RE: How to Retrieve Last Login Dates for Multiple Users in FusionAuth via the Search API

FusionAuth doesn’t support uploading a CSV to retrieve last-login timestamps. However, you can do this efficiently with the Search for Users API and return lastLoginInstant for many users at once.

How to do it (batch via API)

1. Use the User Search endpoint
   POST /api/user/search (set your X-FusionAuth-TenantId and Authorization headers).

2. Send an Elasticsearch query using terms to match a batch of emails/usernames, and read lastLoginInstant from each returned user:

 {
  "search": {
    "query": "{\"terms\":{\"email\":[\"a@example.com\",\"b@example.com\",\"c@example.com\"]}}",
    "numberOfResults": 500,
    "startRow": 0
  }
}

• Swap email for username if that’s what you have.
• If your list is large, chunk it (e.g., 200–500 logins per request) and paginate with startRow / numberOfResults.

3. (Optional) Filter by last-login date with a range query on lastLoginInstant:

 {
  "search": {
    "query": "{\"range\":{\"lastLoginInstant\":{\"gte\":\"2025-10-01T00:00:00Z\"}}}"
  }
}

You can also query by epoch millis if you prefer.

4. Map results
   Each user object includes lastLoginInstant (epoch millis). Convert to your desired timezone/format in your script and write out a CSV.

Tips

• If you need all users in a tenant (not just your list), you can search with a wildcard or a match-all query and page through results, then filter locally.
• For ongoing metrics, consider subscribing to user.login.success webhooks and recording last logins as they happen.

Docs:

• Search for Users API (Elasticsearch): https://fusionauth.io/docs/apis/users#elasticsearch-search-engine

We have ~8,000 usernames/emails and want to look up each user’s last login date. The UI seems to allow searching only one email at a time. Is there a way to upload a CSV of usernames and get all of their lastLoginInstant values?

You can work around this by passing the IDs directly in your request. Here’s an example of how to structure the request correctly:

from fusionauth.fusionauth_client import FusionAuthClient

api_key = 'your-fusionauth-api-key'
base_url = 'https://your-fusionauth-instance.com'
group_id = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
user_ids_to_remove = [
    'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy',
    'zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz'
]

client = FusionAuthClient(api_key, base_url)
member_delete_request = {'members': {group_id: user_ids_to_remove}}
response = client.delete_group_members(member_delete_request)

if response.was_successful():
    print("Successfully removed users from group!")
else:
    print(f"Error: {response.error_response}")

This approach correctly formats the request for the API to process and delete the specified users from the group.

I tried using delete_group_members() to remove users from a group, but each request failed with a “could not find memberId” error. I tried passing in both the group ID and user ID, but it didn’t work. I was only able to get it to work manually by passing a members_delete_request directly to the client. Is there a way to get delete_group_members() to work properly, or does it have a bug?

This issue was addressed in version 1.56.0. Make sure your FusionAuth instance is updated to the latest version, as several reporting-related fixes have been released that resolve this specific problem.

When tracking daily active users and registration numbers, the data for the last day of each month is missing regardless of the number of days in that month. The last day’s data is missing from both the UI and the API response. Is there a way to determine why this is happening?

You cannot integrate Datadog directly into the cloud-hosted version of FusionAuth. The only relevant section in the documentation is "Use Datadog Agent on a Remote Host." This requires setting up Datadog to monitor FusionAuth using the Prometheus Metrics API endpoint. For monitoring failed 2FA rates, FusionAuth does not currently have built-in support. There is no webhook for failed MFA, but you can use the failed login webhook to monitor incorrect password attempts.

Retrieve system metrics using Prometheus
Use the Datadog Agent on a remote host
User login failed webhook

We are investigating what additional telemetry and data we can monitor and log to our monitoring systems. I found the self-hosted version supports integration with Datadog here: https://fusionauth.io/docs/operate/monitor/datadog

However, I am unclear what we can monitor on the cloud version since we are not managing the container or deployment side.

1. Can we integrate the cloud-hosted version into Datadog to monitor for performance issues or other issues that might impact end users? If so, are there any guides?

2. Can we monitor failed 2FA rates using a tool like this? Or are there recommended approaches for monitoring drop-off during 2FA enrollment and other login issues?

FusionAuth uses standard SMTP for all email connections. As long as Proofpoint Cloud supports a standard SMTP connection where FusionAuth sends transactional emails, initiates a handshake, and completes delivery, the integration will work. You can reference our documentation for details on configuring SMTP with common providers:

Configure Email

Is Proofpoint Cloud supported for SMTP configuration in FusionAuth, or is there anything special needed to make it work?

You can manage both flows within a single tenant. Typically, you’d configure separate applications, one for the Admin portal tied to your AD/Entra ID provider, and another for your client-facing site using FusionAuth. You can then use login hints or managed domains to direct users to the correct Identity Provider (IdP).

Identity Provider Hints
Managed Domains

We’d like to configure FusionAuth so that our Admin portal authenticates against Active Directory/Microsoft Entra ID, while our client-facing site uses FusionAuth for authentication. Does this setup make sense, and should we use separate tenants for this, or can both flows be managed within a single tenant?

Yes, you can create a user without SMTP configured. In the Admin UI, disable the Send Setup Password option and set the password manually during user creation. If you’re using the API, set "sendSetPasswordEmail": false and include a "password" field in the user object.

Users API

Can I create a user in a tenant if SMTP hasn’t been configured? I want to set up an account, but the user isn’t receiving emails (likely because SMTP isn’t set up). Is there a way to manually assign a password so they can log in?

During an upgrade, FusionAuth monitors your deployment, and if it becomes unresponsive for more than five minutes, the on-call engineer is alerted. A snapshot of the database is taken before the upgrade, so a rollback is possible, though it is manual and would result in data loss from the time of the upgrade to the rollback. Rollbacks are very rare and have only happened once in the past four years.

You can safely upgrade directly to 1.59, and many customers do skip versions. The upgrade process is straightforward: once started, the deployment status changes to Upgrading and returns to Active when complete. For production instances, downtime is minimal (typically seconds, if at all) because multi-node deployments use rolling upgrades. Most upgrades take under 20 minutes, though in rare cases they can take up to an hour.

FusionAuth never forces you to upgrade, but if you are running a very old version (1–2 years behind) and encounter issues, support may request that you upgrade before troubleshooting.

Upgrading a Deployment

We’re considering upgrading from FusionAuth 1.54 to 1.59 and want to ensure the process is smooth and safe for our clients. Could you clarify:

• What monitoring protocols are in place during the upgrade?
• Is there an automatic rollback if something goes wrong?
• Should we upgrade directly to 1.59 or go version by version?
• Will there be downtime during the upgrade?
• What does the upgrade process look like for us?
• Will older versions eventually become unsupported, requiring an upgrade?

Good question. I believe this is due to how we implemented our PATCH calls. If you are making a straight API call, you can change the Content-Type header to application/merge-patch+json which will instead overwrite the existing array with whatever you have provided. That's the most straightforward way to replace array values. There are other methods detailed in the doc below but those involve removing values one by one instead of just overwriting them. The downside here is that I don't believe Client Libraries usually support the merge-patch header.

• https://fusionauth.io/docs/apis/#the-patch-http-method

The UserData of our users contains an array which is creating a problem for us using PATCH. When PATCH is used to refresh the user it always results in an array append. It appears that one option is to perform a GET request, modify the array, and then execute a PUT request. That's multiple steps, and thus more opportunities for something to go wrong. Can the array values be replaced with a PATCH rather than adding to the array?

If you believe that you have discovered a bug or issue with FusionAuth, please log an issue below.

• https://github.com/FusionAuth/fusionauth-issues/issues/new/choose

To note, you will likely want to be listening to the registration.update webhook for changes to the registration object prompted by additional fields the user needs to have completed based on what is a required field for self service registration.

In the case of a user entering all these fields "manually" (as part of a registration form) we will create the user and the registration at the same time (thus transmitting all information, including all required registration fields, as part of the user.create and registration.create events).

However, in the case of a social login, the user and registration will be created after the IdP provider returns information via the user.create and registration.create events. Additional registration will be asked of the user as part of the complete registration process (if there are additional required fields) and that additional information will be transmitted as part of the registration.update event.

• https://fusionauth.io/docs/extend/events-and-webhooks/events/user-registration-update

My registration form includes custom fields. The values are correctly sent to our backend with the user-create-complete event. Unfortunately, this does not apply to users who register with social login. At this point, the event is dispatched without the supplementary custom content, as it occurs immediately after the social login and before the user is prompted to provide additional registration details. Consequently, I anticipated a user.update.complete event to occur shortly after the 'empty' user.create.complete event, but it did not happen. Please provide guidance on how to troubleshoot this issue.