Team

Invite and manage org members. JWT-only.

Roles

The exact permission matrix lives in core.permissions; the docs above cover the per-endpoint guard.

GET /v1/org/members

List members in join order. Returns the user record joined with their membership role.

curl https://api.receipts.oligontech.com/v1/org/members \
  -H "Authorization: Bearer $JWT"

Response — 200 OK

[
  {
    "user_id":    "01HQX...",
    "email":      "ana@example.com",
    "full_name":  "Ana Costa",
    "role":       "owner",
    "created_at": "2026-05-20T09:00:00+00:00"
  }
]

POST /v1/org/members

Send an invitation email. The recipient accepts via POST /v1/auth/accept-invite. No user account is created here — that happens on accept.

Request body

curl https://api.receipts.oligontech.com/v1/org/members \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d '{"email":"bob@example.com","role":"developer"}'

Response — 201 Created

{
  "id":          "01HQX...",
  "email":       "bob@example.com",
  "role":        "developer",
  "expires_at":  "2026-06-16T12:00:00+00:00",
  "accepted_at": null,
  "created_at":  "2026-06-09T12:00:00+00:00"
}

409 conflict if the email is already a member of this org.

PATCH /v1/org/members/{user_id}

Change a member's role.

curl -X PATCH https://api.receipts.oligontech.com/v1/org/members/01HQX... \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d '{"role":"admin"}'

Returns the updated MemberOut. Refuses to demote the last owner with 400 validation_error. 404 not_found if the member doesn't exist in this org.

DELETE /v1/org/members/{user_id}

Remove a member from the org. As a safety side-effect, any active API keys that user created in this org are revoked (revoked_at = now).

curl -X DELETE https://api.receipts.oligontech.com/v1/org/members/01HQX... \
  -H "Authorization: Bearer $JWT"

Returns 204 No Content. 400 validation_error if you try to remove yourself. 404 not_found if the membership doesn't exist.