Authentication uses OAuth2 with Bearer tokens. Access tokens have a TTL (time to live) of 3600 seconds, i.e. one hour, and refresh tokens last about 30 days. Tokens are issued through the /auth/token endpoint using either the client credentials flow or the authorization code flow, depending on your use case. Every API request must carry an Authorization header with a valid bearer token; a request without one is rejected. Refresh tokens are single-use: once a refresh token has been used it is invalidated, and the response returns a new refresh token along with the new access token.

Rate limiting is 500 requests per minute per API key, counted globally across all endpoints. When a client exceeds the limit, return a 429 status code and include the Retry-After header so the client knows when to try again.

Admin tokens are special: they can access resources across all organizations in the system. Regular user tokens can only access data within their own organization, which is the isolation boundary you would expect from a security perspective.
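As an added example (not code from the original page), the following sketch enforces the rules above in one place: a bearer token is required and must be unexpired, refresh tokens are single-use and rotated, the per-key limit of 500 requests per minute returns 429 with Retry-After, and only admin tokens may cross organization boundaries. It assumes an in-memory store and a fixed one-minute window; the clock is injectable so the behaviour can be checked deterministically.

```python
import secrets
import time

ACCESS_TTL = 3600              # seconds, per the spec (one hour)
REFRESH_TTL = 30 * 24 * 3600   # about 30 days
RATE_LIMIT = 500               # requests per minute per API key, all endpoints

class TokenService:
    """Assumed in-memory token store; illustrates the rules, not a production design."""
    def __init__(self, now=time.time):
        self.now = now
        self.access = {}   # access token -> {"org", "admin", "key", "exp"}
        self.refresh = {}  # refresh token -> {"org", "admin", "key", "exp"}
        self.hits = {}     # api_key -> (window_start, count)

    def issue(self, org, admin, api_key):
        t = self.now()
        a, r = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[a] = {"org": org, "admin": admin, "key": api_key, "exp": t + ACCESS_TTL}
        self.refresh[r] = {"org": org, "admin": admin, "key": api_key, "exp": t + REFRESH_TTL}
        return a, r

    def rotate(self, refresh_token):
        # Single use: pop() invalidates the presented refresh token before new ones are issued,
        # so a replayed refresh token is rejected (returns None).
        rec = self.refresh.pop(refresh_token, None)
        if rec is None or rec["exp"] <= self.now():
            return None
        return self.issue(rec["org"], rec["admin"], rec["key"])

    def authorize(self, headers, target_org):
        """Return (status, extra_headers) for a request against target_org's data."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        rec = self.access.get(token) if scheme == "Bearer" else None
        if rec is None or rec["exp"] <= self.now():
            return 401, {}                      # missing, unknown or expired bearer token
        # Fixed one-minute window per API key, shared across all endpoints.
        t = self.now()
        start, count = self.hits.get(rec["key"], (t, 0))
        if t - start >= 60:
            start, count = t, 0
        count += 1
        self.hits[rec["key"]] = (start, count)
        if count > RATE_LIMIT:
            return 429, {"Retry-After": str(max(1, int(60 - (t - start))))}
        # Org scoping: admin tokens span organizations, user tokens do not.
        if not rec["admin"] and rec["org"] != target_org:
            return 403, {}
        return 200, {}
```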

The users part of the API has a POST endpoint at /users that creates a new user in the system. The required fields are the name, the email address, and the role. The email address must be unique within each organization: two users in the same org cannot share an email, but users in different orgs can. The available roles are admin, member, and viewer; if you don't specify a role it defaults to member, which is the most common one anyway.

GET /users returns a paginated list using cursor-based pagination (not offset-based). The default page size is 25, and you can request up to 100 at most. GET /users/:id returns the full user object, including the last_login and created_at timestamps. PATCH /users/:id does a partial update with merge semantics: you only send the fields you want to change. Be careful, though: a user's email address cannot be changed without first going through the email verification process. DELETE /users/:id does not permanently delete the user; it is a soft delete that sets their status to archived, and an archived user can no longer log in. If someone tries to delete a user that is already archived, return 410 Gone.