token. When the recipient accepts the invite (by following the URL you build with that token), their organization_members row is created and member.joined fires.
Invitations expire automatically. The
expires_at field on every invitation tells you when. Expired invitations cannot be accepted — re-invite the user with a fresh POST /team/invitations.The invitation object
| Field | Type | Notes |
|---|---|---|
id | uuid | Invitation id. Use for GET/DELETE. |
email | string | Validated as an email. The recipient must sign in with this address. |
role_id | uuid | The role the recipient will hold once accepted. |
role | string | Display-only role name. |
status | enum | One of pending, accepted, declined, expired, revoked. List/GET only return pending. |
invited_by | uuid ∣ null | The user that issued the invite. null for invitations created by org-scoped API keys. |
expires_at | timestamp | After this time the token stops working. |
created_at | timestamp | When the invitation was issued. |
updated_at | timestamp | Last status change. |
Create an invitation
POST /team/invitations with the recipient’s email and the target role id. The response returns the new invitation and a one-time secret token — this is the only time the token is shown, so capture it now.
cURL
POST /team/invitations is idempotent — pass an Idempotency-Key header to make safe retries. See Idempotency.
List pending invitations
cURL
status = "pending". Already accepted/declined/expired/revoked rows are not surfaced — query the audit log if you need full history.
Get one
cURL
Cancel an invitation
DELETE /team/invitations/{id} revokes a pending invitation. Once revoked, the token stops working — even before its expires_at. Fires invitation.revoked.
cURL
204 No Content. Already-accepted, declined, expired, or revoked invitations cannot be revoked again — the endpoint returns 409 conflict in that case.