Let's say my reseller account is reseller.com, and my resold domain is resold.com. In order to create a user on behalf of my resold domain, here is the call that I will make using my own reseller credential.
(https://developers.google.com/admin-sdk/directory/v1/guides/manage-users?hl=ja#create_user)
POST /admin/directory/v1/users HTTP/1.1
{
"name": {
"familyName": "Lam",
"givenName": "Emily"
},
"password": "anythingyouwant",
"primaryEmail": "emily@resold.com"
}
What you input in the primaryEmail field is where the user will be created. If you take a look at your resold domain admin console now, you will see that a user is now created.
Now again for retrieval, it is the same deal.
GET /admin/directory/v1/users/emily@resold.com
You will create these users and retrieve these users using your reseller credential as if you are the super admin of their domains. Here is the catch....
If the "Enable API access" is not manually checked in your resold domain Admin console (by default, this is now automatically checked for all newly resold domains at the moment), you can't make calls on behalf of the resold domains.
The button is in Admin Console -> Security -> API reference -> Enable API access