client.users¶
Bases: SyncResource
Sync users namespace (client.users).
create ¶
create(*, email: str, first_name: str, last_name: str, password: str, role: WorkspaceRole | str = WorkspaceRole.MEMBER) -> User
Create a ready-to-login member directly — programmatic SEEDING only
(admin; 201). No email is sent; the account is created with the given
password. Humans join via client.invitations.create + their in-app
accept (ADR-0113).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
email
|
str
|
login email for the seeded account; must be unique within the workspace (409 USER_EMAIL_TAKEN otherwise). |
required |
first_name
|
str
|
given name on the new user's profile. |
required |
last_name
|
str
|
family name on the new user's profile. |
required |
password
|
str
|
initial password the account logs in with; must satisfy the identity provider's strength rules. |
required |
role
|
WorkspaceRole | str
|
workspace role to grant — |
MEMBER
|
Raises:
| Type | Description |
|---|---|
ForbiddenError
|
caller is not a workspace admin (AUTH_FORBIDDEN). |
ConflictError
|
email already a member (USER_EMAIL_TAKEN) or user quota reached (RESOURCE_LIMIT_EXCEEDED). |
UnprocessableError
|
invalid email/name/password (incl. WorkOS password-strength rejection). |
leave ¶
Leave this workspace (204). The account survives; the membership and its API keys go. The last admin can't leave (400 LAST_ADMIN).
remove ¶
Remove a member from this workspace (admin; 204). Removing yourself
is :meth:leave; the last admin is guarded (400 LAST_ADMIN).
Raises:
| Type | Description |
|---|---|
NotFoundError
|
unknown user id (USER_NOT_FOUND). |
BadRequestError
|
target is yourself, or the last admin (LAST_ADMIN). |
update_me ¶
Edit your own first/last name (only the fields you pass change).
Email and password have dedicated flows (email is IdP-managed; use
:meth:change_my_password for the password).
change_my_password ¶
Change your own password (204, returns nothing).
previous_password is re-verified against the identity provider before
new_password is set.
Raises:
| Type | Description |
|---|---|
AuthenticationError
|
the current password is wrong (AUTH_INVALID_CREDENTIAL). |
BadRequestError
|
the account has no password credential to rotate (BAD_REQUEST). |
UnprocessableError
|
the request body is malformed (empty fields / new password below the minimum length). |
list ¶
list(*, q: str | None = None, role: WorkspaceRole | str | None = None, limit: int | None = None, cursor: str | None = None) -> Page[User]
List workspace users, newest first (cursor-paginated; iterate for all).
Open to any tenant user (not admin-only).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
q
|
str | None
|
case-insensitive substring matched against email + first/last name. |
None
|
role
|
WorkspaceRole | str | None
|
filter to |
None
|
Raises:
| Type | Description |
|---|---|
BadRequestError
|
malformed pagination cursor (INVALID_CURSOR). |
UnprocessableError
|
invalid |
update_role ¶
Change a workspace user's role (admin-only).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
role
|
WorkspaceRole | str
|
the new workspace role — |
required |
Raises:
| Type | Description |
|---|---|
ForbiddenError
|
caller is not a workspace admin (AUTH_FORBIDDEN). |
NotFoundError
|
no such user in this tenant (USER_NOT_FOUND). |
BadRequestError
|
would demote the only remaining admin (BAD_REQUEST) — promote a replacement first. |
Response models¶
Models returned by client.users methods (fields, types, and what each means).
User domain models.
OWNERSHIP (STYLE.md): this module owns User (the full workspace-user row) and
UserSummary (the compact reference other domains embed). It sits LOW in the
type-module dependency order (common ← jobs ← users ← …) so later domains —
project members, asset state, comments — import UserSummary from here rather
than re-declaring it.