Logto · Capability

Logto API references — Users

Logto API references — Users. 39 operations. Lead operation: Create user. Self-contained Naftiko capability covering one Logto business surface.


What You Can Do

POST
Createuser — Create user
/v1/api/users
GET
Listusers — Get users
/v1/api/users
GET
Getuser — Get user
/v1/api/users/{userid}
PATCH
Updateuser — Update user
/v1/api/users/{userid}
DELETE
Deleteuser — Delete user
/v1/api/users/{userid}
GET
Listuserallidentities — Retrieve social identities, enterprise SSO identities and associated token secret (if token storage is enabled) for a user.
/v1/api/users/{userid}/all-identities
GET
Listusercustomdata — Get user custom data
/v1/api/users/{userid}/custom-data
PATCH
Updateusercustomdata — Update user custom data
/v1/api/users/{userid}/custom-data
GET
Listusergrants — Get user active grants
/v1/api/users/{userid}/grants
DELETE
Deleteusergrant — Revoke a user grant
/v1/api/users/{userid}/grants/{grantid}
GET
Getuserhaspassword — Check if user has password
/v1/api/users/{userid}/has-password
POST
Createuseridentity — Link social identity to user
/v1/api/users/{userid}/identities
PUT
Replaceuseridentity — Update social identity of user
/v1/api/users/{userid}/identities/{target}
DELETE
Deleteuseridentity — Delete social identity from user
/v1/api/users/{userid}/identities/{target}
GET
Getuseridentity — Retrieve a user's social identity and associated token storage.
/v1/api/users/{userid}/identities/{target}
PATCH
Updateuserissuspended — Update user suspension status
/v1/api/users/{userid}/is-suspended
GET
Listuserlogtoconfigs — Get user logto config
/v1/api/users/{userid}/logto-configs
PATCH
Updateuserlogtoconfigs — Update user logto config
/v1/api/users/{userid}/logto-configs
GET
Listusermfaverifications — Get user's MFA verifications
/v1/api/users/{userid}/mfa-verifications
POST
Createusermfaverification — Create an MFA verification for a user
/v1/api/users/{userid}/mfa-verifications
DELETE
Deleteusermfaverification — Delete an MFA verification for a user
/v1/api/users/{userid}/mfa-verifications/{verificationid}
GET
Listuserorganizations — Get organizations for a user
/v1/api/users/{userid}/organizations
PATCH
Updateuserpassword — Update user password
/v1/api/users/{userid}/password
POST
Verifyuserpassword — Verify user password
/v1/api/users/{userid}/password/verify
GET
Listuserpersonalaccesstokens — Get personal access tokens
/v1/api/users/{userid}/personal-access-tokens
POST
Createuserpersonalaccesstoken — Add personal access token
/v1/api/users/{userid}/personal-access-tokens
PATCH
Updatepersonalaccesstokenname — Update personal access token
/v1/api/users/{userid}/personal-access-tokens
POST
Deletepersonalaccesstokenpost — Delete personal access token
/v1/api/users/{userid}/personal-access-tokens/delete
DELETE
Deleteuserpersonalaccesstoken — Delete personal access token
/v1/api/users/{userid}/personal-access-tokens/{name}
PATCH
Updateuserpersonalaccesstoken — Update personal access token
/v1/api/users/{userid}/personal-access-tokens/{name}
PATCH
Updateuserprofile — Update user profile
/v1/api/users/{userid}/profile
GET
Listuserroles — Get roles for user
/v1/api/users/{userid}/roles
POST
Assignuserroles — Assign roles to user
/v1/api/users/{userid}/roles
PUT
Replaceuserroles — Update roles for user
/v1/api/users/{userid}/roles
DELETE
Deleteuserrole — Remove role from user
/v1/api/users/{userid}/roles/{roleid}
GET
Listusersessions — Get user active sessions
/v1/api/users/{userid}/sessions
GET
Getusersession — Get user active session
/v1/api/users/{userid}/sessions/{sessionid}
DELETE
Deleteusersession — Revoke a user session
/v1/api/users/{userid}/sessions/{sessionid}
GET
Getuserssoidentity — Retrieve a user's enterprise SSO identity and associated token secret (if token storage is enabled).
/v1/api/users/{userid}/sso-identities/{ssoconnectorid}

MCP Tools

create-user
Create user

get-users
Get users
read-only idempotent

get-user
Get user
read-only idempotent

update-user
Update user
idempotent

delete-user
Delete user
idempotent

retrieve-social-identities-enterprise-sso
Retrieve social identities, enterprise SSO identities and associated token secret (if token storage is enabled) for a user.
read-only idempotent

get-user-custom-data
Get user custom data
read-only idempotent

update-user-custom-data
Update user custom data
idempotent

get-user-active-grants
Get user active grants
read-only idempotent

revoke-user-grant
Revoke a user grant
idempotent

check-if-user-has-password
Check if user has password
read-only idempotent

link-social-identity-user
Link social identity to user

update-social-identity-user
Update social identity of user
idempotent

delete-social-identity-user
Delete social identity from user
idempotent

retrieve-user-s-social-identity-and
Retrieve a user's social identity and associated token storage.
read-only idempotent

update-user-suspension-status
Update user suspension status
idempotent

get-user-logto-config
Get user logto config
read-only idempotent

update-user-logto-config
Update user logto config
idempotent

get-user-s-mfa-verifications
Get user's MFA verifications
read-only idempotent

create-mfa-verification-user
Create an MFA verification for a user

delete-mfa-verification-user
Delete an MFA verification for a user
idempotent

get-organizations-user
Get organizations for a user
read-only idempotent

update-user-password
Update user password
idempotent

verify-user-password
Verify user password

get-personal-access-tokens
Get personal access tokens
read-only idempotent

add-personal-access-token
Add personal access token

update-personal-access-token
Update personal access token
idempotent

delete-personal-access-token
Delete personal access token

delete-personal-access-token-2
Delete personal access token
idempotent

update-personal-access-token-2
Update personal access token
idempotent

update-user-profile
Update user profile
idempotent

get-roles-user
Get roles for user
read-only idempotent

assign-roles-user
Assign roles to user

update-roles-user
Update roles for user
idempotent

remove-role-user
Remove role from user
idempotent

get-user-active-sessions
Get user active sessions
read-only idempotent

get-user-active-session
Get user active session
read-only idempotent

revoke-user-session
Revoke a user session
idempotent

retrieve-user-s-enterprise-sso-identity
Retrieve a user's enterprise SSO identity and associated token secret (if token storage is enabled).
read-only idempotent

Capability Spec

logto-users.yaml
naftiko: 1.0.0-alpha2
info:
  label: Logto API references — Users
  description: 'Logto API references — Users. 39 operations. Lead operation: Create user. Self-contained Naftiko capability
    covering one Logto business surface.'
  tags:
  - Logto
  - Users
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    LOGTO_API_KEY: LOGTO_API_KEY
capability:
  consumes:
  - type: http
    namespace: logto-users
    baseUri: https://[tenant_id].logto.app
    description: Logto API references — Users business capability. Self-contained, no shared references.
    resources:
    - name: api-users
      path: /api/users
      operations:
      - name: createuser
        method: POST
        description: Create user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: listusers
        method: GET
        description: Get users
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: page
          in: query
          type: integer
          description: Page number (starts from 1).
        - name: page_size
          in: query
          type: integer
          description: Entries per page.
        - name: search_params
          in: query
          type: object
          description: Search query parameters.
    - name: api-users-userId
      path: /api/users/{userId}
      operations:
      - name: getuser
        method: GET
        description: Get user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: includeSsoIdentities
          in: query
          type: string
          description: If it's provided with a truthy value (`true`, `1`, `yes`), each user in the response will include a
            `ssoIdentities` property containing a list of SSO identities
        - name: includePasswordHash
          in: query
          type: string
          description: If it's provided with a truthy value (`true`, `1`, `yes`), the response will include the `passwordDigest`
            and `passwordAlgorithm` fields. These fields are omitt
      - name: updateuser
        method: PATCH
        description: Update user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: deleteuser
        method: DELETE
        description: Delete user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-users-userId-all-identities
      path: /api/users/{userId}/all-identities
      operations:
      - name: listuserallidentities
        method: GET
        description: Retrieve social identities, enterprise SSO identities and associated token secret (if token storage is
          enabled) for a user.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: includeTokenSecret
          in: query
          type: string
          description: Whether to include the token secret in the response. Defaults to false. Token storage must be supported
            and enabled by the connector to return the token secret.
    - name: api-users-userId-custom-data
      path: /api/users/{userId}/custom-data
      operations:
      - name: listusercustomdata
        method: GET
        description: Get user custom data
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: updateusercustomdata
        method: PATCH
        description: Update user custom data
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-users-userId-grants
      path: /api/users/{userId}/grants
      operations:
      - name: listusergrants
        method: GET
        description: Get user active grants
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: appType
          in: query
          type: string
          description: 'Application type filter. Use ''thirdParty'' to list third-party app grants only, or ''firstParty''
            to list first-party app grants only. If omitted, grants from all '
    - name: api-users-userId-grants-grantId
      path: /api/users/{userId}/grants/{grantId}
      operations:
      - name: deleteusergrant
        method: DELETE
        description: Revoke a user grant
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-users-userId-has-password
      path: /api/users/{userId}/has-password
      operations:
      - name: getuserhaspassword
        method: GET
        description: Check if user has password
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-users-userId-identities
      path: /api/users/{userId}/identities
      operations:
      - name: createuseridentity
        method: POST
        description: Link social identity to user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-users-userId-identities-target
      path: /api/users/{userId}/identities/{target}
      operations:
      - name: replaceuseridentity
        method: PUT
        description: Update social identity of user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: target
          in: path
          type: string
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: deleteuseridentity
        method: DELETE
        description: Delete social identity from user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: target
          in: path
          type: string
          required: true
      - name: getuseridentity
        method: GET
        description: Retrieve a user's social identity and associated token storage .
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: target
          in: path
          type: string
          required: true
        - name: includeTokenSecret
          in: query
          type: string
          description: Whether to include the token secret in the response. Defaults to false. Token storage must be supported
            and enabled by the connector to return the token secret.
    - name: api-users-userId-is-suspended
      path: /api/users/{userId}/is-suspended
      operations:
      - name: updateuserissuspended
        method: PATCH
        description: Update user suspension status
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-users-userId-logto-configs
      path: /api/users/{userId}/logto-configs
      operations:
      - name: listuserlogtoconfigs
        method: GET
        description: Get user logto config
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: updateuserlogtoconfigs
        method: PATCH
        description: Update user logto config
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-users-userId-mfa-verifications
      path: /api/users/{userId}/mfa-verifications
      operations:
      - name: listusermfaverifications
        method: GET
        description: Get user's MFA verifications
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createusermfaverification
        method: POST
        description: Create an MFA verification for a user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-users-userId-mfa-verifications-verificationId
      path: /api/users/{userId}/mfa-verifications/{verificationId}
      operations:
      - name: deleteusermfaverification
        method: DELETE
        description: Delete an MFA verification for a user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-users-userId-organizations
      path: /api/users/{userId}/organizations
      operations:
      - name: listuserorganizations
        method: GET
        description: Get organizations for a user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-users-userId-password
      path: /api/users/{userId}/password
      operations:
      - name: updateuserpassword
        method: PATCH
        description: Update user password
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-users-userId-password-verify
      path: /api/users/{userId}/password/verify
      operations:
      - name: verifyuserpassword
        method: POST
        description: Verify user password
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-users-userId-personal-access-tokens
      path: /api/users/{userId}/personal-access-tokens
      operations:
      - name: listuserpersonalaccesstokens
        method: GET
        description: Get personal access tokens
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createuserpersonalaccesstoken
        method: POST
        description: Add personal access token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: updatepersonalaccesstokenname
        method: PATCH
        description: Update personal access token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-users-userId-personal-access-tokens-delete
      path: /api/users/{userId}/personal-access-tokens/delete
      operations:
      - name: deletepersonalaccesstokenpost
        method: POST
        description: Delete personal access token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-users-userId-personal-access-tokens-name
      path: /api/users/{userId}/personal-access-tokens/{name}
      operations:
      - name: deleteuserpersonalaccesstoken
        method: DELETE
        description: Delete personal access token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: name
          in: path
          type: string
          description: The name of the token.
          required: true
      - name: updateuserpersonalaccesstoken
        method: PATCH
        description: Update personal access token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: name
          in: path
          type: string
          description: The current name of the token.
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-users-userId-profile
      path: /api/users/{userId}/profile
      operations:
      - name: updateuserprofile
        method: PATCH
        description: Update user profile
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-users-userId-roles
      path: /api/users/{userId}/roles
      operations:
      - name: listuserroles
        method: GET
        description: Get roles for user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: page
          in: query
          type: integer
          description: Page number (starts from 1).
        - name: page_size
          in: query
          type: integer
          description: Entries per page.
        - name: search_params
          in: query
          type: object
          description: Search query parameters.
      - name: assignuserroles
        method: POST
        description: Assign roles to user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: replaceuserroles
        method: PUT
        description: Update roles for user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-users-userId-roles-roleId
      path: /api/users/{userId}/roles/{roleId}
      operations:
      - name: deleteuserrole
        method: DELETE
        description: Remove role from user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-users-userId-sessions
      path: /api/users/{userId}/sessions
      operations:
      - name: listusersessions
        method: GET
        description: Get user active sessions
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-users-userId-sessions-sessionId
      path: /api/users/{userId}/sessions/{sessionId}
      operations:
      - name: getusersession
        method: GET
        description: Get user active session
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: deleteusersession
        method: DELETE
        description: Revoke a user session
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: revokeGrantsTarget
          in: query
          type: string
          description: Optional target for revoking associated grants and tokens. 'all' revokes grants for every application
            authorized by this session. 'firstParty' revokes only firs
    - name: api-users-userId-sso-identities-ssoConnectorId
      path: /api/users/{userId}/sso-identities/{ssoConnectorId}
      operations:
      - name: getuserssoidentity
        method: GET
        description: Retrieve a user's enterprise SSO identity and associated token secret (if token storage is enabled).
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: includeTokenSecret
          in: query
          type: string
          description: Whether to include the token secret in the response. Defaults to false. Token storage must be supported
            and enabled by the connector to return the token secret.
    authentication:
      type: bearer
      token: '{{env.LOGTO_API_KEY}}'
  exposes:
  - type: rest
    namespace: logto-users-rest
    port: 8080
    description: REST adapter for Logto API references — Users. One Spectral-compliant resource per consumed operation, prefixed
      with /v1.
    resources:
    - path: /v1/api/users
      name: api-users
      description: REST surface for api-users.
      operations:
      - method: POST
        name: createuser
        description: Create user
        call: logto-users.createuser
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: GET
        name: listusers
        description: Get users
        call: logto-users.listusers
        with:
          page: rest.page
          page_size: rest.page_size
          search_params: rest.search_params
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}
      name: api-users-userid
      description: REST surface for api-users-userId.
      operations:
      - method: GET
        name: getuser
        description: Get user
        call: logto-users.getuser
        with:
          includeSsoIdentities: rest.includeSsoIdentities
          includePasswordHash: rest.includePasswordHash
        outputParameters:
        - type: object
          mapping: $.
      - method: PATCH
        name: updateuser
        description: Update user
        call: logto-users.updateuser
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deleteuser
        description: Delete user
        call: logto-users.deleteuser
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/all-identities
      name: api-users-userid-all-identities
      description: REST surface for api-users-userId-all-identities.
      operations:
      - method: GET
        name: listuserallidentities
        description: Retrieve social identities, enterprise SSO identities and associated token secret (if token storage is
          enabled) for a user.
        call: logto-users.listuserallidentities
        with:
          includeTokenSecret: rest.includeTokenSecret
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/custom-data
      name: api-users-userid-custom-data
      description: REST surface for api-users-userId-custom-data.
      operations:
      - method: GET
        name: listusercustomdata
        description: Get user custom data
        call: logto-users.listusercustomdata
        outputParameters:
        - type: object
          mapping: $.
      - method: PATCH
        name: updateusercustomdata
        description: Update user custom data
        call: logto-users.updateusercustomdata
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/grants
      name: api-users-userid-grants
      description: REST surface for api-users-userId-grants.
      operations:
      - method: GET
        name: listusergrants
        description: Get user active grants
        call: logto-users.listusergrants
        with:
          appType: rest.appType
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/grants/{grantid}
      name: api-users-userid-grants-grantid
      description: REST surface for api-users-userId-grants-grantId.
      operations:
      - method: DELETE
        name: deleteusergrant
        description: Revoke a user grant
        call: logto-users.deleteusergrant
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/has-password
      name: api-users-userid-has-password
      description: REST surface for api-users-userId-has-password.
      operations:
      - method: GET
        name: getuserhaspassword
        description: Check if user has password
        call: logto-users.getuserhaspassword
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/identities
      name: api-users-userid-identities
      description: REST surface for api-users-userId-identities.
      operations:
      - method: POST
        name: createuseridentity
        description: Link social identity to user
        call: logto-users.createuseridentity
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/identities/{target}
      name: api-users-userid-identities-target
      description: REST surface for api-users-userId-identities-target.
      operations:
      - method: PUT
        name: replaceuseridentity
        description: Update social identity of user
        call: logto-users.replaceuseridentity
        with:
          target: rest.target
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deleteuseridentity
        description: Delete social identity from user
        call: logto-users.deleteuseridentity
        with:
          target: rest.target
        outputParameters:
        - type: object
          mapping: $.
      - method: GET
        name: getuseridentity
        description: Retrieve a user's social identity and associated token storage .
        call: logto-users.getuseridentity
        with:
          target: rest.target
          includeTokenSecret: rest.includeTokenSecret
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/is-suspended
      name: api-users-userid-is-suspended
      description: REST surface for api-users-userId-is-suspended.
      operations:
      - method: PATCH
        name: updateuserissuspended
        description: Update user suspension status
        call: logto-users.updateuserissuspended
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/logto-configs
      name: api-users-userid-logto-configs
      description: REST surface for api-users-userId-logto-configs.
      operations:
      - method: GET
        name: listuserlogtoconfigs
        description: Get user logto config
        call: logto-users.listuserlogtoconfigs
        outputParameters:
        - type: object
          mapping: $.
      - method: PATCH
        name: updateuserlogtoconfigs
        description: Update user logto config
        call: logto-users.updateuserlogtoconfigs
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/mfa-verifications
      name: api-users-userid-mfa-verifications
      description: REST surface for api-users-userId-mfa-verifications.
      operations:
      - method: GET
        name: listusermfaverifications
        description: Get user's MFA verifications
        call: logto-users.listusermfaverifications
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createusermfaverification
        description: Create an MFA verification for a user
        call: logto-users.createusermfaverification
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/mfa-verifications/{verificationid}
      name: api-users-userid-mfa-verifications-verificationid
      description: REST surface for api-users-userId-mfa-verifications-verificationId.
      operations:
      - method: DELETE
        name: deleteusermfaverification
        description: Delete an MFA verification for a user
        call: logto-users.deleteusermfaverification
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/organizations
      name: api-users-userid-organizations
      description: REST surface for api-users-userId-organizations.
      operations:
      - method: GET
        name: listuserorganizations
        description: Get organizations for a user
        call: logto-users.listuserorganizations
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/password
      name: api-users-userid-password
      description: REST surface for api-users-userId-password.
      operations:
      - method: PATCH
        name: updateuserpassword
        description: Update user password
        call: logto-users.updateuserpassword
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/password/verify
      name: api-users-userid-password-verify
      description: REST surface for api-users-userId-password-verify.
      operations:
      - method: POST
        name: verifyuserpassword
        description: Verify user password
        call: logto-users.verifyuserpassword
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/personal-access-tokens
      name: api-users-userid-personal-access-tokens
      description: REST surface for api-users-userId-personal-access-tokens.
      operations:
      - method: GET
        name: listuserpersonalaccesstokens
        description: Get personal access tokens
        call: logto-users.listuserpersonalaccesstokens
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createuserpersonalaccesstoken
        description: Add personal access token
        call: logto-users.createuserpersonalaccesstoken
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: PATCH
        name: updatepersonalaccesstokenname
        description: Update personal access token
        call: logto-users.updatepersonalaccesstokenname
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/personal-access-tokens/delete
      name: api-users-userid-personal-access-tokens-delete
      description: REST surface for api-users-userId-personal-access-tokens-delete.
      operations:
      - method: POST
        name: deletepersonalaccesstokenpost
        description: Delete personal access token
        call: logto-users.deletepersonalaccesstokenpost
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/personal-access-tokens/{name}
      name: api-users-userid-personal-access-tokens-name
      description: REST surface for api-users-userId-personal-access-tokens-name.
      operations:
      - method: DELETE
        name: deleteuserpersonalaccesstoken
        description: Delete personal access token
        call: logto-users.deleteuserpersonalaccesstoken
        with:
          name: rest.name
        outputParameters:
        - type: object
          mapping: $.
      - method: PATCH
        name: updateuserpersonalaccesstoken
        description: Update personal access token
        call: logto-users.updateuserpersonalaccesstoken
        with:
          name: rest.name
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/profile
      name: api-users-userid-profile
      description: REST surface for api-users-userId-profile.
      operations:
      - method: PATCH
        name: updateuserprofile
        description: Update user profile
        call: logto-users.updateuserprofile
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/roles
      name: api-users-userid-roles
      description: REST surface for api-users-userId-roles.
      operations:
      - method: GET
        name: listuserroles
        description: Get roles for user
        call: logto-users.listuserroles
        with:
          page: rest.page
          page_size: rest.page_size
          search_params: rest.search_params
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: assignuserroles
        description: Assign roles to user
        call: logto-users.assignuserroles
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: PUT
        name: replaceuserroles
        description: Update roles for user
        call: logto-users.replaceuserroles
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/roles/{roleid}
      name: api-users-userid-roles-roleid
      description: REST surface for api-users-userId-roles-roleId.
      operations:
      - method: DELETE
        name: deleteuserrole
        description: Remove role from user
        call: logto-users.deleteuserrole
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/sessions
      name: api-users-userid-sessions
      description: REST surface for api-users-userId-sessions.
      operations:
      - method: GET
        name: listusersessions
        description: Get user active sessions
        call: logto-users.listusersessions
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/sessions/{sessionid}
      name: api-users-userid-sessions-sessionid
      description: REST surface for api-users-userId-sessions-sessionId.
      operations:
      - method: GET
        name: getusersession
        description: Get user active session
        call: logto-users.getusersession
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deleteusersession
        description: Revoke a user session
        call: logto-users.deleteusersession
        with:
          revokeGrantsTarget: rest.revokeGrantsTarget
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/users/{userid}/sso-iden

# --- truncated at 32 KB (44 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/logto/refs/heads/main/capabilities/logto-users.yaml