Admin SDK

Server-to-server management of users, organizations, invitations, and sessions. Authenticates with a secret API key starting with sk_live_ or sk_test_.

Install

npm install @kolaylogin/backend

Create the client

import { createKolayLoginClient } from '@kolaylogin/backend';

const kolay = createKolayLoginClient({
  // baseUrl defaults to https://api.kolaylogin.com
  secretKey: process.env.KL_SECRET_KEY!, // sk_live_...
});

Users

const { users, total } = await kolay.users.list({ limit: 20 });
const me = await kolay.users.get(userId);
await kolay.users.update(userId, { publicMetadata: { tier: 'gold' } });
await kolay.users.ban(userId, 'tos_violation');
await kolay.users.unban(userId);
await kolay.users.delete(userId);

Organizations

const { organizations } = await kolay.organizations.list({ limit: 50 });
const org = await kolay.organizations.create({ name: 'Acme', slug: 'acme' });
await kolay.organizations.addMember(org.id, { userId, role: 'admin' });
await kolay.organizations.removeMember(org.id, userId);
await kolay.organizations.delete(org.id);

Invitations

Create returns a one-time token. Embed it in your own transactional email (https://api.kolaylogin.com/invite?token=) — the end user confirms via POST /v1/orgs/invitations/accept.

const invite = await kolay.invitations.create({
  email: 'teammate@example.com',
  orgId: org.id,
  role: 'member',
});
console.log(invite.token); // use once in your email
await kolay.invitations.revoke(invite.id);

Sessions

const { sessions } = await kolay.sessions.list({ userId });
await kolay.sessions.revoke(sessions[0].id);

Error handling

Every call throws on non-2xx responses. The error carries status (HTTP code) and body (parsed JSON).

try {
  await kolay.users.delete('bogus-id');
} catch (err: any) {
  // 404 means the user is already gone; rethrow everything else
  if (err.status !== 404) throw err;
}

Keep sk_ keys server-side

Secret API keys grant full admin access over the instance's tenants. Never ship them in browser bundles. Rotate at the first sign of a leak: revoke the key from the dashboard and issue a fresh one.
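
The server-side rule above can be checked at start-up. This is an added example, not part of the KolayLogin SDK: it validates KL_SECRET_KEY from a supplied environment map and rejects secret keys placed in variables that Next.js, Vite or Create React App inline into browser bundles. The function names are hypothetical, and refusing an sk_test_ key when NODE_ENV is production is an assumed policy, not something the SDK enforces.

```typescript
// Added example, not part of @kolaylogin/backend. Only the sk_live_/sk_test_
// prefixes and the KL_SECRET_KEY name come from the page; the rest is assumed.
type Env = Record<string, string | undefined>;

// Env-var prefixes that Next.js, Vite and Create React App inline into client bundles.
const PUBLIC_PREFIXES = ['NEXT_PUBLIC_', 'VITE_', 'REACT_APP_'];
const SECRET_PREFIXES = ['sk_live_', 'sk_test_'];

const isSecretKey = (v: string): boolean =>
  SECRET_PREFIXES.some((p) => v.startsWith(p) && v.length > p.length);

// Safe form for logs: keeps the mode prefix, hides the key material.
function redact(key: string): string {
  const p = SECRET_PREFIXES.find((s) => key.startsWith(s));
  return p ? `${p}***` : '***';
}

// Names of browser-exposed variables whose value is a secret API key.
function exposedSecretVars(env: Env): string[] {
  return Object.keys(env)
    .filter((name) => PUBLIC_PREFIXES.some((p) => name.startsWith(p)))
    .filter((name) => isSecretKey(env[name] ?? ''))
    .sort();
}

// Returns the key to hand to createKolayLoginClient, or throws before any
// admin call is made. Error messages never contain the key itself.
function loadSecretKey(env: Env): string {
  const exposed = exposedSecretVars(env);
  if (exposed.length > 0) {
    throw new Error(`secret key in browser-exposed variable(s): ${exposed.join(', ')}`);
  }
  const key = (env['KL_SECRET_KEY'] ?? '').trim();
  if (!isSecretKey(key)) {
    throw new Error('KL_SECRET_KEY is missing or is not an sk_live_/sk_test_ key');
  }
  // Assumed policy: test-mode keys are not accepted in a production process.
  if (env['NODE_ENV'] === 'production' && key.startsWith('sk_test_')) {
    throw new Error(`refusing ${redact(key)} with NODE_ENV=production`);
  }
  return key;
}

// Server start-up: const secretKey = loadSecretKey(process.env);
```
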

Raw REST

Not on Node.js? Every admin endpoint is also an HTTPS call. See the API reference for the full surface.