Create an Add-on "user access list"

Last updated February 06, 2024

To manage users of your add-on, you have at least one login tool set up. Heroku provides the Add-on Single Sign-on integration, which allows users to log in with their Heroku account directly from their app’s dashboard. Some add-ons also have their own login systems, or use third-party OAuth services like GitHub to gain additional capabilities. Having a consolidated list of logins between the Add-on SSO service and your own login system can make managing permissions in your add-on easier.

This article describes how to create a “user access list” by making requests to the Platform API for Partners.

Prerequisites

Implementation

User List Types

There are two different lists of Heroku users that you must combine to see all users with access to the app:

  • App collaborators are users that an app’s owner has granted access to. These users appear on the app’s collaborators list.

  • Team members for Heroku Teams or Heroku Enterprise Teams appear on the team member list of the team that owns an app.

Get a Full List of Heroku Users

To get a full list of Heroku users with access to your add-on, combine the app’s collaborators list with the team member list. Make these API requests to get the lists:

  • Add-on Info: Use the resource UUID sent on the provisioning request to get the app id or name: GET https://api.heroku.com/addons/:resource_uuid.
  • App Collaborator List: Use the app id or name to get the list of collaborator users: GET https://api.heroku.com/apps/:app_id_or_name/collaborators.
  • App Info: Use the app id or name to check for the existence of a team object on the serialized response to grab the team id: GET https://api.heroku.com/apps/:app_id_or_name.
  • Team Member List: If the app belongs to a team, use the team id: GET https://api.heroku.com/teams/:team_id/members.

If the email address given during the SSO request appears in your combined list, that user has access to the add-on for the specified app.

Repeat this process for each provisioned add-on resource, authenticating with the resource-scoped access token for that add-on under the Platform API for Partner.

The list of app collaborators and team members is dynamic and can change at any time when owners add or remove users from their apps. You must keep the information synchronized by running this process regularly. We recommend using an interval that doesn’t exceed the session expiration time for your add-on dashboard.

Feedback

Log in to submit feedback.