List pending invitations for the active org
Returns every still-pending invitation for the active organization, newest first. Existence of the row IS the pending state; accepted invitations are deleted on first sign-in.
List pending invitations for the active org › Responses
Pending invitations
created_at
email
id
invited_by
organization_id
role_names
workspace_id

Invite a teammate to the active org
Sends a Keycloak-hosted invitation email to the supplied address and records the role names to apply on acceptance. Re-inviting the same address replaces the previous pending role intent. Empty role_names defaults to no_access.
Invite a teammate to the active org › Responses
Persisted invitation
created_at
email
id
invited_by
organization_id
role_names
workspace_id

Revoke a pending invitation
Cancels a pending invitation: deletes the kontorion row and best-effort removes the matching Keycloak org-invitation so the action token in the user's inbox stops working. Already-accepted invitations don't exist as rows - remove the user via the membership API instead.
path Parameters
id: Invitation ID
Revoke a pending invitation › Responses
Revoked
Get the current organization profile
Returns the organization profile resolved from the caller's auth context (name, slug, default locale, etc.).
Get the current organization profile › Responses
Organization profile
billing_email
business_address
created_at
default_currency
default_date_format
default_first_day_of_week
default_language
default_locale
default_number_format
default_timezone
id
legal_name
name
phone
slug
status
support_email
tax_registration_number

Update the current organization profile
Updates editable fields on the caller's organization profile. The default_locale must be one of the supported invoicing languages (en, de, fr, es, it, pt, nl, ja).
Update the current organization profile › Request Body
billing_email
business_address
default_country (DefaultCountry): ISO 3166-1 alpha-2 (two uppercase letters) or empty string to clear. Mirrors the public-checkout cascade described on Organization.DefaultCountry.
default_currency
default_date_format
default_first_day_of_week
default_language: Locale & formatting cascade defaults, which feed the per-field cascade users see in the dashboard. Each nullable; empty payload leaves the stored value untouched (COALESCE in UPDATE below).
default_locale
default_number_format
default_timezone
legal_name
name
phone
support_email
tax_inclusive (TaxInclusive): tenant default for the public checkout page's tax-display toggle. Same nullable-pointer convention as the rest of this struct; pass NULL on the wire (i.e. omit the field) to leave the stored value unchanged.
tax_registration_number
Update the current organization profile › Responses
Updated organization
billing_email
business_address
created_at
default_currency
default_date_format
default_first_day_of_week
default_language
default_locale
default_number_format
default_timezone
id
legal_name
name
phone
slug
status
support_email
tax_registration_number

Create a new workspace (organization)
Provisions a new organization and mints its first API key. Mode determines the key prefix - "live" mints sk_live_, "sandbox" mints sk_test_. The plaintext key is returned once.
Create a new workspace (organization) › Request Body
billing_email
default_currency
default_locale
name
slug
Create a new workspace (organization) › Responses
Created organization with one-shot API key
api_key

Get the active org's security settings
Returns the per-org auth policy: require_mfa, allowed_idps, allowed_email_domains, session_timeout_seconds. Empty arrays mean "no restriction." See the policy package for enforcement semantics.
Get the active org's security settings › Responses
Security settings
allowed_email_domains
allowed_idps
created_at
jit_default_role
jit_enabled
organization_id
require_mfa
session_timeout_seconds
updated_at

Update the active org's security settings
Partial update - fields omitted from the body are left unchanged. Empty arrays clear the restriction (no allowed_idps / allowed_email_domains). Setting require_mfa=true takes effect on the next request; existing sessions whose access token's amr claim lacks an MFA method receive 403 MFA_REQUIRED until they re-auth with MFA.
Update the active org's security settings › Request Body
allowed_email_domains
allowed_idps
jit_default_role
jit_enabled
require_mfa
session_timeout_seconds
Update the active org's security settings › Responses
Updated security settings
allowed_email_domains
allowed_idps
created_at
jit_default_role
jit_enabled
organization_id
require_mfa
session_timeout_seconds
updated_at
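The partial-update and require_mfa rules described for the security settings endpoints, as an added Go example that is not the project's own code. The type and function names, the sample IdP value, and the set of amr values treated as MFA methods (mfa, otp, hwk, as named in RFC 8176) are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type Settings struct { // subset of the stored security settings
	RequireMFA  bool
	AllowedIDPs []string
}

// Patch is the request body: nil pointer = field omitted, empty slice = clear.
type Patch struct {
	RequireMFA  *bool     `json:"require_mfa"`
	AllowedIDPs *[]string `json:"allowed_idps"`
}

// ApplyPatch applies only the fields present in the request body.
func ApplyPatch(cur Settings, body []byte) (Settings, error) {
	var p Patch
	if err := json.Unmarshal(body, &p); err != nil {
		return cur, err
	}
	if p.RequireMFA != nil {
		cur.RequireMFA = *p.RequireMFA
	}
	if p.AllowedIDPs != nil {
		cur.AllowedIDPs = *p.AllowedIDPs
	}
	return cur, nil
}

// CheckMFA: 403 MFA_REQUIRED if MFA is required and amr has no MFA method (assumed set).
func CheckMFA(s Settings, amr []string) (int, string) {
	ok := !s.RequireMFA
	for _, m := range amr {
		ok = ok || m == "mfa" || m == "otp" || m == "hwk"
	}
	if ok {
		return 200, ""
	}
	return 403, "MFA_REQUIRED"
}

func main() {
	cur, _ := ApplyPatch(Settings{AllowedIDPs: []string{"google"}}, []byte(`{"require_mfa":true}`))
	fmt.Println(CheckMFA(cur, []string{"pwd"})) // constructed amr: password only
}
```

Because the check reads the current settings on each call, a session authenticated with a password alone is rejected as soon as require_mfa is set, while allowed_idps stays untouched until a body explicitly sends an empty array.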