User APIs

The unique Id of the tenant used to scope this API request.

When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

The Id to use for the new User. If not specified a secure random UUID will be generated.

An optional Application Id. When this value is provided, it will be used to resolve an application specific email template if you have configured transactional emails such as setup password, email verification and others.

If not provided, only the tenant configuration will be used when resolving email templates.

A tenant has the option to configure one or more email domains to be blocked in order to restrict email domains during user create or update.

Setting this property equal to true will override the tenant configuration. See tenant.registrationConfiguration.blockedDomains in the Tenant API.

If true, FusionAuth will send the User an email asking them to set their password. The Email Template that is used is the one specified in the setPasswordEmailTemplateId .

When you set this value to true, any provided password field is ignored. FusionAuth will set the initial password to a securely generated random string.

If you have also enabled email verification and do not skip verification with the skipVerification parameter, only the setup password email will be sent to the user. Setting up the password using the email sent during this user create operation will verify the User’s email if it is not already verified.

If the SMTP email configuration is not complete, or disabled, this value is ignored.

Indicates to FusionAuth that it should skip email verification even if it is enabled. This is useful for creating admin or internal User accounts.

Setting this to true will set the user.verified field to true as well.

An ISO-8601 formatted date of the User’s birthdate such as YYYY-MM-DD.

An object that can hold any information about a User that should be persisted. Please review the limits on data field types as you plan for and build your custom data schema.

This field will be used as the email address if no user.email field is found. This field may be modified by advanced registration forms or the API. Setting this value to another account’s email address allows that account to, in some cases, access information about this user.

If user richard has a user.data.email with a value of dinesh@fusionauth.io, whoever controls dinesh@fusionauth.io has elevated access to the richard account. That user can now reset the password on the richard account, for example. This functionality may be useful in certain scenarios, such as when accounts must share an email address. Think through the security ramifications before using this feature.

This feature was removed in version 1.26.0 and added back in in 1.27.2.

The User’s email address. An email address is a unique in FusionAuth and stored in lower case.

If email is not provided, then the username will be required.

The method for encrypting the User’s password. The following encryptors are provided with FusionAuth:

• salted-md5
• salted-sha256
• salted-hmac-sha256
• salted-pbkdf2-hmac-sha256
• salted-pbkdf2-hmac-sha256-512 Available since 1.34.0
• bcrypt
• phpass-md5 Available since 1.45.0
• phpass-sha512Available since 1.45.0

You can also create your own password encryptor. See the Custom Password Hashing section for more information.

The expiration instant of the User’s account. An expired user is not permitted to login.

The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.

The first name of the User.

The User’s full name as a separate field that is not calculated from firstName and lastName.

The URL that points to an image file that is the User’s profile image.

The User’s last name.

The User’s middle name.

The User’s mobile phone number. This is useful is you will be sending push notifications or SMS messages to the User.

The email address of the user’s parent or guardian. This field is used to allow a child user to identify their parent so FusionAuth can make a request to the parent to confirm the parent relationship.

Family configuration must be enabled in the tenant Family configuration and the corresponding family email templates must be configured for FusionAuth to notify the parent during user creation.

The User’s plain text password. This password will be hashed and the provided value will never be stored and cannot be retrieved.

This field is optional only if sendSetPasswordEmail is set to true. By default sendSetPasswordEmail is false, and then this field will be required.

Indicates that the User’s password needs to be changed during their next login attempt.

An array of locale strings that give, in order, the User’s preferred languages. These are important for email templates and other localizable text. See Locales.

The maximum number of allowed preferred languages is 20.

The User’s preferred timezone. The string must be in an IANA time zone format. For example:

America/Denver or US/Mountain

The algorithm used by the TOTP authenticator. With the current implementation, this will always be HmacSHA1.

The length of code generated by the TOTP. With the current implementation, this will always be 6.

The time-step size in seconds. With the current implementation, this will always be 30.

The value of the email address for this method. Only present if user.twoFactor.methods[x].method is email.

The type of this method. There will also be an object with the same value containing additional information about this method. The possible values are:

• authenticator
• email
• sms

The value of the mobile phone for this method. Only present if user.twoFactor.methods[x].method is sms.

A base64 encoded secret

This field is required when method is authenticator.

The User’s preferred delivery for verification codes during a two factor login request.

The possible values are:

• None
• TextMessage

When using TextMessage the User will also need a valid mobilePhone.

Determines if the User has two factor authentication enabled for their account or not.

See the Enable Two Factor and Disable Two Factor APIs as an alternative to performing this action using the User API.

The Base64 encoded secret used to generate Two Factor verification codes.

You may optionally use value provided in the secret field returned by the Two Factor Secret API instead of generating this value yourself.

Unless you are using TextMessage as your delivery type, ensure you are able to share the secret with the User before enabling Two Factor authentication. Beginning in version 1.17.0, if you do create a User with TextMessage set as the twoFactorDelivery type and you omit this value, the secret will be generated for you. The secret can be generated because it is not necessary to share the secret with the User for this delivery method.

When using None as the twoFactorDelivery this value will be required.

The username of the User. The username is stored and returned as a case sensitive value, however a username is considered unique regardless of the case. bob is considered equal to BoB so either version of this username can be used whenever providing it as input to an API.

If username is not provided, then the email will be required.

The current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:

• ACTIVE - the username is active
• PENDING - the username is pending approval/moderation
• REJECTED - the username was rejected during moderation

This state is managed by CleanSpeak, it may be changed by setting it on this request.

A trust token that may be used to complete another API request that requires trust. For example, if you receive an error from an API indicating trust is required - indicated by this error code [TrustTokenRequired], this value can be used to satisfy the trust requirement.

True if the User is active. False if the User has been deactivated. Deactivated Users will not be able to login.

The User’s birthdate formatted as YYYY-MM-DD

The instant this user’s password was last checked to determine if it is compromised.

The unique Id of the Connector associated with the System of Record being used to authenticate the user.

This Id is used by FusionAuth when the User’s username is sent to CleanSpeak to be moderated (filtered and potentially sent to the approval queue). It is the content Id of the username inside CleanSpeak.

An object that can hold any information about the User that should be persisted.

This field will be used as the email address if no user.email field is found.

This feature was removed in version 1.26.0 and added back in in 1.27.2.

The User’s email address.

The expiration instant of the User’s account. An expired user is not permitted to login.

The first name of the User.

The User’s full name as a separate field that is not calculated from firstName and lastName.

The User’s unique Id.

The URL that points to an image file that is the User’s profile image.

The instant when the user was created.

The instant when the User logged in last.

The User’s last name.

The instant when the User was last updated.

The User’s middle name.

The User’s mobile phone number. This is useful if you will be sending push notifications or SMS messages to the User.

The email address of the user’s parent or guardian. If this value was provided during a create or update operation, this value will only remain until the child is claimed by a parent.

Indicates that the User’s password needs to be changed during their next login attempt.

The instant that the User last changed their password.

An array of locale strings that give, in order, the User’s preferred languages. These are important for email templates and other localizable text. See Locales.

The list of registrations for the User. This will include registrations for inactive applications.

The Id of the Application that this registration is for.

The Authentication Token for this registration (if one exists).

This Id is used by FusionAuth when the User’s username for this registration is sent to CleanSpeak to be moderated (filtered and potentially sent to the approval queue). It is the content Id of the username inside CleanSpeak.

An object that can hold any information about the User for this registration that should be persisted.

The Id of this registration.

The instant that this registration was created.

The instant that the User last logged into the Application for this registration.

An array of locale strings that give, in order, the User’s preferred languages for this registration. These are important for email templates and other localizable text.

The list of roles that the User has for this registration.

The User’s preferred timezone for this registration. The string will be in an IANA time zone format.

A map that contains tokens returned from identity providers.

For example, if this user has authenticated using the Facebook Identity Provider, the Facebook access token will be available in this map, keyed by name Facebook. For an OpenID Connect Identity provider, or other generic providers, if a token is stored it will be keyed by the Identity Provider unique Id.

The token returned and stored from the Identity Provider is now stored in the IdP link and is retrievable using the Identity Provider Link API.

The username of the User for this registration only. This is for display purposes and cannot be used to login.

The current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:

• ACTIVE - the username is active
• PENDING - the username is pending approval/moderation
• REJECTED - the username was rejected during moderation

If a username has been rejected, it is still possible to allow the User to update it and have the new one moderated again.

This value indicates if this User’s registration has been verified.

For additional information, see these tutorials:

• Email Verification
• Registration Verification

The instant that this registration was verified.

The Id of the Tenant that this User belongs to.

The User’s preferred timezone. This can be used as a default to display instants, and it is recommended that you allow Users to change this per-session. The string will be in an IANA time zone format.

The algorithm used by the TOTP authenticator. With the current implementation, this will always be HmacSHA1.

The length of code generated by the TOTP. With the current implementation, this will always be 6.

The time-step size in seconds. With the current implementation, this will always be 30.

The value of the email address for this method. Only present if user.twoFactor.methods[x].method is email.

The unique Id of the method.

true if this method was used most recently.

The type of this method. There will also be an object with the same value containing additional information about this method. The possible values are:

• authenticator
• email
• sms

The value of the mobile phone for this method. Only present if user.twoFactor.methods[x].method is sms.

A base64 encoded secret

The User’s preferred delivery for verification codes during a two factor login request.

The possible values are:

• None
• TextMessage

Determines if the User has two factor authentication enabled for their account or not.

The username of the User.

The current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:

• ACTIVE - the username is active
• PENDING - the username is pending approval/moderation
• REJECTED - the username was rejected during moderation

If a username has been rejected, it is still possible to allow the User to update it and have the new one moderated again.

Whether or not the User’s email has been verified.

For additional information, see these tutorials:

• Email Verification
• Registration Verification

The instant that this email address was verified.

Note that this value is immutable and will only represent the first time the email was verified. If you enable re-verification on email change, this value will not change and will only represent the initial verification.

The unique Id of the User to retrieve.

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

The unique Id of the User to retrieve. The loginId can be either the email or username.

The unique Id of the tenant used to scope this API request.

When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request because the input parameters by themselves do not indicate which tenant the request is intended.

The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

The email of the User to retrieve.

The unique Id of the tenant used to scope this API request.

When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request because the input parameters by themselves do not indicate which tenant the request is intended.

The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

The username of the User to retrieve.

The unique Id of the tenant used to scope this API request.

When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request because the input parameters by themselves do not indicate which tenant the request is intended.

The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

The change password Id associated with the user when the Forgot Password workflow has been started.

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

The verification Id associated with the user when the Email verification process has been started.

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

A trust token that may be used to complete another API request that requires trust. For example, if you receive an error from an API indicating trust is required - indicated by this error code [TrustTokenRequired], this value can be used to satisfy the trust requirement.

True if the User is active. False if the User has been deactivated. Deactivated Users will not be able to login.

The User’s birthdate formatted as YYYY-MM-DD

The instant this user’s password was last checked to determine if it is compromised.

The unique Id of the Connector associated with the System of Record being used to authenticate the user.

This Id is used by FusionAuth when the User’s username is sent to CleanSpeak to be moderated (filtered and potentially sent to the approval queue). It is the content Id of the username inside CleanSpeak.

An object that can hold any information about the User that should be persisted.

This field will be used as the email address if no user.email field is found.

This feature was removed in version 1.26.0 and added back in in 1.27.2.

The User’s email address.

The encryption scheme used to hash the password for this user. This value is only returned when the user is retrieved using an API key.

The expiration instant of the User’s account. An expired user is not permitted to login.

The first name of the User.

The User’s full name as a separate field that is not calculated from firstName and lastName.

The User’s unique Id.

The URL that points to an image file that is the User’s profile image.

The instant when the user was created.

The instant when the User logged in last.

The User’s last name.

The instant when the User was last updated.

The User’s middle name.

The User’s mobile phone number. This is useful if you will be sending push notifications or SMS messages to the User.

The email address of the user’s parent or guardian. If this value was provided during a create or update operation, this value will only remain until the child is claimed by a parent.

Indicates that the User’s password needs to be changed during their next login attempt.

The instant that the User last changed their password.

An array of locale strings that give, in order, the User’s preferred languages. These are important for email templates and other localizable text. See Locales.

The list of registrations for the User. This will include registrations for inactive applications.

The Id of the Application that this registration is for.

The Authentication Token for this registration (if one exists).

This Id is used by FusionAuth when the User’s username for this registration is sent to CleanSpeak to be moderated (filtered and potentially sent to the approval queue). It is the content Id of the username inside CleanSpeak.

An object that can hold any information about the User for this registration that should be persisted.

The Id of this registration.

The instant that this registration was created.

The instant that the User last logged into the Application for this registration.

An array of locale strings that give, in order, the User’s preferred languages for this registration. These are important for email templates and other localizable text.

The list of roles that the User has for this registration.

The User’s preferred timezone for this registration. The string will be in an IANA time zone format.

A map that contains tokens returned from identity providers.

For example, if this user has authenticated using the Facebook Identity Provider, the Facebook access token will be available in this map, keyed by name Facebook. For an OpenID Connect Identity provider, or other generic providers, if a token is stored it will be keyed by the Identity Provider unique Id.

The token returned and stored from the Identity Provider is now stored in the IdP link and is retrievable using the Identity Provider Link API.

The username of the User for this registration only. This is for display purposes and cannot be used to login.

The current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:

• ACTIVE - the username is active
• PENDING - the username is pending approval/moderation
• REJECTED - the username was rejected during moderation

If a username has been rejected, it is still possible to allow the User to update it and have the new one moderated again.

This value indicates if this User’s registration has been verified.

For additional information, see these tutorials:

• Email Verification
• Registration Verification

The instant that this registration was verified.

The Id of the Tenant that this User belongs to.

The User’s preferred timezone. This can be used as a default to display instants, and it is recommended that you allow Users to change this per-session. The string will be in an IANA time zone format.

The algorithm used by the TOTP authenticator. With the current implementation, this will always be HmacSHA1.

The length of code generated by the TOTP. With the current implementation, this will always be 6.

The time-step size in seconds. With the current implementation, this will always be 30.

The value of the email address for this method. Only present if user.twoFactor.methods[x].method is email.

The unique Id of the method.

true if this method was used most recently.

The type of this method. There will also be an object with the same value containing additional information about this method. The possible values are:

• authenticator
• email
• sms

The value of the mobile phone for this method. Only present if user.twoFactor.methods[x].method is sms.

A base64 encoded secret

The User’s preferred delivery for verification codes during a two factor login request.

The possible values are:

• None
• TextMessage

Determines if the User has two factor authentication enabled for their account or not.

The username of the User.

The current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:

• ACTIVE - the username is active
• PENDING - the username is pending approval/moderation
• REJECTED - the username was rejected during moderation

If a username has been rejected, it is still possible to allow the User to update it and have the new one moderated again.

Whether or not the User’s email has been verified.

For additional information, see these tutorials:

• Email Verification
• Registration Verification

The instant that this email address was verified.

Note that this value is immutable and will only represent the first time the email was verified. If you enable re-verification on email change, this value will not change and will only represent the initial verification.

The Id of the User to update.

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

An optional Application Id. When this value is provided, it will be used to resolve an application specific email template if you have configured transactional emails such as setup password, email verification and others.

If not provided, only the tenant configuration will be used when resolving email templates.

A tenant has the option to configure one or more email domains to be blocked in order to restrict email domains during user create or update.

Setting this property equal to true will override the tenant configuration. See tenant.registrationConfiguration.blockedDomains in the Tenant API.

Indicates to FusionAuth that it should skip email verification even if it is enabled. This is useful for creating admin or internal User accounts.

Setting this to true will set the user.verified field to true as well.

An ISO-8601 formatted date of the User’s birthdate such as YYYY-MM-DD.

An object that can hold any information about a User that should be persisted. Please review the limits on data field types as you plan for and build your custom data schema.

This field will be used as the email address if no user.email field is found. This field may be modified by advanced registration forms or the API. Setting this value to another account’s email address allows that account to, in some cases, access information about this user.

If user richard has a user.data.email with a value of dinesh@fusionauth.io, whoever controls dinesh@fusionauth.io has elevated access to the richard account. That user can now reset the password on the richard account, for example. This functionality may be useful in certain scenarios, such as when accounts must share an email address. Think through the security ramifications before using this feature.

This feature was removed in version 1.26.0 and added back in in 1.27.2.

The User’s email address. An email address is a unique in FusionAuth and stored in lower case.

If email is not provided, then the username will be required.

The method for encrypting the User’s password. The following encryptors are provided with FusionAuth:

• salted-md5
• salted-sha256
• salted-hmac-sha256
• salted-pbkdf2-hmac-sha256
• salted-pbkdf2-hmac-sha256-512 Available since 1.34.0
• bcrypt
• phpass-md5 Available since 1.45.0
• phpass-sha512Available since 1.45.0

This field is ignored unless the password field is also provided. If omitted and the password is specified, the default encryption scheme will be used.

You can also create your own password encryptor. See the Custom Password Hashing section for more information.

The expiration instant of the User’s account. An expired user is not permitted to login.

The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.

This field is ignored unless the password field is also provided. If omitted and the password is specified, the default factor for the encryption scheme will be used.

The first name of the User.

The User’s full name as a separate field that is not calculated from firstName and lastName.

The URL that points to an image file that is the User’s profile image.

The User’s last name.

The User’s middle name.

The User’s mobile phone number. This is useful is you will be sending push notifications or SMS messages to the User.

The email address of the user’s parent or guardian. This field is used to allow a child user to identify their parent so FusionAuth can make a request to the parent to confirm the parent relationship.

Family configuration must be enabled in the tenant Family configuration and the corresponding family email templates must be configured for FusionAuth to notify the parent during user creation.

The User’s plain text password. This password will be hashed and the provided value will never be stored and cannot be retrieved.

If this parameter is provided it indicates you wish to change the User's password. If you do not want to change the User's password omit this field from the request.

Indicates that the User’s password needs to be changed during their next login attempt.

An array of locale strings that give, in order, the User’s preferred languages. These are important for email templates and other localizable text. See Locales.

The maximum number of allowed preferred languages is 20.

The User’s preferred timezone. The string must be in an IANA time zone format. For example:

America/Denver or US/Mountain

The algorithm used by the TOTP authenticator. With the current implementation, this will always be HmacSHA1.

The length of code generated by the TOTP. With the current implementation, this will always be 6.

The time-step size in seconds. With the current implementation, this will always be 30.

The value of the email address for this method. Only present if user.twoFactor.methods[x].method is email.

The type of this method. There will also be an object with the same value containing additional information about this method. The possible values are:

• authenticator
• email
• sms

The value of the mobile phone for this method. Only present if user.twoFactor.methods[x].method is sms.

A base64 encoded secret

This field is required when method is authenticator.

The User’s preferred delivery for verification codes during a two factor login request.

The possible values are:

• None
• TextMessage

When using TextMessage the User will also need a valid mobilePhone.

If Two Factor authentication is already enabled for this user, the delivery may not be modified. In order to change the delivery type you must first disable Two Factor authentication and re-enable with a new delivery type.

Determines if the User has two factor authentication enabled for their account or not.

If Two Factor authentication is already enabled for this user disabling Two Factor authentication will reset the delivery type and secret.

See the Enable Two Factor and Disable Two Factor APIs as an alternative to performing this action using the User API.

The Base64 encoded secret used to generate Two Factor verification codes.

You may optionally use value provided in the secret field returned by the Two Factor Secret API instead of generating this value yourself.

Unless you are using TextMessage as your delivery type, ensure you are able to share the secret with the User before enabling Two Factor authentication. Beginning in version 1.17.0, if you do create a User with TextMessage set as the twoFactorDelivery type and you omit this value, the secret will be generated for you. The secret can be generated because it is not necessary to share the secret with the User for this delivery method.

When using None as the twoFactorDelivery this value will be required.

If Two Factor authentication is already enabled for this user, the secret may not be modified. In order to change the secret you must first disable Two Factor authentication and re-enable with a new secret.

The username of the User. The username is stored and returned as a case sensitive value, however a username is considered unique regardless of the case. bob is considered equal to BoB so either version of this username can be used whenever providing it as input to an API.

If username is not provided, then the email will be required.

The current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:

• ACTIVE - the username is active
• PENDING - the username is pending approval/moderation
• REJECTED - the username was rejected during moderation

This state is managed by CleanSpeak, it may be changed by setting it on this request.

A trust token that may be used to complete another API request that requires trust. For example, if you receive an error from an API indicating trust is required - indicated by this error code [TrustTokenRequired], this value can be used to satisfy the trust requirement.

True if the User is active. False if the User has been deactivated. Deactivated Users will not be able to login.

The User’s birthdate formatted as YYYY-MM-DD

The instant this user’s password was last checked to determine if it is compromised.

The unique Id of the Connector associated with the System of Record being used to authenticate the user.

This Id is used by FusionAuth when the User’s username is sent to CleanSpeak to be moderated (filtered and potentially sent to the approval queue). It is the content Id of the username inside CleanSpeak.

An object that can hold any information about the User that should be persisted.

This field will be used as the email address if no user.email field is found.

This feature was removed in version 1.26.0 and added back in in 1.27.2.

The User’s email address.

The expiration instant of the User’s account. An expired user is not permitted to login.

The first name of the User.

The User’s full name as a separate field that is not calculated from firstName and lastName.

The User’s unique Id.

The URL that points to an image file that is the User’s profile image.

The instant when the user was created.

The instant when the User logged in last.

The User’s last name.

The instant when the User was last updated.

The User’s middle name.

The User’s mobile phone number. This is useful if you will be sending push notifications or SMS messages to the User.

The email address of the user’s parent or guardian. If this value was provided during a create or update operation, this value will only remain until the child is claimed by a parent.

Indicates that the User’s password needs to be changed during their next login attempt.

The instant that the User last changed their password.

An array of locale strings that give, in order, the User’s preferred languages. These are important for email templates and other localizable text. See Locales.

The list of registrations for the User. This will include registrations for inactive applications.

The Id of the Application that this registration is for.

The Authentication Token for this registration (if one exists).

This Id is used by FusionAuth when the User’s username for this registration is sent to CleanSpeak to be moderated (filtered and potentially sent to the approval queue). It is the content Id of the username inside CleanSpeak.

An object that can hold any information about the User for this registration that should be persisted.

The Id of this registration.

The instant that this registration was created.

The instant that the User last logged into the Application for this registration.

An array of locale strings that give, in order, the User’s preferred languages for this registration. These are important for email templates and other localizable text.

The list of roles that the User has for this registration.

The User’s preferred timezone for this registration. The string will be in an IANA time zone format.

A map that contains tokens returned from identity providers.

For example, if this user has authenticated using the Facebook Identity Provider, the Facebook access token will be available in this map, keyed by name Facebook. For an OpenID Connect Identity provider, or other generic providers, if a token is stored it will be keyed by the Identity Provider unique Id.

The token returned and stored from the Identity Provider is now stored in the IdP link and is retrievable using the Identity Provider Link API.

The username of the User for this registration only. This is for display purposes and cannot be used to login.

The current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:

• ACTIVE - the username is active
• PENDING - the username is pending approval/moderation
• REJECTED - the username was rejected during moderation

If a username has been rejected, it is still possible to allow the User to update it and have the new one moderated again.

This value indicates if this User’s registration has been verified.

For additional information, see these tutorials:

• Email Verification
• Registration Verification

The instant that this registration was verified.

The Id of the Tenant that this User belongs to.

The User’s preferred timezone. This can be used as a default to display instants, and it is recommended that you allow Users to change this per-session. The string will be in an IANA time zone format.

The algorithm used by the TOTP authenticator. With the current implementation, this will always be HmacSHA1.

The length of code generated by the TOTP. With the current implementation, this will always be 6.

The time-step size in seconds. With the current implementation, this will always be 30.

The value of the email address for this method. Only present if user.twoFactor.methods[x].method is email.

The unique Id of the method.

true if this method was used most recently.

The type of this method. There will also be an object with the same value containing additional information about this method. The possible values are:

• authenticator
• email
• sms

The value of the mobile phone for this method. Only present if user.twoFactor.methods[x].method is sms.

A base64 encoded secret

The User’s preferred delivery for verification codes during a two factor login request.

The possible values are:

• None
• TextMessage

Determines if the User has two factor authentication enabled for their account or not.

The username of the User.

The current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:

• ACTIVE - the username is active
• PENDING - the username is pending approval/moderation
• REJECTED - the username was rejected during moderation

If a username has been rejected, it is still possible to allow the User to update it and have the new one moderated again.

Whether or not the User’s email has been verified.

For additional information, see these tutorials:

• Email Verification
• Registration Verification

The instant that this email address was verified.

Note that this value is immutable and will only represent the first time the email was verified. If you enable re-verification on email change, this value will not change and will only represent the initial verification.

The Id of the User to delete.

To Permanently delete a user from FusionAuth set this value to true. Once a user has been permanently deleted, the action cannot be undone. When this value is set to false the user is marked as inactive and the user will be unable log into FusionAuth. This action may be undone by reactivating the user.

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

To preview the user Ids to be deleted by the request without applying the requested action set this value to true.

To Permanently delete a user from FusionAuth set this value to true. Once a user has been permanently deleted, the action cannot be undone. When this value is set to false the user is marked as inactive and the user will be unable log into FusionAuth. This action may be undone by reactivating the user.

The maximum number of users to delete in one call.

You may use this parameter to process deletes in batches in order to limit individual request processing time and the number of user Ids on the response.

The raw JSON Elasticsearch query that is used to search for Users. The userId, query, and queryString parameters are mutually exclusive, they are listed here in order of precedence.

It is necessary to use the query parameter when querying against registrations in order to achieve expected results, as this field is defined as a nested datatype in the Elasticsearch mapping.

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

To preview the user Ids to be deleted by the request without applying the requested action set this value to true.

To Permanently delete a user from FusionAuth set this value to true. Once a user has been permanently deleted, the action cannot be undone. When this value is set to false the user is marked as inactive and the user will be unable log into FusionAuth. This action may be undone by reactivating the user.

The maximum number of users to delete in one call.

You may use this parameter to process deletes in batches in order to limit individual request processing time and the number of user Ids on the response.

The raw JSON Elasticsearch query that is used to search for Users. The userIds, query, and queryString parameters are mutually exclusive, they are listed here in order of precedence.

It is necessary to use the query parameter when querying against registrations in order to achieve expected results, as this field is defined as a nested datatype in the Elasticsearch mapping.

The Elasticsearch query string that is used to search for Users to be deleted. The userIds, query, and queryString parameters are mutually exclusive, they are listed here in order of precedence.

Whether the request was a dry run or the requested action was applied.

Whether the requested action was deactivation or permanent deletion.

The count of affected Users.

The list of affected User Ids. This field is omitted from the response when no users were affected by the request.

The Id of the User to reactivate.

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

A trust token that may be used to complete another API request that requires trust. For example, if you receive an error from an API indicating trust is required - indicated by this error code [TrustTokenRequired], this value can be used to satisfy the trust requirement.

True if the User is active. False if the User has been deactivated. Deactivated Users will not be able to login.

The User’s birthdate formatted as YYYY-MM-DD

The instant this user’s password was last checked to determine if it is compromised.

The unique Id of the Connector associated with the System of Record being used to authenticate the user.

This Id is used by FusionAuth when the User’s username is sent to CleanSpeak to be moderated (filtered and potentially sent to the approval queue). It is the content Id of the username inside CleanSpeak.

An object that can hold any information about the User that should be persisted.

This field will be used as the email address if no user.email field is found.

This feature was removed in version 1.26.0 and added back in in 1.27.2.

The User’s email address.

The expiration instant of the User’s account. An expired user is not permitted to login.

The first name of the User.

The User’s full name as a separate field that is not calculated from firstName and lastName.

The User’s unique Id.

The URL that points to an image file that is the User’s profile image.

The instant when the user was created.

The instant when the User logged in last.

The User’s last name.

The instant when the User was last updated.

The User’s middle name.

The User’s mobile phone number. This is useful if you will be sending push notifications or SMS messages to the User.

The email address of the user’s parent or guardian. If this value was provided during a create or update operation, this value will only remain until the child is claimed by a parent.

Indicates that the User’s password needs to be changed during their next login attempt.

The instant that the User last changed their password.

An array of locale strings that give, in order, the User’s preferred languages. These are important for email templates and other localizable text. See Locales.

The list of registrations for the User. This will include registrations for inactive applications.

The Id of the Application that this registration is for.

The Authentication Token for this registration (if one exists).

This Id is used by FusionAuth when the User’s username for this registration is sent to CleanSpeak to be moderated (filtered and potentially sent to the approval queue). It is the content Id of the username inside CleanSpeak.

An object that can hold any information about the User for this registration that should be persisted.

The Id of this registration.

The instant that this registration was created.

The instant that the User last logged into the Application for this registration.

An array of locale strings that give, in order, the User’s preferred languages for this registration. These are important for email templates and other localizable text.

The list of roles that the User has for this registration.

The User’s preferred timezone for this registration. The string will be in an IANA time zone format.

A map that contains tokens returned from identity providers.

For example, if this user has authenticated using the Facebook Identity Provider, the Facebook access token will be available in this map, keyed by name Facebook. For an OpenID Connect Identity provider, or other generic providers, if a token is stored it will be keyed by the Identity Provider unique Id.

The token returned and stored from the Identity Provider is now stored in the IdP link and is retrievable using the Identity Provider Link API.

The username of the User for this registration only. This is for display purposes and cannot be used to login.

The current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:

• ACTIVE - the username is active
• PENDING - the username is pending approval/moderation
• REJECTED - the username was rejected during moderation

If a username has been rejected, it is still possible to allow the User to update it and have the new one moderated again.

This value indicates if this User’s registration has been verified.

For additional information, see these tutorials:

• Email Verification
• Registration Verification

The instant that this registration was verified.

The Id of the Tenant that this User belongs to.

The User’s preferred timezone. This can be used as a default to display instants, and it is recommended that you allow Users to change this per-session. The string will be in an IANA time zone format.

The algorithm used by the TOTP authenticator. With the current implementation, this will always be HmacSHA1.

The length of code generated by the TOTP. With the current implementation, this will always be 6.

The time-step size in seconds. With the current implementation, this will always be 30.

The value of the email address for this method. Only present if user.twoFactor.methods[x].method is email.

The unique Id of the method.

true if this method was used most recently.

The type of this method. There will also be an object with the same value containing additional information about this method. The possible values are:

• authenticator
• email
• sms

The value of the mobile phone for this method. Only present if user.twoFactor.methods[x].method is sms.

A base64 encoded secret

The User’s preferred delivery for verification codes during a two factor login request.

The possible values are:

• None
• TextMessage

Determines if the User has two factor authentication enabled for their account or not.

The username of the User.

The current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:

• ACTIVE - the username is active
• PENDING - the username is pending approval/moderation
• REJECTED - the username was rejected during moderation

If a username has been rejected, it is still possible to allow the User to update it and have the new one moderated again.

Whether or not the User’s email has been verified.

For additional information, see these tutorials:

• Email Verification
• Registration Verification

The instant that this email address was verified.

Note that this value is immutable and will only represent the first time the email was verified. If you enable re-verification on email change, this value will not change and will only represent the initial verification.

The unique Id of the tenant used to scope this API request.

When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

The encryption scheme used to encrypt plaintext passwords encountered in the request. If this value is omitted the system configured value will be used.

The following encryptors are provided with FusionAuth:

• salted-md5
• salted-sha256
• salted-hmac-sha256
• salted-pbkdf2-hmac-sha256
• salted-pbkdf2-hmac-sha256-512available since 1.34.0
• salted-pbkdf2-hmac-sha512-512available since 1.43.0
• bcrypt`
• phpass-md5available since 1.45.0
• phpass-sha512available since 1.45.0

The factor used to encrypt plaintext passwords encountered in the request. If this value is omitted the system configured value will be used.

The list of Users to import.

True if the User is active. False if the User has been deactivated. Deactivated Users will not be able to login. Generally this should be set to true during the bulk import.

YYYY-MM-DD formatted date of the User’s birth.

An object that can hold any information about a User that should be persisted.

The unique Id of the tenant used to scope this API request.

When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

The list of refresh tokens to import.

The unique Application Id that corresponds to the User Registration for this refresh token.

A human readable description of the device represented by the device parameter.

The IP address of this login request.

The instant of this login request.

A human readable name of the device represented by the device parameter.

The type of device represented by the device parameter.

Prior to version 1.46.0, this value was restricted to the following types:

• BROWSER
• DESKTOP
• LAPTOP
• MOBILE
• OTHER
• SERVER
• TABLET
• TV
• UNKNOWN

In version 1.46.0 and beyond, this value can be any string value you’d like, have fun with it!

The instant of the start of this token. This value will be used to calculate the token expiration.

The string representation of the refresh token.

Prior to version 1.33.0, this value was limited to a maximum length of 191 characters. If you need to import a token that is longer than 191 characters, ensure you have upgraded to version 1.33.0 or later.

The unique user Id of the refresh token owner.

Set this value to true in order to perform additional validation of the request. This validation includes, among other things, confirming that a user exists and is registered for the application which this refreshToken was created for.

If this is false, any errors such as duplicated refresh token values will return a 500 error without any additional messages. If this is true, additional validation will be performed on the input request and a 400 response will be returned with a JSON body indicating duplicate values or other error conditions encountered.

Setting this value to true will dramatically decrease the performance of this request. If importing large numbers of tokens in a single request you may need to increase request timeouts to ensure this request does not timeout before it has completed.

Set this value equal to true to receive an accurate hit count on the API response.

By default the search engine will limit the hit count to 10,000 users. This means that even if your query may match more than 10,000 users, the returned total count will be 10,000. This is adequate for many use cases such as pagination and general purpose queries. If you are looking for an accurate user count that can exceed 10,000 matches, you will want to set this value equal to true.

This parameter allows you to optionally remove the memberships and registrations from the API response. Removing these fields from the response may improve performance on large search requests, specifically when you are managing application roles through User Registrations and Group Memberships.

For backwards compatibility, the default behavior will be to return both memberships and registrations.

To request only the registrations but omit the memberships from the response, provide a value of [registrations]. To omit both the memberships and registrations from the response, provide a value of [].

A User Id to retrieve. By specifying this URL parameter multiple times you can lookup multiple Users.

Using this parameter is mutually exclusive with the queryString field and is not paginated or sorted using the sortFields field.

The number of search results to return. Used for pagination.

A query string that is used to search for Users. Using this parameter is mutually exclusive with the ids field.

Database search limits effective queries to single search terms that may match the following fields on the User:

• firstName
• lastName
• fullName
• email
• username

The search matches against all of these fields and any user with a matching field will be returned. The match is case-insensitive, and you may not search by prefix or suffix. Whitespace is not allowed in the search. Regular expressions may not be used. A value of `*` will match all records.

The start row within the search results to return. Used for pagination.

An array of sort fields used to sort the result. The order the sort fields are provided will be maintained in the sorted output.

The name of the field to sort.

Required if sortFields is provided.

The following field names are supported for the database search engine:

• birthDate
• email
• fullName
• id
• insertInstant
• lastLoginInstant
• login
• tenantId
• username

The order to sort the specified field. Possible values are:

• asc
• desc

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

Set this value equal to true to receive an accurate hit count on the API response.

By default the search engine will limit the hit count to 10,000 users. This means that even if your query may match more than 10,000 users, the returned total count will be 10,000. This is adequate for many use cases such as pagination and general purpose queries. If you are looking for an accurate user count that can exceed 10,000 matches, you will want to set this value equal to true.

This parameter allows you to optionally remove the memberships and registrations from the API response. Removing these fields from the response may improve performance on large search requests, specifically when you are managing application roles through User Registrations and Group Memberships.

For backwards compatibility, the default behavior will be to return both memberships and registrations.

To request only the registrations but omit the memberships from the response, provide a value of [registrations]. To omit both the memberships and registrations from the response, provide a value of [].

A list of User Ids to retrieve. When using this parameter, the results are not paginated or sorted using the sortFields.

The search.ids and queryString parameters are mutually exclusive, they are listed here in order of precedence.

The number of search results to return. Used for pagination.

A query string that is used to search for Users. Using this parameter is mutually exclusive with the ids field.

Database search limits effective queries to single search terms that may match the following fields on the User:

• firstName
• lastName
• fullName
• email
• username

The search matches against all of these fields and any user with a matching field will be returned. The match is case-insensitive, and you may not search by prefix or suffix. Whitespace is not allowed in the search. Regular expressions may not be used. A value of `*` will match all records.

The start row within the search results to return. Used for pagination.

An array of sort fields used to sort the result. The order the sort fields are provided will be maintained in the sorted output.

The name of the field to sort.

Required if sortFields is provided.

The following field names are supported for the database search engine:

• birthDate
• email
• fullName
• id
• insertInstant
• lastLoginInstant
• login
• tenantId
• username

The order to sort the specified field. Possible values are:

• asc
• desc