Management API
The Management API provides CRUD operations for all Paylent resources. It follows the JSON:API specification and is available at /api/ under each environment’s subdomain.

```
GET    /api/users      # List users
GET    /api/users/:id  # Get user
POST   /api/users      # Create user (create_with_password)
PATCH  /api/users/:id  # Update user
DELETE /api/users/:id  # Delete user
```

Create User

```json
{
  "data": {
    "type": "user",
    "attributes": {
      "first_name": "Jane",
      "last_name": "Doe",
      "password": "secure_password",
      "password_confirmation": "secure_password"
    }
  }
}
```

Sessions

```
GET    /api/sessions             # List sessions
GET    /api/sessions/:id         # Get session
POST   /api/sessions             # Create session
PATCH  /api/sessions/:id/touch   # Update last activity
PATCH  /api/sessions/:id/revoke  # Revoke session
DELETE /api/sessions/:id         # Delete session
```

Sessions track IP address, user agent, last activity, expiry, and revocation status.

Roles & Permissions

```
GET    /api/roles      # List roles
GET    /api/roles/:id  # Get role (includes user_count, permission_count)
POST   /api/roles      # Create role
PATCH  /api/roles/:id  # Update role
DELETE /api/roles/:id  # Delete role

GET    /api/permissions      # List permissions
POST   /api/permissions      # Create permission
PATCH  /api/permissions/:id  # Update permission
DELETE /api/permissions/:id  # Delete permission
```

Assign Permission to Role

```
POST /api/role-permissions

{
  "data": {
    "type": "role_permission",
    "attributes": {},
    "relationships": {
      "role": { "data": { "type": "role", "id": "ROLE_ID" } },
      "permission": { "data": { "type": "permission", "id": "PERM_ID" } }
    }
  }
}
```

Assign Role to User

```
POST /api/user-roles

{
  "data": {
    "type": "user_role",
    "attributes": {},
    "relationships": {
      "user": { "data": { "type": "user", "id": "USER_ID" } },
      "role": { "data": { "type": "role", "id": "ROLE_ID" } }
    }
  }
}
```

OAuth Clients

```
GET    /api/clients      # List clients
GET    /api/clients/:id  # Get client
POST   /api/clients      # Register client
PATCH  /api/clients/:id  # Update client
DELETE /api/clients/:id  # Delete client
```

Register Client

```json
{
  "data": {
    "type": "client",
    "attributes": {
      "name": "My App",
      "client_type": "confidential",
      "redirect_uris": ["https://myapp.example.com/callback"],
      "grant_types": ["authorization_code", "refresh_token"],
      "token_format": "jwt",
      "first_party": false
    }
  }
}
```

| Field | Values |
|---|---|
| client_type | confidential, public |
| grant_types | authorization_code, client_credentials, refresh_token |
| token_format | jwt, opaque |
| redirect_uris | Up to 10 URLs |

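
A pre-flight lint for the client registration document above, as an added example that is not part of the Paylent documentation or code base. The allowed values come from the field table; the RFC 6749 checks and the https-only redirect policy are assumptions of this example rather than documented Paylent behaviour, and `lint_client` is a hypothetical helper name.

```python
from urllib.parse import urlsplit

# Allowed values copied from the field table on this page.
CLIENT_TYPES = {"confidential", "public"}
GRANT_TYPES = {"authorization_code", "client_credentials", "refresh_token"}
TOKEN_FORMATS = {"jwt", "opaque"}
MAX_REDIRECT_URIS = 10

def lint_client(doc):
    """Return a list of problems in a JSON:API client registration document."""
    problems = []
    data = doc.get("data", {})
    if data.get("type") != "client":
        problems.append("data.type must be 'client'")
    attrs = data.get("attributes", {})
    ctype, grants = attrs.get("client_type"), attrs.get("grant_types", [])
    uris = attrs.get("redirect_uris", [])
    if ctype not in CLIENT_TYPES:
        problems.append("client_type must be confidential or public")
    if attrs.get("token_format") not in TOKEN_FORMATS:
        problems.append("token_format must be jwt or opaque")
    unknown = sorted(set(grants) - GRANT_TYPES)
    if unknown:
        problems.append(f"unknown grant_types: {unknown}")
    # RFC 6749 section 4.4: client_credentials is for confidential clients only.
    if ctype == "public" and "client_credentials" in grants:
        problems.append("public client must not use client_credentials")
    if "authorization_code" in grants and not uris:
        problems.append("authorization_code needs at least one redirect_uri")
    if len(uris) > MAX_REDIRECT_URIS:
        problems.append(f"more than {MAX_REDIRECT_URIS} redirect_uris")
    for uri in uris:
        parts = urlsplit(uri)
        # Assumed local policy: https only, plain http allowed on loopback.
        loopback = parts.hostname in {"localhost", "127.0.0.1", "::1"}
        if parts.scheme != "https" and not (parts.scheme == "http" and loopback):
            problems.append(f"redirect_uri is not https: {uri}")
        # RFC 6749 forbids fragments; wildcards are rejected as local policy.
        if parts.fragment or "*" in uri:
            problems.append(f"redirect_uri has fragment or wildcard: {uri}")
    return problems

# Constructed sample: a public client with three mistakes.
SAMPLE = {"data": {"type": "client", "attributes": {
    "name": "Mobile App", "client_type": "public", "token_format": "jwt",
    "grant_types": ["authorization_code", "client_credentials"],
    "redirect_uris": ["http://app.example.com/cb", "https://*.example.com/cb"]}}}
if __name__ == "__main__":
    print("\n".join(lint_client(SAMPLE)))
```
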
Resource Servers

```
GET    /api/resource-servers      # List resource servers
GET    /api/resource-servers/:id  # Get resource server
POST   /api/resource-servers      # Create resource server
PATCH  /api/resource-servers/:id  # Update resource server
DELETE /api/resource-servers/:id  # Delete resource server
```

System resource servers (like the Management API) cannot be updated or deleted.

Scopes
Scopes belong to a resource server. See API Resources for details.

```
GET    /api/scopes      # List scopes
GET    /api/scopes/:id  # Get scope
POST   /api/scopes      # Create scope
PATCH  /api/scopes/:id  # Update scope
DELETE /api/scopes/:id  # Delete scope
```

Create Scope

```json
{
  "data": {
    "type": "scope",
    "attributes": {
      "name": "read:users",
      "description": "Read user profiles"
    },
    "relationships": {
      "resource_server": {
        "data": { "type": "resource_server", "id": "RESOURCE_SERVER_ID" }
      }
    }
  }
}
```

Signing Keys

```
GET    /api/signing-keys                 # List signing keys
GET    /api/signing-keys/:id             # Get signing key
POST   /api/signing-keys                 # Generate new key pair
PATCH  /api/signing-keys/:id/deactivate  # Deactivate key
DELETE /api/signing-keys/:id             # Delete key
```

Keys are RSA256. When a new key is generated, it automatically becomes the primary signing key. Deactivating the current primary promotes the next active key.

Organizations

```
GET    /api/organizations      # List organizations
GET    /api/organizations/:id  # Get organization (includes member_count)
POST   /api/organizations      # Create organization
DELETE /api/organizations/:id  # Delete organization
```

Memberships

```
GET    /api/memberships      # List memberships
GET    /api/memberships/:id  # Get membership
POST   /api/memberships      # Create membership
DELETE /api/memberships/:id  # Delete membership
```

Each user can have one membership per organization.

Invitations

```
GET    /api/invitations             # List invitations
GET    /api/invitations/:id         # Get invitation
POST   /api/invitations             # Create invitation
PATCH  /api/invitations/:id/revoke  # Revoke invitation
DELETE /api/invitations/:id         # Delete invitation
```

Invitations include email, role_ids, status (pending/accepted/declined/revoked), and expires_at. Acceptance and decline are handled via separate endpoints:

```
POST /invitations/:id/accept
POST /invitations/:id/decline
```