This API is available on self-hosted deployments only. See Self-Hosting for setup instructions and User Management: OIDC Integration for authentication configuration.
How This Helps
The User Management API provides programmatic control over user accounts on self-hosted deployments. Create users, assign roles, reset passwords, manage sessions, and control workspace membership — all through REST endpoints backed by Keycloak.
Prerequisites
- A self-hosted Visual Layer deployment with authentication enabled (
DISABLE_AUTH: false). - An authenticated session with a user that has the Keycloak
manage-usersrealm role (for write operations) orview-usersrole (for read operations). - User management enabled (automatic when
RUN_MODE=ONPREMand auth is not disabled).
List Users
Retrieve all users registered in the system.Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
search | string | No | Filter by username or name. |
max_results | integer | No | Maximum results to return (1–1000, default: 100). |
first | integer | No | Offset for pagination (default: 0). |
Example
Response
User Object Fields
| Field | Type | Description |
|---|---|---|
id | string | Keycloak user ID. |
username | string | Login username. |
firstName | string or null | First name. |
lastName | string or null | Last name. |
enabled | boolean | Whether the account is active. Disabled users cannot log in. |
createdTimestamp | integer or null | Account creation time in milliseconds since epoch. |
roles | array of strings | Keycloak realm roles assigned to the user. |
lastAccess | integer or null | Most recent session activity in milliseconds since epoch. |
Get User
Retrieve details for a specific user.Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
user_id | string | Yes | Keycloak user ID or Visual Layer user ID (UUID). Auto-resolved if a VL user ID is provided. |
Example
Response
Returns a single User object.Create User
Create a new user account. This is an atomic operation — the user is created in both Keycloak and the Visual Layer database. If either step fails, the operation is rolled back.Request Body
| Field | Type | Required | Description |
|---|---|---|---|
username | string | Yes | Login username (3–255 characters, no whitespace). |
password | string | Yes | Initial password (minimum 8 characters). |
firstName | string | Yes | First name (1–255 characters). |
lastName | string | Yes | Last name (1–255 characters). |
enabled | boolean | No | Whether the account is active (default: true). |
workspace_role | string | No | Workspace role to assign: admin, editor, or viewer (default: viewer). |
Example
Response (201 Created)
Returns the created User object.Update User
Update the username or enabled status of an existing user.Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
user_id | string | Yes | Keycloak user ID or Visual Layer user ID. |
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
username | string | No | New username (3–255 characters, no whitespace). |
enabled | boolean | No | Set to false to disable the account. |
Example
Response
Returns the updated User object.Delete User
Permanently remove a user account. This is an atomic operation that cleans up all associated data.Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
user_id | string | Yes | Keycloak user ID or Visual Layer user ID. |
Example
Response
- Transfers ownership of all datasets owned by the deleted user to the admin performing the deletion.
- Removes all workspace membership records.
- Deletes the user from Keycloak.
- Deletes the shadow user record from the Visual Layer database.
Reset Password
Reset a user’s password. The new password is set as temporary — the user must change it on next login.Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
user_id | string | Yes | Keycloak user ID or Visual Layer user ID. |
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
password | string | Yes | New temporary password (minimum 8 characters). |
Example
Response
Logout User
Terminate all active sessions for a user, forcing them to re-authenticate.Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
user_id | string | Yes | Keycloak user ID or Visual Layer user ID. |
Example
Response
Get User Sessions
List all active sessions for a user.Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
user_id | string | Yes | Keycloak user ID or Visual Layer user ID. |
Example
Response
Update User Roles
Replace all realm roles assigned to a user.Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
user_id | string | Yes | Keycloak user ID or Visual Layer user ID. |
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
roles | array of strings | Yes | Complete list of realm role names to assign. Replaces all existing roles. |
Example
Response
Returns the updated User object with the new roles.This endpoint replaces all existing roles. Include every role the user should have, not just the ones you want to add. Invalid role names are silently ignored.
Roles Reference
Workspace Roles
Workspace roles control what a user can do within Visual Layer. Assign these via theworkspace_role field when creating users, or through the Workspace Members API.
| Role | Permissions |
|---|---|
| Admin | Full control — manage users, change roles, create and delete datasets, configure settings. |
| Editor | Create and edit datasets, run enrichment, export data. Cannot manage users or settings. |
| Viewer | Read-only access — explore datasets, run searches, view results. Cannot modify data. |
Keycloak Realm Roles
These roles control access to the User Management API itself. They are managed through Keycloak and determine which API endpoints a user can call.| Role | Grants Access To |
|---|---|
manage-users | Create, update, delete users. Reset passwords. Manage roles. |
view-users | List users, get user details, view sessions. |
query-users | Query users (required for full user management). |
query-groups | Query user groups (required for full user management). |
Python Example
Response Codes
See Error Handling for the error response format.| HTTP Code | Meaning |
|---|---|
| 200 | Request successful. |
| 201 | User created successfully. |
| 400 | Validation error, self-deletion attempt, or last admin deletion attempt. |
| 401 | Unauthorized — no valid session or token. |
| 403 | Forbidden — user management not enabled, or insufficient Keycloak roles. |
| 404 | User not found. |
| 500 | Internal Server Error — contact support if this persists. |
Related Resources
OIDC Integration
Configure your Identity Provider for Single Sign-On with Visual Layer.
Workspaces & Organizations
Manage workspace membership and roles programmatically.
Admin Settings
View and update runtime configuration on self-hosted deployments.
Self-Hosting Setup
Install and configure a self-hosted Visual Layer deployment.