Users

| Endpoint | Method | Scope | Token Tier | Description |
|---|---|---|---|---|
| /api/v1/users/ | GET | user:read | Both | List all users (paginated) |
| /api/v1/users/ | POST | user:write | App-level only | Create a new user |
| /api/v1/users/<id>/credentials/ | GET | user:read | Both | List credentials for a user |
| /api/v1/users/<id>/ | DELETE | user:write | App-level only | Delete a user |

Try it out

Explore parameters, schemas, and live requests in the Swagger UI.

List Users

Returns a paginated list of all users owned by the authenticated application. Supports pagination and sorting by created_at.

User-scoped tokens

When using a user-scoped token, this endpoint returns only the user the token is bound to.

Create User

Create a new user managed by your application. Users created via this endpoint are managed by the OAuth2 application and cannot log in directly (password is randomly generated).

If a user with the same email already exists, the API returns 409 Conflict.

App-level token required

This endpoint requires an app-level token. Requests with a user-scoped token will receive 403 Forbidden.

Optional Attributes

You can also provide these optional attributes when creating a user:

  • locale: Optional. Defaults to en. Uses a supported BCP 47 language tag. Supported values are en, en-GB, en-AU, en-CA, ja, fr, pt, de, es, and it. This locale is used in messages that explain the reason for price changes in the booking review endpoint (not yet available).

Example

{
  "data": {
    "type": "users",
    "attributes": {
      "first-name": "John",
      "last-name": "Doe",
      "email": "john@example.com",
      "locale": "en-GB"
    }
  }
}

List User Credentials

Returns the login credentials that are visible for the requested user.

  • App-level tokens can list all credentials for the user.
  • User-scoped tokens default to the bound credential. Admin credentials can list all credentials for that user; non-admin credentials only see themselves.
  • Each credential object has its own id. Use that credential_id when requesting a user-scoped token that must enforce one credential's visibility and grants.
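The token-tier and scope rules from the endpoint table, together with the credential visibility rules above, modeled as a default-deny check. This is an added example, not this API's own code: the `Token` fields, the function names and the sample credential ids are hypothetical, and denying a request whose token lacks the listed scope is an assumption drawn from the Scope column.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Access matrix copied from the endpoint table on this page:
# (method, path pattern, required scope, app-level token required)
ROUTES = [
    ("GET",    r"/api/v1/users/",                   "user:read",  False),
    ("POST",   r"/api/v1/users/",                   "user:write", True),
    ("GET",    r"/api/v1/users/[^/]+/credentials/", "user:read",  False),
    ("DELETE", r"/api/v1/users/[^/]+/",             "user:write", True),
]

@dataclass(frozen=True)
class Token:  # hypothetical shape; the page does not define token fields
    tier: str                            # "app" or "user"
    scopes: frozenset
    credential_id: Optional[str] = None  # bound credential (user-scoped only)
    is_admin: bool = False               # bound credential is an admin

def check(method, path, token):
    """Return (allowed, reason) for a request against the table above."""
    for m, pattern, scope, app_only in ROUTES:
        if m == method and re.fullmatch(pattern, path):
            if app_only and token.tier != "app":
                # The page documents 403 Forbidden for this case.
                return False, "app-level token required"
            if scope not in token.scopes:
                # Assumption: a token without the listed scope is rejected.
                return False, "missing scope " + scope
            return True, "ok"
    return False, "unknown route"  # default deny for anything not listed

def visible_credentials(token, credential_ids):
    """Apply the List User Credentials visibility rules."""
    if token.tier == "app" or token.is_admin:
        return list(credential_ids)
    # Non-admin user-scoped token: only the bound credential is visible.
    return [c for c in credential_ids if c == token.credential_id]

if __name__ == "__main__":
    # Constructed sample tokens and credential ids.
    member = Token("user", frozenset({"user:read", "user:write"}), "cred-2")
    print(check("POST", "/api/v1/users/", member))
    print(visible_credentials(member, ["cred-1", "cred-2"]))
```
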

Delete User

Soft-delete a user managed by your application. This anonymizes the user's email, disables all enabled listings, removes managed accounts, and marks the user as deleted.

Returns 204 No Content on success.

App-level token required

This endpoint requires an app-level token. Requests with a user-scoped token will receive 403 Forbidden.