All operations on this page require the manage_company permission and the user making the API call to be a member of a company.

The User Object

  // The unique ID of the user.
  "id": "8bbf3c1b-8d5a-4c75-996c-f3daa12c1b91",

  "company_id": "6f0fba3f-65dc-4d17-8a5d-98f9441ff150",

  // The email address of the user. Case sensitive.
  "email": "",

  "email_confirmed_at": "2019-07-11T13:42:00Z", // timestamp string

  "first_name": "John",
  "last_name": "Doe",

  // The creation or registration time of the user.
  "created_at": "2019-07-11T13:42:00Z", // timestamp string

  "permissions": [

GET /users

Return all users within the company as a paginated list.

POST /users

Creates a new user and returns it. The user will become a member of the company the requesting user is a member of.

Example request:

    // The email address that the user should use to log in.
    "email": "",

    // If set to true, the user's email address is automatically confirmed.
    // Otherwise, the user should confirm their email address before being able
    // to sign in.
    "email_confirmed": true

    // If set, create the user with a user name instead of an email address. It
    // is not allowed to use an '@' character in user names.
    // It is not allowed to set an email address if this option is used.
    // Internally, the username is translated to a case sensitive email address
    // with the '@triage.local` suffix. This suffix should therefore be added
    // when logging in.
    "username": "foo",

    "password": "correcthorsebatterystaple",

    // The set of premissions that the user should have. See the user object
    // documentation for which values are accepted here.
    "permissions": ["view_samples". "submit_samples"]


Create a user with a username which is allowed to submit samples via the API:

$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
    -X POST
    --data-raw '{"username":"foo","first_name":"foo","last_name":"bar",\
# Response:
# {
#   "id": "16410a3e-fc32-44ee-820f-06ca5c99ef03",
#   "company_id": "7dd3c863-622b-4a67-a2f8-9a87ddeea5bb",
#   "email": "foo@triage.local",
#   "email_confirmed_at": "2019-07-24T15:06:39.753258246+02:00",
#   "first_name": "foo",
#   "last_name": "bar",
#   "created_at": "2019-07-24T13:06:39.753257501Z",
#   "permissions": ["view_samples","submit_samples","access_api"]
# }


  • 409, "USER_ALREADY_REGISTERED", if there already is a user with the specified email address registered.

GET /users/{userID}

Queries a single user by its ID, username or email address.

DELETE /users/{userID}

Delete a user and all associated data, invalidating any sessions and removing their API keys. Any samples submitted by this user are kept.

The user making the request is not allowed to delete themselves.


  • 404, "NOT_FOUND", if the user does not exist.
  • 409, "DELETE_SELF", if the user attempted to delete themselves.

POST /users/{userID}/apikeys

Creates a new key can be used to make API calls on behalf of the specified user. The user should have been granted the access_api permission beforehand.

This call is idempotent, meaning that if an API key with a conflicting name is already present, it is returned instead.


curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
    -X POST
    --data-raw '{"name":"myclient"}'
# Response:
# {
#   "name": "foo",
#   "key": "SGllciBuaWV0IHBvZXBlbiBhLnUuYi4K"
# }


  • 404, "NOT_FOUND", if the user does not exist.
  • 409, "MISSING_PERMISSION", if the user does not have the access_api permission.

GET /users/{userID}/apikeys

Lists all API keys that the user has.

Example response

  "data": [
      "name": "foo",
      "key": "SGllciBuaWV0IHBvZXBlbiBhLnUuYi4K"

DELETE /users/{userID}/apikeys/{apikeyName}

Delete the user's API key with the specified name.


  • 404, "NOT_FOUND", if the user does not exist or if the API key does not exist.