Invite an identity at the Account tier

POST

/portal/v1/accounts/{accountSlug}/identity-invites

Authentication

Bearer Token Authorization
JWT access token

Request body

emailstring*
first_namestring
last_namestring
application_idstring
Optional Application ID. When present, the invite acceptance creates an AppMembership for that App and the email link uses that App's invite_redirect_url. Omit for orphan invites.

Code samples

cURL

JavaScript

Python

curl -X POST "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/identity-invites" \
  -H "Authorization: Bearer $CANOPY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "string",
    "first_name": "string",
    "last_name": "string",
    "application_id": "string"
  }'

const response = await fetch("https://api.canopy.dev/portal/v1/accounts/{accountSlug}/identity-invites", {
  method: "POST",
  headers: {
    "Authorization": "Bearer $CANOPY_TOKEN",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    "email": "string",
    "first_name": "string",
    "last_name": "string",
    "application_id": "string"
  }),
});

const data = await response.json();

import requests

response = requests.post(
    "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/identity-invites",
    headers={
    "Authorization": "Bearer $CANOPY_TOKEN",
    "Content-Type": "application/json"
    },
    json={
        "email": "string",
        "first_name": "string",
        "last_name": "string",
        "application_id": "string",
    },
)

data = response.json()

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload := map[string]interface{}{
		"email": "string",
		"first_name": "string",
		"last_name": "string",
		"application_id": "string",
	}
	body, _ := json.Marshal(payload)

	req, _ := http.NewRequest("POST", "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/identity-invites", bytes.NewBuffer(body))
	req.Header.Set("Authorization", "Bearer $CANOPY_TOKEN")
	req.Header.Set("Content-Type", "application/json")

	resp, _ := http.DefaultClient.Do(req)
	defer resp.Body.Close()
}

Responses

201 Creates an Account-tier identity invite and sends the email. Distinct from the env-scoped invite endpoint — this one does not anchor to an Environment and does not carry `role_id` / `node_id`. Optional `application_id` targets an App: acceptance creates an AppMembership for that App and the email link uses the App's OAuth client's `invite_redirect_url` when present. Omit `application_id` for a fully orphan invite — acceptance creates only the Account-level Identity row.

{
  "id": "string",
  "email": "string",
  "intent": "string",
  "first_name": "string",
  "last_name": "string",
  "client_id": "string",
  "expires_at": "2026-04-20T12:00:00.000Z",
  "created_at": "2026-04-20T12:00:00.000Z"
}

application/json

idstring*
emailstring*
intentstring*
first_namestring*
last_namestring*
client_idstring
Application ID this invite optionally targets. NULL for orphan invites.
expires_atstring (date-time)*
created_atstring (date-time)*

401 Invalid or expired token

403 This token is not authorized for this endpoint (wrong principal type — e.g., admin token on identity-only endpoint, or vice versa)

404 Application not found in this Account — cannot attach an identity to an Application outside its own Account

409 A pending invite already exists for this email at this scope. Revoke the existing invite or wait for it to expire before issuing a new one.

Returned object

The AccountIdentityInviteResponseDto object View all properties on this resource

On this page