# Human users

Human users are people who sign in to the vault through the web app using SSO. This includes administrators, trading operations staff, risk managers, and compliance users. Human users identify by email address and must enroll a passkey before gaining access.

:::note
Most programmatic integrations should use a [Machine User or Agent](/guide/users-groups/machine-users-and-agents) rather than a human user account. Human accounts are for people who interact with the vault directly.
:::

## Add a human user

You need the **Manage Users** capability to create users.

1. Navigate to **Users & Groups** in the sidebar.
2. Switch to the **Users and Trading Machines** tab.
3. Click **Create New** in the top-right corner and select **Create User** from the dropdown.

4) The **Create User** modal opens. Enter:
   * **Email address** (required): the user's corporate email. This is their identifier in the vault and must match the address they use with your SSO provider.
   * **Display name** (optional): a human-readable name shown in the UI.
   * **Description** (optional): any notes about the user's role.
5) Click **Submit**. The user is created and a success toast appears.

The new user can now log in with SSO. On their first login, they will be prompted to enroll a passkey before they can do anything else.

## Passkey requirement

Every human user must have at least one enrolled passkey. The vault enforces this:

* A user without a passkey is blocked at login with a mandatory enrollment modal. They cannot access any part of the vault until they complete enrollment.
* A user cannot delete their last passkey. The delete action is disabled when only one passkey remains.
* All state-changing operations (including policy edits, key imports, and user management actions) require a passkey signature from the acting user at the time of the action.

This requirement exists because passkeys provide phishing-resistant proof of presence. SSO credentials alone do not provide this guarantee.

## View user details and group membership

1. On the **Users and Trading Machines** tab, find the user using the search or filters.
2. Click the row actions dropdown and select **Edit**.
3. The edit modal shows the user's current display name, description, and group memberships.
4. To change group memberships, add or remove groups from the multi-select list and save.

## Filter the user list

The Users and Trading Machines tab supports several filters:

* **Name search**: match by display name substring.
* **Email search**: match by email substring.
* **User type**: filter to human users only or machine users and agents only.
* **Group membership**: show only users who belong to a specific group.

![Users and Trading Machines tab listing users and machines with type, email, and group columns](/img/guide/users-groups/machines.png)
*The combined Users and Trading Machines list. The Type column distinguishes human users from machines.*

## Delete a user

1. Find the user in the list.
2. Click the row actions dropdown and select **Delete**.
3. Confirm the deletion in the dialog.

Deleting a user removes them from all groups and prevents future logins. The user's historical audit log entries are preserved.

## Reset a user's passkey

If a user loses access to all their passkey devices (for example, a stolen or broken phone), another user with the **Manage Users** capability can initiate a passkey reset.

1. Find the user in the list.
2. Click the row actions dropdown and select **Reset passkey**.
3. The action requires passkey verification from the user initiating the reset.

After a reset, the affected user's existing passkeys are removed. On their next login they are prompted to enroll a new passkey.

## View a user's audit log

From the Users and Trading Machines tab, click the row actions dropdown and select **View Audit Log**. This navigates to the Audit Log page pre-filtered to that user's activity, showing every action they initiated.
