Users

List users

GET/zones/{zoneId}/users

Returns a list of users in the specified zone.

Rollout note: the paginated/searchable/sortable behavior described below is gated behind the user-pagination feature flag and is currently disabled for most zones. While the flag is off, the response returns every user in the zone (capped at 100) in items and a fixed pagination envelope where after_cursor and before_cursor are null and total_count is 0. The query parameters below are accepted but ignored. The flag is rolled out per-zone in Datadog and will become the default once Console adopts the paginated contract.

Use cursor pagination via after/before. Sort: comma-separated field list; prefix with - for descending. Use expand[]=total_count to include the matching row count, expand[]=session_count to include per-user session counts, expand[]=grant_count to include per-user delegated-grant counts, and expand[]=role-assignments to include each user's structured role grants. Filter by exact email via filter[email]; search via query[email] / query[subject] / query[] (substring match, OR'd across repeated values). query[] matches against email and federation credential subject. Pass filter[id] (repeatable, max 100) to restrict results to a known set of users — mutually exclusive with after/before (returns 400 if combined). When filter[id] is set, limit is ignored and the response contains every requested user that exists in the zone, in a single page. IDs not in the zone are silently omitted.

Path ParametersExpand Collapse

zoneId: string

Query ParametersExpand Collapse

after: optional string

Cursor for forward pagination

minLength1

maxLength255

before: optional string

Cursor for backward pagination

minLength1

maxLength255

"expand[]": optional "total_count" or "session_count" or "grant_count" or "role-assignments" or array of "total_count" or "session_count" or "grant_count" or "role-assignments"

Accepts one of the following:

UnionMember0 = "total_count" or "session_count" or "grant_count" or "role-assignments"

Accepts one of the following:

"total_count"

"session_count"

"grant_count"

"role-assignments"

UnionMember1 = array of "total_count" or "session_count" or "grant_count" or "role-assignments"

Accepts one of the following:

"total_count"

"session_count"

"grant_count"

"role-assignments"

"filter[email]": optional string or array of string

Filter by exact email address

Accepts one of the following:

UnionMember0 = string

Filter by exact email address

UnionMember1 = array of string

"filter[id]": optional string or array of string

Restrict results to users with this publicId. Repeatable, max 100. Mutually exclusive with after/before.

Accepts one of the following:

UnionMember0 = string

Restrict results to users with this publicId. Repeatable, max 100. Mutually exclusive with after/before.

UnionMember1 = array of string

limit: optional number

Maximum number of items to return

minimum1

maximum100

"query[]": optional string or array of string

Search across email and credential subject (substring match)

Accepts one of the following:

UnionMember0 = string

Search across email and credential subject (substring match)

UnionMember1 = array of string

"query[email]": optional string or array of string

Search by email (substring match)

Accepts one of the following:

UnionMember0 = string

Search by email (substring match)

UnionMember1 = array of string

"query[subject]": optional string or array of string

Search by federated credential subject (substring match)

Accepts one of the following:

UnionMember0 = string

Search by federated credential subject (substring match)

UnionMember1 = array of string

sort: optional string

Comma-separated sort fields. Prefix with - for descending. Allowed: created_at, email, authenticated_at

ReturnsExpand Collapse

items: array of User { id, created_at, email, 13 more }

id: string

Unique identifier of the user

created_at: string

Entity creation timestamp

formatdate-time

email: string

Email address of the user

formatemail

email_verified: boolean

Whether the email address has been verified

identifier: string

Zone-scoped user identifier. Defaults to the user's Keycard ID. When the provider has user_identifier_claim configured, the value is set from that claim at user creation time.

organization_id: string

Organization that owns this user

status: "active" or "disabled"

Status of the user. Disabled users cannot authenticate.

Accepts one of the following:

"active"

"disabled"

updated_at: string

Entity update timestamp

formatdate-time

zone_id: string

Zone this user belongs to

authenticated_at: optional string

Date when the user was last authenticated

grant_count: optional number

Delegated-grant count for this user. Populated only when expand[]=grant_count is set on the listing endpoint.

minimum0

issuer: optional string

Issuer identifier of the identity provider

provider_id: optional string

Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.

role_assignments: optional array of object { role_id, role_identifier, scope }

Role grants for this user within the zone. Populated only when expand[]=role-assignments is set on the listing endpoint.

role_id: string

ID of the assigned role

role_identifier: string

Opaque role identifier. Treated as an opaque identifier by the API and unique within a zone.

minLength1

maxLength255

scope: object { id, type }

The resource this grant is scoped to, or null when the grant is unscoped (applies to the owning zone itself).

id: string

The ID of the scoped resource.

type: string

The kind of resource this grant is scoped to (e.g. zone).

session_count: optional number

Session count for this user. Populated only when expand[]=session_count is set on the listing endpoint.

minimum0

subject: optional string

Subject identifier from the identity provider

pagination: object { after_cursor, before_cursor, total_count }

Cursor-based pagination metadata

after_cursor: string

An opaque cursor used for paginating through a list of results

minLength1

maxLength255

before_cursor: string

An opaque cursor used for paginating through a list of results

minLength1

maxLength255

total_count: optional number

Total number of items matching the query. Only included when expand[]=total_count is requested.

List users

curl https://api.keycard.ai/zones/$ZONE_ID/users

{
  "items": [
    {
      "id": "id",
      "created_at": "2019-12-27T18:11:19.117Z",
      "email": "dev@stainless.com",
      "email_verified": true,
      "identifier": "identifier",
      "organization_id": "organization_id",
      "status": "active",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "zone_id": "zone_id",
      "authenticated_at": "authenticated_at",
      "grant_count": 0,
      "issuer": "issuer",
      "provider_id": "provider_id",
      "role_assignments": [
        {
          "role_id": "role_id",
          "role_identifier": "x",
          "scope": {
            "id": "id",
            "type": "type"
          }
        }
      ],
      "session_count": 0,
      "subject": "subject"
    }
  ],
  "pagination": {
    "after_cursor": "x",
    "before_cursor": "x",
    "total_count": 0
  }
}

Returns Examples

{
  "items": [
    {
      "id": "id",
      "created_at": "2019-12-27T18:11:19.117Z",
      "email": "dev@stainless.com",
      "email_verified": true,
      "identifier": "identifier",
      "organization_id": "organization_id",
      "status": "active",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "zone_id": "zone_id",
      "authenticated_at": "authenticated_at",
      "grant_count": 0,
      "issuer": "issuer",
      "provider_id": "provider_id",
      "role_assignments": [
        {
          "role_id": "role_id",
          "role_identifier": "x",
          "scope": {
            "id": "id",
            "type": "type"
          }
        }
      ],
      "session_count": 0,
      "subject": "subject"
    }
  ],
  "pagination": {
    "after_cursor": "x",
    "before_cursor": "x",
    "total_count": 0
  }
}