We’re embedding a custom app in Assembly and want to use Assembly as the auth layer while our external platform manages project authorization.
Do custom apps or backend integrations have any supported way to:
- invite users by API
- create/provision users by API
- add users to a company/client/workspace
- update roles/permissions
- use SCIM/JIT/SAML provisioning
- retrieve stable signed-in user identifiers inside the custom app
Also, what is the recommended pattern for an Assembly-embedded app that manages access to resources in an external SaaS platform?
Hi @Aaron_Lambie
Thanks for reaching out! Here’s a breakdown of what Assembly currently supports for each of your questions:
What’s available today:
- Invite users by API — Yes. When creating a client user via our Platform API, you can send them an invite automatically at creation time.
- Create/provision users by API — Yes. Our Platform API lets you create client users.
- Add users to a company/client/workspace — You can add clients to a workspace via API. Adding clients to a company is not supported via API. Could you clarify what you mean by “add a user to a client”?
- Retrieve stable signed-in user identifiers inside the custom app — Yes. When your app is rendered by Assembly, we pass in an encrypted token with the current session info. You can determine the logged-in user from the internalUserId or clientId fields in that token. See the Setting up the SDK page for details on token contents.
What’s not currently available:
Recommended pattern for an Assembly-embedded app managing external resources: Use the encrypted session token to identify the logged-in user within your embedded app, then map those Assembly user IDs to users and permissions in your external platform. Authorization for what a user can access on your side would be managed by your platform. We don’t currently have a built-in OAuth token exchange or role-syncing mechanism between Assembly and external systems.
For full details on available endpoints and the SDK, check out our API docs: https://docs.assembly.com
Please let us know if you have any other questions! Always here to help! 
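The mapping pattern recommended above, sketched as an added example (not part of the original thread and not Assembly's code): a deny-by-default, project-scoped check keyed on the `internalUserId` or `clientId` from the session token. It assumes the token has already been decrypted by the SDK; the role names, IDs, bindings, and the choice to reject a payload carrying both fields are constructed assumptions.

```javascript
// Added example: project-scoped authorization keyed by Assembly identity.
// Assumption: `payload` is the session token after the SDK has decrypted it.
// Role names, permissions and IDs below are constructed for illustration.
const ROLE_PERMISSIONS = new Map([
  ["viewer", new Set(["project:read"])],
  ["editor", new Set(["project:read", "project:write"])],
  ["admin", new Set(["project:read", "project:write", "project:manage_members"])],
]);

// Constructed bindings held by the external platform:
// principal key -> project id -> role.
const bindings = new Map([
  ["internal:iu_123", new Map([["proj_a", "admin"]])],
  ["client:cl_456", new Map([["proj_a", "viewer"]])],
]);

// Build a namespaced principal key so an internal user ID and a client ID
// with the same value are never treated as the same principal.
function principalFromToken(payload) {
  if (!payload || typeof payload !== "object") return null;
  const { internalUserId, clientId } = payload;
  const hasInternal = typeof internalUserId === "string" && internalUserId !== "";
  const hasClient = typeof clientId === "string" && clientId !== "";
  // Assumed policy: neither field or both fields is ambiguous, so fail closed.
  if (hasInternal === hasClient) return null;
  return hasInternal ? `internal:${internalUserId}` : `client:${clientId}`;
}

// Deny by default: unknown principal, project, role or permission is false.
// The identity comes only from the token, never from request parameters.
function isAllowed(payload, projectId, permission, store = bindings) {
  const principal = principalFromToken(payload);
  if (principal === null) return false;
  const role = store.get(principal)?.get(projectId);
  if (role === undefined) return false;
  const perms = ROLE_PERMISSIONS.get(role);
  return perms !== undefined && perms.has(permission);
}
```
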
On the “add user to a client” workflow: once a client is established, we would want to disable your native user-invite functionality within our environment. Instead, we need to manage user provisioning directly within our application, as access control in our system is not purely user-based but project-scoped (i.e., a simplified RBAC model tied to project-level permissions).
As a result, user creation and team management need to sit within our own workflow, where access can be assigned and governed appropriately. Conceptually, we are looking to replicate the core elements of your team management experience—user onboarding, invitations, and role assignment—while embedding our own access control layer and permissioning logic within our application.
Let me know if that aligns with how your system can be extended or integrated.
Hi @Aaron_Lambie Thanks for the response!
To your first point, you can create a client user via API without triggering an invite. You can find that endpoint here: https://docs.assembly.com/reference/create-client
Quick clarification: when you say you want to replicate the team management experience (user onboarding, invitations, and role assignment) from within your app, is this specifically for managing client users rather than internal team members? Please let me know when you can. Thanks! 