Dashboard invite

Admin-driven invite flow that sends an email and creates the identity row when the recipient sets their password.

Two invite surfaces

The dashboard exposes two distinct invite paths. They share an email ceremony and a one-time accept link, but they land in different layers of the identity model and bundle different things at acceptance.

- Tenant > Identities → Invite — Account-tier. The invitation creates a directory-only Identity at the Account on accept; the optional App picker adds an AppMembership for the chosen Application but no role assignment. Use this for federated/SSO users you want to pre-stage, or for inviting someone before you know what role they'll need.
- Access Control > Identities → Invite & Assign — Environment-scoped. The invitation creates the Identity, the AppMembership for the active App, and a role assignment at a hierarchy node, all in one transaction. Use this when the invitee should land with permissions already wired up. This is the surface covered in detail on this page.

See the three-layer model on the Identities overview →

Using the Dashboard

Access Control > Identities is the Environment-scoped page where invitations and role assignments are managed. The page header offers three entry points. Invite sends an email-only invite with no roles attached. Invite & Assign — covered on this page — opens a dialog that pairs the invite with a role assignment in a single step. Create Identity skips the email entirely and writes the identity row immediately; see the Dashboard create page for that flow.

Invite an identity

1. Open the Identities page from the left nav under Access Control — it's scoped to whichever Environment is currently active in the workspace switcher.
2. Click Invite & Assign in the page header. The invite dialog opens.
3. Enter the email address, first name, and last name for the new identity.
4. Pick a Role and the Node the assignment lands on. In a flat Environment, only the root node is available. In a hierarchy-enabled Environment, the node picker lists every node you can manage, with indentation reflecting the tree.
5. Optionally pick an Application. When set, the invite link in the email points at that OAuth client's invite_redirect_url so the recipient lands on your branded accept page. When left blank, the link goes to Canopy's hosted /app/identity/accept-invite fallback.
6. Click Send Invite. The recipient gets an email with a link to set a password. As soon as they accept, the identity becomes active and their assignment is live.

Other entry points

- Invite: email-only invite — same dialog without the role + node fields. Use this when you want to add the person now and decide their access later.
- Create Identity: writes the identity row immediately with no email ceremony, optionally with a starting password. See the Dashboard create page.
- Invites tab on Identities → Directory: every pending invitation is listed here. Open one to resend the email, copy a fresh accept URL, or revoke.

First time setting up?

When you land on a fresh Environment — the dashboard seeds every Account with a Development and Production env at signup, both empty — the Overview page shows a banner that reads "You haven't invited any users or assigned them roles yet." Click Complete Invite & Assign Users Setup to open the Setup Guide on its Invite & Assign Users tab — an interactive slide-out panel that walks you through inviting identities and assigning them roles. Each step links directly to the right page and surfaces contextual help alongside, so you don't have to bounce between docs and the dashboard to figure out where to click next.

What the guide walks you through:

- Invite identities
- Assign roles to identities

Inviting many at once? Use the dashboard CSV import wizard →

What the recipient sees

Once you click Send Invite, the recipient receives an email built from the configured template — a generic subject line, a greeting that includes the Account's name when available, and a primary call-to-action button.

Their flow

1. The email arrives within a few seconds. The subject reads "You've Been Invited", and the body opens with "You've been invited to join {Account name}" when an Account name is available.
2. Clicking the call-to-action takes them to the accept page — the OAuth client's invite_redirect_url when an Application was selected, or Canopy's hosted /app/identity/accept-invite page when not.
3. They confirm their first and last name (pre-filled from the invite) and set a password. Passwords go through a HaveIBeenPwned breach check; breached passwords are rejected up front.
4. On submit, the identity row is created (or updated, if the email already existed in the Account), the password is stored as an Argon2id hash, and any role assignment that was attached to the invite is materialised in the same transaction.
5. The accept link is single-use. The token is consumed on success, and the invite flips from pending to accepted.

Invites expire after 7 days. Expired invites can be resent from the dashboard to issue a fresh token with a new 7-day window.

Managing pending invites

Open Identities → Directory from the left nav and switch to the Invites tab to see every invitation that hasn't been accepted yet, plus history for accepted, expired, and revoked ones. Click any row to open its detail drawer.

From the invite drawer

- Resend generates a fresh token, resets the 7-day expiry, and (when the original invite was set to send the email) sends it again. There's a 5-minute cooldown to avoid accidental flooding.
- Revoke immediately invalidates the token. The recipient's existing accept link will land on a "this invite is no longer valid" page. Useful when you sent to the wrong address or the recipient never plans to accept.
- Accepted, expired, and revoked invites stay in the list as history. Only pending invites can be resent or revoked.

If you need to re-invite someone whose original invite expired or was revoked, just send a brand-new invite — the old row stays in history and the new one is independent.
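
The accept-link rules described above (single-use token, 7-day expiry, resend after a 5-minute cooldown, revoke), modelled in Python as an added illustration that is not Canopy's implementation. Storing only a SHA-256 hash of the token, treating a resend as superseding the earlier link, measuring the cooldown from the last send, and checking expiry at accept time are assumptions of this sketch.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

TTL = 7 * 24 * 3600      # page: invites expire after 7 days
COOLDOWN = 5 * 60        # page: 5-minute resend cooldown

def digest(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()

@dataclass
class Invite:
    email: str
    status: str = "pending"          # pending | accepted | revoked
    token_hash: bytes = b""
    sent_at: float = 0.0
    expires_at: float = 0.0

    def issue(self, now: float) -> str:
        """Mint a fresh token; only its hash is stored (assumption)."""
        token = secrets.token_urlsafe(32)
        self.token_hash = digest(token)
        self.sent_at, self.expires_at = now, now + TTL
        return token                 # goes into the accept link, nowhere else

    def resend(self, now: float) -> str:
        if self.status != "pending":
            raise ValueError("only pending invites can be resent")
        if now - self.sent_at < COOLDOWN:   # measured from last send (assumption)
            raise ValueError("resend cooldown active")
        return self.issue(now)       # the previous link stops matching

    def revoke(self) -> None:
        if self.status != "pending":
            raise ValueError("only pending invites can be revoked")
        self.status = "revoked"

    def accept(self, token: str, now: float) -> bool:
        ok = (self.status == "pending" and now < self.expires_at
              and hmac.compare_digest(self.token_hash, digest(token)))
        if ok:
            self.status = "accepted" # consume the token: single-use
        return ok

if __name__ == "__main__":           # constructed walk-through
    inv = Invite("pat.lee@example.com")
    old = inv.issue(now=0)
    new = inv.resend(now=COOLDOWN)
    print(inv.accept(old, now=600), inv.accept(new, now=700), inv.accept(new, now=800))
```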

Using the API

You can also invite identities through the API instead of using the dashboard. Use this when you're provisioning users in bulk, syncing from an HR or directory system, or wiring sign-up into a self-service flow on your own site. Each API key is scoped to one Environment — POST /api/v1/identity-invites creates the invitation, and any role + node attached to it, in that Environment and nowhere else.

Endpoint
POST /api/v1/identity-invites

Authenticate with your API key in the X-API-Key header.

Example

Send the recipient's email, first name, and last name, with an optional initial role and node, in the request body:

{
  "email": "regional.manager@example.com",
  "first_name": "Pat",
  "last_name": "Lee",
  "role_id": "5e1f2a3b-4c5d-4e6f-7a8b-9c0d1e2f3a4b",
  "node_id": "0aa1b2c3-d4e5-4f6a-7b8c-9d0e1f2a3b4c"
}

The response returns the created invitation with its id and an accept_url. Until the recipient accepts, the identity is in the pending state and the pre-attached assignment is dormant. Once accepted, the identity flips to active and the assignment takes effect immediately. For mass invitations, the same surface exposes POST /api/v1/identity-invites/bulk-create for up to 200 invites per call with per-row partial-success semantics.
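
A small client for the single-invite endpoint above, added here as an example and not taken from Canopy's own code or SDK. The host canopy.example.com, the CANOPY_API_KEY environment variable and the helper names are assumptions; the path, header and body fields are the ones shown on this page.

```python
import json, os, re, urllib.request, uuid

BASE_URL = "https://canopy.example.com"   # placeholder host (assumption)

def build_invite_request(email, first_name, last_name, role_id=None,
                         node_id=None, api_key=None, base_url=BASE_URL):
    """Validate the fields locally and return the POST request, unsent."""
    # CANOPY_API_KEY is a hypothetical variable name; keep keys out of source.
    api_key = api_key or os.environ["CANOPY_API_KEY"]
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send the API key over a non-TLS URL")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        raise ValueError(f"not an email address: {email!r}")
    body = {"email": email, "first_name": first_name, "last_name": last_name}
    for field, value in (("role_id", role_id), ("node_id", node_id)):
        if value is not None:
            body[field] = str(uuid.UUID(value))   # raises on a malformed id
    return urllib.request.Request(
        base_url + "/api/v1/identity-invites",
        data=json.dumps(body).encode(), method="POST",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"})

def send(request):
    """Submit the request and return the parsed invitation."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)

def loggable(invitation: dict) -> dict:
    """accept_url lets its holder set the password, so keep it out of logs."""
    return {k: "[redacted]" if k == "accept_url" else v
            for k, v in invitation.items()}

if __name__ == "__main__":
    # Constructed input matching the request body shown above; nothing is sent.
    req = build_invite_request(
        "regional.manager@example.com", "Pat", "Lee",
        role_id="5e1f2a3b-4c5d-4e6f-7a8b-9c0d1e2f3a4b",
        node_id="0aa1b2c3-d4e5-4f6a-7b8c-9d0e1f2a3b4c",
        api_key="constructed-key")
    print(req.get_method(), req.full_url, req.data.decode())
```

Because each API key is scoped to one Environment, the key loaded here also decides where the invite and its role assignment land.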

View full API reference →