Team management + public API docs
May 26, 2026Team management in the Console (invite users, manage roles) plus the full API surface as a public spec under /docs-full and /openapi-full.json.
Invite Users
Owner/admins invite team members by email — branded invitation message included.
Role Editor
Create roles and assign permissions per role under /settings/roles.
/docs-full
Full API spec as a public Scalar page — no login, ready to link.
Invite Page Fix
/invite/accept no longer shows a false „login required“ toast for anonymous invitees.
Invite Users (/users)
The Console gets a dedicated Members page under Settings → Users. Owner/admins can list members, edit profiles, and invite new users by email. The invited user opens the link in their email and is taken to /invite/accept — already-registered users log in and join, new users sign up and join in one step.
The invitation email is now branded (logo and sender of the Console) instead of the previous hardcoded template. Visible only to users with the members:member:read entitlement.
Roles and Permissions (/settings/roles)
New Roles tab in Settings: create or edit roles, assign permissions per role. Usage/quota entitlements are hidden in the role editor — only real permissions are listed there. Visible to users with the rbac:role:read entitlement.
Frontend-only addition. The underlying members and role APIs are kernel core and were already in place — this release surfaces them in the Console UI.
Public Full Spec (/docs-full)
The existing /openapi-1-3.json + /docs personalize the spec to the entitlements of the calling API key — correct for the signed-in Console, but no single URL showed the entire API surface. The new endpoints fix that:
/docs-full
Scalar docs page with the complete spec (all countries, formats, endpoints). Public, no login or API key required — link it from anywhere.
/openapi-full.json
Same spec as raw JSON — drop into Postman, code generators, IDE plugins.
Browse or link
1# In the browser2open https://invoice-api.xhub.io/docs-full3 4# Or link directly from your site5<a href="https://invoice-api.xhub.io/docs-full">Full API reference</a>Fetch the JSON spec
1curl https://invoice-api.xhub.io/openapi-full.json \2 -H "Accept: application/json" \3 -o openapi-full.jsonSecurity note: Showing the full API surface publicly is safe — every call is still authorized server-side via entitlement checks (checkFeatureAccess). The spec only lists what exists. The personalized /openapi-1-3.json + /docs remain auth-gated.
CORS hint: Linking to /docs-full requires no extra setup. To fetch the JSON cross-origin via JavaScript from your own site, add your origin to CORS_ORIGINS (Render env). The /docs-full page itself does not need it.
Bug Fix: Invite Page Login Toast
Anonymous invitees opening /invite/accept saw a red error toast „You must be logged in to access this resource“ — the normal case. Cause: the page queried the protected organization.current locale globally, which returns 401 for anonymous users. The query now only runs for logged-in users; logged-out, locale detection falls back to the UI language anyway.
The invitation card itself was never affected — only the toast.