Users
The users resource represents a single Bloom user. Users cannot be directly created. Instead, a user registration request must be made.
User object
{
"id": "019429df-8f3f-7245-bc0d-73kn1u4f2284",
"email": "user@example.com",
"meta": {
"name_first": "Jon",
"name_last": "Doe"
},
"admin": false,
"enabled": true,
"created_at": "2025-01-03 01:55:04",
"updated_at": "2025-07-28 17:11:17",
"verified_at": "2025-07-28 17:11:17"
}
Fields
- idrequired readonly stringUnique ID of the record.
- emailrequired stringUnique email address of the user.
- metarequired object
- adminrequired readonly booleanWhether the user is an admin.
- enabledrequired booleanWhether the user is enabled. This field is only writable by an admin user.
- created_atrequired readonly stringUTC timestamp of when the record was created.
- updated_atnullable readonly stringUTC timestamp of when the record was last updated.
- verified_atnullable readonly stringUTC timestamp of when the user verified their email address.
Read a user
GET /users/{Id} or /users/me alias to read self.
Required permissions
User must be authenticated and can only read their own record.
Response
| HTTP status | Title | Description | Schema |
|---|---|---|---|
| 200 | OK | User object | |
| 400 | Bad Request | Invalid parameters in the request query | Error object |
| 403 | Forbidden | Unsuccessful attempt to read another user's record | Error object |
| 404 | Not Found | User ID not found | Error object |
Update a user
PATCH /users/{id}
The request body must include parts of a user object.
In addition, a password field can be included to update the user's password.
The password must meet the following requirements:
- Minimum length of 12 characters
- Contain at least one lowercase letter
- Contain at least one uppercase letter
- Contain at least one number
If the email field is updated, the user must verify their new email address before they can log in again.
A verification email will be sent to the new email address.
Required permissions
User must be authenticated and can only update their own record.
Response
| HTTP status | Title | Description | Schema |
|---|---|---|---|
| 200 | OK | Updated user record | User object |
| 400 | Bad Request | Invalid or missing field(s) | Error object |
| 404 | Not Found | User ID not found | Error object |
| 409 | Conflict | Email address already in use by another user | Error object |
Delete a user
DELETE /users/{id}
User accounts which own tenants cannot be deleted. The tenant must be transferred to another user or deleted before the user can be deleted.
Required permissions
User must be authenticated and can only delete their own record.
Response
| HTTP status | Title | Description | Schema |
|---|---|---|---|
| 204 | No content | Successfully deleted | |
| 400 | Bad Request | User owns at least one tenant and cannot be deleted | Error object |
| 404 | Not Found | User ID not found | Error object |
List tenant invitations
List all tenant invitations for a user.
GET /users/{id}/invitations
Required permissions
User must be authenticated and can only list invitations for themselves.
Response
| HTTP status | Title | Description | Schema |
|---|---|---|---|
| 200 | OK | An associative array of tenant invitation objects | |
| 400 | Bad Request | Invalid parameters in the request query | Error object |
| 403 | Forbidden | Unsuccessful attempt to read another user's invitations | Error object |
| 404 | Not Found | User ID not found | Error object |
Accept a tenant invitation
Accept a tenant invitation.
POST /users/{userId}/invitations/{id}
Required permissions
User must be authenticated and can only accept their own invitations.
Response
| HTTP status | Title | Description | Schema |
|---|---|---|---|
| 204 | No content | Successfully accepted | |
| 400 | Bad Request | Invalid parameters in the request query | Error object |
| 403 | Forbidden | Unsuccessful attempt to accept another user's invitation | Error object |
| 404 | Not Found | User or invitation ID not found | Error object |
List tenants
List all tenants the user owns or belongs to.
GET /users/{id}/tenants
Required permissions
User must be authenticated and can only list tenants they own or belong to.
Response
| HTTP status | Title | Description | Schema |
|---|---|---|---|
| 200 | OK | An associative array of tenant objects | |
| 400 | Bad Request | Invalid parameters in the request query | Error object |
| 404 | Not Found | User ID not found | Error object |
Logout
Logout the current user by invalidating their current access and refresh tokens.
POST /users/logout
Required permissions
User must be authenticated.
Response
| HTTP status | Title | Description | Schema |
|---|---|---|---|
| 204 | No content | Successfully logged out |