Users

Publisher end-user identity (upsert, lookup, ban).

📄️List tenant end-users (cursor paginated)

Returns a cursor-paginated list of publisher end-users for the resolved tenant. Dual-auth: API-key path requires an admin key; admin-JWT path mirrors the same response.

📄️Fetch a tenant end-user by internal UUID

Returns a single end-user identified by the internal Edgar UUID. Returns 404 if the user does not exist. Mirrored under admin-JWT and admin-API-key paths.

📄️Anonymise a tenant end-user (GDPR erasure)

Strips personally identifiable information from the user record and marks them `anonymized`. Irreversible. Requires the `anonymize_users` capability (both auth paths). Idempotent — re-running with the same `Idempotency-Key` replays the original response.

📄️Ban a tenant end-user

Marks the end-user as banned; they can no longer post, react, or vote. Idempotent — repeated calls remain a no-op on an already-banned user. Requires the `ban_users` capability (both auth paths).

📄️Shadow-ban a tenant end-user

Marks the user as shadow-banned — their posts appear to them but are hidden from other readers. Idempotent. Requires the `ban_users` capability (both auth paths).

📄️Lift a ban or shadow-ban on a tenant end-user

Restores a banned or shadow-banned user to active status. Idempotent. Requires the `ban_users` capability (both auth paths).

📄️List tenant end-users (cursor paginated)

Returns a cursor-paginated list of publisher end-users for the resolved tenant. Dual-auth: API-key path requires an admin key; admin-JWT path mirrors the same response.

📄️Upsert a publisher end-user

Idempotent upsert keyed by the tenant-scoped `user_id` (external identity from the publisher SDK). Creates on first call, updates `display_name` on subsequent calls. Intended to be fired whenever a logged-in end-user interacts with widgets. **Rejected with 409 on verify-mode tenants** — identity is provisioned from the signed assertion, not this endpoint.

📄️Fetch a tenant end-user by internal UUID

Returns a single end-user identified by the internal Edgar UUID. Returns 404 if the user does not exist. Mirrored under admin-JWT and admin-API-key paths.

📄️Anonymise a tenant end-user (GDPR erasure)

Strips personally identifiable information from the user record and marks them `anonymized`. Irreversible. Requires the `anonymize_users` capability (both auth paths). Idempotent — re-running with the same `Idempotency-Key` replays the original response.

📄️Ban a tenant end-user

Marks the end-user as banned; they can no longer post, react, or vote. Idempotent — repeated calls remain a no-op on an already-banned user. Requires the `ban_users` capability (both auth paths).

📄️Shadow-ban a tenant end-user

Marks the user as shadow-banned — their posts appear to them but are hidden from other readers. Idempotent. Requires the `ban_users` capability (both auth paths).

📄️Lift a ban or shadow-ban on a tenant end-user

Restores a banned or shadow-banned user to active status. Idempotent. Requires the `ban_users` capability (both auth paths).

📄️Fetch a publisher end-user by external id

Looks up a tenant-scoped user by the publisher-supplied `externalId`. Returns 404 when the id has never been upserted.