COMPLETE and the organization is live, you can add more users — accountants, ops staff, additional owners, anyone who needs to log in — without putting any of them through the application flow. These are authorized users.
When you need them
- The signed-up business has more than one person who needs access. The controller did onboarding; a bookkeeper now needs read access to balances and transfers.
- A platform admin at your company (Northfield Software) needs to log into a customer’s organization for support — invite an admin user rather than impersonating the controller.
- You are migrating users from an existing system and want each one to land as their own identity rather than collapsing them all onto a shared login.
How it differs from the controller
The controller is a beneficial-owner-grade record on the application; an authorized user is a permission-grade record on the organization. Don’t try to add additional beneficial owners through this endpoint — those belong on the application’s
businessOwners array.
Creating an authorized user
POST /identity/v1/users creates the user inside an organization. The endpoint accepts both APP and USER tokens; your backend can mint users using its client-credentials token, or a user with the user:write:all scope can mint additional users from the organization itself.
Create an invited user
To create the user inside a child organization (a platform caller acting on behalf of a customer’s org), set
X-Organization-ID to that child org’s ID. Without the header, the user lands in the caller’s own organization.
Invitation vs immediate activation
INVITED— Tesouro emails the user a one-time invitation link. They follow the link, complete sign-in on their OIDC provider, and the platform marks themACTIVE. Use this when the user owns the email account and will set up their own access.ACTIVE— The user is created already-active and skips the invitation step. Use this when your platform is doing single sign-on and the user will arrive with a valid JWT — there is no separate sign-up step to run.
INVITED for too long can be re-sent the invitation; an ACTIVE user that needs to be paused can be disabled rather than deleted.
Calling Tesouro as an authorized user
Once a user isACTIVE, your backend can mint a JWT for them and either exchange it for a REST access token or wrap it in a widget JWE — the same two flows you use for the controller. Tesouro does not distinguish controller from authorized user at the token layer; what differs is the role and permission set you assigned at create time.