Users

List users

zones.users.list(, ) -> UserListResponse

GET/zones/{zoneId}/users

Returns a list of users in the specified zone.

Rollout note: the paginated/searchable/sortable behavior described below is gated behind the user-pagination feature flag and is currently disabled for most zones. While the flag is off, the response returns every user in the zone (capped at 100) in items and a fixed pagination envelope where after_cursor and before_cursor are null and total_count is 0. The query parameters below are accepted but ignored. The flag is rolled out per-zone in Datadog and will become the default once Console adopts the paginated contract.

Use cursor pagination via after/before. Sort: comma-separated field list; prefix with - for descending. Use expand[]=total_count to include the matching row count, expand[]=session_count to include per-user session counts, expand[]=grant_count to include per-user delegated-grant counts, and expand[]=role-assignments to include each user's structured role grants. Filter by exact email via filter[email]; search via query[email] / query[subject] / query[] (substring match, OR'd across repeated values). query[] matches against email and federation credential subject. Pass filter[id] (repeatable, max 100) to restrict results to a known set of users — mutually exclusive with after/before (returns 400 if combined). When filter[id] is set, limit is ignored and the response contains every requested user that exists in the zone, in a single page. IDs not in the zone are silently omitted.

ParametersExpand Collapse

zone_id: str

after: Optional[str]

Cursor for forward pagination

minLength1

maxLength255

before: Optional[str]

Cursor for backward pagination

minLength1

maxLength255

expand: Optional[Union[Literal["total_count", "session_count", "grant_count", "role-assignments"], List[Literal["total_count", "session_count", "grant_count", "role-assignments"]]]]

Accepts one of the following:

Literal["total_count", "session_count", "grant_count", "role-assignments"]

Accepts one of the following:

"total_count"

"session_count"

"grant_count"

"role-assignments"

List[Literal["total_count", "session_count", "grant_count", "role-assignments"]]

Accepts one of the following:

"total_count"

"session_count"

"grant_count"

"role-assignments"

filter_email: Optional[Union[str, SequenceNotStr[str]]]

Filter by exact email address

Accepts one of the following:

str

Filter by exact email address

SequenceNotStr[str]

filter_id: Optional[Union[str, SequenceNotStr[str]]]

Restrict results to users with this publicId. Repeatable, max 100. Mutually exclusive with after/before.

Accepts one of the following:

str

Restrict results to users with this publicId. Repeatable, max 100. Mutually exclusive with after/before.

SequenceNotStr[str]

limit: Optional[int]

Maximum number of items to return

minimum1

maximum100

query: Optional[Union[str, SequenceNotStr[str]]]

Search across email and credential subject (substring match)

Accepts one of the following:

str

Search across email and credential subject (substring match)

SequenceNotStr[str]

query_email: Optional[Union[str, SequenceNotStr[str]]]

Search by email (substring match)

Accepts one of the following:

str

Search by email (substring match)

SequenceNotStr[str]

query_subject: Optional[Union[str, SequenceNotStr[str]]]

Search by federated credential subject (substring match)

Accepts one of the following:

str

Search by federated credential subject (substring match)

SequenceNotStr[str]

sort: Optional[str]

Comma-separated sort fields. Prefix with - for descending. Allowed: created_at, email, authenticated_at

ReturnsExpand Collapse

class UserListResponse: …

items: List[User]

id: str

Unique identifier of the user

created_at: datetime

Entity creation timestamp

formatdate-time

email: str

Email address of the user

formatemail

email_verified: bool

Whether the email address has been verified

identifier: str

Zone-scoped user identifier. Defaults to the user's Keycard ID. When the provider has user_identifier_claim configured, the value is set from that claim at user creation time.

organization_id: str

Organization that owns this user

status: Literal["active", "disabled"]

Status of the user. Disabled users cannot authenticate.

Accepts one of the following:

"active"

"disabled"

updated_at: datetime

Entity update timestamp

formatdate-time

zone_id: str

Zone this user belongs to

authenticated_at: Optional[str]

Date when the user was last authenticated

grant_count: Optional[int]

Delegated-grant count for this user. Populated only when expand[]=grant_count is set on the listing endpoint.

minimum0

issuer: Optional[str]

Issuer identifier of the identity provider

provider_id: Optional[str]

Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.

role_assignments: Optional[List[RoleAssignment]]

Role grants for this user within the zone. Populated only when expand[]=role-assignments is set on the listing endpoint.

role_id: str

ID of the assigned role

role_identifier: str

Opaque role identifier. Treated as an opaque identifier by the API and unique within a zone.

minLength1

maxLength255

scope: Optional[RoleAssignmentScope]

The resource this grant is scoped to, or null when the grant is unscoped (applies to the owning zone itself).

id: str

The ID of the scoped resource.

type: str

The kind of resource this grant is scoped to (e.g. zone).

session_count: Optional[int]

Session count for this user. Populated only when expand[]=session_count is set on the listing endpoint.

minimum0

subject: Optional[str]

Subject identifier from the identity provider

pagination: Pagination

Cursor-based pagination metadata

after_cursor: Optional[str]

An opaque cursor used for paginating through a list of results

minLength1

maxLength255

before_cursor: Optional[str]

An opaque cursor used for paginating through a list of results

minLength1

maxLength255

total_count: Optional[int]

Total number of items matching the query. Only included when expand[]=total_count is requested.

List users

from keycardai_api import KeycardAPI

client = KeycardAPI()
users = client.zones.users.list(
    zone_id="zoneId",
)
print(users.items)

{
  "items": [
    {
      "id": "id",
      "created_at": "2019-12-27T18:11:19.117Z",
      "email": "dev@stainless.com",
      "email_verified": true,
      "identifier": "identifier",
      "organization_id": "organization_id",
      "status": "active",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "zone_id": "zone_id",
      "authenticated_at": "authenticated_at",
      "grant_count": 0,
      "issuer": "issuer",
      "provider_id": "provider_id",
      "role_assignments": [
        {
          "role_id": "role_id",
          "role_identifier": "x",
          "scope": {
            "id": "id",
            "type": "type"
          }
        }
      ],
      "session_count": 0,
      "subject": "subject"
    }
  ],
  "pagination": {
    "after_cursor": "x",
    "before_cursor": "x",
    "total_count": 0
  }
}

Returns Examples

{
  "items": [
    {
      "id": "id",
      "created_at": "2019-12-27T18:11:19.117Z",
      "email": "dev@stainless.com",
      "email_verified": true,
      "identifier": "identifier",
      "organization_id": "organization_id",
      "status": "active",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "zone_id": "zone_id",
      "authenticated_at": "authenticated_at",
      "grant_count": 0,
      "issuer": "issuer",
      "provider_id": "provider_id",
      "role_assignments": [
        {
          "role_id": "role_id",
          "role_identifier": "x",
          "scope": {
            "id": "id",
            "type": "type"
          }
        }
      ],
      "session_count": 0,
      "subject": "subject"
    }
  ],
  "pagination": {
    "after_cursor": "x",
    "before_cursor": "x",
    "total_count": 0
  }
}