Sites & Organisation

Users

A User represents a user of the Trybe platform.

get/api-users

Create a new API user (a non-human account intended to authenticate integrations) within the caller's organisation. The new user is attached to the supplied site_id, given the organisation's default API role, has their email pre-verified, and is issued a personal access token in the response — store it securely because Trybe will never return it again.

Requires the caller's site-user to hold the users:manage permission on the target site. The name must be unique across API users in the organisation.

Request body

namestringrequired
Human-readable label for the API user. Shown in the API users list and recorded against audit-log entries so operators can identify which integration made a change. Pick something descriptive like "Mailchimp sync" or "POS terminal 3". Must be unique across API users in the organisation.
site_iduuidrequired
Identifier of the site to attach the new API user to. The caller must hold the users:manage permission on this site; the user inherits the organisation that owns the site. Additional sites can be granted later by an organisation admin.

Responses

200
A newly created API user, including the access token. The token field is only returned on the create response — it is not persisted by Trybe in a retrievable form, so store it securely as soon as you receive it.
401
The user is unauthenticated
403
The authenticated user does not have permission.
422
The request didn't pass validation

curl -X POST "https://api.playground.try.be/api-users" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
  "name": "Mailchimp sync",
  "site_id": "00000000-0000-0000-0000-000000000000"
}'

const response = await fetch('https://api.playground.try.be/api-users', {
  method: 'POST',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json',
    Accept: 'application/json',
  },
  body: JSON.stringify({
    "name": "Mailchimp sync",
    "site_id": "00000000-0000-0000-0000-000000000000"
  }),
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.post(
    "https://api.playground.try.be/api-users",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
        "Content-Type": "application/json",
    },
    json={
        "name": "Mailchimp sync",
        "site_id": "00000000-0000-0000-0000-000000000000"
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('POST', 'https://api.playground.try.be/api-users', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
        'Content-Type' => 'application/json',
    ],
    'json' => [
            'name' => 'Mailchimp sync',
            'site_id' => '00000000-0000-0000-0000-000000000000'
        ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload, _ := json.Marshal(map[string]interface{}{
		"name": "Mailchimp sync",
		"site_id": "00000000-0000-0000-0000-000000000000",
	})
	req, _ := http.NewRequest("POST", "https://api.playground.try.be/api-users", bytes.NewBuffer(payload))
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

A newly created API user, including the access token. The `token` field is only returned on the create response — it is not persisted by Trybe in a retrievable form, so store it securely as soon as you receive it.

{
  "data": {
    "id": "00000000-0000-0000-0000-000000000000",
    "name": "Internal",
    "organisation_name": "Trybe Spa",
    "organisation_id": "00000000-0000-0000-0000-000000000000",
    "site_ids": [
      "00000000-0000-0000-0000-000000000000"
    ],
    "status": "active",
    "created_at": "2020-01-01T00:00:00.000Z",
    "updated_at": "2020-01-01T00:00:00.000Z",
    "token": "eyABCDEFGHIJKLMNOPQRSTUVWXYZ12345678910ABCDEFGHIJKLMNOPQRSTUVWXYZx.eyABCDEFGHIJKLMNOPQRSTUVWXYZ12345678910ABCDEFGHIJKLMNOPQRSTUVWXYZx.ABCDEFGHIJKLMNOPQRSTUVWXYZ12345678910ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  }
}

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "errors": {},
  "message": "The request didn't pass validation"
}

get/api-users/{userId}

Get an API user

getApiUser

This endpoint retrieves an API user in Trybe

Path parameters

userIduuidrequired
The ID of the user

Responses

200
An API User
401
The user is unauthenticated
404
The resource couldn't be found

curl "https://api.playground.try.be/api-users/00000000-0000-0000-0000-000000000000" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/api-users/00000000-0000-0000-0000-000000000000', {
  method: 'GET',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.get(
    "https://api.playground.try.be/api-users/00000000-0000-0000-0000-000000000000",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://api.playground.try.be/api-users/00000000-0000-0000-0000-000000000000', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "https://api.playground.try.be/api-users/00000000-0000-0000-0000-000000000000", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

An API User

{
  "data": {
    "id": "00000000-0000-0000-0000-000000000000",
    "name": "Internal",
    "organisation_name": "Trybe Spa",
    "organisation_id": "00000000-0000-0000-0000-000000000000",
    "site_ids": [
      "00000000-0000-0000-0000-000000000000"
    ],
    "status": "active",
    "created_at": "2020-01-01T00:00:00.000Z",
    "updated_at": "2020-01-01T00:00:00.000Z"
  }
}

{
  "message": "Unauthenticated"
}

{
  "message": "The requested resource could not be found"
}

put/api-users/{userId}

Update an API user

updateApiUser

Rename an existing API user. The user's site memberships, roles and access token are left unchanged — only the human-readable label is updated. The new name must remain unique across API users in the organisation.

Requires the caller's site-user to hold the users:manage permission on a site that the API user belongs to.

Path parameters

userIduuidrequired
The ID of the user

Request body

namestringrequired
New human-readable label for the API user. Must be unique across API users in the organisation.
site_iduuidrequired
Identifier of the API user's primary site. Used to validate uniqueness of name within the owning organisation; the user's existing site memberships are not changed by this field.

Responses

200
An API User
401
The user is unauthenticated
403
The authenticated user does not have permission.
404
The resource couldn't be found
422
The request didn't pass validation

curl -X PUT "https://api.playground.try.be/api-users/00000000-0000-0000-0000-000000000000" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
  "name": "Mailchimp sync (production)",
  "site_id": "00000000-0000-0000-0000-000000000000"
}'

const response = await fetch('https://api.playground.try.be/api-users/00000000-0000-0000-0000-000000000000', {
  method: 'PUT',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json',
    Accept: 'application/json',
  },
  body: JSON.stringify({
    "name": "Mailchimp sync (production)",
    "site_id": "00000000-0000-0000-0000-000000000000"
  }),
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.put(
    "https://api.playground.try.be/api-users/00000000-0000-0000-0000-000000000000",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
        "Content-Type": "application/json",
    },
    json={
        "name": "Mailchimp sync (production)",
        "site_id": "00000000-0000-0000-0000-000000000000"
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('PUT', 'https://api.playground.try.be/api-users/00000000-0000-0000-0000-000000000000', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
        'Content-Type' => 'application/json',
    ],
    'json' => [
            'name' => 'Mailchimp sync (production)',
            'site_id' => '00000000-0000-0000-0000-000000000000'
        ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload, _ := json.Marshal(map[string]interface{}{
		"name": "Mailchimp sync (production)",
		"site_id": "00000000-0000-0000-0000-000000000000",
	})
	req, _ := http.NewRequest("PUT", "https://api.playground.try.be/api-users/00000000-0000-0000-0000-000000000000", bytes.NewBuffer(payload))
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

An API User

{
  "data": {
    "id": "00000000-0000-0000-0000-000000000000",
    "name": "Internal",
    "organisation_name": "Trybe Spa",
    "organisation_id": "00000000-0000-0000-0000-000000000000",
    "site_ids": [
      "00000000-0000-0000-0000-000000000000"
    ],
    "status": "active",
    "created_at": "2020-01-01T00:00:00.000Z",
    "updated_at": "2020-01-01T00:00:00.000Z"
  }
}

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "message": "The requested resource could not be found"
}

{
  "errors": {},
  "message": "The request didn't pass validation"
}

delete/api-users/{userId}

Delete an API user

deleteApiUser

Permanently delete an API user and invalidate any access tokens issued to them. Use this when an integration is retired or its credentials are believed to be compromised.

Requires the caller's site-user to hold the users:manage permission on a site that the API user belongs to. The operation cannot be undone.

Path parameters

userIduuidrequired
The ID of the user

Responses

204
The API user was deleted.
401
The user is unauthenticated
403
The authenticated user does not have permission.
404
The resource couldn't be found

curl -X DELETE "https://api.playground.try.be/api-users/00000000-0000-0000-0000-000000000000" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/api-users/00000000-0000-0000-0000-000000000000', {
  method: 'DELETE',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.delete(
    "https://api.playground.try.be/api-users/00000000-0000-0000-0000-000000000000",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('DELETE', 'https://api.playground.try.be/api-users/00000000-0000-0000-0000-000000000000', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("DELETE", "https://api.playground.try.be/api-users/00000000-0000-0000-0000-000000000000", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

The API user was deleted.

// empty response

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "message": "The requested resource could not be found"
}

get/users

Get all users

listAllUsers

Use this endpoint to retrieve all users

Query parameters

pageintegeroptional
The page to retrieve results from
per_pageintegeroptional
The number of results to return per page
site_idstringoptional
Filter results by the site they belong to
organisation_iduuidoptional
Filter users by the organisation they belong to
sortstringoptional
The field to order results by.
querystringoptional
Filter users by their name or email
twofa_enabledbooleanoptional
Filter users according to whether they have two-factor authentication enabled.
twofa_disabledbooleanoptional
Filter users according to whether they do not shave two-factor authentication enabled.
managed_by_ssobooleanoptional
Filter users according to whether they are managed by SSO.
not_managed_by_ssobooleanoptional
Filter users according to whether they are not managed by SSO.
include_inactivebooleanoptional
Filter users according to whether they are active or not.

Responses

200
A list of users
401
The user is unauthenticated

curl "https://api.playground.try.be/users" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/users', {
  method: 'GET',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.get(
    "https://api.playground.try.be/users",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://api.playground.try.be/users', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "https://api.playground.try.be/users", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

A list of users

{
  "links": {
    "first": "http://example.com?page=1",
    "next": "https://example.com?page=3",
    "prev": "https://example.com?page=1",
    "last": "https://example.com?page=4"
  },
  "meta": {
    "from": 1,
    "to": 2,
    "total": 2,
    "current_page": 1,
    "last_page": 2,
    "per_page": 15,
    "path": "http://example.com/api"
  },
  "data": [
    {
      "id": "5e1e3f6c-2a44-4f6e-8c61-9c1f7d2e1c11",
      "name": "John Smith",
      "given_name": "John",
      "family_name": "Smith",
      "email": "john.smith@example.com",
      "email_verified": true,
      "organisation_id": "9c3ad1e2-2d1b-4f4f-9e07-6d6c4f3a2b1a",
      "organisation_name": "Trybe Spa Group",
      "site_ids": [
        "00000000-0000-0000-0000-000000000000"
      ],
      "avatar_id": "7d2a1f9c-5b3e-4d8c-9f0a-2c4e6f8b1d3a",
      "avatar": {
        "id": "00000000-0000-0000-0000-000000000000",
        "file_name": "super-cool-photo.jpg",
        "mime_type": "image/jpeg",
        "original_url": "https://example.com/media/super-cool-photo.jpg",
        "size": 84256,
        "url": "https://example.com/media/super-cool-photo-thumbnail@2x.jpg"
      },
      "cashier_id": "cashier-042",
      "status": "active",
      "2fa_enabled": true,
      "twofa_enabled": true,
      "created_at": "2020-01-01T00:00:00.000Z",
      "updated_at": "2020-01-01T00:00:00.000Z",
      "managed_by_sso": true,
      "whitelisted_internal_user": false
    }
  ]
}

{
  "message": "Unauthenticated"
}

post/users

Create a new user

createUser

This endpoint creates a new user in Trybe

Request body

emailemailrequired
The email address of the user
first_namestringrequired
The user's given name. Shown in the admin UI alongside the surname and used in notification templates as the personalised greeting.
last_namestringrequired
The user's surname. Combined with first_name to display a full name in admin lists and email footers.
organisation_iduuidoptional
Identifier of the organisation to scope this user's access to. The caller must have organisation-admin permissions on this organisation; the user will only see sites that belong to it.
cashier_iduuidoptional
Identifier of the cashier record this user is linked to. Cashier IDs map operator activity (sales, refunds, till opens) back to a real person for reporting and audit.

Responses

200
A User
401
The user is unauthenticated
403
The authenticated user does not have permission.
422
The request didn't pass validation

curl -X POST "https://api.playground.try.be/users" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
  "email": "guest@example.com",
  "first_name": "Dan",
  "last_name": "Smith",
  "organisation_id": "00000000-0000-0000-0000-000000000000",
  "cashier_id": "00000000-0000-0000-0000-000000000000"
}'

const response = await fetch('https://api.playground.try.be/users', {
  method: 'POST',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json',
    Accept: 'application/json',
  },
  body: JSON.stringify({
    "email": "guest@example.com",
    "first_name": "Dan",
    "last_name": "Smith",
    "organisation_id": "00000000-0000-0000-0000-000000000000",
    "cashier_id": "00000000-0000-0000-0000-000000000000"
  }),
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.post(
    "https://api.playground.try.be/users",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
        "Content-Type": "application/json",
    },
    json={
        "email": "guest@example.com",
        "first_name": "Dan",
        "last_name": "Smith",
        "organisation_id": "00000000-0000-0000-0000-000000000000",
        "cashier_id": "00000000-0000-0000-0000-000000000000"
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('POST', 'https://api.playground.try.be/users', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
        'Content-Type' => 'application/json',
    ],
    'json' => [
            'email' => 'guest@example.com',
            'first_name' => 'Dan',
            'last_name' => 'Smith',
            'organisation_id' => '00000000-0000-0000-0000-000000000000',
            'cashier_id' => '00000000-0000-0000-0000-000000000000'
        ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload, _ := json.Marshal(map[string]interface{}{
		"email": "guest@example.com",
		"first_name": "Dan",
		"last_name": "Smith",
		"organisation_id": "00000000-0000-0000-0000-000000000000",
		"cashier_id": "00000000-0000-0000-0000-000000000000",
	})
	req, _ := http.NewRequest("POST", "https://api.playground.try.be/users", bytes.NewBuffer(payload))
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

A User

{
  "data": {
    "id": "5e1e3f6c-2a44-4f6e-8c61-9c1f7d2e1c11",
    "name": "John Smith",
    "given_name": "John",
    "family_name": "Smith",
    "email": "john.smith@example.com",
    "email_verified": true,
    "organisation_id": "9c3ad1e2-2d1b-4f4f-9e07-6d6c4f3a2b1a",
    "organisation_name": "Trybe Spa Group",
    "site_ids": [
      "00000000-0000-0000-0000-000000000000"
    ],
    "avatar_id": "7d2a1f9c-5b3e-4d8c-9f0a-2c4e6f8b1d3a",
    "avatar": {
      "id": "00000000-0000-0000-0000-000000000000",
      "file_name": "super-cool-photo.jpg",
      "mime_type": "image/jpeg",
      "original_url": "https://example.com/media/super-cool-photo.jpg",
      "size": 84256,
      "url": "https://example.com/media/super-cool-photo-thumbnail@2x.jpg"
    },
    "cashier_id": "cashier-042",
    "status": "active",
    "2fa_enabled": true,
    "twofa_enabled": true,
    "created_at": "2020-01-01T00:00:00.000Z",
    "updated_at": "2020-01-01T00:00:00.000Z",
    "managed_by_sso": true,
    "whitelisted_internal_user": false
  }
}

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "errors": {},
  "message": "The request didn't pass validation"
}

get/users/{userId}

Get a user

getUser

Use this endpoint to retrieve a user.

Path parameters

userIduuidrequired
The ID of the user

Responses

200
A User
401
The user is unauthenticated
404
The resource couldn't be found

curl "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000', {
  method: 'GET',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.get(
    "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

A User

{
  "data": {
    "id": "5e1e3f6c-2a44-4f6e-8c61-9c1f7d2e1c11",
    "name": "John Smith",
    "given_name": "John",
    "family_name": "Smith",
    "email": "john.smith@example.com",
    "email_verified": true,
    "organisation_id": "9c3ad1e2-2d1b-4f4f-9e07-6d6c4f3a2b1a",
    "organisation_name": "Trybe Spa Group",
    "site_ids": [
      "00000000-0000-0000-0000-000000000000"
    ],
    "avatar_id": "7d2a1f9c-5b3e-4d8c-9f0a-2c4e6f8b1d3a",
    "avatar": {
      "id": "00000000-0000-0000-0000-000000000000",
      "file_name": "super-cool-photo.jpg",
      "mime_type": "image/jpeg",
      "original_url": "https://example.com/media/super-cool-photo.jpg",
      "size": 84256,
      "url": "https://example.com/media/super-cool-photo-thumbnail@2x.jpg"
    },
    "cashier_id": "cashier-042",
    "status": "active",
    "2fa_enabled": true,
    "twofa_enabled": true,
    "created_at": "2020-01-01T00:00:00.000Z",
    "updated_at": "2020-01-01T00:00:00.000Z",
    "managed_by_sso": true,
    "whitelisted_internal_user": false
  }
}

{
  "message": "Unauthenticated"
}

{
  "message": "The requested resource could not be found"
}

put/users/{userId}

Update a user

updateUser

This endpoint updates an API user in Trybe

Path parameters

userIduuidrequired
The ID of the user

Request body

emailemailoptional
The email address of the user
first_namestringoptional
The user's given name. Shown in the admin UI alongside the surname and used in notification templates as the personalised greeting.
last_namestringoptional
The user's surname. Combined with first_name to display a full name in admin lists and email footers.
organisation_iduuidoptional
Identifier of the organisation to scope this user's access to. The caller must have organisation-admin permissions on this organisation; the user will only see sites that belong to it.
cashier_iduuidoptional
Identifier of the cashier record this user is linked to. Cashier IDs map operator activity (sales, refunds, till opens) back to a real person for reporting and audit.
site_idsstring[]optional
The IDs of the sites to add the user to

Responses

200
A User
401
The user is unauthenticated
403
The authenticated user does not have permission.
404
The resource couldn't be found
422
The request didn't pass validation

curl -X PUT "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
  "email": "guest@example.com",
  "first_name": "Dan",
  "last_name": "Smith",
  "organisation_id": "00000000-0000-0000-0000-000000000000",
  "cashier_id": "00000000-0000-0000-0000-000000000000",
  "site_ids": [
    "00000000-0000-0000-0000-000000000000"
  ]
}'

const response = await fetch('https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000', {
  method: 'PUT',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json',
    Accept: 'application/json',
  },
  body: JSON.stringify({
    "email": "guest@example.com",
    "first_name": "Dan",
    "last_name": "Smith",
    "organisation_id": "00000000-0000-0000-0000-000000000000",
    "cashier_id": "00000000-0000-0000-0000-000000000000",
    "site_ids": [
      "00000000-0000-0000-0000-000000000000"
    ]
  }),
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.put(
    "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
        "Content-Type": "application/json",
    },
    json={
        "email": "guest@example.com",
        "first_name": "Dan",
        "last_name": "Smith",
        "organisation_id": "00000000-0000-0000-0000-000000000000",
        "cashier_id": "00000000-0000-0000-0000-000000000000",
        "site_ids": [
            "00000000-0000-0000-0000-000000000000"
        ]
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('PUT', 'https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
        'Content-Type' => 'application/json',
    ],
    'json' => [
            'email' => 'guest@example.com',
            'first_name' => 'Dan',
            'last_name' => 'Smith',
            'organisation_id' => '00000000-0000-0000-0000-000000000000',
            'cashier_id' => '00000000-0000-0000-0000-000000000000',
            'site_ids' => [
                '00000000-0000-0000-0000-000000000000'
            ]
        ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload, _ := json.Marshal(map[string]interface{}{
		"email": "guest@example.com",
		"first_name": "Dan",
		"last_name": "Smith",
		"organisation_id": "00000000-0000-0000-0000-000000000000",
		"cashier_id": "00000000-0000-0000-0000-000000000000",
		"site_ids": []interface{}{
			"00000000-0000-0000-0000-000000000000",
		},
	})
	req, _ := http.NewRequest("PUT", "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000", bytes.NewBuffer(payload))
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

A User

{
  "data": {
    "id": "5e1e3f6c-2a44-4f6e-8c61-9c1f7d2e1c11",
    "name": "John Smith",
    "given_name": "John",
    "family_name": "Smith",
    "email": "john.smith@example.com",
    "email_verified": true,
    "organisation_id": "9c3ad1e2-2d1b-4f4f-9e07-6d6c4f3a2b1a",
    "organisation_name": "Trybe Spa Group",
    "site_ids": [
      "00000000-0000-0000-0000-000000000000"
    ],
    "avatar_id": "7d2a1f9c-5b3e-4d8c-9f0a-2c4e6f8b1d3a",
    "avatar": {
      "id": "00000000-0000-0000-0000-000000000000",
      "file_name": "super-cool-photo.jpg",
      "mime_type": "image/jpeg",
      "original_url": "https://example.com/media/super-cool-photo.jpg",
      "size": 84256,
      "url": "https://example.com/media/super-cool-photo-thumbnail@2x.jpg"
    },
    "cashier_id": "cashier-042",
    "status": "active",
    "2fa_enabled": true,
    "twofa_enabled": true,
    "created_at": "2020-01-01T00:00:00.000Z",
    "updated_at": "2020-01-01T00:00:00.000Z",
    "managed_by_sso": true,
    "whitelisted_internal_user": false
  }
}

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "message": "The requested resource could not be found"
}

{
  "errors": {},
  "message": "The request didn't pass validation"
}

delete/users/{userId}

Delete a user

deleteUser

This endpoint deletes a user in Trybe

Path parameters

userIduuidrequired
The ID of the user

Responses

204
No content
401
The user is unauthenticated
403
The authenticated user does not have permission.
404
The resource couldn't be found

curl -X DELETE "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000', {
  method: 'DELETE',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.delete(
    "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('DELETE', 'https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("DELETE", "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

No content

// empty response

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "message": "The requested resource could not be found"
}

get/users/{userId}/site-roles

Retrieve User Roles

listUserSiteRoles

Use this endpoint to retrieve all the Roles a User has.

Path parameters

userIduuidrequired
The ID of the user

Responses

200
Roles were successfully retrieved.
401
The user is unauthenticated
403
The authenticated user does not have permission.
404
The resource couldn't be found

curl "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/site-roles" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/site-roles', {
  method: 'GET',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.get(
    "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/site-roles",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/site-roles', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/site-roles", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

Roles were successfully retrieved.

{
  "data": [
    {
      "permissions": [
        "users.view"
      ],
      "role": {
        "id": "beddda88-947d-4bd8-8f0c-828b187f93b2",
        "name": "Therapist",
        "description": "Therapists have read-only access to the system. This should be used to give users basic access to clients and reservations.",
        "organisation_id": "beddda88-947d-4bd8-8f0c-828b187f93b2"
      },
      "role_id": "00000000-0000-0000-0000-000000000000",
      "site": {
        "id": "00000000-0000-0000-0000-111111111111",
        "name": "Top Spa",
        "frontend_subdomain": "topspa",
        "currency": "gbp",
        "timezone": "Europe/London",
        "locale": "en",
        "country_code": "GB",
        "external_id": "GBSPA1",
        "organisation_id": "00000000-0000-0000-0000-000000000000",
        "organisation_name": "Palm Tree Group Ltd.",
        "is_read_only": true,
        "created_at": "2023-05-24 12:00:00"
      },
      "site_id": "00000000-0000-0000-0000-000000000000"
    }
  ]
}

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "message": "The requested resource could not be found"
}

put/users/{userId}/site-roles

Assign User to Role

actionAssignUserSiteRole

Use this endpoint to assign a Role to a User.

Path parameters

userIduuidrequired
The ID of the user

Request body

site_idstringrequired
Identifier of the site to grant the role at. Site roles scope permissions to a single site; the user only receives the role's permissions when acting on this site. The caller's API key must have access to it.
role_idstringrequired
Identifier of the role to assign. The role's permissions apply only when the user is operating in the context of the specified site_id.

Responses

201
The role was successfully assigned.
401
The user is unauthenticated
403
The authenticated user does not have permission.
404
The resource couldn't be found
422
The request didn't pass validation

curl -X PUT "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/site-roles" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
  "site_id": "beddda88-947d-4bd8-8f0c-828b187f93b2",
  "role_id": "beddda88-947d-4bd8-8f0c-828b187f93b3"
}'

const response = await fetch('https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/site-roles', {
  method: 'PUT',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json',
    Accept: 'application/json',
  },
  body: JSON.stringify({
    "site_id": "beddda88-947d-4bd8-8f0c-828b187f93b2",
    "role_id": "beddda88-947d-4bd8-8f0c-828b187f93b3"
  }),
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.put(
    "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/site-roles",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
        "Content-Type": "application/json",
    },
    json={
        "site_id": "beddda88-947d-4bd8-8f0c-828b187f93b2",
        "role_id": "beddda88-947d-4bd8-8f0c-828b187f93b3"
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('PUT', 'https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/site-roles', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
        'Content-Type' => 'application/json',
    ],
    'json' => [
            'site_id' => 'beddda88-947d-4bd8-8f0c-828b187f93b2',
            'role_id' => 'beddda88-947d-4bd8-8f0c-828b187f93b3'
        ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload, _ := json.Marshal(map[string]interface{}{
		"site_id": "beddda88-947d-4bd8-8f0c-828b187f93b2",
		"role_id": "beddda88-947d-4bd8-8f0c-828b187f93b3",
	})
	req, _ := http.NewRequest("PUT", "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/site-roles", bytes.NewBuffer(payload))
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

The role was successfully assigned.

// empty response

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "message": "The requested resource could not be found"
}

{
  "errors": {},
  "message": "The request didn't pass validation"
}

delete/users/{userId}/site-roles

Unassign User from Role

deleteUserSiteRole

Use this endpoint to remove a Role from a User.

Path parameters

userIduuidrequired
The ID of the user

Request body

site_idstringrequired
Identifier of the site from which the role should be removed. Only the assignment at this site is revoked; the user's roles at other sites are unaffected.
role_idstringrequired
Identifier of the role to revoke. Must match a role currently assigned to the user at the given site_id; no-op if the user does not hold this role at this site.

Responses

204
The role was successfully removed.
400
The request didn't pass validation
401
The user is unauthenticated
403
The authenticated user does not have permission.
404
The resource couldn't be found
422
The request didn't pass validation

curl -X DELETE "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/site-roles" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
  "site_id": "beddda88-947d-4bd8-8f0c-828b187f93b2",
  "role_id": "beddda88-947d-4bd8-8f0c-828b187f93b3"
}'

const response = await fetch('https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/site-roles', {
  method: 'DELETE',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json',
    Accept: 'application/json',
  },
  body: JSON.stringify({
    "site_id": "beddda88-947d-4bd8-8f0c-828b187f93b2",
    "role_id": "beddda88-947d-4bd8-8f0c-828b187f93b3"
  }),
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.delete(
    "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/site-roles",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
        "Content-Type": "application/json",
    },
    json={
        "site_id": "beddda88-947d-4bd8-8f0c-828b187f93b2",
        "role_id": "beddda88-947d-4bd8-8f0c-828b187f93b3"
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('DELETE', 'https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/site-roles', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
        'Content-Type' => 'application/json',
    ],
    'json' => [
            'site_id' => 'beddda88-947d-4bd8-8f0c-828b187f93b2',
            'role_id' => 'beddda88-947d-4bd8-8f0c-828b187f93b3'
        ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload, _ := json.Marshal(map[string]interface{}{
		"site_id": "beddda88-947d-4bd8-8f0c-828b187f93b2",
		"role_id": "beddda88-947d-4bd8-8f0c-828b187f93b3",
	})
	req, _ := http.NewRequest("DELETE", "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/site-roles", bytes.NewBuffer(payload))
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

The role was successfully removed.

// empty response

{
  "errors": {},
  "message": "The request didn't pass validation"
}

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "message": "The requested resource could not be found"
}

{
  "errors": {},
  "message": "The request didn't pass validation"
}

get/users/{userId}/sites

Get a user's Sites

getUserSites

Use this endpoint to get a user's Sites

Path parameters

userIduuidrequired
The ID of the user

Responses

200
The user's sites were successfully retrieved
401
The user is unauthenticated
404
The resource couldn't be found

curl "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/sites" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/sites', {
  method: 'GET',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.get(
    "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/sites",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/sites', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/sites", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

The user's sites were successfully retrieved

{
  "data": [
    {
      "id": "00000000-0000-0000-0000-000000000000",
      "billing_customer_id": "00000000-0000-0000-0000-000000000000",
      "brand_id": "00000000-0000-0000-0000-000000000000",
      "brand_name": "string",
      "country_code": "GB",
      "created_at": "2026-01-15T09:30:00+00:00",
      "onboarding_completed_at": "2026-01-15T09:30:00+00:00",
      "currency": "GBP",
      "external_id": "ext-site-london-bridge",
      "frontend_subdomain": "palmtreespa",
      "is_read_only": true,
      "locale": "en",
      "name": "Palm Tree Spa",
      "organisation_id": "00000000-0000-0000-0000-000000000000",
      "organisation_name": "Palm Tree Holdings Ltd.",
      "timezone": "Europe/London"
    }
  ]
}

{
  "message": "Unauthenticated"
}

{
  "message": "The requested resource could not be found"
}

get/shop/my-notification-config

Get the authenticated user's notification config

getMyNotificationConfig

Returns the authenticated user's per-site automated-report subscription state. Today this only exposes the end-of-day summary preference — whether the calling user is currently a recipient of the daily end-of-day email for the site.

The site is resolved from the request authentication context; no site_id query parameter is required. Sub-resources under /shop/my-notification-config toggle individual subscriptions.

Responses

200
The authenticated user's notification config.
401
The user is unauthenticated
403
The authenticated user does not have permission.

curl "https://api.playground.try.be/shop/my-notification-config" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/shop/my-notification-config', {
  method: 'GET',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.get(
    "https://api.playground.try.be/shop/my-notification-config",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://api.playground.try.be/shop/my-notification-config', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "https://api.playground.try.be/shop/my-notification-config", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

The authenticated user's notification config.

{
  "data": {
    "automated_reports": {
      "end_of_day_summary": true
    }
  }
}

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

post/shop/my-notification-config/end-of-day-summary

Subscribe to the end-of-day summary

createMyEndOfDaySummarySubscription

Adds the authenticated user as a recipient of the site's end-of-day summary email — the daily wrap-up report sent to subscribed operators after close of business.

Calls are idempotent: re-subscribing an already-subscribed user is a no-op and still returns 204 No Content. The site is resolved from the request authentication context.

Responses

204
The user is now subscribed to the end-of-day summary.
401
The user is unauthenticated
403
The authenticated user does not have permission.

curl -X POST "https://api.playground.try.be/shop/my-notification-config/end-of-day-summary" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/shop/my-notification-config/end-of-day-summary', {
  method: 'POST',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.post(
    "https://api.playground.try.be/shop/my-notification-config/end-of-day-summary",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('POST', 'https://api.playground.try.be/shop/my-notification-config/end-of-day-summary', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("POST", "https://api.playground.try.be/shop/my-notification-config/end-of-day-summary", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

The user is now subscribed to the end-of-day summary.

// empty response

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

delete/shop/my-notification-config/end-of-day-summary

Unsubscribe from the end-of-day summary

deleteMyEndOfDaySummarySubscription

Removes the authenticated user from the site's end-of-day summary email recipients. Calls are idempotent: unsubscribing a user who isn't subscribed is a no-op and still returns 204 No Content. The site is resolved from the request authentication context.

Responses

204
The user is no longer subscribed to the end-of-day summary.
401
The user is unauthenticated
403
The authenticated user does not have permission.

curl -X DELETE "https://api.playground.try.be/shop/my-notification-config/end-of-day-summary" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/shop/my-notification-config/end-of-day-summary', {
  method: 'DELETE',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.delete(
    "https://api.playground.try.be/shop/my-notification-config/end-of-day-summary",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('DELETE', 'https://api.playground.try.be/shop/my-notification-config/end-of-day-summary', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("DELETE", "https://api.playground.try.be/shop/my-notification-config/end-of-day-summary", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

The user is no longer subscribed to the end-of-day summary.

// empty response

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

get/personal-access-tokens

Get the personal access tokens for the authenticated user

listPersonalAccessTokens

Returns metadata for every personal-access token issued to the currently authenticated user. The raw token values are never returned by this endpoint — use the token IDs together with deletePersonalAccessToken to revoke a token, or createPersonalAccessToken to issue a new one.

Responses

200
A list of personal access tokens
401
The user is unauthenticated

curl "https://api.playground.try.be/personal-access-tokens" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/personal-access-tokens', {
  method: 'GET',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.get(
    "https://api.playground.try.be/personal-access-tokens",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://api.playground.try.be/personal-access-tokens', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "https://api.playground.try.be/personal-access-tokens", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

A list of personal access tokens

[
  {
    "id": "27ebb191b5f4f2024b0c5671e580d6de2b03f6c48259753b01976807a14eb41e05f0b7def4593f5a",
    "name": "Salesforce",
    "created_at": "2019-01-15T11:00:00.000Z"
  }
]

{
  "message": "Unauthenticated"
}

post/personal-access-tokens

Create a personal access token for the authenticated user

createPersonalAccessToken

Issues a new personal-access token for the currently authenticated user. The raw token value is included in the response; subsequent reads will only expose the metadata. Treat the response as sensitive.

Request body

idstringoptional
Stable identifier for the personal-access token. Use this to revoke the token later via deletePersonalAccessToken. The ID is safe to log; the raw secret is only ever returned at creation as accessToken.
namestringrequired
A human-readable label for the token, used to distinguish it from other tokens issued to the same user.
created_atdate-timeoptional
The date and time the personal access token was created.

Responses

200
A newly issued personal access token
401
The user is unauthenticated
403
The authenticated user does not have permission.
422
The request didn't pass validation

curl -X POST "https://api.playground.try.be/personal-access-tokens" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
  "id": "27ebb191b5f4f2024b0c5671e580d6de2b03f6c48259753b01976807a14eb41e05f0b7def4593f5a",
  "name": "Salesforce",
  "created_at": "2019-01-15T11:00:00.000Z"
}'

const response = await fetch('https://api.playground.try.be/personal-access-tokens', {
  method: 'POST',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json',
    Accept: 'application/json',
  },
  body: JSON.stringify({
    "id": "27ebb191b5f4f2024b0c5671e580d6de2b03f6c48259753b01976807a14eb41e05f0b7def4593f5a",
    "name": "Salesforce",
    "created_at": "2019-01-15T11:00:00.000Z"
  }),
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.post(
    "https://api.playground.try.be/personal-access-tokens",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
        "Content-Type": "application/json",
    },
    json={
        "id": "27ebb191b5f4f2024b0c5671e580d6de2b03f6c48259753b01976807a14eb41e05f0b7def4593f5a",
        "name": "Salesforce",
        "created_at": "2019-01-15T11:00:00.000Z"
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('POST', 'https://api.playground.try.be/personal-access-tokens', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
        'Content-Type' => 'application/json',
    ],
    'json' => [
            'id' => '27ebb191b5f4f2024b0c5671e580d6de2b03f6c48259753b01976807a14eb41e05f0b7def4593f5a',
            'name' => 'Salesforce',
            'created_at' => '2019-01-15T11:00:00.000Z'
        ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload, _ := json.Marshal(map[string]interface{}{
		"id": "27ebb191b5f4f2024b0c5671e580d6de2b03f6c48259753b01976807a14eb41e05f0b7def4593f5a",
		"name": "Salesforce",
		"created_at": "2019-01-15T11:00:00.000Z",
	})
	req, _ := http.NewRequest("POST", "https://api.playground.try.be/personal-access-tokens", bytes.NewBuffer(payload))
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

A newly issued personal access token

{
  "token": {
    "id": "27ebb191b5f4f2024b0c5671e580d6de2b03f6c48259753b01976807a14eb41e05f0b7def4593f5a",
    "name": "Salesforce",
    "created_at": "2019-01-15T11:00:00.000Z"
  },
  "accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjVkYTRhZmEwNjUwZGQ2MDFiNzI2Mzc0YjVmMWM2MjgyIn0.eyJhdWQiOiI5M2MwMGY1NC04NjZhLTRiMjMtYWJiYi05MmFjY"
}

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "errors": {},
  "message": "The request didn't pass validation"
}

delete/personal-access-tokens/{tokenId}

Delete a personal access token for the authenticated user

deletePersonalAccessToken

Revokes a personal-access token issued to the currently authenticated user. The revocation takes effect immediately — any in-flight requests using the token will continue to succeed, but subsequent requests will be rejected.

Path parameters

tokenIdstringrequired
Stable identifier for the personal-access token. Only the user who owns the token (or an admin acting on their behalf) can read or revoke it. Use this to scope deletePersonalAccessToken calls to a specific token.

Responses

204
The personal access token was successfully deleted.
401
The user is unauthenticated
403
The authenticated user does not have permission.
404
The resource couldn't be found

curl -X DELETE "https://api.playground.try.be/personal-access-tokens/636314fa433bf39aeae79b031e5218b999968174ccabcd37a40a8a04614e3fd6a21f08385fee7d65" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/personal-access-tokens/636314fa433bf39aeae79b031e5218b999968174ccabcd37a40a8a04614e3fd6a21f08385fee7d65', {
  method: 'DELETE',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.delete(
    "https://api.playground.try.be/personal-access-tokens/636314fa433bf39aeae79b031e5218b999968174ccabcd37a40a8a04614e3fd6a21f08385fee7d65",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('DELETE', 'https://api.playground.try.be/personal-access-tokens/636314fa433bf39aeae79b031e5218b999968174ccabcd37a40a8a04614e3fd6a21f08385fee7d65', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("DELETE", "https://api.playground.try.be/personal-access-tokens/636314fa433bf39aeae79b031e5218b999968174ccabcd37a40a8a04614e3fd6a21f08385fee7d65", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

The personal access token was successfully deleted.

// empty response

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "message": "The requested resource could not be found"
}

get/user-options

Get all options for the current user

getCurrentUserOptions

Returns the stored UI preferences for the currently authenticated user. Options are an opaque key/value map — see the UserOptions schema for details.

Responses

200
A map of options for a user
400
The options could not be retrieved.
401
The user is unauthenticated

curl "https://api.playground.try.be/user-options" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/user-options', {
  method: 'GET',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.get(
    "https://api.playground.try.be/user-options",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://api.playground.try.be/user-options', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "https://api.playground.try.be/user-options", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

A map of options for a user

{
  "data": {}
}

// empty response

{
  "message": "Unauthenticated"
}

put/user-options

Update options for the current user

updateCurrentUserOptions

Replaces or extends the stored UI preferences for the currently authenticated user. The request body is merged with any existing options at the top level — keys that are not present in the request are left untouched, but nested objects are replaced wholesale.

Request body

No request body

Responses

200
A map of options for a user
401
The user is unauthenticated
403
The authenticated user does not have permission.
422
The request didn't pass validation

curl -X PUT "https://api.playground.try.be/user-options" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{}'

const response = await fetch('https://api.playground.try.be/user-options', {
  method: 'PUT',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json',
    Accept: 'application/json',
  },
  body: JSON.stringify({}),
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.put(
    "https://api.playground.try.be/user-options",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
        "Content-Type": "application/json",
    },
    json={

    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('PUT', 'https://api.playground.try.be/user-options', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
        'Content-Type' => 'application/json',
    ],
    'json' => [

        ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload, _ := json.Marshal(map[string]interface{}{

	})
	req, _ := http.NewRequest("PUT", "https://api.playground.try.be/user-options", bytes.NewBuffer(payload))
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

A map of options for a user

{
  "data": {}
}

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "errors": {},
  "message": "The request didn't pass validation"
}

post/user/confirmed-two-factor-authentication

Confirm 2FA enrolment for the authenticated user

actionConfirmCurrentUserTwoFactorAuthentication

Completes the two-factor-authentication enrolment flow by submitting the six-digit code from the user's authenticator app. Once confirmed, 2FA is active for subsequent logins.

Request body

codestringrequired
The 2FA code from the user's authenticator app.

Responses

200
2FA was successfully confirmed.
401
The user is unauthenticated
403
The authenticated user does not have permission.
422
The request didn't pass validation

curl -X POST "https://api.playground.try.be/user/confirmed-two-factor-authentication" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
  "code": "123456"
}'

const response = await fetch('https://api.playground.try.be/user/confirmed-two-factor-authentication', {
  method: 'POST',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json',
    Accept: 'application/json',
  },
  body: JSON.stringify({
    "code": "123456"
  }),
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.post(
    "https://api.playground.try.be/user/confirmed-two-factor-authentication",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
        "Content-Type": "application/json",
    },
    json={
        "code": "123456"
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('POST', 'https://api.playground.try.be/user/confirmed-two-factor-authentication', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
        'Content-Type' => 'application/json',
    ],
    'json' => [
            'code' => '123456'
        ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload, _ := json.Marshal(map[string]interface{}{
		"code": "123456",
	})
	req, _ := http.NewRequest("POST", "https://api.playground.try.be/user/confirmed-two-factor-authentication", bytes.NewBuffer(payload))
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

2FA was successfully confirmed.

{}

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "errors": {},
  "message": "The request didn't pass validation"
}

post/user/two-factor-authentication

Enable 2FA for the authenticated user

createCurrentUserTwoFactorAuthentication

Starts the two-factor-authentication enrolment flow for the currently authenticated user. The shared secret and QR code can be fetched via getCurrentUserTwoFactorQrCode / getCurrentUserTwoFactorSecretKey. The user must then confirm enrolment via actionConfirmCurrentUserTwoFactorAuthentication before 2FA is fully active.

Request body

No request body

Responses

200
2FA enrolment was successfully started.
401
The user is unauthenticated
403
The authenticated user does not have permission.
422
The request didn't pass validation

curl -X POST "https://api.playground.try.be/user/two-factor-authentication" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{}'

const response = await fetch('https://api.playground.try.be/user/two-factor-authentication', {
  method: 'POST',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json',
    Accept: 'application/json',
  },
  body: JSON.stringify({}),
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.post(
    "https://api.playground.try.be/user/two-factor-authentication",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
        "Content-Type": "application/json",
    },
    json={

    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('POST', 'https://api.playground.try.be/user/two-factor-authentication', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
        'Content-Type' => 'application/json',
    ],
    'json' => [

        ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload, _ := json.Marshal(map[string]interface{}{

	})
	req, _ := http.NewRequest("POST", "https://api.playground.try.be/user/two-factor-authentication", bytes.NewBuffer(payload))
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

2FA enrolment was successfully started.

{}

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "errors": {},
  "message": "The request didn't pass validation"
}

delete/user/two-factor-authentication

Disable 2FA for the authenticated user

deleteCurrentUserTwoFactorAuthentication

Removes the registered second factor for the currently authenticated user. The user can re-enrol later via createCurrentUserTwoFactorAuthentication.

Request body

No request body

Responses

200
2FA was successfully disabled.
401
The user is unauthenticated
403
The authenticated user does not have permission.
422
The request didn't pass validation

curl -X DELETE "https://api.playground.try.be/user/two-factor-authentication" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{}'

const response = await fetch('https://api.playground.try.be/user/two-factor-authentication', {
  method: 'DELETE',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json',
    Accept: 'application/json',
  },
  body: JSON.stringify({}),
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.delete(
    "https://api.playground.try.be/user/two-factor-authentication",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
        "Content-Type": "application/json",
    },
    json={

    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('DELETE', 'https://api.playground.try.be/user/two-factor-authentication', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
        'Content-Type' => 'application/json',
    ],
    'json' => [

        ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload, _ := json.Marshal(map[string]interface{}{

	})
	req, _ := http.NewRequest("DELETE", "https://api.playground.try.be/user/two-factor-authentication", bytes.NewBuffer(payload))
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

2FA was successfully disabled.

{}

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "errors": {},
  "message": "The request didn't pass validation"
}

get/user/two-factor-qr-code

Get the QR code for the authenticated user's 2FA enrolment

getCurrentUserTwoFactorQrCode

Returns a fresh QR code the user can scan with their authenticator app to register the shared secret. The QR code is returned both as an otpauth:// URL and as an inline SVG ready for embedding in HTML.

Responses

200
The QR code was successfully retrieved.
401
The user is unauthenticated

curl "https://api.playground.try.be/user/two-factor-qr-code" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/user/two-factor-qr-code', {
  method: 'GET',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.get(
    "https://api.playground.try.be/user/two-factor-qr-code",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://api.playground.try.be/user/two-factor-qr-code', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "https://api.playground.try.be/user/two-factor-qr-code", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

The QR code was successfully retrieved.

{
  "url": "otpauth://totp/Trybe:jane@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Trybe",
  "svg": "<svg></svg>"
}

{
  "message": "Unauthenticated"
}

get/user/two-factor-recovery-codes

Get the recovery codes for the authenticated user's 2FA

getCurrentUserTwoFactorRecoveryCodes

Returns the user's two-factor recovery codes — single-use codes the user can fall back to if they lose access to their authenticator app. Treat the response as sensitive; the codes should be displayed once and stored by the user offline.

Responses

200
The recovery codes were successfully retrieved.
401
The user is unauthenticated

curl "https://api.playground.try.be/user/two-factor-recovery-codes" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/user/two-factor-recovery-codes', {
  method: 'GET',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.get(
    "https://api.playground.try.be/user/two-factor-recovery-codes",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://api.playground.try.be/user/two-factor-recovery-codes', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "https://api.playground.try.be/user/two-factor-recovery-codes", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

The recovery codes were successfully retrieved.

[
  "string"
]

{
  "message": "Unauthenticated"
}

get/user/two-factor-secret-key

Get the secret key for the authenticated user's 2FA enrolment

getCurrentUserTwoFactorSecretKey

Returns the base32-encoded shared secret for the user's 2FA enrolment. Use this if the user is configuring their authenticator app by typing the secret in by hand rather than scanning the QR code returned by getCurrentUserTwoFactorQrCode.

Responses

200
The secret key was successfully retrieved.
401
The user is unauthenticated
404
The resource couldn't be found

curl "https://api.playground.try.be/user/two-factor-secret-key" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/user/two-factor-secret-key', {
  method: 'GET',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.get(
    "https://api.playground.try.be/user/two-factor-secret-key",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://api.playground.try.be/user/two-factor-secret-key', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "https://api.playground.try.be/user/two-factor-secret-key", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

The secret key was successfully retrieved.

{
  "secretKey": "JBSWY3DPEHPK3PXP"
}

{
  "message": "Unauthenticated"
}

{
  "message": "The requested resource could not be found"
}

post/users/{userId}/password-reset

Reset a user's password

actionResetUserPassword

Triggers a password-reset flow for the target user. The user receives an email containing a one-time link they can use to choose a new password. This endpoint does not return the new password and does not invalidate existing sessions until the reset link is followed.

Path parameters

userIduuidrequired
The ID of the user

Responses

200
The password reset was successfully triggered.
401
The user is unauthenticated
403
The authenticated user does not have permission.
404
The resource couldn't be found
422
The request didn't pass validation

curl -X POST "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/password-reset" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/password-reset', {
  method: 'POST',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.post(
    "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/password-reset",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('POST', 'https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/password-reset', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("POST", "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/password-reset", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

The password reset was successfully triggered.

{
  "message": "Success!"
}

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "message": "The requested resource could not be found"
}

{
  "errors": {},
  "message": "The request didn't pass validation"
}

delete/users/{userId}/two-factor-authentication

Disable 2FA for a user

deleteUserTwoFactorAuthentication

Administratively disables two-factor authentication for the target user, removing any registered authenticator and recovery codes. Use this when a user has lost access to their second factor and the caller has verified the user's identity through another channel.

Path parameters

userIduuidrequired
The ID of the user

Query parameters

site_iduuidrequired
The site id the action is being performed on.

Responses

204
2FA was successfully disabled for the user.
401
The user is unauthenticated
403
The authenticated user does not have permission.
404
The resource couldn't be found

curl -X DELETE "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/two-factor-authentication?site_id=00000000-0000-0000-0000-111111111111" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/two-factor-authentication?site_id=00000000-0000-0000-0000-111111111111', {
  method: 'DELETE',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.delete(
    "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/two-factor-authentication?site_id=00000000-0000-0000-0000-111111111111",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('DELETE', 'https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/two-factor-authentication?site_id=00000000-0000-0000-0000-111111111111', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("DELETE", "https://api.playground.try.be/users/00000000-0000-0000-0000-000000000000/two-factor-authentication?site_id=00000000-0000-0000-0000-111111111111", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

2FA was successfully disabled for the user.

// empty response

{
  "message": "Unauthenticated"
}

{
  "message": "This action is unauthorized."
}

{
  "message": "The requested resource could not be found"
}

get/token-info

Get the current bearer token info

getTokenInfo

Decode the bearer token used to make this request and return its standard JWT claims (aud, jti, iat, nbf, exp, sub). Useful as an introspection endpoint when a client needs to know when its token expires or which user the token is currently bound to without parsing the JWT itself.

The token is verified with Trybe's signing key before the claims are returned, so a successful response also confirms the token is currently valid. The response only includes the six claims listed above; custom claims and private extensions are intentionally stripped.

Responses

200
The decoded JWT claims for the caller's bearer token.
401
The user is unauthenticated

curl "https://api.playground.try.be/token-info" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/token-info', {
  method: 'GET',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.get(
    "https://api.playground.try.be/token-info",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://api.playground.try.be/token-info', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "https://api.playground.try.be/token-info", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

The decoded JWT claims for the caller's bearer token.

{
  "aud": "string",
  "jti": "string",
  "iat": 1,
  "nbf": 1,
  "exp": 1,
  "sub": "string"
}

{
  "message": "Unauthenticated"
}

get/customers/user

Get the current user

getCurrentUser

Returns the authenticated User derived from the bearer token on the request — i.e. a "whoami" probe for confirming credentials are valid and inspecting the caller's identity, organisation and site access.

Although the endpoint is mounted under the api-public middleware (no auth required for the route to resolve), the response body is meaningful only when a bearer token is supplied — without one, the body is null. Use this in clients that need to test "is my token still good?" without committing to a heavier authenticated request.

Responses

200
The current user, or null if the request is unauthenticated.

curl "https://api.playground.try.be/customers/user" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

const response = await fetch('https://api.playground.try.be/customers/user', {
  method: 'GET',
  headers: {
    Authorization: 'Bearer YOUR_API_KEY',
    Accept: 'application/json',
  },
})

if (!response.ok) {
  throw new Error(`Trybe API ${response.status}: ${await response.text()}`)
}

const data = await response.json()

import httpx

response = httpx.get(
    "https://api.playground.try.be/customers/user",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Accept": "application/json",
    },
)
response.raise_for_status()
data = response.json()

<?php

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://api.playground.try.be/customers/user', [
    'headers' => [
        'Authorization' => 'Bearer YOUR_API_KEY',
        'Accept' => 'application/json',
    ],
]);

$data = json_decode($response->getBody(), true);

package main

import (
	"encoding/json"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "https://api.playground.try.be/customers/user", nil)
	req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
	req.Header.Set("Accept", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	var data map[string]interface{}
	json.NewDecoder(resp.Body).Decode(&data)
}

The current user, or `null` if the request is unauthenticated.

{
  "id": "5e1e3f6c-2a44-4f6e-8c61-9c1f7d2e1c11",
  "name": "John Smith",
  "given_name": "John",
  "family_name": "Smith",
  "email": "john.smith@example.com",
  "email_verified": true,
  "organisation_id": "9c3ad1e2-2d1b-4f4f-9e07-6d6c4f3a2b1a",
  "organisation_name": "Trybe Spa Group",
  "site_ids": [
    "00000000-0000-0000-0000-000000000000"
  ],
  "avatar_id": "7d2a1f9c-5b3e-4d8c-9f0a-2c4e6f8b1d3a",
  "avatar": {
    "id": "00000000-0000-0000-0000-000000000000",
    "file_name": "super-cool-photo.jpg",
    "mime_type": "image/jpeg",
    "original_url": "https://example.com/media/super-cool-photo.jpg",
    "size": 84256,
    "url": "https://example.com/media/super-cool-photo-thumbnail@2x.jpg"
  },
  "cashier_id": "cashier-042",
  "status": "active",
  "2fa_enabled": true,
  "twofa_enabled": true,
  "created_at": "2020-01-01T00:00:00.000Z",
  "updated_at": "2020-01-01T00:00:00.000Z",
  "managed_by_sso": true,
  "whitelisted_internal_user": false
}