Skip to main content

Users

Users are the core authentication and authorization entities in Taruvi Cloud. Each user can belong to multiple organizations and have access to multiple sites with different permission levels.

Username-Based URLs

All user endpoints use username-based URLs (e.g., /api/cloud/users/john.doe/) for accessing and managing user resources. UUIDs are still supported for identification purposes.

Overview

A user represents an individual account in Taruvi Cloud. Users can:

  • Authenticate: Login via JWT, session, or OAuth
  • Multi-Organization: Belong to multiple organizations
  • Multi-Tenant: Access multiple sites with different permissions
  • Role-Based: Have different roles and permissions per organization/site
  • Profile Management: Manage personal information and settings

Key Features

Authentication

Taruvi supports multiple authentication methods:

  • JWT Tokens: Stateless authentication for APIs
  • Session Auth: Cookie-based for browsable API
  • OAuth/Social: Google, GitHub, and other providers

Multi-Organization Membership

Users can be members of multiple organizations:

  • Different roles per organization
  • Independent permissions per organization
  • Cross-organization collaboration

Site Access

Users can access multiple sites within organizations:

  • Site-specific permissions
  • Tenant-aware operations
  • Isolated data access per site

Soft Delete

Users are soft-deleted for audit trail:

  • is_active: Controls login access
  • is_deleted: Marks as deleted but preserves data
  • Restoration capability

User Model

Fields

FieldTypeDescription
idintegerPrimary key
uuidUUIDUnique identifier (read-only)
usernamestringUnique username (required, used in URLs)
emailstringEmail address (required, unique)
first_namestringFirst name (optional)
last_namestringLast name (optional)
is_activebooleanUser can login
is_staffbooleanAdmin access
is_superuserbooleanFull permissions
is_deletedbooleanSoft delete flag
date_joineddatetimeAccount creation date (read-only)
last_logindatetimeLast login timestamp (read-only)

Using Users

Listing Users

Get all users:

curl -X GET "https://your-site.taruvi.cloud/api/cloud/users/?organization_slug=acme-corp&is_active=true" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Response (200 OK):

{
  "count": 25,
  "next": null,
  "previous": null,
  "results": [
    {
      "id": 1,
      "uuid": "550e8400-e29b-41d4-a716-446655440000",
      "username": "john.doe",
      "email": "[email protected]",
      "first_name": "John",
      "last_name": "Doe",
      "is_active": true,
      "is_staff": false,
      "is_superuser": false,
      "is_deleted": false,
      "date_joined": "2024-01-15T10:30:00Z"
    }
  ]
}

Query Parameters:

  • search: Search by username, email, name
  • is_active: Filter by active status (true, false, or all)
  • is_staff: Filter by staff status
  • organization_slug: Filter by organization membership
  • organization_uuid: Filter by organization UUID (alternative to slug)
  • ordering: Sort results (e.g., username, -date_joined)
Organization Context & Visibility Rules

When filtering by organization, visibility depends on your role:

  • Organization Admin/Owner: See all members in the organization
  • User with manage_organization permission: See all members
  • Regular member: See only yourself
  • No organization filter + view_user permission: See all users
  • No organization filter + no permission: See only yourself

Creating a User

Create a new user account:

curl -X POST https://your-site.taruvi.cloud/api/cloud/users/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "username": "jane.smith",
    "email": "[email protected]",
    "password": "SecurePassword123!",
    "first_name": "Jane",
    "last_name": "Smith"
  }'

Response (201 Created):

{
  "id": 2,
  "uuid": "650e8400-e29b-41d4-a716-446655440001",
  "username": "jane.smith",
  "email": "[email protected]",
  "first_name": "Jane",
  "last_name": "Smith",
  "is_active": true,
  "is_deleted": false,
  "date_joined": "2024-01-20T14:20:00Z"
}

Retrieving User Details

Get details of a specific user:

curl -X GET https://your-site.taruvi.cloud/api/cloud/users/john.doe/ \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Response (200 OK):

{
  "id": 1,
  "uuid": "550e8400-e29b-41d4-a716-446655440000",
  "username": "john.doe",
  "email": "[email protected]",
  "first_name": "John",
  "last_name": "Doe",
  "is_active": true,
  "is_staff": false,
  "is_superuser": false,
  "is_deleted": false,
  "date_joined": "2024-01-15T10:30:00Z",
  "organizations": [
    {
      "slug": "acme-corp",
      "name": "Acme Corporation",
      "role": "member"
    }
  ]
}

Updating a User

Update user information:

curl -X PUT https://your-site.taruvi.cloud/api/cloud/users/john.doe/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "first_name": "John",
    "last_name": "Smith",
    "email": "[email protected]"
  }'

Partial update:

curl -X PATCH https://your-site.taruvi.cloud/api/cloud/users/john.doe/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{"first_name": "Johnny"}'

Deleting a User (Soft Delete)

Soft delete a user:

curl -X DELETE https://your-site.taruvi.cloud/api/cloud/users/john.doe/ \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
Soft Delete Behavior

User deletion is a soft delete operation:

  • Sets is_deleted=true and is_active=false
  • User data is preserved for audit trail
  • User cannot login after deletion
  • All organization memberships are removed (hard deleted)
  • Users cannot delete themselves
  • Non-superusers cannot delete superusers

Deactivating a User

Deactivate without deleting:

curl -X PATCH https://your-site.taruvi.cloud/api/cloud/users/john.doe/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{"is_active": false}'

Organization Membership

Adding User to Organization

curl -X POST https://your-site.taruvi.cloud/api/cloud/organizations/acme-corp/members/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{"user_id": "john.doe"}'

Listing Organization Members

curl -X GET https://your-site.taruvi.cloud/api/cloud/organizations/acme-corp/members/ \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Removing User from Organization

curl -X DELETE https://your-site.taruvi.cloud/api/cloud/organizations/acme-corp/members/john.doe/ \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Site Permissions

Users can have specific permissions for sites within organizations:

curl -X POST https://your-site.taruvi.cloud/api/cloud/organizations/acme-corp/members/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "user_id": "john.doe",
    "sites": [
      {
        "slug": "production-site",
        "permissions": ["view_site", "manage_site"]
      },
      {
        "slug": "staging-site",
        "permissions": ["view_site"]
      }
    ]
  }'

User-Site Relationship Management

Taruvi provides bidirectional APIs to manage user-site relationships using django-guardian permissions. These APIs allow you to:

  • User → Sites: Manage which sites a user can access
  • Site → Users: Manage which users have access to a site
Bidirectional Access

You can manage the same relationships from either direction:

  • /api/cloud/users/{username}/sites/ - Manage sites for a specific user
  • /api/cloud/sites/{site_slug}/users/ - Manage users for a specific site

User → Sites API

Manage site assignments for a specific user.

List User's Sites

Get all sites a user has access to with their permissions:

curl -X GET "https://your-site.taruvi.cloud/api/cloud/users/john.doe/sites/?search=production" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Response (200 OK):

{
  "success": true,
  "data": [
    {
      "slug": "production-site",
      "name": "Production Site",
      "permissions": ["view_site", "access_site"]
    },
    {
      "slug": "staging-site",
      "name": "Staging Site",
      "permissions": ["view_site"]
    }
  ],
  "total": 2,
  "message": "User sites retrieved successfully"
}

Query Parameters:

  • search: Search by site name (case-insensitive)
  • name: Filter by exact site name
  • name__contains: Filter by name containing string

Add Sites to User

Add multiple sites to a user (non-destructive, preserves existing assignments):

curl -X POST https://your-site.taruvi.cloud/api/cloud/users/john.doe/sites/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "sites": [
      {
        "slug": "site-1",
        "permissions": ["view_site", "access_site"]
      },
      {
        "slug": "site-2"
      }
    ]
  }'

Response (200 OK):

{
  "success": true,
  "data": {
    "assigned_sites": 2
  },
  "message": "Successfully assigned 2 site(s) to user"
}
Default Permissions

If permissions are not specified, view_site is assigned by default.

Valid Permissions:

  • view_site - View site information
  • access_site - Access site resources
  • manage_site - Manage site settings
  • manage_site_users - Manage site user permissions
  • admin_site - Full site administration

Replace All Sites for User

Replace all site assignments (atomic operation):

curl -X PUT https://your-site.taruvi.cloud/api/cloud/users/john.doe/sites/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "sites": [
      {
        "slug": "site-1",
        "permissions": ["view_site"]
      }
    ]
  }'

Response (200 OK):

{
  "success": true,
  "data": {
    "total_sites": 1
  },
  "message": "Successfully replaced site assignments (1 sites)"
}
Destructive Operation

PUT replaces ALL existing site assignments. Use an empty array to remove all site permissions.

Remove Sites from User

Remove multiple sites from a user (batch operation):

curl -X DELETE https://your-site.taruvi.cloud/api/cloud/users/john.doe/sites/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "sites": ["site-1", "site-2", "site-3"]
  }'

Response (200 OK):

{
  "success": true,
  "message": "Removed 3 site(s) from user (6 permissions deleted)"
}

Site → Users API

Manage user assignments for a specific site.

List Site's Users

Get all users with access to a site:

curl -X GET "https://your-site.taruvi.cloud/api/cloud/sites/production-site/users/?search=john" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Response (200 OK):

{
  "success": true,
  "data": [
    {
      "username": "john.doe",
      "email": "[email protected]",
      "name": "John Doe",
      "permissions": ["view_site", "access_site", "manage_site"]
    },
    {
      "username": "jane.smith",
      "email": "[email protected]",
      "name": "Jane Smith",
      "permissions": ["view_site"]
    }
  ],
  "total": 2,
  "message": "Site users retrieved successfully"
}

Query Parameters:

  • search: Search by username, email, first name, or last name

Add Users to Site

Add multiple users to a site (non-destructive):

curl -X POST https://your-site.taruvi.cloud/api/cloud/sites/production-site/users/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "users": [
      {
        "username": "john.doe",
        "permissions": ["view_site", "access_site"]
      },
      {
        "username": "jane.smith"
      }
    ]
  }'

Response (200 OK):

{
  "success": true,
  "data": {
    "assigned_users": 2
  },
  "message": "Successfully assigned 2 user(s) to site"
}

Replace All Users for Site

Replace all user assignments (atomic operation):

curl -X PUT https://your-site.taruvi.cloud/api/cloud/sites/production-site/users/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "users": [
      {
        "username": "john.doe",
        "permissions": ["admin_site"]
      }
    ]
  }'

Remove Users from Site

Remove multiple users from a site:

curl -X DELETE https://your-site.taruvi.cloud/api/cloud/sites/production-site/users/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "users": ["john.doe", "jane.smith"]
  }'

Response (200 OK):

{
  "success": true,
  "message": "Removed 2 user(s) from site (4 permissions deleted)"
}

Permission Model

Who can manage user-site relationships:

  • Superusers: Can manage any user's site assignments
  • Organization Admins/Owners: Can manage user-site relationships within their organization
  • Users with manage_organization permission: Can manage relationships within their organization
  • Self-view: Users can view (but not modify) their own site assignments

Validation Rules:

  • Sites must belong to the same organization as the user
  • Users must be members of the organization that owns the site
  • Self-modification is not allowed (users cannot modify their own site assignments)
  • Cross-organization assignments are denied

Use Cases

Onboarding a New Team Member:

# Add user to organization first
curl -X POST https://your-site.taruvi.cloud/api/cloud/organizations/acme-corp/members/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{"user_id": "john.doe"}'

# Then assign site access
curl -X POST https://your-site.taruvi.cloud/api/cloud/users/john.doe/sites/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "sites": [
      {"slug": "production", "permissions": ["view_site"]},
      {"slug": "staging", "permissions": ["view_site", "access_site"]}
    ]
  }'

Bulk User Assignment to New Site:

curl -X POST https://your-site.taruvi.cloud/api/cloud/sites/new-project/users/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "users": [
      {"username": "john.doe", "permissions": ["admin_site"]},
      {"username": "jane.smith", "permissions": ["view_site", "access_site"]},
      {"username": "bob.johnson", "permissions": ["view_site"]}
    ]
  }'

Role Change (Promotion to Site Admin):

# Replace existing permissions with admin
curl -X PUT https://your-site.taruvi.cloud/api/cloud/users/john.doe/sites/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "sites": [
      {"slug": "production", "permissions": ["admin_site"]}
    ]
  }'

Offboarding User:

# Remove all site access
curl -X DELETE https://your-site.taruvi.cloud/api/cloud/users/john.doe/sites/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "sites": ["production", "staging", "development"]
  }'

Groups

Users can be assigned to groups for shared permissions:

Platform-Level Groups

# Get user with groups
curl -X GET https://your-site.taruvi.cloud/api/cloud/users/john.doe/ \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Response includes groups:

{
  "uuid": "550e8400-e29b-41d4-a716-446655440000",
  "username": "john.doe",
  "groups": [
    {
      "id": 1,
      "name": "Developers"
    }
  ]
}

Organization-Level Groups

Assign users to organization-specific groups:

curl -X POST https://your-site.taruvi.cloud/api/cloud/organizations/acme-corp/members/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "user_id": "john.doe",
    "group_ids": [1, 2]
  }'

Authentication

JWT Authentication

Get access token:

curl -X POST https://your-site.taruvi.cloud/api/cloud/auth/jwt/token/ \
  -H "Content-Type: application/json" \
  -d '{"username": "john.doe", "password": "your-password"}'

Response:

{
  "access": "eyJ0eXAiOiJKV1QiLCJhbGc...",
  "refresh": "eyJ0eXAiOiJKV1QiLCJhbGc...",
  "user": {
    "uuid": "550e8400-e29b-41d4-a716-446655440000",
    "username": "john.doe",
    "email": "[email protected]"
  }
}

Use in requests:

curl -X GET https://your-site.taruvi.cloud/api/cloud/users/john.doe/ \
  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGc..."

Refresh Token

curl -X POST https://your-site.taruvi.cloud/api/cloud/auth/jwt/token/refresh/ \
  -H "Content-Type: application/json" \
  -d '{"refresh": "eyJ0eXAiOiJKV1QiLCJhbGc..."}'

Verify Token

curl -X POST https://your-site.taruvi.cloud/api/cloud/auth/jwt/token/verify/ \
  -H "Content-Type: application/json" \
  -d '{"token": "eyJ0eXAiOiJKV1QiLCJhbGc..."}'

Logout (Blacklist Token)

curl -X POST https://your-site.taruvi.cloud/api/cloud/auth/jwt/token/blacklist/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{"refresh": "eyJ0eXAiOiJKV1QiLCJhbGc..."}'

OAuth/Social Authentication

Taruvi supports OAuth authentication with various providers:

  • Google OAuth
  • GitHub OAuth
  • Other social providers

See Social Authentication Documentation for setup and usage.

Permissions

User-level permissions:

PermissionDescription
view_userView user details
add_userCreate new users
change_userUpdate user information
delete_userDelete users

Users also inherit permissions from:

  • Organization membership
  • Group assignments
  • Site-specific permissions

Best Practices

  1. Unique Usernames: Ensure usernames are unique and descriptive
  2. Strong Passwords: Enforce strong password policies
  3. Email Verification: Verify email addresses during signup
  4. Soft Deletes: Deactivate users instead of hard deleting
  5. Least Privilege: Grant minimum required permissions
  6. Regular Audits: Review user access and permissions regularly
  7. MFA: Implement multi-factor authentication for sensitive accounts
  8. Session Management: Set appropriate token expiration times

Security Considerations

  • Password Storage: Passwords are hashed using Django's default hasher (PBKDF2)
  • Token Expiration: JWT tokens have configurable expiration
  • Rate Limiting: Login attempts are rate-limited
  • Permission Checks: All operations check object-level permissions
  • Audit Trail: User actions are logged for compliance

Common Workflows

User Registration Flow

  1. User submits registration form
  2. Create user account (inactive by default)
  3. Send verification email
  4. User clicks verification link
  5. Activate user account
  6. User can login

Organization Onboarding

  1. Create organization
  2. Send invitation to users
  3. Users accept invitation
  4. Assign users to groups
  5. Grant site-specific permissions
  6. Users can access organization resources

Password Reset

  1. User requests password reset
  2. System sends reset email
  3. User clicks reset link
  4. User sets new password
  5. Previous tokens are invalidated

Error Responses

User Not Found

{
  "detail": "Not found.",
  "code": "not_found",
  "status_code": 404
}

Duplicate Username

{
  "username": ["A user with that username already exists."],
  "code": "unique_constraint",
  "status_code": 400
}

Permission Denied

{
  "detail": "You do not have permission to perform this action.",
  "code": "permission_denied",
  "status_code": 403
}

Invalid Credentials

{
  "detail": "No active account found with the given credentials",
  "code": "invalid_credentials",
  "status_code": 401
}