Summary and recommendation
Fleet exposes a versioned REST API at /api/v1/fleet/ for full user lifecycle management.
Authentication uses Bearer tokens obtained via POST /api/v1/fleet/login or generated as api_only user tokens in the UI.
Critical caveat: SSO-authenticated users cannot generate API tokens - automation pipelines must use dedicated api_only accounts created separately.
All user-write operations (create, update, delete) require the Admin role;
there is no delegated or scoped token model below that level.
For identity graph construction, the user object carries id, email, global_role, teams (array with per-team role), api_only, and sso_enabled fields.
The global_role and teams fields are mutually exclusive - setting one via PATCH /api/v1/fleet/users/{id} silently clears the other, which is the single most common source of unintended role loss in automation scripts.
Pagination is offset-based using ?page=0&per_page=100.
No maximum page size is documented;
increment page until the returned array is empty.
Fleet publishes no rate limit documentation for the open-source version - effective limits are determined entirely by the operator's reverse proxy or load balancer configuration.
API quick reference
| Has user API | Yes |
| Auth method | API token (Bearer token) passed in Authorization header; tokens are generated per user via the Fleet UI or login endpoint |
| Base URL | Official docs |
| SCIM available | No |
| SCIM plan required | N/A |
Authentication
Auth method: API token (Bearer token) passed in Authorization header; tokens are generated per user via the Fleet UI or login endpoint
Setup steps
- POST to /api/v1/fleet/login with email and password to receive a token.
- Alternatively, generate an API-only user token via Fleet UI under Account Settings > API token.
- Include the token in all requests as: Authorization: Bearer
- For SSO-enabled instances, API-only users must be created separately as SSO users cannot generate API tokens.
Required scopes
| Scope | Description | Required for |
|---|---|---|
| Admin role | Full access to all API endpoints including user creation, deletion, and role management. | Create/update/delete users, manage teams, modify global settings |
| Maintainer role | Can manage hosts, queries, and policies but cannot manage users or global settings. | Host and query management endpoints |
| Observer role | Read-only access to hosts, queries, and results. | Read-only GET endpoints |
| GitOps role | Programmatic configuration management role; cannot perform interactive user operations. | GitOps/CI pipeline automation |
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| id | integer | Unique numeric identifier for the user. | auto-assigned | immutable | Used as path parameter in user-specific endpoints. |
| name | string | Full display name of the user. | required | optional | |
| string | User's email address; used as login identifier. | required | optional | Must be unique across the Fleet instance. | |
| password | string | User's password (write-only). | required (unless SSO) | optional | Never returned in API responses. |
| global_role | string|null | Global role assigned: admin, maintainer, observer, observer_plus, or gitops. | optional | optional | Mutually exclusive with team-level roles. Null if user has only team roles. |
| teams | array of objects | List of teams the user belongs to, each with id and role. | optional | optional | Each entry: {id: integer, role: string}. Only applicable when global_role is null. |
| api_only | boolean | If true, user is an API-only user and cannot log in via UI. | optional | immutable after creation | API-only users are not affected by SSO configuration. |
| sso_enabled | boolean | Whether the user authenticates via SSO. | optional | optional | SSO users cannot generate API tokens; use api_only users for automation. |
| created_at | string (ISO 8601) | Timestamp when the user was created. | auto-assigned | immutable | |
| updated_at | string (ISO 8601) | Timestamp of last user record update. | auto-assigned | auto-updated | |
| force_password_reset | boolean | If true, user must reset password on next login. | optional | optional | |
| gravatar_url | string | URL for user's Gravatar image. | auto-derived from email | auto-derived | |
| position | string | User's job title or position. | optional | optional |
Core endpoints
Login / obtain API token
- Method: POST
- URL:
/api/v1/fleet/login - Watch out for: SSO-enabled users cannot use this endpoint; they must authenticate via the SSO flow. Use api_only users for token-based automation.
Request example
POST /api/v1/fleet/login
{
"email": "admin@example.com",
"password": "supersecret"
}
Response example
{
"user": {"id": 1, "name": "Admin", "email": "admin@example.com"},
"token": "eyJhbGciOiJIUzI1NiJ9..."
}
List users
- Method: GET
- URL:
/api/v1/fleet/users - Watch out for: Requires Admin role. Returns all users globally; team-scoped filtering is not available on this endpoint.
Request example
GET /api/v1/fleet/users?page=0&per_page=50
Authorization: Bearer <token>
Response example
{
"users": [
{"id": 1, "name": "Admin", "email": "admin@example.com",
"global_role": "admin", "api_only": false}
]
}
Create user
- Method: POST
- URL:
/api/v1/fleet/users/admin - Watch out for: This endpoint creates users without sending an invitation email. To invite via email, use POST /api/v1/fleet/invites instead.
Request example
POST /api/v1/fleet/users/admin
{
"name": "Jane Doe",
"email": "jane@example.com",
"password": "Str0ngPass!",
"global_role": "observer"
}
Response example
{
"user": {
"id": 42,
"name": "Jane Doe",
"email": "jane@example.com",
"global_role": "observer"
}
}
Get user by ID
- Method: GET
- URL:
/api/v1/fleet/users/{id} - Watch out for: Users can retrieve their own record; retrieving other users requires Admin role.
Request example
GET /api/v1/fleet/users/42
Authorization: Bearer <token>
Response example
{
"user": {
"id": 42,
"name": "Jane Doe",
"email": "jane@example.com",
"global_role": "observer"
}
}
Update user
- Method: PATCH
- URL:
/api/v1/fleet/users/{id} - Watch out for: Setting global_role will clear all team-level roles, and vice versa. They are mutually exclusive.
Request example
PATCH /api/v1/fleet/users/42
{
"global_role": "maintainer",
"name": "Jane Smith"
}
Response example
{
"user": {
"id": 42,
"name": "Jane Smith",
"global_role": "maintainer"
}
}
Delete user
- Method: DELETE
- URL:
/api/v1/fleet/users/{id} - Watch out for: Requires Admin role. Deletion is immediate and irreversible; no soft-delete or deactivation state exists.
Request example
DELETE /api/v1/fleet/users/42
Authorization: Bearer <token>
Response example
{}
Invite user (email invitation)
- Method: POST
- URL:
/api/v1/fleet/invites - Watch out for: Requires SMTP to be configured on the Fleet server. Invites expire; check invite status via GET /api/v1/fleet/invites.
Request example
POST /api/v1/fleet/invites
{
"email": "newuser@example.com",
"name": "New User",
"global_role": "observer"
}
Response example
{
"invite": {
"id": 7,
"email": "newuser@example.com",
"global_role": "observer"
}
}
Logout / invalidate token
- Method: POST
- URL:
/api/v1/fleet/logout - Watch out for: Invalidates only the token used in the request. Other active tokens for the same user remain valid.
Request example
POST /api/v1/fleet/logout
Authorization: Bearer <token>
Response example
{}
Rate limits, pagination, and events
Rate limits: Fleet does not document explicit rate limits in its official REST API docs. Rate limiting is not enforced by default in the open-source version; self-hosted operators may configure upstream proxies.
Rate-limit headers: No
Retry-After header: No
Rate-limit notes: No official rate limit documentation found. Fleet is self-hosted; limits depend on operator infrastructure.
Pagination method: offset
Default page size: 20
Max page size: 0
Pagination pointer: page and per_page (e.g., ?page=0&per_page=100)
Webhooks available: No
Webhook notes: Fleet does not offer user lifecycle webhooks (e.g., user.created, user.deleted). Fleet does support webhooks for host/vulnerability/policy events, but not for user management events.
Alternative event strategy: Poll GET /api/v1/fleet/users on a schedule to detect user changes, or use Fleet's audit log (available in Fleet Premium) for change tracking.
SCIM API status
- SCIM available: No
- SCIM version: Not documented
- Plan required: N/A
- Endpoint: Not documented
Limitations:
- Fleet does not implement a SCIM 2.0 endpoint as of the current documentation.
- IdP-driven user provisioning is not natively supported; users must be created via the REST API or UI.
- SSO (SAML) is supported for authentication but does not include JIT provisioning or SCIM sync.
Common scenarios
Three automation scenarios cover the majority of lifecycle use cases.
To provision a service account: POST /api/v1/fleet/users/admin with api_only: true - note this endpoint creates the user silently with no email sent, unlike POST /api/v1/fleet/invites which requires SMTP and sends an invitation.
To audit all role assignments: paginate GET /api/v1/fleet/users and inspect global_role and teams client-side, since the list endpoint offers no server-side role filter.
To offboard a user: GET /api/v1/fleet/users to resolve id by email, then DELETE /api/v1/fleet/users/{id} - deletion is immediate, irreversible, and invalidates active sessions;
there is no soft-delete or suspend state.
Confirm removal with a follow-up GET expecting a 404.
If SSO JIT provisioning is active, a deleted user will be automatically recreated on their next SSO login - deletion alone is insufficient for full deprovisioning in SSO environments.
Programmatically provision an API-only service account
- Authenticate as an Admin: POST /api/v1/fleet/login with admin credentials to get a token.
- Create the API-only user: POST /api/v1/fleet/users/admin with {name, email, password, global_role: 'observer', api_only: true}.
- Log in as the new user: POST /api/v1/fleet/login with the new user's credentials to retrieve its dedicated API token.
- Store the token securely (e.g., in a secrets manager) and use it for all subsequent API calls.
Watch out for: api_only cannot be changed after creation. If you need a different type later, delete and recreate the user.
Bulk-list and audit all users and their roles
- Authenticate as Admin and obtain a token.
- GET /api/v1/fleet/users?page=0&per_page=100 to retrieve the first page of users.
- Increment page parameter and repeat until the returned users array is empty.
- For each user, inspect global_role and teams fields to audit role assignments.
Watch out for: There is no server-side filter by role on the list endpoint; all filtering must be done client-side after retrieval.
Remove a departed employee's access
- GET /api/v1/fleet/users to find the user's id by email.
- DELETE /api/v1/fleet/users/{id} to immediately remove the user.
- If the user had active sessions, their tokens are invalidated upon deletion.
- Verify removal by attempting GET /api/v1/fleet/users/{id} - expect a 404 response.
Watch out for: Deletion is irreversible. There is no disable/suspend state; the only option is full deletion.
Why building this yourself is a trap
The primary integration trap is the global_role / teams mutual exclusivity: a PATCH that sets global_role will silently drop all team memberships, and vice versa. Scripts that update one field without reading and preserving the other will corrupt role state without returning an error.
A secondary trap is the two distinct user-creation flows - POST /api/v1/fleet/users/admin (direct, no email) versus POST /api/v1/fleet/invites (email-based, requires SMTP, invite expiry applies) - which behave differently and are not interchangeable.
For teams building an identity graph via an MCP server with 60+ deep IT/identity integrations, the absence of user lifecycle webhooks is a structural limitation: Fleet emits no user.created or user.deleted events, so change detection requires scheduled polling of GET /api/v1/fleet/users or reliance on Fleet Premium's audit log.
Automate Fleet workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
