Identity: Organizations & Teams

APIs for organizations and the teams inside them. Organizations own clusters, contracts, and billing scope; teams provide per-org grouping with role-based permissions. All authorization checks are OpenFGA-backed (relationship-based), so access to each endpoint depends on the caller’s role in the organization or team.

All routes are served under the /api/v1 prefix. Most endpoints authenticate with a personal access token sent as Authorization: token <YOUR_TOKEN> (it may also be supplied as a token or access_token query parameter). A few read endpoints are public (no auth) and return only what an anonymous caller may see — this is called out per endpoint.

Organizations own clusters, contracts, and billing scope. Teams provide per-org grouping with role-based permissions (all checks are OpenFGA-backed).

MethodPathAuthDescription
POST/api/v1/orgsTokenCreate an organization
PATCH/api/v1/orgs/claim/:claimIDToken; AppsCode-hostedClaim a standalone (marketplace) organization
GET/api/v1/orgs/claim/Site admin; marketplace/dev modeGet standalone-org claim ID
GET/api/v1/orgs/:orgnameOrg contextGet organization details
PATCH/api/v1/orgs/:orgnameToken + authzCheck(edit:org)Edit an organization
DELETE/api/v1/orgs/:orgnameToken + authzCheck(delete:org)Delete an organization
GET/api/v1/orgs/:orgname/user/:usernameOrg contextCheck if a user exists in the org
GET/api/v1/orgs/:orgname/is-ownerOrg contextCheck if requester is org owner
GET/POST/api/v1/orgs/:orgname/avatar/, POST /avatar/deleteauthzCheck(view/update/delete:avatar)Manage org avatar
GET/api/v1/orgs/:orgname/membersOrg contextList members
POST/api/v1/orgs/:orgname/members/action/:actionOrg membershipMember actions (invite, etc.)
GET/api/v1/orgs/:orgname/members/:usernameOrg contextCheck membership
DELETE/api/v1/orgs/:orgname/members/:usernameOrg ownership + authzCheck(admin:org)Remove a member
GET/api/v1/orgs/:orgname/public_members, /:usernameOrg contextPublic membership info
PUT/DELETE/api/v1/orgs/:orgname/public_members/:usernameOrg membershipPublicize / conceal membership
GET/POST/api/v1/orgs/:orgname/teamsOrg membership + authzList / create teams
POST/api/v1/orgs/:orgname/teams/:teamid/action/:actionOrg membership + authzTeam actions
GET/POST/DELETE/api/v1/orgs/:orgname/rancher/sync-tokenauthzCheck(sync-token perms)Manage Rancher org sync token
GET/POST/DELETE/api/v1/orgs/:orgname/rancher/user-tokenauthzCheck (deprecated)Manage Rancher user token
GET/api/v1/orgs/:orgname/tokens/access-tokens/authzCheck(list:access-token)List org access tokens
DELETE/api/v1/orgs/:orgname/tokens/access-tokens/:idauthzCheck(delete:access-token)Delete org access token
GET/api/v1/orgs/:orgname/tokens/nats-tokens/authzCheck(list:nats-token)List org NATS tokens
POST/api/v1/orgs/:orgname/tokens/nats-tokens/:id/revokeauthzCheck(revoke:nats-token)Revoke org NATS token
GET/PATCH/DELETE/api/v1/teams/:teamidauthzCheck(view/edit/delete:team)Manage a team
GET/api/v1/teams/:teamid/members, /:usernameauthzCheck(view)List / get team members
PUT/DELETE/api/v1/teams/:teamid/members/:usernameauthzCheck(add/remove:team-member)Add / remove team member

Pages

  • Organizations — the /api/v1/orgs/* endpoints: create/claim organizations, get/edit/delete an org, ownership and membership checks, member management, avatars, Rancher sync/user tokens, and org access/NATS tokens.
  • Teams — the /api/v1/orgs/{orgname}/teams and /api/v1/teams/{teamid}/* endpoints: list/create teams, team actions, and team member management.