Topics created by wesley

Yes—using FusionAuth access tokens to secure partner-facing APIs is a solid approach. The key is ensuring the tokens contain the right claims to enforce proper authorization for your endpoints.

Separating partners into a different tenant or application can improve security and simplify management. Different tenants fully isolate users and tokens, but would require duplicating application configs. Alternatively, you could keep partners in the same tenant and distinguish them via roles, claims, or separate applications.

If partners are accessing APIs server-to-server, the client credentials grant (Entities in FusionAuth) is the correct choice. Be sure to carefully scope each partner’s access to avoid over-permissioning.

More on these topics:

API Authorization with FusionAuth Tenants Overview JWT Anatomy Authorization Models

Yes—you can safely add a fourth custom URL. The “replace” label appears because the system expects you to submit the entire list of domains each time. To avoid losing any URLs, make sure all four domains—including your existing three—are entered in the form before you submit. Only custom domains omitted from the list will be removed.

More details here:
Updating Custom Domains

Yes! FusionAuth stores MFA details on the user object, and you can search for users with MFA enabled using Elasticsearch queries.

For example, in the Admin UI’s User search, you can run:

_exists_:twoFactor

This returns all users with at least one MFA method configured. You can also perform similar searches via the User Search API to build custom reports. For more details on searchable user fields and Elasticsearch queries, see:

User Fields Reference User Search with Elasticsearch

This is definitely an uncommon scenario, so there’s no out-of-the-box flow documented for it, but here’s one way to handle it:

Create a second Google IdP: FusionAuth supports only one native Google IdP, but you can set up an additional Google connection as a generic OpenID Connect (OIDC) IdP. This second IdP can request the elevated scopes you need for email access. See the OIDC docs here: OpenID Connect IdP in FusionAuth. Trigger reauthentication: When a user opts into the email client feature, redirect them through the second IdP’s OAuth flow to acquire the elevated scopes. This effectively escalates their session without forcing all users through additional authentication unnecessarily.

This approach allows you to avoid reauthentication for users who don’t need the extra scopes while supporting a higher-privilege flow for users who do.

Great question—this often causes confusion.

In FusionAuth, logging in after a Forgot Password flow is tracked as ONE_TIME_PASSWORD. That’s because, technically, FusionAuth uses a one-time password during that process. For example, if you look at the Change a User’s Password API, it returns a one-time password token. On the hosted pages, FusionAuth automatically consumes this token to sign the user in immediately after they reset their password via the forgot password link in their email.

So even without traditional OTP or MFA configured, these login events can appear as ONE_TIME_PASSWORD due to password reset flows.

Good question—it’s a common challenge.

By default, the email verification flow breaks the OAuth/PKCE context because the user leaves the registration page to check their email and clicks a verification link. FusionAuth can’t continue the OAuth flow automatically from that email link, which is why your hard-coded redirect URI fails without the required OAuth code.

A better solution is to switch your email verification strategy from Clickable Link to Form Field (under Tenant → Email → Email Verification → Verification Strategy). With this approach, users stay on the original registration page, enter the verification code from their email, and the OAuth/PKCE flow remains intact—including the authorization code. This enables seamless redirecting back into your app after verification.

If you’re creating and registering users for an application at the same time, remember to also check the app-level registration verification settings under:
FusionAuth Admin UI → Applications → Edit Application → Registration tab.

More details are in the docs: Registration Email Verification

You’re correct that user_support_manager is the right role, but it has a limitation: it can only remove MFA devices if the manager has the user’s MFA code or recovery codes. Only admins can disable MFA without those.

If you want to remove MFA without needing a code, you’d need to use the User API to clear the user’s MFA data. Also, confirm that both support managers have the same role assigned under their registrations in the FusionAuth application. Check this under each user’s Source tab in the Admin UI under registrations.roles.

More details:

Update a User via API

FusionAuth Admin UI Roles

Yes, you can localize social login buttons, but it requires customizing your theme.

In the Theme Helpers file, locate the macro for each IdP button—for example, the Google button macro (starting around line 409). Change the text like this:

From:

<div class="text">${identityProvider.lookupButtonText(clientId)?trim}</div>

To:

<div class="text">${theme.message('google-login')}</div>

Then, define google-login in your Theme → Messages bundles for each supported language. Repeat the same process for the Apple button macro (starting around line 363).

This allows the social login button text to display localized strings based on the user’s selected language.

This error usually means FusionAuth doesn’t have the public key it needs to verify the JWT signature.

Make sure you’ve imported the public key that Keycloak uses to sign tokens into Settings → Key Master in FusionAuth. Check whether your JWT includes a kid (Key ID) claim. If it does, the key you import into Key Master must have a matching Key ID. You can confirm the Key ID after importing by clicking the view (🔍) icon next to the key.

Once the correct key is imported and matches the kid from the JWT, FusionAuth will be able to verify the token’s signature.

FusionAuth doesn’t currently support setting a default IdP for an application or automatically forcing logins through an IdP. You’re welcome to submit a feature request on our GitHub issues page.

If all your users share the same email domain, you could try Managed Domains to route them to the correct IdP.

Another option is to place a proxy in front of FusionAuth. The proxy could inspect incoming requests and append the idp_hint before forwarding traffic to FusionAuth. You can learn more about using a proxy setup here.

Data transfers between FusionAuth deployments aren’t typically included as a standard service, except in cases where a business is scaling up to a larger deployment. However, since this is a new production setup, we can accommodate a one-time migration for you. The process would result in about 10 minutes of downtime.

Make sure you have a master API key on hand, as certain settings—like SMTP configurations—might need to be updated manually after the transfer. Alternatively, you’re welcome to migrate the configuration manually if you prefer.

For Business hosting, FusionAuth creates daily database snapshots around midnight Mountain Time. Three days’ worth of backups are kept. Additionally, a snapshot is taken before any FusionAuth software upgrade and retained for 30 days. Direct database access isn’t available on hosted deployments, so you can’t create traditional database backups yourself. However, most user and configuration data can be retrieved via the FusionAuth API. Some sensitive data, like password hashes or one-time codes (MFA, email verification, magic links), cannot be extracted. Yes — upgrades from Basic to Business or Business to High Availability are possible. A FusionAuth support team member coordinates the process, which typically takes 60–90 minutes and may involve up to 45 minutes of downtime. New deployments use our updated infrastructure, which offers additional features. Downgrading FusionAuth is technically possible but complex and rare. It requires manual intervention by FusionAuth support and can involve significant effort. Downgrades requested within 30 days of an upgrade are simpler and involve less disruption, but the exact downtime is difficult to estimate. Yes — Basic hosting now supports a single custom domain on the new infrastructure. We can help migrate your deployment to the newer model, enabling you to add a custom domain for easier integration. Yes — it’s possible to change your current hosted URL when migrating to the new infrastructure.

More details on hosting plans and capabilities are available here: https://fusionauth.io/docs/get-started/run-in-the-cloud/

You’re correct — when duplicating a tenant, FusionAuth does not copy the SMTP password. This is by design for security reasons. Passwords are stored securely and aren’t exposed in logs, debug output, or the UI, even with debug logging enabled for email.

Unfortunately, there’s no way to automatically carry over the SMTP password when duplicating tenants, and there aren’t plans to change this behavior.

You’ll need to manually re-enter the SMTP password in the duplicated tenant’s configuration.

First, confirm that the engineer’s environment can reach FusionAuth’s licensing servers. From the server, container, or environment running FusionAuth, run the following cURL command:

curl -vv https://license.fusionauth.io

You should see output indicating a successful TLS handshake and a response from the license server. If there’s a connection issue (timeouts, certificate errors, etc.), that could explain why the license validation is failing.

More details about required network connectivity for licensed FusionAuth installations are here:
Paid Plan System Requirements

Yes, you can enable identity providers for applications using the API.

Here’s how:

Use the specific API endpoint for the identity provider type you’re configuring (SAML, OIDC, etc.).

For example, if you’re enabling a SAML or OIDC provider, you’ll use:

PATCH /api/identity-provider/{identityProviderId}

In your request body, set this field to true:

identityProvider.applicationConfiguration[applicationId].enabled

Documentation links for details and examples:

SAML Identity Provider API OIDC Identity Provider API

The general identity provider API overview is here:
Identity Provider APIs

To show the “change password complete” page instead of continuing the OAuth flow, you’ll need to update your password reset email or SMS templates.

Here’s how to do it:

Go to FusionAuth Admin UI → Customizations → Email Templates (or SMS Templates) and edit or copy the template used for password resets. Find the template assigned to the application under Applications → Edit Application → Email tab. If no template is specified there, the system uses the tenant-level template from Tenant → Edit Tenant → Email tab.

In the default template, you’ll see a line like this:

[#assign url = "http://localhost:9011/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}" /]

Change it to remove the client_id like so:

[#assign url = "http://localhost:9011/password/change/${changePasswordId}?tenantId=${user.tenantId}" /]

Without the client_id in the URL, FusionAuth won’t attempt to continue the OAuth flow after the password change. Instead, it will show the Change Password Complete hosted page.

If you only want this behavior for a specific application, create a separate template for that app and assign it at the application level.

First, ensure that Debug is enabled in your SMTP settings for the tenant. After enabling it, try sending password reset emails again and then check the Event Logs for any errors or details about why emails aren’t going out.

For more troubleshooting steps, see the FusionAuth SMTP documentation:
Configuring Email in FusionAuth

FusionAuth provides an API to search for webhook event logs, including failed events. For example, you can use this endpoint:

/api/system/webhook-event-log/search?start=<timestamp>&end=<timestamp>&eventResult=Failed

This will return all webhook events in the specified time frame that failed. More details are here:
Search Webhook Event Logs

In the API response, the event section contains the original payload that was sent. While FusionAuth doesn’t currently have a built-in replay feature, you can extract this event data and manually re-send it to the webhook URL using your own REST calls.

A native replay feature is on the roadmap, but there’s no confirmed timeline for its release yet.

These challenges are expected because of the security protections in place on FusionAuth Cloud deployments. One option is indeed to self-host FusionAuth, which gives you full control over rate limits and CAPTCHA settings.

Alternatively, you could add your IP address to FusionAuth’s allowlist, which can exempt you from certain rate limits and CAPTCHA checks. Details on this approach and the requirements are documented here:
CAPTCHA and Rate Limits - FusionAuth Cloud

Custom domains are available for Basic Cloud deployments. However, this feature relies on a newer backend infrastructure that we’ve recently rolled out. It sounds like your current deployment is on our legacy infrastructure, which does not support custom domains.

We’d be happy to help you migrate your deployment to the new infrastructure so you can enable custom domains. Please note that this migration would involve 30 to 60 minutes of downtime to complete the transition. Let us know if you’d like to proceed!