1. Docs
  2. Identities
  3. Dashboard create

Dashboard create

Admin-driven direct creation from the dashboard — the identity row is written immediately, with an optional starting password and no email ceremony.

Two create surfaces

Two create surfaces

The dashboard exposes two distinct direct-create paths. They both write the Identity row immediately with no email ceremony, but they land in different layers and bundle different things.

Tenant > Identities → Create Identity — Account-tier. Writes a directory-only Identity at the Account; the optional App picker adds an AppMembership for the chosen Application. No role assignment, no Environment context — useful for pre-provisioning, migration, or staging identities you'll attach to access later.Access Control > Identities → Create Identity — Environment-scoped. Writes the Identity, the AppMembership for the active App, and (when role + node are supplied) a role assignment, all in one transaction. This is the surface covered in detail on this page.
 See the three-layer model on the Identities overview →

Using the Dashboard

Access Control > Identities is the Environment-scoped page where identities and assignments are managed. The page header offers three entry points. Invite sends an email-only invite. Invite & Assign bundles an invite with a role assignment. Create Identity — covered on this page — skips the email entirely and writes the identity row right away. Use it when you want the identity to exist now (with or without a starting password) rather than wait for the recipient to click an email link.

Create an identity
Open the Identities page from the left nav under Access Control — it's scoped to whichever Environment is currently active in the workspace switcher.Click Create Identity in the page header. The create dialog opens.Enter the email address, first name, and last name. These are the only required fields.Optionally set an Initial password (8–64 characters). When set, the identity can sign in immediately. When omitted, the identity is passwordless until they go through forgot-password reset or sign in via SSO/social.Optionally pick a Role and Node to bundle a first role assignment in the same step. Both are needed to create the assignment — if only one is provided, no assignment is created.Click Create Identity. The identity row is written to the database immediately, the assignment (if any) is created in the same transaction, and the identities list refreshes.
When to use Create Identity vs the alternatives
Invite: pick when you want the user to set their own password through an email link and you don't already know what it should be.Invite & Assign: same email-link ceremony, but the role assignment is wired in up front so the user lands with permissions ready when they accept.Create Identity: pick when the user already exists in your records (migration, pre-provisioning, federated SSO mapping), when you have a temp password to set out-of-band, or when the user will only ever authenticate via SSO and you want the row to exist now.
First time setting up?

When you land on a fresh Environment — the dashboard seeds every Account with a Development and Production env at signup, both empty — the Overview page shows a banner that reads "You haven't invited any users or assigned them roles yet." Click Complete Invite & Assign Users Setup to open the Setup Guide on its Invite & Assign Users tab — an interactive slide-out panel that walks you through inviting identities and assigning them roles. Each step links directly to the right page and surfaces contextual help alongside, so you don't have to bounce between docs and the dashboard to figure out where to click next.

What the guide walks you through:

Invite identitiesAssign roles to identities
 Onboarding many at once? Use the dashboard CSV import wizard →

Using the API

You can also create identities through the API instead of using the dashboard. Use this when you're provisioning users from a backend job, syncing from an HR system, or scripting a migration. Each API key is scoped to one Environment — POST /api/v1/identities creates the identity row in the Account, and any bundled role + node assignment lands in that Environment.

Endpoint 
POST /api/v1/identities

Authenticate with your API key in the X-API-Key header. The principal needs identity.manage in the target Environment.

Example

Send the email and names, with an optional password and an optional role + node pair, in the request body:

{
  "email": "regional.manager@example.com",
  "first_name": "Pat",
  "last_name": "Lee",
  "password": "temp-password-rotated-on-first-login",
  "role_id": "5e1f2a3b-4c5d-4e6f-7a8b-9c0d1e2f3a4b",
  "node_id": "0aa1b2c3-d4e5-4f6a-7b8c-9d0e1f2a3b4c"
}

The response returns the new identity with its id and is committed by the time the 201 lands — there's no async write or eventual-consistency window. For batch provisioning, the same surface exposes POST /api/v1/identities/bulk-create for up to 200 rows per call with per-row partial-success semantics.

 View full API reference →
Environment
On this page
Canopy