Invite an operator
An invitation stages the OIDC sign-in handshake that materialises a User aggregate on first accept. plexctl identity drives the full lifecycle.
Prerequisites
- An authenticated session — see Log in with plexctl.
- The target Domain UUID, with an active IdP binding — see Manage IdP bindings.
- The invitee's email address.
Steps
Stage the invitation
shell
plexctl identity invite \
--domain <domain-uuid> \
--email new.operator@example.com
# ID EXTERNAL_SUBJECT_PSEUDONYM EXPIRES_AT INVITE_URL
# … … https://…?token=***
The email is validated locally (RFC 5322) before any request. The command prints an invitation URL whose token= parameter is masked by default; add --reveal-secrets to print it verbatim (the reveal is audit-logged). Use --ttl-seconds <n> to override the server default lifetime.
Hand off and accept
Send the invitee the standard sign-in URL for the deployment. They authenticate against the Domain's IdP; on first accept the server reads display_name and the upstream subject from OIDC userinfo and provisions the User.
Revoke a pending invitation
shell
plexctl identity revoke --domain <domain-uuid> --invitation-id <invitation-uuid>
Revoke is only meaningful while the invitation is still pending.
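With --reveal-secrets the invitation URL from the first step is printed with its token verbatim, so saved terminal logs and CI output are worth checking before they are shared. The shell filter below is an added example, not part of plexctl or this project's code; only the token= parameter name and the *** mask come from this page, while the function names, host, path and token values are constructed.

```shell
#!/bin/sh
# Added example, not part of plexctl. From the page: the token= query
# parameter and the *** mask. Function names, host, path and token values
# are constructed for illustration.

# Rewrite every token= value to the *** mask. The value ends at &, #,
# whitespace or a quote, so neighbouring parameters and JSON quoting survive.
mask_invite_tokens() {
  sed -E "s/([?&]token=)[^&#[:space:]\"']+/\1***/g"
}

# Print the number of each input line that still carries a revealed token,
# i.e. each line that masking would change. Prints nothing for clean input.
unmasked_token_lines() {
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    masked=$(printf '%s\n' "$line" | mask_invite_tokens)
    [ "$masked" = "$line" ] || printf '%s\n' "$n"
  done
}

# Gate for a CI step or pre-commit hook: name the offending lines on stderr
# and return non-zero when any revealed token is found on stdin.
check_log() {
  hits=$(unmasked_token_lines | tr '\n' ' ')
  if [ -n "$hits" ]; then
    echo "revealed invitation token on line(s): $hits" >&2
    return 1
  fi
}

# Constructed sample log (not real plexctl output): one masked URL, two
# revealed ones, and an unrelated csrf_token parameter that must not match.
sample_log() {
  cat <<'EOF'
invite staged: https://plex.example.test/accept?token=***
invite staged: https://plex.example.test/accept?token=CONSTRUCTED-TOKEN-1
{"url":"https://plex.example.test/accept?lang=en&token=CONSTRUCTED-TOKEN-2#top"}
csrf check ok: https://plex.example.test/form?csrf_token=unrelated
EOF
}
```

Pipe a saved log through check_log to fail a job on a revealed token, or through mask_invite_tokens to produce a copy that is safe to attach to a ticket.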
Verification
shell
plexctl identity list --domain <domain-uuid> --type human \
| grep -F new.operator@example.com
# … new.operator@example.com user … New Operator …
The User appears once the invitee has completed sign-in.
See also
- List identities in a Domain — confirm the provisioned User.
- ../../reference/cli/plexctl/identity.md — every flag and exit code.
- ../../contexts/identity/invitations.md — the invitation state machine.