Retrieve a User
This API is used to retrieve the information about a single User. You can use the User's Id, username or email address to retrieve the User. The Id is specified on the URI and the username or email are specified as URL parameters.
Request#
By user ID#
OpenAPI Spec
Request Parameters#
userIdUUIDrequiredThe unique Id of the User to retrieve.
Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
By login ID#
OpenAPI Spec
Request Parameters#
loginIdStringrequiredThe unique Id of the User to retrieve. The loginId can be either the email or username.
Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
By login ID and type#
OpenAPI Spec
Request Parameters#
loginIdStringrequiredThe login identifier of the user. The login identifier can be one of the following (see loginIdTypes for information on which of these identifiers will be used):
- Email address
- Phone number (if
phoneNumberis included in loginIdTypes) - Username
For email and username, the value will be used exactly as provided to resolve a user. If the provided value contains leading or trailing white space, these characters will not be removed, and then would only match if the values stored in FusionAuth also contain these same leading or trailing spaces.
For phoneNumber, loginId can be any valid phone number (in E.164, national, or international format) and FusionAuth will canonicalize the value. The User will be resolved if the user's E.164 formatted phone number matches the canonical E.164 phone number from loginId. If no country code is provided, a US/NANP country code of 1 is assumed.
loginIdTypesArray<String>optionalDefaults to [email, username]Available since 1.59.0The identity types that FusionAuth will compare the loginId to. Can be one or more of the following:
emailphoneNumberusername
["email", "username"] is supplied with a loginId value of terry@example.com, then a user with terry@example.com as their email address will match first before any user with terry@example.com as their username.Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request because the input parameters by themselves do not indicate which tenant the request is intended.
The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
By email#
OpenAPI Spec
Request Parameters#
emailStringrequiredThe email of the User to retrieve.
Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request because the input parameters by themselves do not indicate which tenant the request is intended.
The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
By username#
OpenAPI Spec
Request Parameters#
usernameStringrequiredThe username of the User to retrieve.
Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request because the input parameters by themselves do not indicate which tenant the request is intended.
The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
By change password ID#
OpenAPI Spec
Request Parameters#
changePasswordIdStringrequiredThe change password Id associated with the user when the Forgot Password workflow has been started.
Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
By verification ID#
OpenAPI Spec
Request Parameters#
verificationIdStringrequiredThe verification Id associated with the user when the Email or Phone number verification process has been started.
Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Response#
The response for this API contains the User.
Response Codes| Code | Description |
|---|---|
| 200 | The request was successful. The response will contain a JSON body. |
| 400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
| 401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
| 404 | The object you requested doesn't exist. The response will be empty. |
| 500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
| 503 | The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
Response Body#
emailVerificationIdStringAvailable since 1.27.0An email verification Id. When present, this will represent the user's current email verification Id.
When using FormField verification strategy, this is the first part of the pair of verification Ids, and the emailVerificationOneTimeCode is the second part. When ClickableLink is the verification strategy, this value is sensitive in that this value by itself can be used to verify the user's email address.
When ClickableLink is the verification strategy, this is the value that will have been emailed to the user in order to complete verification. If you have not configured SMTP, you may optionally use this value to use an out of band transport such as your own email service.
Prior to version 1.49.0, this value was only returned when using FormField verification strategy. Beginning in 1.49.0 the value is always returned when available.
emailVerificationOneTimeCodeStringAvailable since 1.49.0An email one time code that will be paired with the emailVerificationId.
When FormField is the verification strategy, this is the value that will have been emailed to the user in order to complete verification. If you have not configured SMTP, you may optionally use this value to use an out of band transport such as your own email service.
This value will only be present when using the FormField verification strategy. When present, this is the value the user will need to enter to complete email verification.
verificationIdsArrayAvailable since 1.59.0The list of all identity verifications that exist for a user. This includes the email and phone identities that a user may have. The values from emailVerificationId and emailVerificationOneTimeCode are legacy fields and will also be present in this list.
verificationIds[x].idStringAvailable since 1.59.0An identity verification Id.
When using FormField verification strategy, FusionAuth provides two values, a verification Id (this value) and the verificationIds[x].oneTimeCode value.
When ClickableLink is the verification strategy, this is the value FusionAuth sends to the user in order to complete identity verification. If you have not configured SMTP or an SMS messenger, you may optionally use this value to use an out-of-band transport such as your own email service to deliver this value.
Note that when ClickableLink is the verification strategy, this value is sensitive in that it can be used to verify the user's email address or phone number.
verificationIds[x].oneTimeCodeStringAvailable since 1.59.0A one time code that will be paired with the verificationIds[x].id.
When FormField is the verification strategy, this is the value FusionAuth sends to the user in order to complete verification. If you have not configured SMTP or an SMS messenger, you may optionally send this value using an out-of-band transport such as your own email service.
This value will only be present when using the FormField verification strategy. When present, this is the value the user will need to enter to complete email or phone verification.
verificationIds[x].typeStringAvailable since 1.59.0The identity type that the verification Id is for. This identity type, along with verificationIds[x].value, matches exactly one identity via user.identities[x].type.
verificationIds[x].valueStringAvailable since 1.59.0The identity value that the verification Id is for. This identity value, along with verificationIds[x].type, matches exactly one identity via user.identities[x].value.
registrationVerificationIdsMap<UUID, List<String>>Available since 1.27.0A map of registration verification Id keyed by the application. When present, this will represent the user's current registration verification Ids.
When using FormField verification strategy, this is the first part of the pair of verification Ids, and the one time code in the registrationVerificationOneTimeCodes map is the second part. When ClickableLink is the verification strategy, this value is sensitive in that this value by itself can be used to verify the user's registration.
When ClickableLink is the verification strategy, you may optionally use this value to use an out of band transport such as your own email service.
Prior to version 1.49.0, this value was only returned when using FormField verification strategy. Beginning in 1.49.0 the value is always returned when available.
registrationVerificationOneTimeCodesMap<UUID, List<String>>Available since 1.49.2A registration one time code that will be paired with the verification Id in the registrationVerificationIds map.
When FormField is the verification strategy, you may optionally use this value to use an out of band transport such as your own email service.
This value will only be present when using the FormField verification strategy. When present, this is the value the user will need to enter to complete registration verification.
user.activeBooleanTrue if the User is active. False if the User has been deactivated. Deactivated Users will not be able to log in.
user.birthDateStringThe User's birthdate formatted as YYYY-MM-DD
user.breachedPasswordLastCheckedInstantLongThe instant this user's password was last checked to determine if it is compromised.
user.connectorIdUUIDAvailable since 1.18.0The unique Id of the Connector associated with the System of Record being used to authenticate the user.
user.cleanSpeakIdUUIDThis Id is used by FusionAuth when the User's username is sent to CleanSpeak to be moderated (filtered and potentially sent to the approval queue). It is the content Id of the username inside CleanSpeak.
user.dataObjectAn object that can hold any information about the User that should be persisted.
user.data.emailStringThis field will be used as the email address if no user.email field is found.
This feature was removed in version 1.26.0 and added back in 1.27.2.
user.emailStringThe User's email address.
user.encryptionSchemeStringAvailable since 1.20.1The encryption scheme used to hash the password for this user. This value is only returned when the user is retrieved using an API key.
user.expiryLongThe expiration instant of the User's account. An expired user is not permitted to log in.
user.firstNameStringThe first name of the User.
user.fullNameStringThe User's full name as a separate field that is not calculated from firstName and lastName.
user.idUUIDThe User's unique Id.
user.identitiesArrayAvailable since 1.59.0The list of identities that exist for a User.
user.identities[x].displayValueStringAvailable since 1.59.0The display value for the identity. Only used for username type identities. If the unique username feature is not enabled, this value
will be the same as user.identities[x].value. Otherwise, it will be the username the User has chosen. For
primary username identities, this will be the same value as user.username.
user.identities[x].insertInstantLongAvailable since 1.59.0The instant when the identity was created.
user.identities[x].lastLoginInstantLongAvailable since 1.59.0The instant when the identity was last used to log in. If a User has multiple identity types (username, email, and phoneNumber), then this value will represent the specific identity they last used to log in. This contrasts with user.lastLoginInstant, which represents the last time any of the User's identities was used to log in.
Identity provider logins will not be reflected here (see user.lastLoginInstant for a field that includes identity provider logins).
user.identities[x].lastUpdateInstantLongAvailable since 1.59.0The instant when the identity was last updated.
user.identities[x].moderationStatusStringAvailable since 1.59.0The current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:
ACTIVE- the username is activePENDING- the username is pending approval/moderationREJECTED- the username was rejected during moderation
If a username has been rejected, it is still possible to allow the User to update it and have the new one moderated again.
Only used for username type identities. For primary username identities, this will be the same value as user.usernameStatus.
user.identities[x].typeStringAvailable since 1.59.0The identity type. The possible values are:
email- identities defined by an email addressphoneNumber- identities defined by a phone numberusername- identities defined by a username
user.identities[x].valueStringAvailable since 1.59.0The value represented by the identity. The contents of this field depend on user.identities[x].typeand will be one of the following:
- Email address - The User's email address, always lower cased. For primary email identities, this will be the same value as user.email
- Phone number - The User's phone number, in E.164 canonical format. For primary phone number identities, this will be the same value as user.phoneNumber
- Username - User's username - this will be the same as user.identities[x].displayValue. For primary username identities, this will be the same value as user.username
This value is unique within a tenant for a particular user.identities[x].type.
If the unique usernames feature is enabled, value will be the unique username (within the tenant). For primary username identities, this will also be the same value as user.uniqueUsername.
user.identities[x].verifiedBooleanAvailable since 1.59.0Whether verification was actually performed on the identity by FusionAuth. This is used in combination with the user.identities[x].verifiedReason to decide whether an identity needs verification.
user.identities[x].verifiedInstantLongAvailable since 1.59.0The instant when verification was performed on the identity. This field is only populated when verification was actually performed on the identity by FusionAuth.
user.identities[x].verifiedReasonStringAvailable since 1.59.0The reason the User's identity was verified or not verified. The possible values are:
Skipped- Verification was skipped due to theskipVerificationparameter on the requestTrusted- Identity was created via an identity provider or a connectorUnverifiable- FusionAuth doesn't know how to verify this identity type. Usernames are an exampleImplicit- Verification was implicitly performed by sending a set password or passwordless messagePending- Tenant policy requires verification but no verification has been performed yetCompleted- Verification was performed by FusionAuthDisabled- Tenant policy did not require verificationImport- User was imported so verification was not performed by FusionAuth
If this field is Disabled, Import, Skipped, Trusted, or Unverifiable, then verification will not be required, regardless of the user.identities[x].verified value.
For Implicit, Pending, or Completed, the identity will require verification if user.identities[x].verified is false.
user.imageUrlStringThe URL that points to an image file that is the User's profile image.
user.insertInstantLongThe instant when the user was created.
user.lastLoginInstantLongThe instant when the User logged in last. See user.identities[x].lastLoginInstant for more granular information based on identity.
user.lastNameStringThe User's last name.
user.lastUpdateInstantLongThe instant when the User was last updated.
user.legacyIdentifierStringAvailable since 1.67Used to override the sub claim in tokens issued by the Legacy Identity Provider Adapter.
This value is immutable after the user is created and is unique within the tenant when non-null.
user.membershipsArrayThe list of memberships for the User.
user.memberships[x].dataObjectAn object that can hold any information about the User for this membership that should be persisted.
user.memberships[x].groupIdUUIDThe Id of the Group of this membership.
user.memberships[x].idUUIDThe unique Id of this membership.
user.memberships[x].insertInstantLongThe instant that the membership was created.
user.middleNameStringThe User's middle name.
user.mobilePhoneStringThe User's mobile phone number. This is useful if you will be sending push notifications or SMS messages to the User.
This differs from user.phoneNumber and cannot be used to log in.
user.parentEmailStringAvailable since 1.7.0The email address of the user's parent or guardian. If this value was provided during a create or update operation, this value will only remain until the child is claimed by a parent.
user.passwordChangeRequiredBooleanIndicates that the User's password needs to be changed during their next login attempt.
user.passwordLastUpdateInstantLongThe instant that the User last changed their password.
Since version 1.59.0, if a user does not currently have a password, this field will not be returned in the response.
user.phoneNumberStringAvailable since 1.59.0The User's primary phone number. The phone number is stored and returned in E.164 canonical format, however a phone number is considered unique regardless of the format. 303-555-1212 is considered equal to +13035551212 so either version of this phone number can be used whenever providing it as input to an API.
This differs from user.mobilePhone in that user.phoneNumber can be used to log in, just like an email address or a username.
user.preferredLanguagesArray<String>An array of locale strings that give, in order, the User's preferred languages. These are important for email templates and other localizable text. See Locales.
user.registrationsArrayThe list of registrations for the User. This will include registrations for inactive applications.
user.registrations[x].applicationIdUUIDThe Id of the Application that this registration is for.
user.registrations[x].authenticationTokenStringThe Authentication Token for this registration (if one exists).
user.registrations[x].cleanSpeakIdUUIDThis Id is used by FusionAuth when the User's username for this registration is sent to CleanSpeak to be moderated (filtered and potentially sent to the approval queue). It is the content Id of the username inside CleanSpeak.
user.registrations[x].dataObjectAn object that can hold any information about the User for this registration that should be persisted.
user.registrations[x].idUUIDThe Id of this registration.
user.registrations[x].insertInstantLongThe instant that this registration was created.
user.registrations[x].lastLoginInstantLongThe instant that the User last logged into the Application for this registration.
user.registrations[x].preferredLanguagesArray<String>An array of locale strings that give, in order, the User's preferred languages for this registration. These are important for email templates and other localizable text.
user.registrations[x].rolesArray<String>The list of roles that the User has for this registration. The string is the role's Name not the role's Id, e.g. admin or user-role.
user.registrations[x].timezoneStringThe User's preferred timezone for this registration. The string will be in an IANA time zone format.
user.registrations[x].tokensMap<String,StringDEPRECATEDA map that contains tokens returned from identity providers.
For example, if this user has authenticated using the Facebook Identity Provider, the Facebook access token will be available in this map, keyed by name Facebook. For an OpenID Connect Identity provider, or other generic providers, if a token is stored it will be keyed by the Identity Provider unique Id.
The token returned and stored from the Identity Provider is now stored in the IdP link and is retrievable using the Identity Provider Link API.
user.registrations[x].usernameStringThe username of the User for this registration only. This is for display purposes and cannot be used to log in.
user.registrations[x].usernameStatusStringThe current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:
ACTIVE- the username is activePENDING- the username is pending approval/moderationREJECTED- the username was rejected during moderation
If a username has been rejected, it is still possible to allow the User to update it and have the new one moderated again.
user.registrations[x].verifiedBooleanThis value indicates if this User's registration has been verified.
For additional information, see these tutorials:
user.registrations[x].verifiedInstantLongAvailable since 1.48.0The instant that this registration was verified.
user.tenantIdUUIDThe Id of the Tenant that this User belongs to.
user.timezoneStringThe User's preferred timezone. This can be used as a default to display instants, and it is recommended that you allow Users to change this per-session. The string will be in an IANA time zone format.
user.twoFactor.methods[x].authenticator.algorithmStringThe algorithm used by the TOTP authenticator. With the current implementation, this will always be HmacSHA1.
user.twoFactor.methods[x].authenticator.codeLengthIntegerThe length of code generated by the TOTP. With the current implementation, this will always be 6.
user.twoFactor.methods[x].authenticator.timeStepIntegerThe time-step size in seconds. With the current implementation, this will always be 30.
user.twoFactor.methods[x].emailStringThe value of the email address for this method. Only present if user.twoFactor.methods[x].method is email.
user.twoFactor.methods[x].idStringThe unique Id of the method.
user.twoFactor.methods[x].lastUsedBooleantrue if this method was used most recently.
user.twoFactor.methods[x].methodStringThe type of this method. There will also be an object with the same value containing additional information about this method. The possible values are:
authenticatoremailsms
user.twoFactor.methods[x].mobilePhoneStringThe value of the mobile phone for this method. Only present if user.twoFactor.methods[x].method is sms.
user.twoFactorDeliveryStringDEPRECATEDThe User's preferred delivery for verification codes during a two-factor login request.
The possible values are:
NoneTextMessage
user.twoFactorEnabledBooleanDEPRECATEDDetermines if the User has two-factor authentication enabled for their account or not.
Removed in 1.26.0user.usernameStringThe username of the User.
user.usernameStatusStringThe current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:
ACTIVE- the username is activePENDING- the username is pending approval/moderationREJECTED- the username was rejected during moderation
If a username has been rejected, it is still possible to allow the User to update it and have the new one moderated again.
user.verifiedBooleanDEPRECATEDWhether or not the User's primary email identity has been verified. This does NOT indicate whether phone number identity types are verified.
For additional information, see these tutorials:
Deprecated since 1.59.0See user.identities[x].verified and user.identities[x].verifiedReason.
user.verifiedInstantLongAvailable since 1.48.0The first instant that the User's primary email address or phone number was verified. This value is immutable and cannot change for a user once set.
Example Response JSON
{
"user": {
"active": true,
"breachedPasswordLastCheckedInstant": 1471786483322,
"breachedPasswordStatus": "None",
"birthDate": "1976-05-30",
"connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
"data": {
"displayName": "Johnny Boy",
"favoriteColors": [
"Red",
"Blue"
]
},
"email": "example@fusionauth.io",
"expiry": 1571786483322,
"firstName": "John",
"fullName": "John Doe",
"id": "00000000-0000-0001-0000-000000000000",
"identities": [
{
"insertInstant": 1742936980069,
"lastLoginInstant": 1742936980069,
"lastUpdateInstant": 1742936980069,
"primary": true,
"type": "email",
"value": "example@fusionauth.io",
"verified": false,
"verifiedReason": "Disabled"
},
{
"insertInstant": 1742936980069,
"lastLoginInstant": 1742936980069,
"lastUpdateInstant": 1742936980069,
"primary": true,
"type": "phoneNumber",
"value": "+13035551212",
"verified": false,
"verifiedReason": "Disabled"
},
{
"displayValue": "johnny123",
"insertInstant": 1742936980069,
"lastLoginInstant": 1742936980069,
"lastUpdateInstant": 1742936980069,
"moderationStatus": "ACTIVE",
"primary": true,
"type": "username",
"value": "johnny123",
"verified": false,
"verifiedReason": "Unverifiable"
}
],
"imageUrl": "http://65.media.tumblr.com/tumblr_l7dbl0MHbU1qz50x3o1_500.png",
"insertInstant": 1742936980069,
"lastLoginInstant": 1742936980069,
"lastName": "Doe",
"memberships": [
{
"data": {
"externalId": "cc6714c6-286c-411c-a6bc-ee413cda1dbc"
},
"groupId": "2cb5c83f-53ff-4d16-88bd-c5e3802111a5",
"id": "27218714-305e-4408-bac0-23e7e1ddceb6",
"insertInstant": 1742936980069
}
],
"middleName": "William",
"mobilePhone": "303-555-1234",
"passwordChangeRequired": false,
"passwordLastUpdateInstant": 1742936980069,
"phoneNumber": "+13035551212",
"preferredLanguages": [
"en",
"fr"
],
"registrations": [
{
"applicationId": "10000000-0000-0002-0000-000000000001",
"data": {
"displayName": "Johnny",
"favoriteSports": [
"Football",
"Basketball"
]
},
"id": "00000000-0000-0002-0000-000000000000",
"insertInstant": 1742936980069,
"lastLoginInstant": 1742936980069,
"preferredLanguages": [
"en",
"fr"
],
"roles": [
"user",
"community_helper"
],
"timezone": "America/Chicago",
"username": "johnny123",
"usernameStatus": "ACTIVE",
"verified": true,
"verifiedInstant": 1742936980069
}
],
"timezone": "America/Denver",
"tenantId": "f24aca2b-ce4a-4dad-951a-c9d690e71415",
"twoFactor": {
"methods": [
{
"authenticator": {
"algorithm": "HmacSHA1",
"codeLength": 6,
"timeStep": 30
},
"id": "35VW",
"method": "authenticator"
},
{
"id": "V7SH",
"method": "sms",
"mobilePhone": "555-555-5555"
},
{
"email": "example@fusionauth.io",
"id": "7K2G",
"method": "email"
}
]
},
"usernameStatus": "ACTIVE",
"username": "johnny123",
"verified": true,
"verifiedInstant": 1742936980069
}
}