The Users tab is where you find, inspect, and manage the people signed up to your application. It's the page support uses to investigate "I can't log in" and the page security uses to suspend a compromised account.
```bash
# List with search and pagination
curl 'https://your-app.authaz.io/api/v1/users?search=acme.com&pageSize=20' \
  -H "X-API-Key: $AUTHAZ_API_KEY"
```
Every role assignment, both global and tenant-scoped. The page shows the role name, scope, and an Unassign button. The header has Assign role with a searchable picker.
Every active session — device, IP, location (best-effort), last activity. Each row has a Revoke button; the page header has Revoke all sessions for the nuclear option.
Recent events from the audit log filtered to this user. Sign-ins, role changes, MFA setup, password resets — anything attributable to or affecting them.
Suspending blocks all new sign-ins and refresh-token requests. Existing access tokens stay valid until they expire (default 15 minutes); nothing recalls an access token that has already been issued. Pair suspension with sessions/revoke so the user's sessions are torn down as well, and treat the access-token lifetime as the earliest point at which the account is fully locked out.
```bash
# Suspend
curl -X POST https://your-app.authaz.io/api/v1/users/{userId}/suspend \
  -H "X-API-Key: $AUTHAZ_API_KEY"

# Reactivate
curl -X POST https://your-app.authaz.io/api/v1/users/{userId}/activate \
  -H "X-API-Key: $AUTHAZ_API_KEY"
```
```bash
curl -X POST https://your-app.authaz.io/api/v1/users/{userId}/mfa/reset \
  -H "X-API-Key: $AUTHAZ_API_KEY"
```
This wipes the user's TOTP secret and recovery codes. They will be forced to re-enroll on their next sign-in. Always pair this with a real identity-verification step on your side; an MFA reset handed out on the strength of a chat message is exactly the social-engineering path an attacker will try.
```bash
# All sessions
curl -X POST https://your-app.authaz.io/api/v1/users/{userId}/sessions/revoke \
  -H "X-API-Key: $AUTHAZ_API_KEY"

# A specific session
curl -X DELETE https://your-app.authaz.io/api/v1/users/{userId}/sessions/{sessionId} \
  -H "X-API-Key: $AUTHAZ_API_KEY"
```
Revoked sessions are unusable immediately: refresh-token requests against them fail. Any short-lived access token already in the wild is not recalled; it stops working only when it expires, which with the default lifetime is at most 15 minutes after the revocation.
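Putting the suspend and revoke calls above together, here is an added example (not Authaz's own code and not from this page) of a containment runbook in Python for a compromised account. It suspends first, so the attacker cannot sign in or refresh while the remaining steps run, then revokes every session, optionally resets MFA, and records the instant after which no already-issued access token can still be valid. It assumes the endpoints shown on this page, the default 15-minute access-token lifetime, the `AUTHAZ_API_KEY` variable the page uses, and a hypothetical `AUTHAZ_BASE_URL` variable holding your `https://your-app.authaz.io` origin; the `transport` parameter exists so the runbook can be exercised against a fake server.

```python
"""Containment runbook for a compromised Authaz account (added example).

Order matters: suspend first (blocks new sign-ins and refresh-token requests),
then revoke every session, then optionally reset MFA so the attacker's
authenticator is dropped. None of these recalls an access token that has
already been issued, so the runbook also records the moment after which no
previously issued access token can still be valid.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

# Default access-token lifetime stated on this page; override if your app differs.
ACCESS_TOKEN_TTL = timedelta(minutes=15)


def default_transport(method, url, api_key, body=None):
    """Send one Management API request with urllib.

    Returns (http_status, decoded JSON body or None). HTTP errors are returned
    as their status code rather than raised, so the caller can record them.
    """
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-API-Key", api_key)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def contain_account(user_id, *, base_url, api_key, reset_mfa=False,
                    transport=default_transport, now=None):
    """Run the containment steps in order; return a record for the incident timeline.

    Stops at the first failing step so the partial state is visible in the
    record instead of being silently skipped.
    """
    now = now or datetime.now(timezone.utc)
    steps = [
        ("POST", f"/api/v1/users/{user_id}/suspend"),          # block sign-in and refresh
        ("POST", f"/api/v1/users/{user_id}/sessions/revoke"),  # tear down every session
    ]
    if reset_mfa:
        steps.append(("POST", f"/api/v1/users/{user_id}/mfa/reset"))  # drop attacker's TOTP

    record = {
        "user_id": user_id,
        "started_at": now.isoformat(),
        # No access token issued before containment can outlive this instant.
        "tokens_dead_after": (now + ACCESS_TOKEN_TTL).isoformat(),
        "steps": [],
        "ok": True,
    }
    for method, path in steps:
        status, _ = transport(method, base_url.rstrip("/") + path, api_key)
        ok = 200 <= status < 300
        record["steps"].append({"method": method, "path": path, "status": status, "ok": ok})
        if not ok:
            record["ok"] = False
            break
    return record


if __name__ == "__main__":
    # Usage: AUTHAZ_BASE_URL=https://your-app.authaz.io AUTHAZ_API_KEY=... \
    #        python contain.py user_01h... [--reset-mfa]
    # AUTHAZ_BASE_URL is an assumed variable name, not one defined by Authaz.
    result = contain_account(
        sys.argv[1],
        base_url=os.environ["AUTHAZ_BASE_URL"],
        api_key=os.environ["AUTHAZ_API_KEY"],
        reset_mfa="--reset-mfa" in sys.argv[2:],
    )
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

Keep the printed record with your incident notes: `tokens_dead_after` is the earliest time you can state that the attacker holds no working credential for this account, and the per-step statuses show whether the account is actually in the state you think it is.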
Soft delete — the user record stays in the database (anonymized) so audit logs remain attributable, but the account is no longer usable and is hidden from the dashboard.
For hard deletion (GDPR right to be forgotten), pass ?hard=true on the delete request. This removes the user, their sessions, their roles and their API keys, and overwrites their identifiers in the audit log with a tombstone, so the audit trail keeps its shape but no longer identifies the person.
When a user has lost everything (no password, no MFA, no recovery codes), they hit a wall. Authaz provides a structured recovery flow rather than ad-hoc admin overrides:
1. The user submits a recovery request from Universal Login: their email, plus optional context.
2. Admins see Account Recovery Requests in the dashboard with the request details.
3. Admins approve (after verifying identity out of band) or deny.
4. If approved, the user gets an email with a one-time link to set a new password and re-enroll MFA.
Every step is in the audit log — useful when investigating "did anyone improperly recover this account?".
In multi-tenant apps, a user belongs to one or more tenants. The Users tab can be filtered by tenant, and the Management API has tenant-scoped variants:
```bash
# List users in a specific tenant
curl https://your-app.authaz.io/api/v1/applications/{appId}/tenants/{tenantId}/users \
  -H "X-API-Key: $AUTHAZ_API_KEY"

# Add an existing user to a tenant
curl -X POST https://your-app.authaz.io/api/v1/applications/{appId}/tenants/{tenantId}/users \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "userId": "user_01h..." }'

# Remove from a tenant (does not delete the user)
curl -X DELETE https://your-app.authaz.io/api/v1/applications/{appId}/tenants/{tenantId}/users/{userId} \
  -H "X-API-Key: $AUTHAZ_API_KEY"
```
In the isolated-pool tenancy mode, users belong to exactly one tenant and the global Users tab segments them per tenant; in shared-pool, users can belong to many.