Users

The external merchant API does not currently expose user record endpoints. User management remains a first-party surface.

In the multi-auth model, a user is identity only. Authorization is derived from memberships and the bound merchant or organization scope, not from treating external API traffic as a user session.

External API keys are merchant-scoped machine credentials. They do not act as individual users and cannot read or mutate user profiles through /v1/users.

What This Means For External Integrations#

  • External API keys authenticate as a merchant-scoped machine principal
  • The key creator is audit metadata, not the runtime authorization subject
  • Public /v1 routes do not expose user profile CRUD
  • Merchant and organization access decisions are evaluated from Flint's internal membership model
Rate this doc