Attach a mobile device id to the currently logged in session. This will enable push notifications for a user, if configured by the server. ##### Permissions Must be authenticated.
Get a list of users for the purpose of autocompleting based on the provided search term. Specify a combination of team_id and channel_id to filter results further. ##### Permissions Requires an active session and view_team and read_channel on any teams or channels used to filter the results further.
Check if a user has multi-factor authentication active on their account by providing a login id. Used to check whether an MFA code needs to be provided when logging in. ##### Permissions No permission required.
Create a new user on the system. Password is required for email login. For other authentication types such as LDAP or SAML, auth_data and auth_service fields are required. ##### Permissions No permission required for creating email/username accounts on an open server. Auth Token is required for other authentication types such as LDAP or SAML.
Generate a user access token that can be used to authenticate with the Mattermost REST API. Minimum server version: 4.1 ##### Permissions Must have create_user_access_token permission. For non-self requests, must also have the edit_other_users permission.
Deactivates the user and revokes all its sessions by archiving its user object. As of server version 5.28, optionally use the permanent=true query parameter to permanently delete the user for compliance reasons. To use this feature ServiceSettings.EnableAPIUserDeletion must be set to true in the server’s configuration. ##### Permissions Must be logged in as the user being deactivated or have the edit_other_users permission.
Convert a regular user into a guest. This will convert the user into a guest for the whole system while retaining their existing team and channel memberships. Minimum server version: 5.16 ##### Permissions Must be logged in as the user or have the demote_to_guest permission.
Disable a personal access token and delete any sessions using the token. The token can be re-enabled using /users/tokens/enable. Minimum server version: 4.4 ##### Permissions Must have revoke_user_access_token permission. For non-self requests, must also have the edit_other_users permission.
Re-enable a personal access token that has been disabled. Minimum server version: 4.4 ##### Permissions Must have create_user_access_token permission. For non-self requests, must also have the edit_other_users permission.
Generates an multi-factor authentication secret for a user and returns it as a string and as base64 encoded QR code image. ##### Permissions Must be logged in as the user or have the edit_other_users permission.
Get all channel members from all teams for a user. Minimum server version: 6.2.0 ##### Permissions Logged in as the user, or have edit_other_users permission.
Get the list of user IDs of users with any direct relationship with a user. That means any user sharing any channel, including direct and group channels. ##### Permissions Must be authenticated. Minimum server version: 5.23
Get a list of sessions by providing the user GUID. Sensitive information will be sanitized out. ##### Permissions Must be logged in as the user being updated or have the edit_other_users permission.
Gets all the upload sessions belonging to a user. Minimum server version: 5.28 ##### Permissions Must be logged in as the user who created the upload sessions.
Get a user access token. Does not include the actual authentication token. Minimum server version: 4.1 ##### Permissions Must have read_user_access_token permission. For non-self requests, must also have the edit_other_users permission.
Get a page of user access tokens for users on the system. Does not include the actual authentication tokens. Use query parameters for paging. Minimum server version: 4.7 ##### Permissions Must have manage_system permission.
Get a list of user access tokens for a user. Does not include the actual authentication tokens. Use query parameters for paging. Minimum server version: 4.1 ##### Permissions Must have read_user_access_token permission. For non-self requests, must also have the edit_other_users permission.
Get a user object by providing a user email. Sensitive information will be sanitized out. ##### Permissions Requires an active session and for the current session to be able to view another user’s email based on the server’s privacy settings.
Get a user object by providing a username. Sensitive information will be sanitized out. ##### Permissions Requires an active session but no other permissions.
Will be deprecated in v6.0 Fetches user’s latest terms of service action if the latest action was for acceptance. Minimum server version: 5.6 ##### Permissions Must be logged in as the user being acted on.
Get a page of a list of users. Based on query string parameters, select users from a team, channel, or select users not in a specific channel. Since server version 4.0, some basic sorting is available using the sort query parameter. Sorting is currently only supported when selecting users on a team. ##### Permissions Requires an active session and (if specified) membership to the channel or team being selected from.
Get an object containing a key per group channel id in the query and its value as a list of users members of that group channel. The user must be a member of the group ids in the query, or they will be omitted from the response. ##### Permissions Requires an active session but no other permissions. Minimum server version: 5.14
Migrates accounts from one authentication provider to another. For example, you can upgrade your authentication provider from email to LDAP. Minimum server version: 5.28 ##### Permissions Must have manage_system permission.
Migrates accounts from one authentication provider to another. For example, you can upgrade your authentication provider from email to SAML. Minimum server version: 5.28 ##### Permissions Must have manage_system permission.
Partially update a user by providing only the fields you want to update. Omitted fields will not be updated. The fields that can be updated are defined in the request body, all other provided fields will be ignored. ##### Permissions Must be logged in as the user being updated or have the edit_other_users permission.
Permanently deletes all users and all their related information, including posts. Minimum server version: 5.26.0 Local mode only: This endpoint is only available through local mode.
Convert a guest into a regular user. This will convert the guest into a user for the whole system while retaining any team and channel memberships and automatically joining them to the default channels. Minimum server version: 5.16 ##### Permissions Must be logged in as the user or have the promote_guest permission.
Notify users in the given channel via websocket that the given user is typing. Minimum server version: 5.26 ##### Permissions Must have manage_system permission to publish for any user other than oneself.
Records user action when they accept or decline custom terms of service. Records the action in audit table. Updates user’s last accepted terms of service ID if they accepted it. Minimum server version: 5.4 ##### Permissions Must be logged in as the user being acted on.
Update the password for a user using a one-use, timed recovery code tied to the user’s account. Only works for non-SSO users. ##### Permissions No permissions required.
Revokes all user sessions from the provided user id and session id strings. ##### Permissions Must be logged in as the user being updated or have the edit_other_users permission. Minimum server version: 4.4
Revokes a user session from the provided user id and session id strings. ##### Permissions Must be logged in as the user being updated or have the edit_other_users permission.
For any session currently on the server (including admin) it will be revoked. Clients will be notified to log out users. Minimum server version: 5.14 ##### Permissions Must have manage_system permission.
Revoke a user access token and delete any sessions using the token. Minimum server version: 4.1 ##### Permissions Must have revoke_user_access_token permission. For non-self requests, must also have the edit_other_users permission.
Get a list of tokens based on search criteria provided in the request body. Searches are done against the token id, user id and username. Minimum server version: 4.7 ##### Permissions Must have manage_system permission.
Get a list of users based on search criteria provided in the request body. Searches are typically done against username, full name, nickname and email unless otherwise configured by the server. ##### Permissions Requires an active session and read_channel and/or view_team permissions for any channels or teams specified in the request body.
Send an email containing a link for resetting the user’s password. The link will contain a one-use, timed recovery code tied to the user’s account. Only works for non-SSO users. ##### Permissions No permissions required.
Send an email with a verification link to a user that has an email matching the one in the request body. This endpoint will return success even if the email does not match any users on the system. ##### Permissions No permissions required.
Delete user’s profile image and reset to default image based on user_id string parameter. ##### Permissions Must be logged in as the user being updated or have the edit_other_users permission. Minimum server version: 5.5
Set a user’s profile image based on user_id string parameter. ##### Permissions Must be logged in as the user being updated or have the edit_other_users permission.
Switch a user’s login method from using email to OAuth2/SAML/LDAP or back to email. When switching to OAuth2/SAML, account switching is not complete until the user follows the returned link and completes any steps on the OAuth2/SAML service provider. To switch from email to OAuth2/SAML, specify current_service, new_service, email and password. To switch from OAuth2/SAML to email, specify current_service, new_service, email and new_password. To switch from email to LDAP/AD, specify current_service, new_service, email, password, ldap_ip and new_password (this is the user’s LDAP password). To switch from LDAP/AD to email, specify current_service, new_service, ldap_ip, password (this is the user’s LDAP password), email and new_password. Additionally, specify mfa_code when trying to switch an account on LDAP/AD or email that has MFA activated. ##### Permissions No current authentication required except when switching from OAuth2/SAML to email.
Update a user by providing the user object. The fields that can be updated are defined in the request body, all other provided fields will be ignored. Any fields not included in the request body will be set to null or reverted to default values. ##### Permissions Must be logged in as the user being updated or have the edit_other_users permission.
Update user active or inactive status. Since server version 4.6, users using a SSO provider to login can be activated or deactivated with this endpoint. However, if their activation status in Mattermost does not reflect their status in the SSO provider, the next synchronization or login by that user will reset the activation status to that of their account in the SSO provider. Server versions 4.5 and before do not allow activation or deactivation of SSO users from this endpoint. ##### Permissions User can deactivate themselves. User with manage_system permission can activate or deactivate a user.
Updates a user’s authentication method. This can be used to change them to/from LDAP authentication for example. Minimum server version: 4.6 ##### Permissions Must have the edit_other_users permission.
Activates multi-factor authentication for the user if activate is true and a valid code is provided. If activate is false, then code is not required and multi-factor authentication is disabled for the user. ##### Permissions Must be logged in as the user being updated or have the edit_other_users permission.
Update a user’s password. New password must meet password policy set by server configuration. Current password is required if you’re updating your own password. ##### Permissions Must be logged in as the user the password is being changed for or have manage_system permission.
Update a user’s system-level roles. Valid user roles are "system_user", "system_admin" or both of them. Overwrites any previously assigned system-level roles. ##### Permissions Must have the manage_roles permission.