Users
The external merchant API does not currently expose user record endpoints. User management remains a first-party surface.
In the multi-auth model, a user is identity only. Authorization is derived from memberships and the bound merchant or organization scope, not from treating external API traffic as a user session.
External API keys are merchant-scoped machine credentials. They do not act as individual users and cannot read or mutate user profiles through /v1/users.
What This Means For External Integrations#
- External API keys authenticate as a merchant-scoped machine principal
- The key creator is audit metadata, not the runtime authorization subject
- Public
/v1routes do not expose user profile CRUD - Merchant and organization access decisions are evaluated from Flint's internal membership model
