> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tesouro.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Creates a new user in the specified organization.

> Creates an ACTIVE or INVITED user in an organization accessible to the caller.
Creating a user in the caller's own organization requires the user:write:org scope.
Creating a user in another (downstream) organization additionally requires the user:write:all scope.

**Token types:** APP, USER | **Accepted scopes (any of):** `user:write:all`, `user:write:org`



## OpenAPI

````yaml /.tooling/schemas/rest/tags/product-embedded-banking.json post /identity/v1/users
openapi: 3.1.0
info:
  title: Tesouro Partner API
  version: '2025-06-23'
  description: The Tesouro REST API, for Tesouro partners to integrate with our solution.
  termsOfService: https://tesouro.com/terms
  contact:
    name: Tesouro team
    url: https://tesouro.com/about/
    email: developers@tesouro.com
servers:
  - url: https://api.sandbox.tesouro.com
    description: Sandbox
security: []
tags:
  - name: Applications
  - name: Bank Account Access
  - name: Bank Accounts
  - name: Beneficial Owners
  - name: Disclosures
  - name: Embedded Banking
  - name: External Bank Accounts
  - name: Identity
  - name: MoneyMovements
  - name: Organization
paths:
  /identity/v1/users:
    post:
      tags:
        - Identity
      summary: Creates a new user in the specified organization.
      description: >-
        Creates an ACTIVE or INVITED user in an organization accessible to the
        caller.

        Creating a user in the caller's own organization requires the
        user:write:org scope.

        Creating a user in another (downstream) organization additionally
        requires the user:write:all scope.


        **Token types:** APP, USER | **Accepted scopes (any of):**
        `user:write:all`, `user:write:org`
      operationId: CreateUser
      parameters:
        - name: X-Organization-ID
          in: header
          description: >-
            ID of the organization to scope this operation to. When omitted, the
            request creates the user in the caller's own organization. Must be a
            valid non-empty UUID. Present but empty or malformed values return
            400.
          schema:
            type: string
            format: uuid
      requestBody:
        description: Cancellation token.
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateUserRequestDto'
          text/json:
            schema:
              $ref: '#/components/schemas/CreateUserRequestDto'
          application/*+json:
            schema:
              $ref: '#/components/schemas/CreateUserRequestDto'
        required: true
      responses:
        '201':
          description: User created successfully.
          content:
            text/plain:
              schema:
                $ref: '#/components/schemas/CreateUserResponseDto'
            application/json:
              schema:
                $ref: '#/components/schemas/CreateUserResponseDto'
            text/json:
              schema:
                $ref: '#/components/schemas/CreateUserResponseDto'
        '400':
          description: Bad request - invalid or missing required fields.
          content:
            text/plain:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
            application/json:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
            text/json:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
        '401':
          description: Unauthorized - no valid JWT token provided.
          content:
            text/plain:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
            application/json:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
            text/json:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
        '403':
          description: Forbidden - caller lacks required scope.
          content:
            text/plain:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
            application/json:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
            text/json:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
        '422':
          description: >-
            Unprocessable entity - business rule violation (e.g. duplicate
            email, domain mismatch).
          content:
            text/plain:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
            application/json:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
            text/json:
              schema:
                $ref: '#/components/schemas/ProblemDetails'
        '500':
          description: Internal server error.
      security:
        - APPToken:
            - user:write:all
        - USERToken:
            - user:write:all
        - APPToken:
            - user:write:org
        - USERToken:
            - user:write:org
components:
  schemas:
    CreateUserRequestDto:
      required:
        - email
        - name
        - status
      type: object
      properties:
        address1:
          type:
            - 'null'
            - string
        address2:
          type:
            - 'null'
            - string
        city:
          type:
            - 'null'
            - string
        country:
          type:
            - 'null'
            - string
        email:
          type: string
        jobTitle:
          type:
            - 'null'
            - string
        name:
          type: string
        permissionIds:
          type:
            - 'null'
            - array
          items:
            type: string
            format: uuid
          description: >-
            Permission GUIDs to grant the user. Mutually exclusive with
            `permissionKeys`;

            exactly one must be supplied. Prefer `permissionKeys` for new
            integrations.
        permissionKeys:
          type:
            - 'null'
            - array
          items:
            $ref: '#/components/schemas/PermissionKey'
          description: >-
            Permission keys (e.g. `"user:write:org"`) to grant the user.
            Resolved server-side to the

            underlying permission IDs. Mutually exclusive with `permissionIds`;
            exactly one

            must be supplied.
        phoneNumber:
          type:
            - 'null'
            - string
        postalCode:
          type:
            - 'null'
            - string
        redirectUri:
          type:
            - 'null'
            - string
        reportingManagerUserId:
          type:
            - 'null'
            - string
          format: uuid
        stateOrProvince:
          type:
            - 'null'
            - string
        status:
          type: string
    CreateUserResponseDto:
      required:
        - createdAt
        - email
        - id
        - name
        - organizationId
        - status
      type: object
      properties:
        id:
          type: string
          format: uuid
        createdAt:
          type: string
          format: date-time
        email:
          type: string
        jobTitle:
          type:
            - 'null'
            - string
        name:
          type: string
        organizationId:
          type: string
          format: uuid
        reportingManagerUserId:
          type:
            - 'null'
            - string
          format: uuid
        status:
          type: string
    ProblemDetails:
      type: object
      properties:
        detail:
          type:
            - 'null'
            - string
        instance:
          type:
            - 'null'
            - string
        status:
          pattern: ^-?(?:0|[1-9]\d*)$
          type:
            - 'null'
            - integer
            - string
          format: int32
        title:
          type:
            - 'null'
            - string
        type:
          type:
            - 'null'
            - string
    PermissionKey:
      enum:
        - acceptor:application:read
        - acceptor:application:secondaryapproval
        - acceptor:application:write
        - accounting_config:read:org
        - accounting_config:write:org
        - acquiring:report:read
        - approval_policy:read:org
        - approval_policy:write:org
        - approval_request:create:org
        - approval_request:delete:org
        - approval_request:read:org
        - approval_request:update:org
        - authorization_control:read:org
        - bank_account:read:org
        - bank_account:write:org
        - bank_account_application:read:org
        - bank_account_application:write:org
        - beneficial_owner:read:org
        - comment:read:org
        - comment:write:org
        - counterpart:read:org
        - counterpart:write:org
        - credit_card:activate:org
        - credit_card:read:org
        - credit_card_application:read:org
        - credit_card_application:write:org
        - developer_portal
        - dispute:read
        - dispute:write
        - expense:approve:org
        - expense:read:org
        - expense:read:self
        - expense:write:org
        - expense:write:self
        - export:read:org
        - export:write:org
        - external_bank_account:micro_deposit:org
        - external_bank_account:read:org
        - external_bank_account:set_verification:org
        - external_bank_account:write:org
        - invoice:read:org
        - invoice:write:org
        - mailbox:read:org
        - mailbox:write:org
        - notification:subscription:read
        - notification:subscription:write
        - ocr_task:read:org
        - ocr_task:write:org
        - oidc:app:manage
        - oidc:app:read
        - oidc:app:write
        - org:write:all
        - organization:read:org
        - organization:write:org
        - organization_settings:read:org
        - organization_settings:write:org
        - partner_portal
        - payable:approve:org
        - payable:pay:org
        - payable:read:org
        - payable:write:org
        - payment_link:write
        - payment_rail:ach
        - payment_rail:fednow
        - payment_rail:rtp
        - payment_record:read:org
        - payment_record:write:org
        - product:read:org
        - product:write:org
        - role:read:org
        - role:write:org
        - transfer:write:org
        - underwriting:application:approval:escalation
        - underwriting:application:approval:secondary
        - underwriting:application:read
        - underwriting:application:write
        - user:read:org
        - user:read:self
        - user:write:all
        - user:write:org
        - user_profile:write:all
        - user_profile:write:self
      type: string
  securitySchemes:
    APPToken:
      type: oauth2
      description: Application (M2M) OAuth2 access token (client credentials).
      flows:
        clientCredentials:
          tokenUrl: /connect/token
          scopes:
            acceptor:application:read: >-
              View merchant boarding applications, including business and
              ownership details. Contains sensitive personally identifiable
              information.
            acceptor:application:secondaryapproval: >-
              Provide a secondary approval on merchant boarding and underwriting
              applications as part of a multi-step review.
            acceptor:application:write: >-
              Edit, approve, and manage merchant boarding and underwriting
              applications, and attach supporting documents.
            accounting_config:read:org: >-
              View ledger accounts, tax rates, cost centers, tags, and projects
              configured for your organization.
            accounting_config:write:org: >-
              Create and update ledger accounts, tax rates, cost centers, tags,
              and projects for your organization.
            acquiring:report:read: >-
              View transaction and settlement reports for your acquiring
              activity.
            approval_policy:read:org: >-
              View approval workflows and spending policies configured for your
              organization.
            approval_policy:write:org: >-
              Create and update approval workflows and spending policies for
              your organization.
            approval_request:create:org: >-
              Submit items for approval within your organization's approval
              workflows.
            approval_request:delete:org: Delete approval requests within your organization.
            approval_request:read:org: >-
              View pending and completed approval requests across your
              organization.
            approval_request:update:org: >-
              Edit and update existing approval requests within your
              organization.
            authorization_control:read:org: Read access to authorization control at the organization level.
            bank_account_application:read:org: >-
              View submitted applications to open bank accounts within your
              organization.
            bank_account_application:write:org: >-
              Submit and manage applications to open new bank accounts within
              your organization.
            bank_account:read:org: View bank account details and balances within your organization.
            bank_account:write:org: Create, update, and close bank accounts within your organization.
            beneficial_owner:read:org: >-
              View beneficial ownership information, including individuals'
              ownership stakes and identifying details.
            comment:read:org: >-
              View comments and notes added to financial records across your
              organization.
            comment:write:org: >-
              Add and manage comments and notes on financial records across your
              organization.
            counterpart:read:org: >-
              View the suppliers and clients your organization transacts with.
              Counterparts are required before creating invoices, quotes, and
              other financial documents.
            counterpart:write:org: >-
              Add and update the suppliers and clients your organization
              transacts with. Counterparts are required before creating
              invoices, quotes, and other financial documents.
            credit_card:activate:org: >-
              Activate newly issued credit cards for use within your
              organization.
            credit_card_application:read:org: View credit card applications submitted within your organization.
            credit_card_application:write:org: >-
              Submit and manage credit card applications within your
              organization.
            credit_card:read:org: >-
              View credit card details and status for cards in your
              organization.
            developer_portal: >-
              Access the Tesouro Developer Portal to view API documentation and
              manage developer resources.
            dispute:read: >-
              View payment disputes and any supporting documents attached to
              them.
            dispute:write: >-
              Accept or challenge payment disputes by uploading and submitting
              supporting evidence.
            email: ''
            expense:approve:org: >-
              Review and approve or reject expense reports submitted across your
              organization.
            expense:read:org: View expense reports and submissions across your organization.
            expense:read:self: View your own expense submissions and reports.
            expense:write:org: Create and update expense submissions across your organization.
            expense:write:self: Submit and update your own expense reports.
            export:read:org: >-
              View and download previously generated data exports for your
              organization.
            export:write:org: Generate and manage data exports for your organization.
            external_bank_account:micro_deposit:org: >-
              Initiate micro-deposit verification to confirm ownership of
              external bank accounts linked to your organization.
            external_bank_account:read:org: >-
              View external bank accounts that have been linked to your
              organization.
            external_bank_account:set_verification:org: >-
              Manually set the verification status of linked external bank
              accounts, bypassing the standard verification process.
            external_bank_account:write:org: >-
              Add, update, or remove external bank accounts linked to your
              organization.
            invoice:read:org: View invoices issued and received across your organization.
            invoice:write:org: Create, edit, and manage invoices across your organization.
            mailbox:read:org: >-
              View the email mailboxes configured to automatically capture
              incoming invoices as payables and collect expense receipts for
              your organization.
            mailbox:write:org: >-
              Configure email mailboxes that automatically capture incoming
              invoices as payables and collect expense receipts for your
              organization.
            notification:subscription:read: >-
              View active webhook and event notification subscriptions and their
              configurations.
            notification:subscription:write: >-
              Create, update, and delete webhook and event notification
              subscriptions.
            ocr_task:read:org: >-
              View the results and status of automated receipt and invoice
              scanning tasks.
            ocr_task:write:org: >-
              Submit and manage automated receipt and invoice scanning tasks for
              your organization.
            offline_access: ''
            oidc:app:manage: >-
              Add, edit, and remove access to OIDC applications and their
              scopes.
            oidc:app:read: Read only access to the OIDC applications and their scopes
            oidc:app:write: >-
              Add and edit - but not remove - access to OIDC applications and
              their scopes
            openid: ''
            organization:read:org: View your organization's profile and general details.
            organization_settings:read:org: View configuration settings for your organization.
            organization_settings:write:org: Update configuration settings for your organization.
            organization:write:org: Update your organization's profile and general details.
            org:write:all: >-
              Enable or disable organizations on the platform. This is a
              high-privilege permission typically reserved for platform
              administrators.
            partner_portal: >-
              Access the Tesouro Partner Portal to manage your partnership
              settings and sub-merchant configurations.
            payable:approve:org: >-
              Review and approve bills and accounts payable before they are
              paid.
            payable:pay:org: >-
              Authorize and submit payments for approved bills and accounts
              payable.
            payable:read:org: View bills and accounts payable across your organization.
            payable:write:org: >-
              Create and update bills and accounts payable across your
              organization.
            payment_link:write: >-
              Generate and manage shareable payment links to collect payments
              from customers.
            payment_processing: ''
            payment_rail:ach: Process payments via the ACH (Automated Clearing House) network.
            payment_rail:fednow: Process instant payments via the FedNow network.
            payment_rail:rtp: Process real-time payments via the RTP network.
            payment_record:read:org: >-
              View payment transaction history and records for your
              organization.
            payment_record:write:org: >-
              Record payments against invoices and manage their status,
              including marking payments as succeeded, cancelling, or moving
              them into processing.
            product:read:org: >-
              View the product and service catalog used for invoicing within
              your organization.
            product:write:org: >-
              Add and update products and services in your organization's
              invoicing catalog.
            profile: ''
            role:read:org: >-
              View user roles and their associated permissions within your
              organization.
            role:write:org: >-
              Create and update user roles and permission sets within your
              organization.
            transfer:write:org: Create and submit money transfers within your organization.
            underwriting:application:approval:escalation: >-
              Provide a senior-level escalation approval on underwriting
              applications that require additional review.
            underwriting:application:approval:secondary: >-
              Provide a second-level approval on underwriting applications as
              part of a multi-step review process.
            underwriting:application:read: >-
              View underwriting applications, including sensitive business
              details and personally identifiable information.
            underwriting:application:write: >-
              Edit, approve, and manage underwriting applications and decisions,
              and attach supporting documents.
            user_profile:write:all: >-
              Update profile information for any user across all organizations.
              This is a high-privilege permission typically reserved for
              platform administrators.
            user_profile:write:self: >-
              Update your own user profile, including your name, contact
              information, and preferences.
            user:read:org: View user accounts and their details within your organization.
            user:read:self: >-
              Read access to the user's own record and the name/email of their
              direct reports.
            user:write:all: >-
              Create and manage user accounts across multiple organizations.
              This is a high-privilege permission typically reserved for
              platform administrators.
            user:write:org: Create, update, and manage user accounts within your organization.
    USERToken:
      type: oauth2
      description: User OAuth2 access token (authorization code with PKCE).
      flows:
        authorizationCode:
          authorizationUrl: /connect/authorize
          tokenUrl: /connect/token
          scopes:
            acceptor:application:read: >-
              View merchant boarding applications, including business and
              ownership details. Contains sensitive personally identifiable
              information.
            acceptor:application:secondaryapproval: >-
              Provide a secondary approval on merchant boarding and underwriting
              applications as part of a multi-step review.
            acceptor:application:write: >-
              Edit, approve, and manage merchant boarding and underwriting
              applications, and attach supporting documents.
            accounting_config:read:org: >-
              View ledger accounts, tax rates, cost centers, tags, and projects
              configured for your organization.
            accounting_config:write:org: >-
              Create and update ledger accounts, tax rates, cost centers, tags,
              and projects for your organization.
            acquiring:report:read: >-
              View transaction and settlement reports for your acquiring
              activity.
            approval_policy:read:org: >-
              View approval workflows and spending policies configured for your
              organization.
            approval_policy:write:org: >-
              Create and update approval workflows and spending policies for
              your organization.
            approval_request:create:org: >-
              Submit items for approval within your organization's approval
              workflows.
            approval_request:delete:org: Delete approval requests within your organization.
            approval_request:read:org: >-
              View pending and completed approval requests across your
              organization.
            approval_request:update:org: >-
              Edit and update existing approval requests within your
              organization.
            authorization_control:read:org: Read access to authorization control at the organization level.
            bank_account_application:read:org: >-
              View submitted applications to open bank accounts within your
              organization.
            bank_account_application:write:org: >-
              Submit and manage applications to open new bank accounts within
              your organization.
            bank_account:read:org: View bank account details and balances within your organization.
            bank_account:write:org: Create, update, and close bank accounts within your organization.
            beneficial_owner:read:org: >-
              View beneficial ownership information, including individuals'
              ownership stakes and identifying details.
            comment:read:org: >-
              View comments and notes added to financial records across your
              organization.
            comment:write:org: >-
              Add and manage comments and notes on financial records across your
              organization.
            counterpart:read:org: >-
              View the suppliers and clients your organization transacts with.
              Counterparts are required before creating invoices, quotes, and
              other financial documents.
            counterpart:write:org: >-
              Add and update the suppliers and clients your organization
              transacts with. Counterparts are required before creating
              invoices, quotes, and other financial documents.
            credit_card:activate:org: >-
              Activate newly issued credit cards for use within your
              organization.
            credit_card_application:read:org: View credit card applications submitted within your organization.
            credit_card_application:write:org: >-
              Submit and manage credit card applications within your
              organization.
            credit_card:read:org: >-
              View credit card details and status for cards in your
              organization.
            developer_portal: >-
              Access the Tesouro Developer Portal to view API documentation and
              manage developer resources.
            dispute:read: >-
              View payment disputes and any supporting documents attached to
              them.
            dispute:write: >-
              Accept or challenge payment disputes by uploading and submitting
              supporting evidence.
            email: ''
            expense:approve:org: >-
              Review and approve or reject expense reports submitted across your
              organization.
            expense:read:org: View expense reports and submissions across your organization.
            expense:read:self: View your own expense submissions and reports.
            expense:write:org: Create and update expense submissions across your organization.
            expense:write:self: Submit and update your own expense reports.
            export:read:org: >-
              View and download previously generated data exports for your
              organization.
            export:write:org: Generate and manage data exports for your organization.
            external_bank_account:micro_deposit:org: >-
              Initiate micro-deposit verification to confirm ownership of
              external bank accounts linked to your organization.
            external_bank_account:read:org: >-
              View external bank accounts that have been linked to your
              organization.
            external_bank_account:set_verification:org: >-
              Manually set the verification status of linked external bank
              accounts, bypassing the standard verification process.
            external_bank_account:write:org: >-
              Add, update, or remove external bank accounts linked to your
              organization.
            invoice:read:org: View invoices issued and received across your organization.
            invoice:write:org: Create, edit, and manage invoices across your organization.
            mailbox:read:org: >-
              View the email mailboxes configured to automatically capture
              incoming invoices as payables and collect expense receipts for
              your organization.
            mailbox:write:org: >-
              Configure email mailboxes that automatically capture incoming
              invoices as payables and collect expense receipts for your
              organization.
            notification:subscription:read: >-
              View active webhook and event notification subscriptions and their
              configurations.
            notification:subscription:write: >-
              Create, update, and delete webhook and event notification
              subscriptions.
            ocr_task:read:org: >-
              View the results and status of automated receipt and invoice
              scanning tasks.
            ocr_task:write:org: >-
              Submit and manage automated receipt and invoice scanning tasks for
              your organization.
            offline_access: ''
            oidc:app:manage: >-
              Add, edit, and remove access to OIDC applications and their
              scopes.
            oidc:app:read: Read only access to the OIDC applications and their scopes
            oidc:app:write: >-
              Add and edit - but not remove - access to OIDC applications and
              their scopes
            openid: ''
            organization:read:org: View your organization's profile and general details.
            organization_settings:read:org: View configuration settings for your organization.
            organization_settings:write:org: Update configuration settings for your organization.
            organization:write:org: Update your organization's profile and general details.
            org:write:all: >-
              Enable or disable organizations on the platform. This is a
              high-privilege permission typically reserved for platform
              administrators.
            partner_portal: >-
              Access the Tesouro Partner Portal to manage your partnership
              settings and sub-merchant configurations.
            payable:approve:org: >-
              Review and approve bills and accounts payable before they are
              paid.
            payable:pay:org: >-
              Authorize and submit payments for approved bills and accounts
              payable.
            payable:read:org: View bills and accounts payable across your organization.
            payable:write:org: >-
              Create and update bills and accounts payable across your
              organization.
            payment_link:write: >-
              Generate and manage shareable payment links to collect payments
              from customers.
            payment_processing: ''
            payment_rail:ach: Process payments via the ACH (Automated Clearing House) network.
            payment_rail:fednow: Process instant payments via the FedNow network.
            payment_rail:rtp: Process real-time payments via the RTP network.
            payment_record:read:org: >-
              View payment transaction history and records for your
              organization.
            payment_record:write:org: >-
              Record payments against invoices and manage their status,
              including marking payments as succeeded, cancelling, or moving
              them into processing.
            product:read:org: >-
              View the product and service catalog used for invoicing within
              your organization.
            product:write:org: >-
              Add and update products and services in your organization's
              invoicing catalog.
            profile: ''
            role:read:org: >-
              View user roles and their associated permissions within your
              organization.
            role:write:org: >-
              Create and update user roles and permission sets within your
              organization.
            transfer:write:org: Create and submit money transfers within your organization.
            underwriting:application:approval:escalation: >-
              Provide a senior-level escalation approval on underwriting
              applications that require additional review.
            underwriting:application:approval:secondary: >-
              Provide a second-level approval on underwriting applications as
              part of a multi-step review process.
            underwriting:application:read: >-
              View underwriting applications, including sensitive business
              details and personally identifiable information.
            underwriting:application:write: >-
              Edit, approve, and manage underwriting applications and decisions,
              and attach supporting documents.
            user_profile:write:all: >-
              Update profile information for any user across all organizations.
              This is a high-privilege permission typically reserved for
              platform administrators.
            user_profile:write:self: >-
              Update your own user profile, including your name, contact
              information, and preferences.
            user:read:org: View user accounts and their details within your organization.
            user:read:self: >-
              Read access to the user's own record and the name/email of their
              direct reports.
            user:write:all: >-
              Create and manage user accounts across multiple organizations.
              This is a high-privilege permission typically reserved for
              platform administrators.
            user:write:org: Create, update, and manage user accounts within your organization.

````