Get a user
Fetch a single user by UUID. Users that don't belong to the caller's organization return `404 not_found` — existence is never leaked across tenants.
Authorization
bearerAuth
Salfio API tokens start with the literal prefix `sk_live_` followed by 32 base62 characters (≈190 bits of entropy). Tokens are hashed at rest with argon2id and shown to the user only once at creation.
In: header
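A log-scrubbing check built on the token format described above, as an added example that is not Salfio's own code. It assumes the base62 alphabet is `0-9A-Za-z`; the function names and the sample log lines are constructed for illustration.

```python
import hashlib
import math
import re
import secrets
import string

PREFIX = "sk_live_"
BASE62 = string.digits + string.ascii_letters  # assumed alphabet: 62 symbols
BODY_LEN = 32

# Strict match for the documented shape. The lookarounds keep the pattern from
# firing inside a longer identifier, which cuts false positives when scanning.
TOKEN_RE = re.compile(r"(?<![0-9A-Za-z_])sk_live_[0-9A-Za-z]{32}(?![0-9A-Za-z])")


def entropy_bits() -> float:
    """Entropy of the random part: 32 * log2(62)."""
    return BODY_LEN * math.log2(len(BASE62))


def make_sample_token() -> str:
    """Build a throwaway token of the documented shape (test data only)."""
    return PREFIX + "".join(secrets.choice(BASE62) for _ in range(BODY_LEN))


def find_tokens(text: str) -> list[str]:
    """Return every well-formed token found in text."""
    return TOKEN_RE.findall(text)


def redact(text: str) -> str:
    """Replace each token with a short SHA-256 tag so log lines stay correlatable."""
    def _tag(m: re.Match) -> str:
        digest = hashlib.sha256(m.group(0).encode()).hexdigest()[:8]
        return f"{PREFIX}[redacted:{digest}]"
    return TOKEN_RE.sub(_tag, text)


if __name__ == "__main__":
    tok = make_sample_token()
    # Constructed sample log lines, not real Salfio output.
    log = (
        f'GET /v1/users/497f6eca-6276-4993-bfeb-53cbbbba6f08 auth="Bearer {tok}"\n'
        "GET /v1/users note=sk_live_tooshort\n"
    )
    print(f"{entropy_bits():.1f} bits")
    print(redact(log))
```

The same pattern works as a pre-commit or CI secret-scanning rule; strings that only resemble the prefix are left untouched.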
Path Parameters
User UUID.
uuid
Response Body
application/json
curl -X GET "https://api.salfio.com/v1/users/497f6eca-6276-4993-bfeb-53cbbbba6f08"

{
  "meta": {
    "cursor": "string",
    "hasMore": true
  },
  "data": {
    "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
    "firstName": "Alice",
    "lastName": "Morgan",
    "email": "alice@acme.com",
    "imageUrl": "http://example.com",
    "createdAt": "2019-08-24T14:15:22Z",
    "updatedAt": "2019-08-24T14:15:22Z"
  }
}

{
  "error": {
    "code": "unauthorized",
    "message": "Authentication required"
  }
}

{
  "error": {
    "code": "not_found",
    "message": "client not found"
  }
}

{
  "error": {
    "code": "rate_limited",
    "message": "Rate limit exceeded",
    "details": {
      "retry_after_seconds": 30
    }
  }
}

List organization users
Returns the authenticated organization's members. Creation and deletion of users are managed through the Salfio dashboard's invitation flow and are intentionally not exposed via the API.
Update a user's profile
Updates whitelisted profile fields. The endpoint intentionally does not accept identity-bound fields — `email`, `clerkUserID`, and the canonical `id` are owned by Clerk and cannot be changed through the API. Unknown fields in the body are silently ignored.