Create an invite

POST

/portal/v1/accounts/{accountSlug}/applications/{appSlug}/environments/{envSlug}/identity-invites

Authentication

Bearer Token Authorization
JWT access token

Request body

client_idstring
OAuth client ID — determines which app the invite links to. If omitted, uses Canopy hosted fallback.
intentenum: "activate" | "password_reset" | "onboard"
Optional. `activate` (default) creates a net-new identity OR — if an identity with this email already exists in the Account but has no active membership in this App — auto-derives an `add_to_app` invite that adds them to this App without touching their existing password. `password_reset` is the explicit admin-driven credential-rotation flow for an existing identity; it cannot carry a role/node assignment. The legacy `onboard` value is accepted and treated as `activate`.
emailstring*
first_namestring
Required for `activate`. Ignored for `add_to_app` (the existing identity's name wins) and for `password_reset`.
last_namestring
Required for `activate`. Ignored for `add_to_app` and `password_reset`.
role_idstring
Role ID — required if node_id is provided
node_idstring
Node ID — required if role_id is provided
send_emailboolean
Whether Canopy should send the invite email. Set false to suppress delivery and handle it yourself — the API response includes accept_url with the tokenized link. Defaults to true.

Code samples

cURL

JavaScript

Python

curl -X POST "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/applications/{appSlug}/environments/{envSlug}/identity-invites" \
  -H "Authorization: Bearer $CANOPY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "string",
    "intent": "activate",
    "email": "string",
    "first_name": "string",
    "last_name": "string",
    "role_id": "string",
    "node_id": "string",
    "send_email": true
  }'

const response = await fetch("https://api.canopy.dev/portal/v1/accounts/{accountSlug}/applications/{appSlug}/environments/{envSlug}/identity-invites", {
  method: "POST",
  headers: {
    "Authorization": "Bearer $CANOPY_TOKEN",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    "client_id": "string",
    "intent": "activate",
    "email": "string",
    "first_name": "string",
    "last_name": "string",
    "role_id": "string",
    "node_id": "string",
    "send_email": true
  }),
});

const data = await response.json();

import requests

response = requests.post(
    "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/applications/{appSlug}/environments/{envSlug}/identity-invites",
    headers={
    "Authorization": "Bearer $CANOPY_TOKEN",
    "Content-Type": "application/json"
    },
    json={
        "client_id": "string",
        "intent": "activate",
        "email": "string",
        "first_name": "string",
        "last_name": "string",
        "role_id": "string",
        "node_id": "string",
        "send_email": True,
    },
)

data = response.json()

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload := map[string]interface{}{
		"client_id": "string",
		"intent": "activate",
		"email": "string",
		"first_name": "string",
		"last_name": "string",
		"role_id": "string",
		"node_id": "string",
		"send_email": true,
	}
	body, _ := json.Marshal(payload)

	req, _ := http.NewRequest("POST", "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/applications/{appSlug}/environments/{envSlug}/identity-invites", bytes.NewBuffer(body))
	req.Header.Set("Authorization", "Bearer $CANOPY_TOKEN")
	req.Header.Set("Content-Type", "application/json")

	resp, _ := http.DefaultClient.Do(req)
	defer resp.Body.Close()
}

Responses

201 Invite created

{
  "id": "string",
  "email": "string",
  "intent": "activate",
  "first_name": "string",
  "last_name": "string",
  "name": "string",
  "role_id": "string",
  "node_id": "string",
  "has_initial_assignment": false,
  "status": "pending",
  "expires_at": "2026-04-20T12:00:00.000Z",
  "invited_by": "string",
  "created_at": "2026-04-20T12:00:00.000Z"
}

application/json

idstring*
emailstring*
intentenum: "activate" | "add_to_app" | "password_reset" | "onboard"*
Final intent stamped on the invite at create time. `activate` is the auto-derived default for net-new identities; `add_to_app` is auto-derived when the email matches an existing account-level identity that has no membership in this App; `password_reset` is admin-explicit. `onboard` may appear on rows created before the rename.
first_namestring*
last_namestring*
namestring*
role_idstring
node_idstring
has_initial_assignmentboolean*
statusenum: "pending" | "accepted" | "revoked" | "expired"*
expires_atstring (date-time)*
invited_bystring*
created_atstring (date-time)*

401 Invalid or expired token

403 This token is not authorized for this endpoint (wrong principal type — e.g., admin token on identity-only endpoint, or vice versa)

Returned object

The IdentityInviteResponseDto object View all properties on this resource

On this page

GETList invites
GETGet invite summary
POSTBulk-create invites
POSTResend an invite
DELETERevoke an invite