Skip to main content
Version: v1.0+

User Management

Manage server subusers including invitations, permissions, and access control.

List Server Subusers

Retrieve all users with access to the server.

GET /api/client/servers/{server}/users

URL Parameters

ParameterTypeDescription
serverstringServer identifier (UUID or short ID)

Example Request

GET /api/client/servers/{server}/users
curl "https://your-panel.com/api/client/servers/d3aac109/users" \
-H "Authorization: Bearer ptlc_YOUR_API_KEY" \
-H "Accept: Application/vnd.pterodactyl.v1+json" \
-H "Content-Type: application/json"

Example Response

{
"object": "list",
"data": [
{
"object": "subuser",
"attributes": {
"uuid": "c4022c6c-9bf1-4a23-bff9-519cceb38335",
"username": "john_admin",
"email": "[email protected]",
"image": "https://www.gravatar.com/avatar/2fd4d83d4672e8fc7ddda3bd6e01c64e.jpg",
"2fa_enabled": true,
"created_at": "2023-08-15T10:30:00+00:00",
"permissions": [
"control.console",
"control.start",
"control.stop",
"control.restart",
"user.create",
"user.read",
"user.update",
"user.delete",
"file.create",
"file.read",
"file.update",
"file.delete",
"file.archive",
"backup.create",
"backup.read",
"backup.delete",
"allocation.read",
"allocation.create",
"allocation.update",
"allocation.delete",
"startup.read",
"startup.update",
"database.create",
"database.read",
"database.update",
"database.delete",
"schedule.create",
"schedule.read",
"schedule.update",
"schedule.delete"
]
}
},
{
"object": "subuser",
"attributes": {
"uuid": "a8b2c3d4-e5f6-7890-1234-567890abcdef",
"username": "sarah_mod",
"email": "[email protected]",
"image": "https://www.gravatar.com/avatar/8fd9d842a732e3fc9bb1f9f0e8f7e6d5.jpg",
"2fa_enabled": false,
"created_at": "2023-09-20T14:45:00+00:00",
"permissions": [
"control.console",
"control.start",
"control.stop",
"control.restart",
"file.read",
"backup.read"
]
}
}
]
}

Subuser Object Attributes

FieldDescription
uuidUnique user identifier
usernameUser's username
emailUser's email address
imageUser's avatar image URL (usually Gravatar)
2fa_enabledWhether two-factor authentication is enabled
created_atWhen user was added to server
permissionsArray of granted permissions

Get Subuser Details

Retrieve detailed information about a specific subuser.

GET /api/client/servers/{server}/users/{user}

URL Parameters

ParameterTypeDescription
serverstringServer identifier (UUID or short ID)
userstringUser UUID

Example Request

GET /api/client/servers/{server}/users/{user}
curl "https://your-panel.com/api/client/servers/d3aac109/users/c4022c6c-9bf1-4a23-bff9-519cceb38335" \
-H "Authorization: Bearer ptlc_YOUR_API_KEY" \
-H "Accept: Application/vnd.pterodactyl.v1+json" \
-H "Content-Type: application/json"

Example Response

{
"object": "subuser",
"attributes": {
"uuid": "c4022c6c-9bf1-4a23-bff9-519cceb38335",
"username": "john_admin",
"email": "[email protected]",
"image": "https://www.gravatar.com/avatar/2fd4d83d4672e8fc7ddda3bd6e01c64e.jpg",
"2fa_enabled": true,
"created_at": "2023-08-15T10:30:00+00:00",
"permissions": [
"control.console",
"control.start",
"control.stop",
"control.restart",
"user.create",
"user.read",
"user.update",
"user.delete",
"file.create",
"file.read",
"file.update",
"file.delete",
"file.archive",
"backup.create",
"backup.read",
"backup.delete",
"allocation.read",
"allocation.create",
"allocation.update",
"allocation.delete",
"startup.read",
"startup.update",
"database.create",
"database.read",
"database.update",
"database.delete",
"schedule.create",
"schedule.read",
"schedule.update",
"schedule.delete"
]
}
}

Create Subuser

Invite a new user to access the server with specific permissions.

POST /api/client/servers/{server}/users

Request Body

FieldTypeRequiredDescription
emailstringYesEmail address of user to invite
permissionsarrayYesArray of permission keys to grant

Example Request

curl -X POST "https://your-panel.com/api/client/servers/d3aac109/users" \
-H "Authorization: Bearer ptlc_YOUR_API_KEY" \
-H "Accept: Application/vnd.pterodactyl.v1+json" \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"permissions": [
"control.console",
"control.start",
"control.stop",
"control.restart",
"file.read",
"file.create",
"file.update",
"backup.read"
]
}'

Success Response

{
"object": "subuser",
"attributes": {
"uuid": "f1e2d3c4-b5a6-9897-8765-432109fedcba",
"username": "mike_helper",
"email": "[email protected]",
"image": "https://www.gravatar.com/avatar/default.jpg",
"2fa_enabled": false,
"created_at": "2023-10-21T16:20:00+00:00",
"permissions": [
"control.console",
"control.start",
"control.stop",
"control.restart",
"file.read",
"file.create",
"file.update",
"backup.read"
]
}
}

Error Responses

User Limit Reached (400)

{
"errors": [
{
"code": "TooManySubusersException",
"status": "400",
"detail": "This server has reached its subuser limit."
}
]
}

User Already Has Access (409)

{
"errors": [
{
"code": "UserAlreadyHasAccessException",
"status": "409",
"detail": "The specified user already has access to this server."
}
]
}

Invalid Email (422)

{
"errors": [
{
"code": "ValidationException",
"status": "422",
"detail": "The email field must be a valid email address.",
"meta": {
"rule": "email",
"source_field": "email"
}
}
]
}

User Not Found (404)

{
"errors": [
{
"code": "UserNotFoundException",
"status": "404",
"detail": "No user with that email address was found."
}
]
}

Update Subuser Permissions

Modify the permissions granted to an existing subuser.

POST /api/client/servers/{server}/users/{user}

URL Parameters

ParameterTypeDescription
serverstringServer identifier (UUID or short ID)
userstringUser UUID

Request Body

FieldTypeRequiredDescription
permissionsarrayYesArray of permission keys to grant

Example Request

curl -X POST "https://your-panel.com/api/client/servers/d3aac109/users/a8b2c3d4-e5f6-7890-1234-567890abcdef" \
-H "Authorization: Bearer ptlc_YOUR_API_KEY" \
-H "Accept: Application/vnd.pterodactyl.v1+json" \
-H "Content-Type: application/json" \
-d '{
"permissions": [
"control.console",
"control.start",
"control.stop",
"control.restart",
"file.read",
"file.update",
"backup.read",
"backup.create",
"database.read"
]
}'

Success Response

{
"object": "subuser",
"attributes": {
"uuid": "a8b2c3d4-e5f6-7890-1234-567890abcdef",
"username": "sarah_mod",
"email": "[email protected]",
"image": "https://www.gravatar.com/avatar/8fd9d842a732e3fc9bb1f9f0e8f7e6d5.jpg",
"2fa_enabled": false,
"created_at": "2023-09-20T14:45:00+00:00",
"permissions": [
"control.console",
"control.start",
"control.stop",
"control.restart",
"file.read",
"file.update",
"backup.read",
"backup.create",
"database.read"
]
}
}
Permission Updates

Permission updates completely replace the user's existing permissions. Include all permissions you want the user to have, not just the ones you're adding.


Remove Subuser

Remove a user's access to the server.

DELETE /api/client/servers/{server}/users/{user}

URL Parameters

ParameterTypeDescription
serverstringServer identifier (UUID or short ID)
userstringUser UUID

Example Request

curl -X DELETE "https://your-panel.com/api/client/servers/d3aac109/users/f1e2d3c4-b5a6-9897-8765-432109fedcba" \
-H "Authorization: Bearer ptlc_YOUR_API_KEY" \
-H "Accept: Application/vnd.pterodactyl.v1+json" \
-H "Content-Type: application/json"

Success Response (204)

Returns empty response body with status code 204.

Access Removal

Removing a subuser immediately revokes all their access to the server. They will be logged out and unable to perform any actions.

Error Responses

Cannot Remove Server Owner (400)

{
"errors": [
{
"code": "CannotRemoveServerOwnerException",
"status": "400",
"detail": "Cannot remove the server owner."
}
]
}

Available Permissions

Server Control Permissions

PermissionDescription
control.consoleView console output and send commands
control.startStart the server
control.stopStop the server
control.restartRestart the server
control.killForce kill the server process

File Management Permissions

PermissionDescription
file.createCreate new files and directories
file.readView file contents and directory listings
file.updateModify existing files
file.deleteDelete files and directories
file.archiveCreate and extract archives
file.sftpAccess files via SFTP

Backup Permissions

PermissionDescription
backup.createCreate new backups
backup.readView backup list and details
backup.deleteDelete backups
backup.downloadDownload backup files
backup.restoreRestore from backups

Network Allocation Permissions

PermissionDescription
allocation.readView server allocations
allocation.createAssign new allocations
allocation.updateModify allocation settings
allocation.deleteRemove allocations

Database Permissions

PermissionDescription
database.createCreate new databases
database.readView database list and details
database.updateRotate database passwords
database.deleteDelete databases

Schedule Permissions

PermissionDescription
schedule.createCreate new schedules
schedule.readView schedules and tasks
schedule.updateModify existing schedules
schedule.deleteDelete schedules

User Management Permissions

PermissionDescription
user.createInvite new subusers
user.readView subuser list and details
user.updateModify subuser permissions
user.deleteRemove subusers

Startup Permissions

PermissionDescription
startup.readView startup configuration
startup.updateModify startup variables

Permission Templates

Read-Only Access

Suitable for monitoring and viewing server status:

{
"permissions": [
"control.console",
"file.read",
"backup.read",
"allocation.read",
"database.read",
"schedule.read",
"user.read",
"startup.read"
]
}

Moderator Access

Basic server management without administrative functions:

{
"permissions": [
"control.console",
"control.start",
"control.stop",
"control.restart",
"file.read",
"file.update",
"backup.read",
"backup.create"
]
}

Administrator Access

Full server management capabilities:

{
"permissions": [
"control.console",
"control.start",
"control.stop",
"control.restart",
"control.kill",
"file.create",
"file.read",
"file.update",
"file.delete",
"file.archive",
"backup.create",
"backup.read",
"backup.delete",
"backup.download",
"backup.restore",
"allocation.read",
"allocation.create",
"allocation.update",
"allocation.delete",
"database.create",
"database.read",
"database.update",
"database.delete",
"schedule.create",
"schedule.read",
"schedule.update",
"schedule.delete",
"startup.read",
"startup.update"
]
}

Developer Access

File management and deployment focused:

{
"permissions": [
"control.console",
"control.start",
"control.stop",
"control.restart",
"file.create",
"file.read",
"file.update",
"file.delete",
"file.archive",
"file.sftp",
"backup.create",
"backup.read",
"backup.download",
"database.read",
"startup.read"
]
}

User Management Best Practices

Security Principles

  • Principle of Least Privilege: Grant only the minimum permissions needed
  • Regular Audits: Periodically review user access and permissions
  • Time-Limited Access: Remove access when no longer needed
  • Role-Based Access: Use consistent permission sets for similar roles

Permission Guidelines

  • Start Small: Begin with minimal permissions and add as needed
  • Group Related Permissions: Grant logical permission groups together
  • Document Roles: Maintain documentation of what each role can do
  • Test Permissions: Verify permissions work as expected

Access Management

  • Regular Cleanup: Remove inactive users periodically
  • Monitor Activity: Track user actions and access patterns
  • Emergency Procedures: Have a plan for revoking access quickly
  • Backup Access: Ensure multiple users can manage critical functions

Communication

  • Clear Expectations: Communicate what users can and cannot do
  • Training: Provide guidance on using granted permissions
  • Support Channels: Establish channels for permission requests
  • Change Notifications: Notify users of permission changes

User Invitation Process

How Invitations Work

  1. User Creation: Server owner creates subuser with email and permissions
  2. Account Linking: If user exists, they're linked to server immediately
  3. New User Registration: If user doesn't exist, they must register first
  4. Access Activation: User gains access once account is confirmed

Email Requirements

  • Valid Email: Email must be properly formatted and deliverable
  • Existing Account: User must have a Pterodactyl panel account
  • Unique Access: Each user can only have one access level per server

Registration Flow

For new users who don't have accounts:

  1. Email Invitation: Invited user receives email notification
  2. Account Creation: User creates account using same email address
  3. Automatic Linking: System automatically grants server access
  4. Permission Activation: All assigned permissions become active

Troubleshooting User Issues

Common Problems

IssueCauseSolution
User can't access serverPermissions not grantedCheck and update permissions
Invitation failedInvalid email addressVerify email format and deliverability
User limit reachedToo many subusersRemove inactive users or upgrade plan
Permission denied errorsMissing specific permissionGrant required permission

Diagnostic Steps

# Check current subusers
curl "https://your-panel.com/api/client/servers/{server}/users" \
-H "Authorization: Bearer YOUR_API_KEY"

# View specific user permissions
curl "https://your-panel.com/api/client/servers/{server}/users/{user}" \
-H "Authorization: Bearer YOUR_API_KEY"

# Test user access
# Have user attempt the action and check error messages

Permission Debugging

  • Test with minimal permissions: Start with basic permissions and add incrementally
  • Check error messages: API errors often specify which permission is missing
  • Compare working users: Look at permissions of users who can perform the action
  • Verify permission names: Ensure permission keys are spelled correctly

User Limits and Quotas

Default Limits

ResourceDefault LimitDescription
Subusers per server5-50Varies by hosting plan
Permission combinationsUnlimitedAny combination of available permissions
Invitation attemptsRate limitedLimited to prevent abuse
Access durationPermanentUntil manually removed

Account Requirements

  • Panel Account: User must have Pterodactyl panel account
  • Email Verification: Account email must be verified
  • Active Status: Account must not be suspended or banned
  • Unique Email: One account per email address

Common Error Codes

StatusCodeDescription
400TooManySubusersExceptionSubuser limit reached
400CannotRemoveServerOwnerExceptionCannot remove server owner
401InvalidCredentialsExceptionInvalid API key
403InsufficientPermissionsExceptionMissing required permissions
404UserNotFoundExceptionUser not found
404NotFoundHttpExceptionSubuser not found
409UserAlreadyHasAccessExceptionUser already has server access
422ValidationExceptionInvalid request data

Required Permissions

User management operations require specific permissions:

PermissionDescription
user.createInvite new subusers
user.readView subuser list and details
user.updateModify subuser permissions
user.deleteRemove subusers
Server Owner Privileges

Server owners automatically have all permissions and can perform all user management operations regardless of explicit permission grants.

Security Considerations

Access Control

  • Multi-factor Authentication: Encourage users to enable 2FA
  • Strong Passwords: Require strong passwords for all accounts
  • Regular Reviews: Periodically audit user access and permissions
  • Session Management: Monitor and manage active user sessions

Permission Security

  • Sensitive Permissions: Be careful with delete and administrative permissions
  • Cross-Permission Impact: Consider how permissions interact with each other
  • Escalation Prevention: Avoid granting users ability to elevate their own permissions
  • Audit Trails: Monitor permission changes and user actions

Source References

Controller: SubuserController
Routes: api-client.php - Subuser endpoints
Subuser Model: Subuser.php
Permission Model: Permission.php
Subuser Service: SubuserCreationService

Next Steps