Platform User Management

Search users and manage MFA across the platform

Updated Dec 29, 2025

Platform owner endpoints for user search and MFA management. Every endpoint on this page requires a platform owner JWT sent as `Authorization: Bearer {platform_owner_jwt}`; the same token is used in all examples below.

Endpoints

| Method | Path | Description |
|---|---|---|
| GET | /api/platform/users/search | Search users |
| GET | /api/platform/users/:user_id/mfa/status | Get MFA status |
| DELETE | /api/platform/users/:user_id/mfa | Force disable MFA |
| GET | /api/platform/mfa/metrics | Get MFA metrics |
| GET | /api/platform/mfa/suspicious | Get suspicious activity |
| POST | /api/platform/owners | Promote to owner |
| DELETE | /api/platform/owners/:user_id | Demote owner |

GET /api/platform/users/search

Search users across all organizations. Results are not scoped to any one organization, so this is a platform-wide lookup over personal data; prefer `user_id` for exact, automated lookups and use `email` (partial match) for interactive support searches.

Query Parameters

| Parameter | Type | Description |
|---|---|---|
| email | string | Search by email (partial match) |
| user_id | string | Search by exact user ID |
| limit | integer | Max results (default: 20) |

Example Request

```bash
curl -X GET "https://sso.example.com/api/platform/users/search?email=john" \
  -H "Authorization: Bearer {platform_owner_jwt}"
```

Response (200 OK)

```json
{
  "users": [
    {
      "id": "user-uuid",
      "email": "john@example.com",
      "is_platform_owner": false,
      "mfa_enabled": true,
      "created_at": "2025-01-15T10:30:00Z",
      "organizations": ["acme-corp", "beta-inc"]
    }
  ]
}
```

GET /api/platform/users/:user_id/mfa/status

Get detailed MFA status for a user.

Response (200 OK)

```json
{
  "user_id": "user-uuid",
  "email": "user@example.com",
  "mfa_enabled": true,
  "mfa_enabled_at": "2025-01-10T08:00:00Z",
  "backup_codes_remaining": 8,
  "last_mfa_challenge": "2025-01-15T10:30:00Z"
}
```

DELETE /api/platform/users/:user_id/mfa

Force disable MFA for a user (support scenario, for example a user who has lost both their authenticator device and all backup codes). The account is left without a second factor until MFA is set up again.

Request Body

| Field | Type | Required | Description |
|---|---|---|---|
| reason | string | Yes | Reason for disabling (logged) |

Example Request

```bash
curl -X DELETE https://sso.example.com/api/platform/users/user-uuid/mfa \
  -H "Authorization: Bearer {platform_owner_jwt}" \
  -H "Content-Type: application/json" \
  -d '{"reason": "User lost all backup codes and authenticator device"}'
```

[!WARNING] This action is logged together with the supplied reason and should only be used for legitimate support cases. Verify the requester's identity through a channel independent of the account being reset before calling it, since it removes the account's second factor in a single request.
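The support workflow that the search, MFA status and force-disable endpoints form (resolve the user, read their MFA status, then DELETE with a logged reason), as an added example in Python; this is not the product's own client or SDK. It assumes the host `https://sso.example.com` from the curl examples and a platform owner JWT, and it injects the HTTP layer as a callable so the same code runs offline against constructed fixtures shaped like the responses on this page (`fake_transport`, `FIXTURES`). The guard conditions (the reason must cite a ticket, exact `user_id` lookup only, platform owners refused without an explicit override, users who still have backup codes told to use those) are this example's own policy, not behaviour of the API.

```python
"""Guarded force-disable of a user's MFA via the platform owner endpoints.
Added example (not the product's client); the HTTP layer is injected so the
same workflow runs live or offline against constructed fixtures."""
import copy
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

BASE_URL = "https://sso.example.com"  # assumed; taken from the page's curl examples
# transport(method, path, json_body_or_None) -> (http_status, parsed_json_body)
Transport = Callable[[str, str, Optional[dict]], tuple[int, dict]]


class RefusedError(Exception):
    """Local policy refused the reset; the DELETE endpoint was never called."""


def http_transport(token: str) -> Transport:
    """Live transport: sends every call with the platform owner bearer token."""
    def send(method: str, path: str, body: Optional[dict]) -> tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(BASE_URL + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    return send


def force_disable_mfa(transport: Transport, user_id: str, reason: str,
                      ticket: str, allow_owner: bool = False) -> dict:
    """Resolve the user, read MFA status, then DELETE .../mfa with the reason.
    The guard conditions are this example's own policy, not behaviour of the
    API. Returns an audit record for the support ticket."""
    # The reason is logged server-side, so insist that it ties back to a ticket.
    if not reason.strip() or ticket not in reason:
        raise RefusedError("reason must be non-empty and cite the support ticket")
    # Exact user_id lookup only: a partial email match could pick the wrong account.
    query = urllib.parse.urlencode({"user_id": user_id, "limit": 1})
    status, found = transport("GET", f"/api/platform/users/search?{query}", None)
    users = found.get("users", []) if status == 200 else []
    if len(users) != 1 or users[0].get("id") != user_id:
        raise RefusedError(f"user {user_id} did not resolve to exactly one account")
    user = users[0]
    if user.get("is_platform_owner") and not allow_owner:
        raise RefusedError("target is a platform owner; pass allow_owner=True to override")
    status, mfa = transport("GET", f"/api/platform/users/{user_id}/mfa/status", None)
    if status != 200 or not mfa.get("mfa_enabled"):
        raise RefusedError("MFA is not enabled on this account; nothing to disable")
    remaining = mfa.get("backup_codes_remaining", 0)
    if remaining > 0:  # backup codes are the unprivileged recovery path
        raise RefusedError(f"user still has {remaining} backup codes; use those first")
    status, _ = transport("DELETE", f"/api/platform/users/{user_id}/mfa", {"reason": reason})
    if not 200 <= status < 300:
        raise RuntimeError(f"force-disable failed with HTTP {status}")
    return {"user_id": user_id, "email": user.get("email"), "ticket": ticket,
            "reason": reason, "previous_mfa_enabled_at": mfa.get("mfa_enabled_at")}


def attempt(transport: Transport, user_id: str, reason: str, ticket: str,
            allow_owner: bool = False) -> tuple[bool, str]:
    """(True, '') when MFA was disabled, (False, why) when local policy refused."""
    try:
        force_disable_mfa(transport, user_id, reason, ticket, allow_owner)
        return True, ""
    except RefusedError as exc:
        return False, str(exc)


# Constructed fixtures shaped like the search and status responses on this page.
FIXTURES = {
    "user-uuid": {
        "user": {"id": "user-uuid", "email": "john@example.com", "is_platform_owner": False},
        "mfa": {"mfa_enabled": True, "mfa_enabled_at": "2025-01-10T08:00:00Z",
                "backup_codes_remaining": 0}},
    "owner-uuid": {
        "user": {"id": "owner-uuid", "email": "root@example.com", "is_platform_owner": True},
        "mfa": {"mfa_enabled": True, "mfa_enabled_at": "2024-06-01T00:00:00Z",
                "backup_codes_remaining": 8}},
}


def fake_transport(fixtures: dict = FIXTURES) -> Transport:
    """Offline stand-in for http_transport: serves a private copy of the fixtures,
    applies DELETE to it, and records every call in send.calls for inspection."""
    state = copy.deepcopy(fixtures)
    calls: list = []

    def send(method: str, path: str, body: Optional[dict]) -> tuple[int, dict]:
        calls.append((method, path, body))
        parsed = urllib.parse.urlparse(path)
        if parsed.path.endswith("/search"):
            uid = urllib.parse.parse_qs(parsed.query).get("user_id", [""])[0]
            hit = state.get(uid)
            return 200, {"users": [hit["user"]] if hit else []}
        uid = parsed.path.split("/")[4]  # /api/platform/users/<uid>/mfa[/status]
        if method == "DELETE":
            state[uid]["mfa"]["mfa_enabled"] = False
            return 200, {}
        return 200, dict(state[uid]["mfa"])

    send.calls = calls  # type: ignore[attr-defined]
    return send
```

Rehearse the checks with `attempt(fake_transport(), "user-uuid", "Lost authenticator and all backup codes, ticket SUP-1234", "SUP-1234")`; swap in `http_transport(token)` for the live API. Refusals come back as `(False, why)` rather than being printed so a support tool can attach the message to the ticket, and the DELETE is only ever sent after every check has passed.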


GET /api/platform/mfa/metrics

Get platform-wide MFA adoption metrics. `mfa_adoption_rate` is the percentage of users with MFA enabled (`mfa_enabled_users / total_users * 100`); the `_7d` counters cover the trailing seven days.

Response (200 OK)

```json
{
  "total_users": 15420,
  "mfa_enabled_users": 8234,
  "mfa_adoption_rate": 53.4,
  "backup_codes_used_7d": 42,
  "mfa_failures_7d": 156
}
```

GET /api/platform/mfa/suspicious

Get suspicious MFA activity requiring review.

Response (200 OK)

```json
{
  "alerts": [
    {
      "user_id": "user-uuid",
      "email": "user@example.com",
      "alert_type": "multiple_failures",
      "details": "15 failed MFA attempts in 1 hour",
      "detected_at": "2025-01-15T10:30:00Z"
    }
  ]
}
```

POST /api/platform/owners

Promote a user to platform owner. Treat this as a privileged change: owners can call every endpoint on this page, including promoting and demoting other owners.

Request Body

| Field | Type | Required | Description |
|---|---|---|---|
| user_id | string | Yes | User to promote |

DELETE /api/platform/owners/:user_id

Demote a platform owner.

[!NOTE] Cannot demote yourself or the last remaining owner.