Skip to content
Book demoStart free

Documentation · API

Members API

8 min read · REST reference · Updated 2026-05-21

REST8 minShare
Documentation sections

The Members API manages every human in your workspace: tenant members, host staff, guests, and trial users. It's the source of truth for tier assignment, role gating, and the per-member booking allowance.

Two flavours of identity exist in our model — profiles (the platform identity, one per email) and company_members (the per-tenant membership row linking a profile to a specific tenant with a role + tier). This API hides the distinction by default; you opt in to the lower level via ?expand=profile.

Members are not the same as users in our auth layer. A user can be a member in many workspaces with different tiers. Always scope reads + writes by the workspace your token is issued for.

Section 1

Authentication scope

members:read · members:write · members:invite

The Members API uses three distinct scopes so you can mint least-privilege keys for each integration:

  • members:read — list, retrieve, search.
  • members:write — update fields, change tier, change role (excludes owner transfer).
  • members:invite — create new member rows + send invite emails.

Owner transfer is intentionally not API-callable — it must be done from the operator dashboard with two-factor confirmation. This isn't about API surface area; it's about preventing a single compromised key from rotating workspace ownership.

who_am_i.curl
bash
# Inspect your token's scopes
curl https://api.litehq.com/v1/auth/whoami \
  -H 'Authorization: Bearer sk_live_...'

# {
#   "workspace_id": "ws_strand",
#   "scopes": ["members:read", "members:write"],
#   "key_prefix": "sk_live_LX",
#   "created_at": "2026-03-12T08:00:00Z"
# }

Section 2

Listing members

GET /v1/members

Cursor-paginated, like every list endpoint we ship. Default sort is joined_at desc. Useful filters:

  • tierbasic | plus | pro | enterprise.
  • statusactive | trialing | paused | cancelled.
  • company_id — for chain operators, scope to a single tenant.
  • q — free-text search across name + email.
  • include_archived — default false; set true for off-boarding audits.
list_members.curl
bash
curl -G https://api.litehq.com/v1/members \
  -H 'Authorization: Bearer sk_live_...' \
  --data-urlencode 'tier=plus' \
  --data-urlencode 'status=active' \
  --data-urlencode 'limit=100'
member_object.json
json
{
  "id": "mem_J7P3kQ",
  "name": "Anya Rivera",
  "email": "anya@tidelabs.co",
  "tier": "plus",
  "status": "active",
  "role": "member",
  "company": { "id": "co_tide", "name": "Tide Labs" },
  "joined_at": "2025-11-04T09:30:00Z",
  "tokens": { "balance": 124, "monthly_grant": 40 }
}

Section 3

Creating members

POST /v1/members

Two flavours of create exist depending on whether you want the member to receive an invite email or be silently added (e.g. when you've already onboarded them via your own flow):

  • Invite flowsend_invite: true (default). Generates a magic-link, emails the member.
  • Silent provisionsend_invite: false. Creates the row in status=active immediately; you handle the welcome via your own channel.
create_member.curl
bash
curl -X POST https://api.litehq.com/v1/members \
  -H 'Authorization: Bearer sk_live_...' \
  -H 'Content-Type: application/json' \
  -d '{
    "email": "anya@tidelabs.co",
    "name": "Anya Rivera",
    "tier": "plus",
    "company_id": "co_tide",
    "send_invite": true
  }'
create_member.node
ts
const member = await litehq.members.create({
  email: 'anya@tidelabs.co',
  name: 'Anya Rivera',
  tier: 'plus',
  companyId: 'co_tide',
  sendInvite: true,
});

console.log(member.id, member.status);
// mem_J7P3kQ  invited
Invites expire after 7 days. If a member misses the window, POST /v1/members/{id}/resend-invite— stale tokens are never reused, a fresh one is issued.

Section 4

Updating tiers + roles

PATCH /v1/members/{id} · prorates immediately

Two fields drive the bulk of member changes:

  • tierbasic, plus, pro, enterprise. Tier upgrades prorate immediately via the workspace's Stripe subscription; downgrades take effect at the next billing cycle.
  • rolemember, admin, billing_contact. Owner is excluded from API mutation as noted in section 1.
upgrade_member.curl
bash
curl -X PATCH https://api.litehq.com/v1/members/mem_J7P3kQ \
  -H 'Authorization: Bearer sk_live_...' \
  -H 'Content-Type: application/json' \
  -d '{
    "tier": "pro",
    "tier_change_reason": "client_upgrade_request"
  }'

The optional tier_change_reason field is stored in the audit log and surfaces in Settings → Audit logfor compliance. We accept any string ≤ 256 chars; pick a vocabulary that's greppable.

Tier changes hit the workspace's Stripe subscription, not the individual. Members on the same tier share the same per-seat line item. If you're billing members individually, you're using us in an unusual way — talk to us first.

Section 5

Bulk operations

POST /v1/members.bulk — up to 1000 ops per request

Bulk endpoints let you import, update, or off-board large groups in one round-trip. The request takes an array of operations; the response includes per-op success + error rows so partial failures are recoverable.

bulk_import.curl
bash
curl -X POST https://api.litehq.com/v1/members.bulk \
  -H 'Authorization: Bearer sk_live_...' \
  -H 'Content-Type: application/json' \
  -d '{
    "operations": [
      { "op": "create", "email": "a@co.com", "tier": "plus" },
      { "op": "create", "email": "b@co.com", "tier": "plus" },
      { "op": "update", "id": "mem_X1", "tier": "pro" },
      { "op": "archive", "id": "mem_X2" }
    ]
  }'
bulk_import.response
json
{
  "results": [
    { "op": "create", "status": "ok", "id": "mem_new1" },
    { "op": "create", "status": "ok", "id": "mem_new2" },
    { "op": "update", "status": "ok", "id": "mem_X1" },
    { "op": "archive", "status": "error",
      "error": { "code": "member_not_found", "message": "..." } }
  ],
  "summary": { "ok": 3, "error": 1 }
}
For Nexudus / Cobot / OfficeRnD migrations we have a dedicated CSV importer in the operator dashboard — faster than bulk-API for one-shot migrations because it handles ID mapping for you.

Section 6

Webhooks for member events

HMAC-SHA256 signed · idempotent on event.id

Member webhooks fire on the same endpoint as bookings + billing — the differentiator is event.type. Subscribe by passing event_types when registering the endpoint.

MethodPath / eventPurpose
EVTmember.invitedInvite created, email queued.
EVTmember.activatedMember completed signup from invite link.
EVTmember.updatedName, email, or tier changed.
EVTmember.tier_changedTier mutation — fires alongside updated.
EVTmember.role_changedRole mutation — fires alongside updated.
EVTmember.archivedOff-boarded; row preserved for audit.
EVTmember.deletedHard delete (rare — GDPR right-to-erasure).
member.tier_changed always fires before the Stripe proration webhook for the same workspace. If your downstream system needs to settle invoices ahead of tier transitions, sequence on these two events.

Section 7

Permissions matrix

Reference · who can do what

These are the per-role capabilities enforced server-side by RLS and edge-function scope checks. UI affordances mirror them — if the API rejects, the UI will too.

CapabilityMemberAdminOwner
Read own profile
Update own profile
Read other members' profiles
Invite new members
Change another member's tier
Change another member's role
Archive a member
Hard-delete (GDPR)
Transfer workspace ownership
Read billing invoices
Manage API keys
Configure SSO / SAML
Owner-only capabilities can't be lifted with an admin API key — even with a key minted by the owner. That's deliberate: API keys are escalation-bounded by the role of the key issuer, not the role of the resource being acted on.

Next steps

Members are sorted. What’s next?