Identity API

Get account by ID Requires permission: Platform admin, tenant admin, or querying own account

List saved addresses for a specific account as admin.

List all roles for a specific account

List accounts for tenant admin panel. Supports filtering by role (customer, driver, vendor, operator), account status, and search term. Results are paginated. # Authorization Requires TenantAdmin or PlatformAdmin role.

List sessions with optional filters (admin only). Requires TenantAdmin or PlatformAdmin role.

List all partnerships the current user has access to. Returns partnerships where the user has been granted a role with entity_kind = Partnership. This is used by the client to show a partnership switcher UI.

List the authenticated account's registered passkeys.

List staff members of a partnership. Returns all accounts that have been granted roles scoped to the specified partnership. Useful for viewing and managing partnership staff. Requires: TenantAdmin, PlatformAdmin, or operating in the partnership context.

Resolve the RP for the caller. Preferred path: the SDK sends x-app / x-role headers from init (they describe the client binary, available regardless of auth state). The resolver reads RequestContext.app / .role. The app / role_kind args are a fallback for clients that haven't migrated to header-based identity yet — they override the context values when present. Once every client sends the headers the args can be dropped.

Get a permission set by ID

Get a permission set by code. Uses the tenant from the request context.

List permission sets by context. Uses the tenant from the request context.

Reset an account's password as admin. If the account has an existing password credential, the hash is updated. If no password credential exists, one is created. Requires TenantAdmin or PlatformAdmin role.

Cancel a pending account deletion request

Confirm a password reset by submitting either the 6-digit code or the opaque URL token, plus the new password. Revokes all active sessions for the account on success.

Create a new account as admin.

Create a new permission set.

Delete the current user's account based on their account type policy

Delete a permission set by ID.

Grant staff access to a partnership. This allows adding staff members to a partnership. The staff member will be able to switch to this partnership context and perform operations based on their assigned role. Requires: TenantAdmin, PlatformAdmin, PartnershipOwner, or PartnershipManager role.

Grant a role to an account

Start a self-service password reset by email. Always returns success regardless of whether the email matches an account — clients should always proceed to the confirm screen and rely on confirmPasswordReset to validate the code or token.

Mint a single-shot elevation token after re-verifying the caller's password. Attach the returned token to the danger-zone mutation as X-Elevation: <token>. The token expires after 5 minutes or on first successful use, whichever comes sooner.

Revoke staff access from a partnership. This removes a staff member's role for the partnership. They will no longer be able to switch to this partnership context. Requires: TenantAdmin, PlatformAdmin, PartnershipOwner, or PartnershipManager role.

Revoke a role from an account

Begin a passwordless email-OTP login. The supplied email must belong to an existing, phone-registered, email-verified account in the resolved tenant — anything else returns a typed error (EMAIL_NOT_REGISTERED / EMAIL_NOT_VERIFIED) and the client should route the user back to phone-based registration.

Start email verification by sending an OTP code to the provided email. Requires authentication.

Begin enrolling a passkey for the authenticated account.

Switch to a different partnership context or clear partnership context. When switching to a partnership, the system verifies the user has a role with entity_kind=Partnership and entity_id=partnershipId. If authorized, new tokens are issued with the partnership context embedded. Pass null partnershipId to clear partnership context and return to personal account mode.

Transfer the TenantOwner role from the calling account to another account in the same tenant. Requires a fresh step-up elevation token (Phase 3). The client first calls requestStepUp(password) to mint a 5-minute single-shot JWT, then attaches it as X-Elevation: <token> on this mutation. If the header is missing, malformed, or the token has already been consumed, the mutation returns STEP_UP_REQUIRED so the client can prompt for re-auth.

Update an account's profile fields as admin.

Update an account's status (Active/Blocked) as admin.

Update an existing permission set.

Verify the OTP from startEmailLogin and mint a session. Returns the same AuthFlowResponse shape as verifyOtp, so the client can dispatch on AuthSuccess / RestoreAccountRequired without branching on which channel sent the code.

Verify an email OTP code to confirm the email address. Requires authentication.