Users & RBAC
Manage users and roles in HelloJohn — user lifecycle, metadata, profile updates, role-based access control, and custom permissions.
HelloJohn manages the full user lifecycle within each tenant: registration, profile updates, role assignment, and deletion. Users are scoped to a tenant — the same email address can exist as separate users in different tenants.
User object
```json
{
  "id": "usr_01HX...",
  "tenant_id": "ten_01HX...",
  "email": "alice@acme.com",
  "email_verified": true,
  "first_name": "Alice",
  "last_name": "Chen",
  "avatar_url": "https://...",
  "roles": ["admin"],
  "metadata": {
    "department": "engineering",
    "employee_id": "EMP-1234"
  },
  "mfa_enrolled": true,
  "status": "active",
  "created_at": "2026-01-15T10:00:00Z",
  "last_login_at": "2026-03-07T14:00:00Z"
}
```
User status
| Status | Meaning |
|---|---|
| active | Normal — can authenticate |
| disabled | Cannot authenticate. Existing sessions revoked |
| pending | Invited but not yet accepted |
| unverified | Registered but email not verified |
Roles
HelloJohn ships with two built-in roles:
| Role | Access |
|---|---|
| admin | Full access to the tenant (users, config, orgs) |
| member | Standard user — no admin access |
You can define custom roles per tenant. See Roles & Permissions →.
In JWTs
User roles are included in every access token:
```json
{
  "sub": "usr_01HX...",
  "tenant_id": "ten_01HX...",
  "roles": ["admin"],
  "email": "alice@acme.com",
  "email_verified": true
}
```
Your backend enforces roles by reading the `roles` claim from the verified JWT.