# Identity Lifecycle

## Why This Exists
This document defines lifecycle states for Identity Domain records.
## Owner
The owner is the Chief Product Officer and Enterprise Architect.
## Business Value
Lifecycle clarity keeps accounts, memberships, invitations, sessions, API keys, and MFA predictable and auditable.
## User Account Lifecycle
| State | Meaning |
|---|---|
| Pending Verification | Account exists but email or identity verification is incomplete. |
| Active | Account can authenticate and access authorized resources. |
| Locked | Account is temporarily blocked because of security policy. |
| Disabled | Account is administratively disabled. |
| Archived | Account is retained for audit but not active. |
## Membership Lifecycle
| State | Meaning |
|---|---|
| Invited | User has been invited to organization. |
| Active | User has active organization membership. |
| Suspended | Membership access is temporarily removed. |
| Removed | Membership no longer grants access. |
| Archived | Membership is retained for history. |
## Invitation Lifecycle
| State | Meaning |
|---|---|
| Created | Invitation is issued. |
| Sent | Notification delivery has been requested. |
| Accepted | Recipient accepted within valid period. |
| Expired | Invitation is no longer valid. |
| Revoked | Invitation was cancelled before acceptance. |
```mermaid
stateDiagram-v2
    [*] --> Created
    Created --> Sent
    Sent --> Accepted
    Sent --> Expired
    Sent --> Revoked
    Accepted --> [*]
    Expired --> [*]
    Revoked --> [*]
```
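As an added example (not code from this page or its project), here is one way to enforce the invitation state diagram above in code: the allowed transitions are a data table, acceptance is checked against the invitation's valid period, and every state change is written to an audit trail. The `Invitation` class, its fields, and the hypothetical `transition` method are assumptions, not an existing API.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Allowed transitions, copied from the invitation state diagram on this page.
# Accepted, Expired and Revoked are terminal: they permit no further moves.
INVITATION_TRANSITIONS = {
    "Created": {"Sent"},
    "Sent": {"Accepted", "Expired", "Revoked"},
    "Accepted": set(),
    "Expired": set(),
    "Revoked": set(),
}


@dataclass
class Invitation:
    """Hypothetical invitation record (assumed shape, not the project's model)."""
    email: str
    expires_at: datetime          # end of the valid period, timezone-aware
    state: str = "Created"
    audit: list = field(default_factory=list)   # (timestamp, actor, new_state)

    def transition(self, new_state, actor="system", now=None):
        """Move to new_state if the diagram allows it; raise otherwise."""
        now = now or datetime.now(timezone.utc)
        if new_state not in INVITATION_TRANSITIONS[self.state]:
            raise ValueError(f"illegal transition {self.state} -> {new_state}")
        if new_state == "Accepted" and now >= self.expires_at:
            # Acceptance outside the valid period is recorded as Expired,
            # so a late acceptance can never grant membership.
            self._record("Expired", actor, now)
            raise PermissionError("invitation expired before acceptance")
        self._record(new_state, actor, now)
        return self.state

    def _record(self, new_state, actor, now):
        self.state = new_state
        self.audit.append((now.isoformat(), actor, new_state))


def demo():
    """Constructed sample: one invitation accepted in time, one accepted late."""
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    deadline = datetime(2024, 1, 8, tzinfo=timezone.utc)   # 7-day validity
    ok = Invitation("alice@example.test", deadline)        # constructed address
    ok.transition("Sent", "mailer", issued)
    ok.transition("Accepted", "alice", datetime(2024, 1, 3, tzinfo=timezone.utc))
    late = Invitation("bob@example.test", deadline)
    late.transition("Sent", "mailer", issued)
    try:
        late.transition("Accepted", "bob", datetime(2024, 1, 9, tzinfo=timezone.utc))
    except PermissionError:
        pass
    return ok.state, late.state, len(late.audit)
```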
## Session Lifecycle

Sessions move from created to active, refreshed, expired, revoked, or blocked. Where the implementation uses tokens, the session lifecycle should support short-lived access tokens and revocable refresh tokens.
## API Key Lifecycle
API keys move from created to active, rotated, expired, revoked, or archived. Plaintext key material must not be stored after creation.
## MFA Lifecycle
MFA factors move from registered to verified, active, challenged, disabled, or recovered. Recovery actions must be auditable.