Users

Users are individuals who will access and operate the account. Each user is assigned a role that determines their level of access and what actions they can perform.

note

Users can only be added after the application has been approved (APPLICATION_APPROVED) or is active (ACTIVE).

User roles

Role	Description
Owner	Full account access. Can manage users (create, update roles, deactivate), accept terms and conditions, and approve their own transactions. Every account must have at least one Owner.
Admin	Full operational access. Can create, approve, and execute payments, transfers, and FX orders. Can approve their own transactions (bypasses segregation of duties). Cannot manage users or accept terms and conditions.
Executor	Can create and approve payments, transfers, and FX orders. Cannot approve transactions they created themselves (segregation of duties enforced). Acts as the "checker" in a maker-checker workflow.
Preparer	Can draft and prepare payments, create beneficiaries, and manage receivables. Cannot confirm, submit, or approve transactions. Acts as the "maker" in a maker-checker workflow. Can only create payment instructions when maker-checker is enabled for the account.
Viewer	Read-only access. Can view account data, transactions, and balances but cannot create or modify anything.

Role permissions summary

Capability	Owner	Admin	Executor	Preparer	Viewer
View account data and transactions	Yes	Yes	Yes	Yes	Yes
Create and manage beneficiaries	Yes	Yes	Yes	Yes	No
Create and manage receivables	Yes	Yes	Yes	Yes	No
Draft and prepare payment orders	Yes	Yes	Yes	Yes	No
Approve and execute payments	Yes	Yes	Yes	No	No
Create international transfers	Yes	Yes	Yes	No	No
Create FX orders	Yes	Yes	Yes	No	No
Approve own transactions	Yes	Yes	No	No	No
Manage users	Yes	No	No	No	No
Accept terms and conditions	Yes	No	No	No	No

Adding a user

To add a user to the account, use the Invite User API to send an invite link. The invited user completes a self sign-up process — they set up their own credentials and verify their email before being linked to the account.

An invite requires the user's email, full name, and role.

curl -X POST https://sandbox-api.hubpay.io/v1/account/users/invite \
  -H "Authorization: Bearer $TOKEN" \
  -H "AccountId: $ACCOUNT_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "jane.doe@example.com",
    "fullName": "Jane Doe",
    "role": "EXECUTOR"
  }'

The response includes an inviteUrl that you forward to the user through your own communication channel (email, in-app notification, etc.). Invite links expire after 14 days.

tip

You can send the invite directly to your users through your own platform. To disable Hubpay from emailing the invite or any other onboarding emails directly to the user, contact your account manager.

Resending an invite

If an invite has expired or the user lost the link, use the Resend Invite API to generate a new invite URL. This revokes the previous invite and creates a fresh one.

curl -X POST https://sandbox-api.hubpay.io/v1/account/users/invite/{inviteId}/resend \
  -H "Authorization: Bearer $TOKEN" \
  -H "AccountId: $ACCOUNT_ID"

Checking invite status

Use the Get Invite API to check the current status of an invite.

Status	Description
PENDING	Invite has been created and is waiting for the user to accept.
COMPLETED	Invite has been accepted and the user has been linked to the account.
REVOKED	Invite was revoked because a new invite was issued via resend.
EXPIRED	Invite has passed its 14-day expiry window and can no longer be used.
LOCKED	Invite is locked due to too many failed email verification attempts.

Managing users

Once users are added, you can:

• List users — retrieve all active users linked to the account
• Update user — change a user's display name or block/unblock them
• Update role — change a user's role within the account
• Delete user — deactivate a user's access to the account

See the Users API reference for the full list of available operations.