Manage Members
This guide covers the tenant membership lifecycle: add a member, change their role, list the current set, and remove access when it is no longer needed.
For the full schema, see Reference: members.
| Role | Can do |
|---|---|
| admin | Full access — create, update, delete resources, manage members and API keys. |
| readonly | Read-only — list and get resources, download kubeconfig. Cannot make changes. |
Add a member
```bash
export KUPE_TENANT="<tenant>"

curl -X POST \
  -H "Authorization: Bearer $KUPE_API_KEY" \
  -H "Content-Type: application/json" \
  "https://api.kupe.cloud/api/v1/tenants/$KUPE_TENANT/members" \
  -d '{"email": "developer@example.com", "role": "readonly"}'
```
The email address must be unique within the tenant. The user can authenticate immediately via SSO once added.
Update a member’s role
The email is the path identifier and must be URL-encoded (@ → %40):
```bash
curl -X PATCH \
  -H "Authorization: Bearer $KUPE_API_KEY" \
  -H "Content-Type: application/json" \
  "https://api.kupe.cloud/api/v1/tenants/$KUPE_TENANT/members/developer%40example.com" \
  -d '{"role": "admin"}'
```
Remove a member
```bash
curl -X DELETE \
  -H "Authorization: Bearer $KUPE_API_KEY" \
  "https://api.kupe.cloud/api/v1/tenants/$KUPE_TENANT/members/developer%40example.com"
```
The member loses access immediately. You cannot remove yourself — the API returns 400 Bad Request if you try.
List members
```bash
curl -s \
  -H "Authorization: Bearer $KUPE_API_KEY" \
  "https://api.kupe.cloud/api/v1/tenants/$KUPE_TENANT/members" \
  | jq
```
Concurrency note
Add, update, and remove member operations support If-Match. Use the ETag from GET /tenants/{tenant} when several admins or automation flows might change membership at the same time.
See Reference: list members for the response shape.
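The If-Match flow from the concurrency note, as an added example that is not Kupe's own code: read the tenant ETag, then send the role change conditionally. It assumes the ETag arrives as a response header and that a stale value is rejected with 412 Precondition Failed (standard HTTP behaviour; the page does not state the status code); the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not Kupe's own code): role change guarded by If-Match.
API="https://api.kupe.cloud/api/v1"

# Percent-encode all bytes outside the RFC 3986 unreserved set (@ -> %40).
# Runs in a subshell so its variables and locale do not leak; ASCII input.
urlencode() (
  LC_ALL=C; s=$1; out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}          # split off the first character
    case $c in
      [a-zA-Z0-9.~_-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
)

# Extract the ETag value from raw response headers (any case, CRLF-safe).
etag_from_headers() {
  tr -d '\r' | awk 'tolower($0) ~ /^etag:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Map the status of a conditional write to an exit code.
# Assumption: a stale If-Match is answered with 412 Precondition Failed.
classify_status() {
  case $1 in
    2??) return 0 ;;  # applied
    412) return 2 ;;  # membership changed since the read: re-read, then retry
    *)   return 1 ;;  # e.g. 400/401/403: fail, do not retry blindly
  esac
}

# set_role <email> <admin|readonly>
set_role() (
  email=$1; role=$2
  # Only the two roles the page defines; also keeps $role safe inside the JSON.
  case $role in admin|readonly) ;; *) echo "unknown role: $role" >&2; exit 1 ;; esac
  etag=$(curl -sS -D - -o /dev/null -H "Authorization: Bearer $KUPE_API_KEY" \
    "$API/tenants/$KUPE_TENANT" | etag_from_headers)
  [ -n "$etag" ] || { echo "no ETag on tenant response" >&2; exit 1; }
  status=$(curl -sS -o /dev/null -w '%{http_code}' -X PATCH \
    -H "Authorization: Bearer $KUPE_API_KEY" -H "Content-Type: application/json" \
    -H "If-Match: $etag" -d "{\"role\": \"$role\"}" \
    "$API/tenants/$KUPE_TENANT/members/$(urlencode "$email")")
  classify_status "$status"
)
```

Exit status 2 signals a stale ETag: list the members again before retrying, so the change you resend is still the one you intend.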