Impersonate user
POST
https://app.speybooks.com/api/v1/admin/users/{id}/impersonateIssue a short-lived impersonation session as the target user. The session authenticates as that user but carries a claim identifying the acting admin, so an impersonated session is distinguishable from the user's own.
Contract
- The session is valid for 10 minutes.
- A
reasonof at least 5 characters is required and is recorded. - Only a one-way hash of the session token is retained, never the raw token.
- Every session is audited (a
USER_IMPERSONATEDaction) with the acting admin, the target user and organisation, the reason, the IP address, and the user agent.
Returns 404 if the target user does not exist.
Path parameters
idstringrequiredUser ID to impersonate.
Response
200Impersonation token (10-minute TTL) with target user details.
Show response fields
expiresAtstringdate-timetargetUserobjectShow child attributes
emailstringidintegertokenstringError codes
400Invalid user ID or cannot impersonate admin users.
404User not found.