POST /v1/indexes/{index_name}/users
Create User
curl --request POST \
  --url https://api.example.com/v1/indexes/{index_name}/users
Mint a per-user API key scoped to a single index. RBAC must be enabled on the service (CYBORGDB_SERVICE_ROOT_KEY set), and the request must be authenticated with the root key.
See Multi-Tenancy & RBAC for the full operator playbook.

Authentication

Required — root API key in the X-API-Key header:
X-API-Key: cyborg_your_root_api_key_here
The legacy single API key (CYBORGDB_API_KEY) is not accepted on this route; it returns 403.

Path Parameters

Parameter    Type     Description
index_name   string   Name of the index the user will be scoped to.

Request Body

{
  "permissions": ["read", "write"],
  "index_key": "64_character_hex_string_representing_32_bytes"
}
For POST, the index key rides in the JSON body as index_key (alongside permissions). The sibling GET /v1/indexes/{index_name}/users and DELETE /v1/indexes/{index_name}/users/{user_id} endpoints have no request body, so they take the same key via the X-Index-Key header instead.

Response

{
  "user_id": "a1b2c3d4e5f6...",
  "api_key": "cdbk_..."
}
The returned api_key is shown only in this response and is never persisted by the service. If you lose it, revoke the user (DELETE) and mint a new one.

Exceptions

  • 400: permissions is missing, empty, or contains values outside {"read", "write"}.
  • 401: Authentication failed (invalid root API key).
  • 403: RBAC is not enabled (CYBORGDB_SERVICE_ROOT_KEY unset), or the caller is not using the root key.
  • 404: Index not found.
  • 500: Internal server error.

Example Usage

curl -X POST "http://localhost:8000/v1/indexes/documents/users" \
     -H "X-API-Key: cyborg_your_root_api_key_here" \
     -H "Content-Type: application/json" \
     -d '{
       "permissions": ["read", "write"]
     }'
Read-only user:
curl -X POST "http://localhost:8000/v1/indexes/documents/users" \
     -H "X-API-Key: cyborg_your_root_api_key_here" \
     -H "Content-Type: application/json" \
     -d '{
       "permissions": ["read"]
     }'
SDK-supplied index (legacy path):
curl -X POST "http://localhost:8000/v1/indexes/documents/users" \
     -H "X-API-Key: cyborg_your_root_api_key_here" \
     -H "Content-Type: application/json" \
     -d '{
       "permissions": ["read", "write"],
       "index_key": "your_64_character_hex_key_here"
     }'
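
A client-side sketch of this call in Python, added here as an example and not taken from the CyborgDB SDK or docs: it checks the body against the rules stated above before sending, and writes the one-time api_key straight to a new owner-only file instead of printing it. The function names, the key file path and the 10-second timeout are assumptions; index_key is treated as optional because the first two curl examples omit it.

```python
import json
import os
import re
import urllib.parse
import urllib.request

ALLOWED = {"read", "write"}                 # only values the page lists as valid
HEX_KEY = re.compile(r"[0-9a-fA-F]{64}")    # 32 bytes written as 64 hex characters

def build_request(base_url, index_name, root_key, permissions, index_key=None):
    """Validate the body against the page's rules, then build the POST."""
    perms = list(permissions or [])
    if not perms or not set(perms) <= ALLOWED:
        raise ValueError("permissions must be a non-empty subset of read/write")
    body = {"permissions": perms}
    if index_key is not None:
        if not HEX_KEY.fullmatch(index_key):
            raise ValueError("index_key must be 64 hex characters")
        body["index_key"] = index_key
    name = urllib.parse.quote(index_name, safe="")  # keep the name in one path segment
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/v1/indexes/{name}/users",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"X-API-Key": root_key, "Content-Type": "application/json"},
    )

def store_key_once(response_body, path):
    """Save the one-time api_key to a new owner-only file; return the user_id."""
    doc = json.loads(response_body)
    # O_EXCL refuses to overwrite an existing key file; 0o600 keeps it owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(doc["api_key"])
    return doc["user_id"]

def mint_user(base_url, index_name, root_key, permissions, key_path, index_key=None):
    """Send the request; non-2xx statuses (400/401/403/404/500) raise HTTPError."""
    req = build_request(base_url, index_name, root_key, permissions, index_key)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return store_key_once(resp.read(), key_path)
```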