

Best flow for creating kinde user via api with admin role

Hello. I am using the kinde management api to automatically create new users when they are created in our own system. As far as I've understood, only m2m applications can access the kinde management api. What is the best flow for when a kinde user, autenticated with admin roles creates a user in our system, and the backend creates a kinde user on behalf of them. From what i can see I can't pass user information in the api for things like audit logs or role checks

6 comments

Big fan of the product you and the team have. I have a few too many charging apps installed for my car.

You're correct that Machine to Machine (M2M) applications are used to access the Kinde Management API. These M2M applications are secured through an initial exchange of each application's Client ID and Client Secret.

When it comes to creating users via the Kinde Management API, you're right that you can't directly pass user information like audit logs or role checks. The M2M application operates independently of the authenticated user in your system.

However, you can still create users via the API. Here's an example of how you might create a user using the Kinde Management API:

{
  "profile": {
    "first_name": "Uncatchable",
    "last_name": "Joeseptj"
  },
  "identities": [
    {
      "type": "email",
      "details": {
        "email": "evgeny+test3@gmail.com"
      }
    }
  ]
}


This request would be sent to the endpoint: `https://yourdomain.kinde.com/api/v1/user`. While you can't directly pass the authenticated user's information in the API call, you could potentially store this information in your own system's audit logs. You could log who initiated the user creation in your system, and then correlate this with the Kinde user creation.

As for role checks, roles and permissions in Kinde are typically managed at the organization level. After creating a user, you could use separate API calls to assign roles or permissions based on your system's logic.

It's important to note that the M2M application will need the appropriate scopes to perform these operations. For example, you'll need the create:users scope to create users.


An alternate option would be for you to record the metadata of who added the user as a property on their profile. https://docs.kinde.com/properties/work-with-properties/manage-properties/?r=search#_top
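The flow the answer describes, as an added example (not Kinde's code and not the poster's): the backend verifies the admin's own token, does the role check itself, exchanges the M2M app's client credentials for a Management API token, POSTs the body shown above to `/api/v1/user`, and writes the acting admin into its own audit log keyed by the user id Kinde returns, since the Kinde side only ever sees a neutral M2M actor. Assumptions: the token endpoint is `{domain}/oauth2/token` with `audience={domain}/api`, the create response carries an `id` field, the admin's roles arrive as a plain list extracted by your own middleware, and the HTTP transport is injected so the example runs offline against a constructed stand-in for Kinde.

```python
"""Create a Kinde user on an M2M token while keeping the acting admin in our audit trail."""
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class AuditEntry:
    """Who asked for the user, joined to the id Kinde returned."""
    actor_sub: str          # `sub` of the admin's verified access token
    action: str
    target_email: str
    kinde_user_id: str
    at: float = field(default_factory=time.time)


def urllib_transport(method, url, headers, body):
    """Real transport: one HTTPS request, JSON response."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


class KindeProvisioner:
    def __init__(self, domain: str, client_id: str, client_secret: str, transport=urllib_transport):
        self.domain = domain.rstrip("/")
        self.client_id, self.client_secret = client_id, client_secret
        self.transport = transport
        self.audit_log: List[AuditEntry] = []
        self._token: Optional[str] = None
        self._token_expiry = 0.0

    def _m2m_token(self) -> str:
        # Client credentials grant: the M2M app authenticates itself. Nothing
        # about the admin travels in this token, which is the gap the thread is about.
        if self._token and time.time() < self._token_expiry - 30:
            return self._token
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials", "client_id": self.client_id,
            "client_secret": self.client_secret, "audience": f"{self.domain}/api",  # assumed audience
        })
        status, body = self.transport("POST", f"{self.domain}/oauth2/token",
                                      {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self._token = body["access_token"]
        self._token_expiry = time.time() + int(body.get("expires_in", 3600))
        return self._token

    def create_user(self, actor: Dict[str, Any], first_name: str, last_name: str, email: str) -> AuditEntry:
        """`actor` is the claim set of the admin's token, already verified by our
        backend. The role check lives here: Kinde cannot do it for an M2M request."""
        if "admin" not in actor.get("roles", []):      # role list shape is an assumption
            raise PermissionError(f"{actor.get('sub')} lacks the admin role")
        payload = {"profile": {"first_name": first_name, "last_name": last_name},
                   "identities": [{"type": "email", "details": {"email": email}}]}
        status, body = self.transport("POST", f"{self.domain}/api/v1/user",
                                      {"Authorization": f"Bearer {self._m2m_token()}",
                                       "Content-Type": "application/json"}, json.dumps(payload))
        if status not in (200, 201) or "id" not in body:
            raise RuntimeError(f"user creation failed: HTTP {status} {body}")
        # Kinde's activity log shows a neutral M2M actor; our log keeps the human,
        # keyed by the Kinde user id so the two records can be joined later.
        entry = AuditEntry(actor["sub"], "kinde.user.create", email, body["id"])
        self.audit_log.append(entry)
        return entry


def fake_kinde_transport(method, url, headers, body):
    """Constructed stand-in for Kinde so the example runs offline."""
    if method == "POST" and url.endswith("/oauth2/token"):
        form = dict(urllib.parse.parse_qsl(body))
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        return 200, {"access_token": "constructed-m2m-token", "expires_in": 3600}
    if method == "POST" and url.endswith("/api/v1/user"):
        if headers.get("Authorization") != "Bearer constructed-m2m-token":
            return 401, {"error": "unauthorized"}
        email = json.loads(body)["identities"][0]["details"]["email"]
        return 201, {"id": "kp_constructed_" + email.split("@")[0], "created": True}
    return 404, {}


def demo() -> AuditEntry:
    """Constructed admin claims and a constructed new user, end to end."""
    prov = KindeProvisioner("https://yourdomain.kinde.com", "client-id", "client-secret",
                            transport=fake_kinde_transport)
    admin_claims = {"sub": "kp_admin_constructed", "roles": ["admin"]}
    return prov.create_user(admin_claims, "New", "User", "new.user@example.com")
```

In production pass no `transport` argument so `urllib_transport` is used, and feed `create_user` the claims your existing token-verification middleware already produced for the admin; the M2M app still needs the `create:users` scope granted in the Kinde dashboard.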

Hey, thanks for the shout out, we are doing our best! And right back at you, great software and developer experience all throughout!

Thanks for the detailed response. Yep, this is exactly what we are doing right now, an admin is authenticated in our own system based on roles, then on behalf of that user our backend uses its client credentials flow to create a user in kinde with the api you mentioned above. However this means we lose all end-user information in things like user activity.

What is the design decision of not giving kinde users access to parts of the management api? Is it just because that level of api-access is supposed to be administered by each customer and not Kinde? Perhaps there is something here we missed?

A small follow-up. If our backend is supposed to act as both an authentication flow starter and a Management API accessor, are we supposed to use two application credentials, one with M2M and one as "backend" type?

Thanks for explaining further.

Looking back on the conversation, a new end user added in your application via the Kinde API wouldn't have any audit log data yet as they wouldn't have authenticated yet. Maybe I'm missing something?

By 'Kinde users', you are referring to those who can access the Kinde Admin from Elton? If so, the user can do a range of actions on end users and organizations that are reflected back into your application. Is there any in particular that you would like to see?

Yes, you would need to use two different application credentials for these distinct purposes.

1.  For the authentication flow starter, you would use a "Back-end / server-side app" type application. This type of application is described as being "Secured with Authorization Code Flow" and is suitable for server-rendered web applications.

2.  For accessing the Management API, you need to use a Machine to Machine (M2M) application. The documentation specifically states: "Only machine to machine (M2M) applications can connect to Kinde's Management API".

These are two distinct types of applications in Kinde, each serving a different purpose and using different authentication methods. The back-end app uses Authorization Code Flow with a client secret, while the M2M app uses Client Credentials flow.

Therefore, to fulfill both roles (authentication flow starter and Management API accessor), you would indeed need to set up two separate applications in Kinde with different credentials.

I'll explain more in detail

"However this means we lose all end-user information in things like user activity."
In this case I meant the end user being the admin initiating the creation of a new user. Kinde already has a useful user-activity log; however, once I am using the Management API I have no way (as far as I can see) to make calls to the Management API on behalf of the admin (it is always a neutral M2M actor), so the creation of a new user would never end up in the admin's user activity. This of course can be solved on our end, and probably will be anyway.

This isn't that important to us however, and you already answered my most pressing questions. Thanks! 😊

Ahhh thanks for explaining further. So you would want to see any extra activity type or audit log that says that User A invited/created User B.

Great to know that you are able to solve this on your side. I will add it to our requests board either way.
