
Invitations

An invitation is how a new user activates their account. Rather than an administrator setting someone else's password, the system emails the user a secure link; the user clicks it, sets their own password, and their account becomes ACTIVE. This page explains how to send, resend, and manage invitations.

Where to find it: Users → Invitations.

The invitation lifecycle

Sending an invitation

There are two ways an invitation goes out:

  1. At creation — when you create a user with Send invitation enabled, the email is sent automatically and the user moves from DISABLED to INVITED.
  2. Manually — for a user created without an invitation (still DISABLED), use the Send Invite action on the user.

When an invitation is sent:

  • the user's status becomes INVITED;
  • a unique, single-use token is generated and emailed as a link; and
  • the invitation is given an expiry date.

:::note One pending invitation at a time
A user can only have one active pending invitation. If you try to send a fresh invitation while one is still pending, the system asks you to use Resend instead. An already-ACTIVE user cannot be invited again.
:::

The accept-invitation flow

When the user opens the invitation link, they reach the Accept Invitation page, where they:

  1. enter a new password that meets the password policy, and
  2. confirm it (the two must match).

On success, the system, in a single transaction:

  • sets the user's password,
  • changes the user's status to ACTIVE,
  • marks the email as verified, and
  • marks the invitation as accepted.

The user is then told their account is active and can sign in. This activation is recorded in the audit log.

Password policy for acceptance

The new password must be at least 8 characters and include an uppercase letter, a lowercase letter, a number, and a special character (@ $ ! % * ? &). The same policy applies everywhere passwords are set in Vruksha.

Token security and expiry

  • Single-use: once an invitation is accepted, its token is spent. Reusing the link returns "This invitation has already been accepted. Please sign in."
  • Time-limited: an invitation expires after 7 days. After that, the link returns "This invitation has expired" and the administrator must send a new one.
  • Revocable: an administrator can revoke a pending invitation, which invalidates the link.

The link only ever carries an opaque token — never the password. The user always sets the password themselves on the acceptance page.

| Situation | What the user sees |
| --- | --- |
| Link is malformed or not recognized | "Invalid invitation link." |
| Invitation already accepted | "This invitation has already been accepted. Please sign in." |
| Invitation revoked by an admin | "This invitation has been revoked." |
| Invitation older than 7 days | "This invitation has expired. Please contact your administrator for a new invitation." |
| Account already active | "This account is already active. Please sign in." |
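
The token rules above (opaque, single-use, 7-day expiry, revocable) can be sketched as follows. This is an added example, not Vruksha's own code: the `Invitation` record, the function names, the in-memory `store`, storing only a SHA-256 digest of the token, the order of the checks, and the `"OK"` return value are all assumptions; the messages are the ones in the table.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TTL = timedelta(days=7)  # expiry window stated on this page

@dataclass
class Invitation:  # hypothetical record; field names are assumptions
    expires_at: datetime
    status: str = "PENDING"        # PENDING, ACCEPTED or REVOKED
    user_status: str = "INVITED"

def digest(token: str) -> str:
    # Assumption: only a SHA-256 digest of the token is stored, so a leaked
    # invitations table does not contain usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def issue(store: dict, now: datetime) -> str:
    """Create a pending invitation and return the opaque token for the link."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store[digest(token)] = Invitation(expires_at=now + TTL)
    return token

def accept(store: dict, token: str, now: datetime) -> str:
    """Return the user-facing message; activate the account only on success."""
    inv = store.get(digest(token))
    if inv is None:
        return "Invalid invitation link."
    if inv.status == "ACCEPTED":
        return "This invitation has already been accepted. Please sign in."
    if inv.status == "REVOKED":
        return "This invitation has been revoked."
    if inv.user_status == "ACTIVE":
        return "This account is already active. Please sign in."
    if now >= inv.expires_at:
        return ("This invitation has expired. Please contact your "
                "administrator for a new invitation.")
    # A real store would do these writes (plus password and email-verified
    # updates) in one transaction, as the page describes.
    inv.status, inv.user_status = "ACCEPTED", "ACTIVE"
    return "OK"

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    db = {}
    link_token = issue(db, now)
    print(accept(db, link_token, now + timedelta(days=1)))  # first use
    print(accept(db, link_token, now + timedelta(days=1)))  # replay of the same link
```

Looking the invitation up by digest means the raw token is never compared or stored server-side, and every failure path returns before any account state changes.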

Resending an invitation

If the email was missed or the link expired, use Resend. Resending:

  • issues a fresh token and a new 7-day expiry, and
  • increments the invitation's send count so you can see how many times it was sent.

To prevent abuse, resends are rate-limited: there is a short cooldown between resends and a cap on how many can be sent per hour. If you hit the limit, wait and try again.

Tracking invitations

The Invitations list shows every invitation with its current status, so you can see at a glance who still needs to accept:

| Invitation status | Meaning |
| --- | --- |
| PENDING | Sent, awaiting acceptance. |
| ACCEPTED | The user accepted and is now active. |
| EXPIRED | The link passed its 7-day window unused. |
| REVOKED | An administrator cancelled the invitation. |

You can filter by status and search by email to find a specific invitation quickly.