Add an identity to an Application (create AppMembership)

POST

/portal/v1/accounts/{accountSlug}/identities/{id}/app-memberships

Authentication

Bearer Token Authorization
JWT access token

Path Parameters

Name	Required	Type	Description
`id`	Required	`string`

Request body

application_idstring*
The Application ID the identity should be attached to. Must belong to the same Account as the identity.

Code samples

cURL

JavaScript

Python

curl -X POST "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/identities/value/app-memberships" \
  -H "Authorization: Bearer $CANOPY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "application_id": "string"
  }'

const response = await fetch("https://api.canopy.dev/portal/v1/accounts/{accountSlug}/identities/value/app-memberships", {
  method: "POST",
  headers: {
    "Authorization": "Bearer $CANOPY_TOKEN",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    "application_id": "string"
  }),
});

const data = await response.json();

import requests

response = requests.post(
    "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/identities/value/app-memberships",
    headers={
    "Authorization": "Bearer $CANOPY_TOKEN",
    "Content-Type": "application/json"
    },
    json={
        "application_id": "string",
    },
)

data = response.json()

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload := map[string]interface{}{
		"application_id": "string",
	}
	body, _ := json.Marshal(payload)

	req, _ := http.NewRequest("POST", "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/identities/value/app-memberships", bytes.NewBuffer(body))
	req.Header.Set("Authorization", "Bearer $CANOPY_TOKEN")
	req.Header.Set("Content-Type", "application/json")

	resp, _ := http.DefaultClient.Do(req)
	defer resp.Body.Close()
}

Responses

201 Creates an active AppMembership row attaching the Account-level identity to the named Application. The Application must belong to the same Account as the identity. Writes an App-tier audit row.

{
  "id": "string",
  "identity_id": "string",
  "application_id": "string",
  "status": "invited",
  "invited_at": "2026-04-20T12:00:00.000Z",
  "activated_at": "2026-04-20T12:00:00.000Z",
  "deactivated_at": "2026-04-20T12:00:00.000Z",
  "created_at": "2026-04-20T12:00:00.000Z"
}

application/json

idstring*
identity_idstring*
application_idstring*
statusenum: "invited" | "active" | "deactivated" | "suspended"*
invited_atstring (date-time)
activated_atstring (date-time)
deactivated_atstring (date-time)
created_atstring (date-time)*

401 Invalid or expired token

403 This token is not authorized for this endpoint (wrong principal type — e.g., admin token on identity-only endpoint, or vice versa)

404 Identity not found

409 Identity is already an active member of this Application — call remove first to revoke, or no-op

Returned object

The AppMembershipResponseDto object View all properties on this resource

On this page

GETList identities in Account
POSTCreate an Account identity
POSTBulk-create Account identities
GETGet directory counts for the Account
GETGet an Account identity
PATCHUpdate an Account identity profile
PATCHSet Account-wide is_active flag
POSTAdmin-trigger a password reset email
POSTRe-send email verification
GETList audit events for an Account identity
DELETERemove an identity from an Application (revoke AppMembership)