Members & Roles
Manage tenant members, custom roles, and invitations via the LaserData Cloud API.
Set variables to auto-fill all examples and run requests in-browser.
Members are users with access to a tenant. Roles define what they can do. All endpoints use the main API at https://api.laserdata.cloud.
Required permissions: member:read to list, member:manage to invite/remove. role:read to list roles, role:manage to create/delete.
Members
List Members
GET/tenants/{tenant_id}/membersList all members of a tenant with their assigned roles.
curl "https://api.laserdata.cloud/tenants/{tenant_id}/members?page=1&results=10" \
-H "ld-api-key: YOUR_API_KEY"{
"items": [
{
"id": 1,
"email": "[email protected]",
"name": "Alice",
"active": true,
"roles": ["developer"],
"created_at": "2025-01-15T10:00:00Z"
}
],
"page": 1,
"total_results": 1,
"total_pages": 1
}Update Member Role
PUT/tenants/{tenant_id}/members/{member_id}Change the role assigned to a tenant member.
curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/members/{member_id} \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"active": true,
"roles": [123, 456]
}'Remove Member
DELETE/tenants/{tenant_id}/members/{member_id}Remove a member from the tenant. Their API keys are not automatically revoked.
curl -X DELETE https://api.laserdata.cloud/tenants/{tenant_id}/members/{member_id} \
-H "ld-api-key: YOUR_API_KEY"Invitations
Invite a Member
POST/tenants/{tenant_id}/invitationsSend an invitation email to a new member with a specified role.
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/invitations \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"roles": [100]
}'Domain-locked errors (driven by the tenant config):
| Status / Code | Cause |
|---|---|
400 invitee_domain_locked | The invitee's email domain belongs to another tenant that has set block_external_invitations: true. |
400 invitee_domain_not_allowed | This tenant has enforce_domain_only_invitations: true and the invitee's email domain is outside the tenant's claimed email_domain (and any division subdomains). |
List Invitations
GET/tenants/{tenant_id}/invitationsList all pending invitations.
curl "https://api.laserdata.cloud/tenants/{tenant_id}/invitations?page=1&results=10" \
-H "ld-api-key: YOUR_API_KEY"Cancel Invitation
DELETE/tenants/{tenant_id}/invitations/{invitation_id}Cancel a pending invitation before it is accepted.
curl -X DELETE https://api.laserdata.cloud/tenants/{tenant_id}/invitations/{invitation_id} \
-H "ld-api-key: YOUR_API_KEY"Roles
List Roles
GET/tenants/{tenant_id}/rolesList all roles defined in the tenant, including built-in and custom roles.
curl "https://api.laserdata.cloud/tenants/{tenant_id}/roles?page=1&results=10" \
-H "ld-api-key: YOUR_API_KEY"{
"items": [
{
"id": 1,
"name": "admin",
"kind": "system"
},
{
"id": 2,
"name": "developer",
"kind": "custom"
}
],
"page": 1,
"total_results": 2,
"total_pages": 1
}Role kind is one of:
system- built-in role templates (Owner, Admin, Developer, Viewer, Billing). Cannot be deleted.custom- user-created roles defined through the API or Console.api_key- implicit role auto-created when an API key is provisioned with inline permissions instead of an existingrole_id.
Get Role
GET/tenants/{tenant_id}/roles/{role_id}Get a role by ID.
curl https://api.laserdata.cloud/tenants/{tenant_id}/roles/{role_id} \
-H "ld-api-key: YOUR_API_KEY"List Role Members
GET/tenants/{tenant_id}/roles/{role_id}/membersList all members assigned to a role.
curl "https://api.laserdata.cloud/tenants/{tenant_id}/roles/{role_id}/members?page=1&results=10" \
-H "ld-api-key: YOUR_API_KEY"Create Role
POST/tenants/{tenant_id}/rolesCreate a custom role with explicit tenant and division permissions.
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/roles \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "developer",
"permissions": {
"tenant": ["info:read", "member:read", "division:read"],
"division": ["environment:read", "environment:manage"],
"divisions": {
"1": {
"permissions": ["environment:read"],
"environment": ["deployment:read", "deployment:manage"],
"environments": {
"2": ["deployment:read", "deployment:manage", "deployment:telemetry:read"]
}
}
}
}
}'| Field | Required | Description |
|---|---|---|
name | Yes | Unique role name within the tenant |
permissions.tenant | No | Tenant-level permission strings (e.g. info:read, member:manage) |
permissions.division | No | Default division permissions applied to all divisions |
permissions.divisions | No | Per-division overrides keyed by division ID, with optional per-environment overrides |
Assign Role to Members
PUT/tenants/{tenant_id}/roles/{role_id}/members/assignAssign one or more members to a role.
curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/roles/{role_id}/members/assign \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"members": [1, 2, 3]
}'Revoke Role from Members
PUT/tenants/{tenant_id}/roles/{role_id}/members/revokeRemove one or more members from a role.
curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/roles/{role_id}/members/revoke \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"members": [2]
}'Delete Role
DELETE/tenants/{tenant_id}/roles/{role_id}Delete a custom role. Built-in roles cannot be deleted. Members assigned to this role will need a new role assigned.
curl -X DELETE https://api.laserdata.cloud/tenants/{tenant_id}/roles/{role_id} \
-H "ld-api-key: YOUR_API_KEY"