RE: Best Practices for Securing Partner APIs with FusionAuth

Yes—using FusionAuth access tokens to secure partner-facing APIs is a solid approach. The key is ensuring the tokens contain the right claims to enforce proper authorization for your endpoints.

Separating partners into a different tenant or application can improve security and simplify management. Different tenants fully isolate users and tokens, but would require duplicating application configs. Alternatively, you could keep partners in the same tenant and distinguish them via roles, claims, or separate applications.

If partners are accessing APIs server-to-server, the client credentials grant (Entities in FusionAuth) is the correct choice. Be sure to carefully scope each partner’s access to avoid over-permissioning.

More on these topics:

• API Authorization with FusionAuth
• Tenants Overview
• JWT Anatomy
• Authorization Models

We use FusionAuth for user authentication on our website and plan to expose certain API endpoints to external partners. Our idea is to have partners authenticate via FusionAuth and then use the access token (JWT) to call our secured APIs.

Is this the recommended way to secure partner APIs with FusionAuth? Should we separate partner users into a different tenant or application for better isolation? And if partners need server-to-server access, is the client credentials grant the right approach?

Yes—you can safely add a fourth custom URL. The “replace” label appears because the system expects you to submit the entire list of domains each time. To avoid losing any URLs, make sure all four domains—including your existing three—are entered in the form before you submit. Only custom domains omitted from the list will be removed.

More details here:
Updating Custom Domains

We have three custom URLs in production and want to add a fourth. The interface only shows a “replace” option, which worries us in a production environment. Can you confirm if we can safely add a fourth URL without affecting the existing ones?

Yes! FusionAuth stores MFA details on the user object, and you can search for users with MFA enabled using Elasticsearch queries.

For example, in the Admin UI’s User search, you can run:

_exists_:twoFactor

This returns all users with at least one MFA method configured. You can also perform similar searches via the User Search API to build custom reports. For more details on searchable user fields and Elasticsearch queries, see:

• User Fields Reference
• User Search with Elasticsearch

We’d like to generate a custom report showing which imported user accounts have set up multi-factor authentication (MFA). Ideally, we want to see all users and their MFA status under the Multi-Factor tab. Is this possible?

This is definitely an uncommon scenario, so there’s no out-of-the-box flow documented for it, but here’s one way to handle it:

1. Create a second Google IdP: FusionAuth supports only one native Google IdP, but you can set up an additional Google connection as a generic OpenID Connect (OIDC) IdP. This second IdP can request the elevated scopes you need for email access. See the OIDC docs here: OpenID Connect IdP in FusionAuth.
2. Trigger reauthentication: When a user opts into the email client feature, redirect them through the second IdP’s OAuth flow to acquire the elevated scopes. This effectively escalates their session without forcing all users through additional authentication unnecessarily.

This approach allows you to avoid reauthentication for users who don’t need the extra scopes while supporting a higher-privilege flow for users who do.

We want to provide two different login experiences:

• Users who opt to have us as an email client should re-login with Google to get elevated OAuth scopes (e.g. to read their email).
• Users who don’t opt for email services shouldn’t be forced to reauthenticate and should have a smooth login experience.

Ideally, we’d like to build our /oauth2/authorize URL with the additional scopes when needed, have users reauthenticate via Google, and have FusionAuth update the linked account with the new access token and elevated permissions. Is this possible?

Great question—this often causes confusion.

In FusionAuth, logging in after a Forgot Password flow is tracked as ONE_TIME_PASSWORD. That’s because, technically, FusionAuth uses a one-time password during that process. For example, if you look at the Change a User’s Password API, it returns a one-time password token. On the hosted pages, FusionAuth automatically consumes this token to sign the user in immediately after they reset their password via the forgot password link in their email.

So even without traditional OTP or MFA configured, these login events can appear as ONE_TIME_PASSWORD due to password reset flows.

In the login events from webhooks, I’m seeing many logins where authenticationType is set to ONE_TIME_PASSWORD. Our current configuration doesn’t seem to explain this, and as far as I know, we’re not using any OTP or MFA. What does this refer to?

Good question—it’s a common challenge.

By default, the email verification flow breaks the OAuth/PKCE context because the user leaves the registration page to check their email and clicks a verification link. FusionAuth can’t continue the OAuth flow automatically from that email link, which is why your hard-coded redirect URI fails without the required OAuth code.

A better solution is to switch your email verification strategy from Clickable Link to Form Field (under Tenant → Email → Email Verification → Verification Strategy). With this approach, users stay on the original registration page, enter the verification code from their email, and the OAuth/PKCE flow remains intact—including the authorization code. This enables seamless redirecting back into your app after verification.

If you’re creating and registering users for an application at the same time, remember to also check the app-level registration verification settings under:
FusionAuth Admin UI → Applications → Edit Application → Registration tab.

More details are in the docs: Registration Email Verification

I’m trying to fine-tune our user registration flow so that, after verifying their email, users are deep-linked back into our mobile app. Ideally, I’d like them redirected to the login redirect URI monitored by the OS so the native web browser window used for OAuth/PKCE can close automatically. Right now, this isn’t working as expected. If I hard-code my login redirect URI into the email verification template, it errors out because the OAuth/PKCE code is missing. How can I achieve this with FusionAuth?

You’re correct that user_support_manager is the right role, but it has a limitation: it can only remove MFA devices if the manager has the user’s MFA code or recovery codes. Only admins can disable MFA without those.

If you want to remove MFA without needing a code, you’d need to use the User API to clear the user’s MFA data. Also, confirm that both support managers have the same role assigned under their registrations in the FusionAuth application. Check this under each user’s Source tab in the Admin UI under registrations.roles.

More details:

Update a User via API

FusionAuth Admin UI Roles

We have two users assigned the role of user_support_manager, yet only one can manage and specifically remove multi-factor devices for other users. As far as we know, this is the appropriate role for facilitating that, and we cannot identify any other differences in permissions. What should we be on the lookout for, and is our assumption regarding permissions accurate?

Yes, you can localize social login buttons, but it requires customizing your theme.

In the Theme Helpers file, locate the macro for each IdP button—for example, the Google button macro (starting around line 409). Change the text like this:

From:

<div class="text">${identityProvider.lookupButtonText(clientId)?trim}</div>

To:

<div class="text">${theme.message('google-login')}</div>

Then, define google-login in your Theme → Messages bundles for each supported language. Repeat the same process for the Apple button macro (starting around line 363).

This allows the social login button text to display localized strings based on the user’s selected language.

Our users sign in via Google or Apple accounts. While testing internationalization, we noticed that the social login button text doesn’t change with the selected language. Is there a way to localize the social login buttons for different languages in FusionAuth?

This error usually means FusionAuth doesn’t have the public key it needs to verify the JWT signature.

Make sure you’ve imported the public key that Keycloak uses to sign tokens into Settings → Key Master in FusionAuth. Check whether your JWT includes a kid (Key ID) claim. If it does, the key you import into Key Master must have a matching Key ID. You can confirm the Key ID after importing by clicking the view () icon next to the key.

Once the correct key is imported and matches the kid from the JWT, FusionAuth will be able to verify the token’s signature.

I’m trying to set up an External JWT Identity Provider to accept tokens from Keycloak. I’ve filled out all the necessary fields in FusionAuth, but when I send a token request to /api/jwt/reconcile, I get this error:

io.fusionauth.jwt.MissingVerifierException : Message: No Verifier has been provided for verifying a signature signed using [SHA256withRSA]

How can I resolve this?

FusionAuth doesn’t currently support setting a default IdP for an application or automatically forcing logins through an IdP. You’re welcome to submit a feature request on our GitHub issues page.

If all your users share the same email domain, you could try Managed Domains to route them to the correct IdP.

Another option is to place a proxy in front of FusionAuth. The proxy could inspect incoming requests and append the idp_hint before forwarding traffic to FusionAuth. You can learn more about using a proxy setup here.

We’re building a Microsoft PowerPages website that needs user authentication through FusionAuth, with token enrichment via custom claims. We’ve configured an application and identity provider in FusionAuth, so users can authenticate via our external IdP instead of using FusionAuth’s login form. In our other apps, we use idp_hint in the path, which works well. However, Microsoft PowerPages doesn’t allow us to add this query parameter.

Is there a way in FusionAuth to set a default IdP for an application, or do you have suggestions for handling this without relying on idp_hint?