Impersonate user

POST https://app.speybooks.com/api/v1/admin/users/{id}/impersonate

Create a short-lived impersonation session as the target user. Generates a JWT valid for 10 minutes with an impersonatedBy claim identifying the admin.

Flow

Validate target user exists and has an organisation
Generate JWT with 10-minute expiry and impersonatedBy: adminId claim
Hash the token (SHA-256) and store in admin_impersonation_sessions with reason, admin ID, target user/org, and expiry
Write USER_IMPERSONATED audit log entry
Return the token and expiry

Request Body

reason — minimum 5 characters, required for audit trail

Security

Tokens are short-lived (10 minutes)
Only the SHA-256 hash is stored, not the raw token
All impersonation sessions are audited with IP and user agent
The impersonation claim is visible in the JWT payload

Returns 404 if the target user does not exist.

Path parameters

id string required

User ID to impersonate.

Response

200 Impersonation token (10-minute TTL) with target user details.

Show response fields

expiresAt string date-time

targetUser object

Show child attributes

email string

id integer

token string

Error codes

400 Invalid user ID or cannot impersonate admin users.

404 User not found.

Request POST /v1/admin/users/{id}/impersonate curl

curl -X POST https://api.speybooks.com/v1/admin/users/12/impersonate \
  -H "Authorization: Bearer <admin-token>" \
  -H "Content-Type: application/json" \
  -d '{"reason": "Investigating invoice rendering bug #42"}'

Response 200

{
  "success": true,
  "data": {
    "token": "eyJ...",
    "expiresAt": "2026-02-19T14:40:00.000Z",
    "targetUser": {
      "id": 12,
      "email": "user@example.com"
    }
  }
}