Invite your team
Obexal works on an invitation model: self-signup is off by default, and accepting an invitation is what activates the account.
New members join your organization by invitation. Self-signup is disabled by default, so the directory only contains accounts you explicitly invited or provisioned.
An invitation-only directory
Out of the box, the public "create an account" path is off for your organization: the sign-up endpoint refuses, and the hosted sign-in page hides the link. An account comes into existence when its owner accepts a nominative invitation. The invitation link doubles as email verification, so activated accounts always start with a verified address.
Invitations are single use, tied to one email address, and expire after 7 days by default. Self-signup can be re-enabled per organization in the console settings if your use case calls for it. For automated provisioning from an HR system or another IdP, see inbound SCIM.
Send an invitation
In the admin console, open Invitations:
- Enter the invitee's email address. The invitation is nominative: only this exact address can activate it.
- Optionally pre-fill the first name and last name: they seed the invitee's profile at activation.
- Pick a role: a system role (owner, admin, member) or one of your custom roles.
- Send. The invitee receives an email containing a single-use activation link.
The same operation through the API (session or admin API token):
curl -sS -X POST https://accounts.obexal.com/v1/admin/invitations \
-H "Authorization: Bearer $OBEXAL_API_TOKEN" \
-H 'Content-Type: application/json' \
-d '{"email":"alice@example.eu","role":"member","givenName":"Alice","familyName":"Martin"}'
# 202 -> {"status":"ok"}
Only one pending invitation can exist per address: inviting the same email again while one is pending returns 409.
What the invitee sees
The email links to https://accounts.obexal.com/accept-invite?token=... (your custom domain replaces the default one). On that page, the invitee:
- Optionally sets or completes their first and last name; their input takes precedence over your pre-fill.
- Chooses a password (12 characters minimum under the default policy).
- Is signed in automatically and lands on the "My Apps" portal at /dashboard, showing the applications assigned to them.
No prior account and no separate verification step are needed: the link itself is the proof of identity, and the address is marked verified. The other profile fields (job title, department, language) remain managed by an admin or by SCIM: see Users and profiles.
The role is re-checked at acceptance: if the inviter has lost the authority to grant it in the meantime, the invitee joins as member instead.
Roles at invitation
- A member cannot send invitations: managing members requires the corresponding permission.
- You can only assign a role whose permissions are a subset of your own (anti-escalation); only an owner can invite another owner.
- Custom roles are assignable exactly like system roles.
Details: Roles and RBAC.
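A local model of the rules described above (anti-escalation at send time, the re-check at acceptance, one pending invitation per address, single use, 7-day expiry), added here as an illustration; it is not Obexal's code. The permission names in ROLES and the current_role_of callback are assumptions made for the example.

```python
import secrets
from datetime import timedelta

# Constructed role -> permission sets; the real definitions are not on this page.
ROLES = {
    "owner": {"org.manage", "members.manage", "apps.use"},
    "admin": {"members.manage", "apps.use"},
    "member": {"apps.use"},
}
TTL = timedelta(days=7)  # default expiry stated on the page


def can_grant(inviter_role, target_role):
    """Anti-escalation check; an unknown or missing inviter role grants nothing."""
    own = ROLES.get(inviter_role, set())
    if "members.manage" not in own or target_role not in ROLES:
        return False
    if target_role == "owner" and inviter_role != "owner":
        return False
    return ROLES[target_role] <= own


class Invitations:
    def __init__(self):
        self.records = {}  # token -> invitation record

    def invite(self, inviter, inviter_role, email, role, now):
        if not can_grant(inviter_role, role):
            raise PermissionError("inviter may not grant this role")
        email = email.lower()
        for rec in self.records.values():
            if rec["email"] == email and rec["status"] == "pending" and now < rec["expires"]:
                return 409, None  # one pending invitation per address
        token = secrets.token_urlsafe(32)
        self.records[token] = {"email": email, "role": role, "inviter": inviter,
                               "status": "pending", "expires": now + TTL}
        return 202, token

    def accept(self, token, current_role_of, now):
        rec = self.records.get(token)
        if rec is None or rec["status"] != "pending" or now >= rec["expires"]:
            return None  # unknown, already used, revoked, or expired
        rec["status"] = "accepted"  # single use
        # Re-check against the inviter's role now, not the role held at send time.
        ok = can_grant(current_role_of(rec["inviter"]), rec["role"])
        return {"email": rec["email"], "role": rec["role"] if ok else "member",
                "email_verified": True}
```

The re-check in accept is what closes the window where an admin sends an invitation, is demoted, and the invitee would otherwise still activate with the originally requested role.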
Revoke or resend an invitation
The console lists invitations with their status (pending, accepted, revoked) and expiry date; the API equivalent is GET /v1/admin/invitations.
- Revoke: a pending invitation can be cancelled at any time; the link stops working immediately.
curl -sS -X DELETE https://accounts.obexal.com/v1/admin/invitations/<id> \
-H "Authorization: Bearer $OBEXAL_API_TOKEN"
- Resend: there is no separate resend action. Revoke the pending invitation, then invite the same address again: a fresh link is generated.
- Expired: simply invite the address again.
Next steps
- Invitations in detail: API, statuses, expiry, audit events.
- Groups and app access: decide which applications your new members see on their portal.