Deactivate inactive users

POST 
/v1/users/deactivate-inactive

Sweep deactivation for stale accounts. A user is deactivated when all of:

• created_at is older than days days ago (so brand-new accounts that haven't had a chance to log in yet are not killed).
• They have no login_success row in authentication_audit_log within the last days days. Impersonation logins are excluded (rows where impersonation_session_id IS NOT NULL don't count).
• Their login_account is not in exclude_login_accounts.
• They are currently is_active = true (already-inactive users are skipped).

Affected users get is_active=false and active_to=NOW() — same as DELETE /users.

The response includes up to 1000 affected users with last_login_at (NULL if they've never logged in). If more were affected, truncated: true is set on the response.

Use dry_run: true to see who would be deactivated without writing anything.

Request

Responses

200

Sweep completed

400

Validation error (missing/invalid days, etc.)

403

Forbidden — insufficient permissions (POST_USER or POST_DATA required)