Impersonate user

POSThttps://app.speybooks.com/api/v1/admin/users/{id}/impersonate

Issue a short-lived impersonation session as the target user. The session authenticates as that user but carries a claim identifying the acting admin, so an impersonated session is distinguishable from the user's own.

Contract

  • The session is valid for 10 minutes.
  • A reason of at least 5 characters is required and is recorded.
  • Only a one-way hash of the session token is retained, never the raw token.
  • Every session is audited (a USER_IMPERSONATED action) with the acting admin, the target user and organisation, the reason, the IP address, and the user agent.

Returns 404 if the target user does not exist.

Path parameters

idstringrequired
User ID to impersonate.

Response

200Impersonation token (10-minute TTL) with target user details.
Show response fields
expiresAtstringdate-time
targetUserobject
Show child attributes
emailstring
idinteger
tokenstring

Error codes

400Invalid user ID or cannot impersonate admin users.
404User not found.