Invitations
Purpose
Invitations control who can register for an application. They are required
when the application’s signup policy is set to invite_only. Without a
valid invitation, the signup endpoint rejects registration.
Creating Invitations
In the admin console, enter email addresses (one per line) and send:

POST /api/admin/applications/tobby/invitations

Each invitation creates a record with:
- A unique token (inv_xxx)
- A 7-day expiration
- A configurable role (default: member)
- An optional message
Invitation States
| State | Meaning |
|---|---|
| pending | Invitation sent, awaiting registration |
| accepted | User registered using this invitation |
| expired | Invitation passed its expiration date |
| cancelled | Admin revoked the invitation |
Signup Flow with Invitation
1. Admin creates invitation for [email protected]
   → Invitation token stored in DB
2. User receives invitation link:
   https://auth.example.com/invite?token=inv_xxx
3. User clicks link → redirected to signup page
   → Token is validated
   → User completes registration
   → ApplicationUser created with status=active
   → Invitation status set to "accepted"

Revoking Invitations
Pending invitations can be revoked from the admin console. Revoked invitations return an error if the recipient attempts to use the link.
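
The token check in the signup flow and the revocation behaviour above can be sketched as follows. This is an added example, not the project's own code: the in-memory `STORE`, the function names and `InvitationError` are hypothetical, and expiring lazily at redeem time is an assumption.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INVITE_TTL = timedelta(days=7)  # 7-day expiration, as stated on this page

@dataclass
class Invitation:
    email: str
    token: str
    expires_at: datetime
    role: str = "member"      # default role from this page
    status: str = "pending"   # pending | accepted | expired | cancelled

class InvitationError(Exception):
    """Raised when a token cannot be used for signup."""

STORE = {}  # hypothetical in-memory stand-in for the invitations table

def create_invitation(email, role="member", now=None):
    now = now or datetime.now(timezone.utc)
    # Unguessable token from the OS CSPRNG, with the inv_ prefix shown above
    token = "inv_" + secrets.token_urlsafe(32)
    inv = Invitation(email, token, now + INVITE_TTL, role)
    STORE[token] = inv
    return inv

def revoke_invitation(token):
    inv = STORE.get(token)
    if inv and inv.status == "pending":   # only pending invitations can be revoked
        inv.status = "cancelled"

def redeem_invitation(token, now=None):
    """Validate the token at signup, mark it accepted, return the role to assign."""
    now = now or datetime.now(timezone.utc)
    inv = STORE.get(token)
    if inv is None:
        raise InvitationError("invalid invitation")
    if inv.status == "pending" and now >= inv.expires_at:
        inv.status = "expired"            # assumption: expire lazily on first late use
    if inv.status != "pending":
        # accepted (already used), expired and cancelled all fail identically,
        # so the response does not reveal which state the token is in
        raise InvitationError("invalid invitation")
    inv.status = "accepted"               # single use: a second redeem is rejected
    return inv.role
```

Against a real database, the pending-to-accepted transition should be one conditional update (update only where status is still pending) so that two concurrent signups cannot both redeem the same token.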