error Responses:
400: Bad request
403: Forbidden - user already logged in
404: Invitation not found
500: Internal server error
Cancel Invitation
Cancel a pending admin invitation. Only works for users who have not yet logged in.
POST /uflow/admin/invite/cancel
Request Body:
{
  "user_id": "uuid"
}
Response: 200 OK
{
  "user_id": "uuid",
  "email": "[email protected]",
  "message": "Invitation cancelled successfully"
}
Error Responses:
400: Bad request
403: Forbidden - user already logged in
404: Invitation not found
500: Internal server error
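A periodic audit of pending admin invitations, as an added example (not code from this API or its project): it takes a response in the shape returned by GET /uflow/admin/invite/pending, flags invitations whose expires_at has passed or that have been pending longer than a local threshold, and builds the request bodies for POST /uflow/admin/invite/cancel. The function names, the 3-day threshold and the sample data are assumptions.

```python
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse timestamps such as 2026-01-27T10:00:00Z into aware UTC datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_pending_invites(response, now, max_pending=timedelta(days=3)):
    """Return (findings, cancel_bodies) for a pending-invitations response.

    max_pending is an assumed local policy; the API itself does not define it.
    """
    findings, cancel_bodies = [], []
    for inv in response.get("invites", []):
        reasons = []
        if parse_ts(inv["expires_at"]) <= now:
            reasons.append("expired")
        if now - parse_ts(inv["invited_at"]) > max_pending:
            reasons.append("pending too long")
        if reasons:
            findings.append((inv["user_id"], ", ".join(reasons)))
            # Body shape documented for POST /uflow/admin/invite/cancel
            cancel_bodies.append({"user_id": inv["user_id"]})
    return findings, cancel_bodies


# Constructed sample response (not real data)
SAMPLE = {
    "total": 3,
    "invites": [
        {"user_id": "u-1", "email": "a@example.test", "username": "a",
         "invited_at": "2026-01-20T10:00:00Z",
         "expires_at": "2026-01-27T10:00:00Z", "tenant_domain": "example"},
        {"user_id": "u-2", "email": "b@example.test", "username": "b",
         "invited_at": "2026-01-27T09:00:00Z",
         "expires_at": "2026-02-03T09:00:00Z", "tenant_domain": "example"},
        {"user_id": "u-3", "email": "c@example.test", "username": "c",
         "invited_at": "2026-01-23T10:00:00Z",
         "expires_at": "2026-01-30T10:00:00Z", "tenant_domain": "example"},
    ],
}
NOW = datetime(2026, 1, 28, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    for user_id, why in audit_pending_invites(SAMPLE, NOW)[0]:
        print(f"{user_id}: {why}")
```

Only user_id and the reason are reported, so the audit output carries no temporary passwords or email addresses.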