Overview
Accounts allow users to authenticate with the Enterprise API using email and password credentials.
Key Concepts
Account Creation
Accounts can be created in two ways:
| Method | Endpoint | Access |
|---|---|---|
| Protected Route | /v1/admin/account/register | Requires Super Admin or admin credentials |
| Self-Registration | /v1/account/register | Public (controlled by feature flag) |
- A Super Admin (or any admin with the right permissions) typically creates accounts via the protected administration route.
- Optional self-service signup is available via an unprotected endpoint that is controlled by the account-registration feature flag. The flag defaults to enabled, so public signup is exposed unless you disable it.
Initial State
- New accounts start without any roles, so they cannot perform any operations until roles are assigned.
- Accounts must be assigned roles to gain access to resources.
Account Scope
Accounts are global resources and are not bound to a single organization or tenant:
- The same account can be granted access to multiple organizations, tenants, sub-tenants, or services
- What an account can do is entirely determined by the roles assigned to it
- Permissions are evaluated based on the combination of all assigned roles
Self-Registration
The unprotected /v1/account/register endpoint is controlled by the account-registration feature flag:
| Flag State | Behavior |
|---|---|
| Enabled (default) | Public signup is available |
| Disabled | Only protected admin route works |
Recommendation: Disable this flag in production environments to prevent unauthorized account creation. Only leave it enabled for sandboxes, demos, or controlled environments.
Toggle the feature via the feature manager or _features.conf, depending on your deployment workflow.
Account vs API Key
| Feature | Account | API Key |
|---|---|---|
| Authentication | Email + password | Bearer token |
| Use case | Human users | Machine-to-machine |
| Session management | Yes (with session tokens) | Stateless |
| Self-registration | Optional (feature flag) | No (admin only) |
| Expiration | No (unless manually disabled) | Optional TTL |
Get Started
- Create Account - Provision an account via the protected admin APIs (or optional self-registration)
- Assign Roles - Give an account permissions scoped to specific organizations, tenants, or services
Last updated on May 6, 2026
