Logo / Docs

Email Variables

Templates & Replacement Variables

The email template body (both HTML and text values), subject, and from name fields support replacement variables. This means placeholders can be inserted and the value will be calculated at the time the email template is rendered and sent to a user.

Most templates will contain the User object as returned on the Retrieve User API. This means you can utilize any value found on the User object such as email, first name, last name, etc.

Below you will find each stock template that FusionAuth ships for reference. The available replacement values will be outlined below for each template.

If you create a template with content and template variables for one type of email template (Forgot Password), but assign it to another type of email template (Passwordless Login, for example), the email will not be sent as expected.

Instead, the attempt will fail and there will be an error added to the Event Log.

Retrieving Default Templates

In order to version control the templates or customize them, you can use the admin UI. But you can also pull retrieve them all by using the following command:

wget -i https://raw.githubusercontent.com/FusionAuth/fusionauth-site/main/astro/src/content/docs/_shared/email/template_url_list

This will place all the email templates in the current working directory.

Using Replacement Variables

Below are some basic examples of using replacement values in your email templates.

Consider the following User represented by this condensed JSON object.

{
  "email": "monica@piedpiper.com",
  "firstName": "Monica",
  "id": "1c592f8a-59c6-4a09-82f8-f4257e3ea4c8",
  "lastName": "Hall"
}

The following are example usages with a rendered output based upon the above mentioned example User. The replacement variables are rendered using Apache FreeMarker which is an HTML template language.

A default value should be provided for variables that may be undefined at runtime such as firstName. See firstName in the example below is followed by a bang ! and then the string Unknown User. This indicates that if firstName is undefined when the template is rendered the value of Unknown User should be used as a default value.

Template Source

Hi ${user.firstName!'Unknown User'}, welcome to Pied Piper.

Please verify your email address ${user.email} by following the provided link.

https://piedpiper.fusionauth.io/email/verify/${verificationId}
- Admin

Rendered Output

Hi Monica, welcome to Pied Piper.

Please verify your email address monica@piedpiper.com by following the provided link.

https://piedpiper.fusionauth.io/email/verify/YkQY5Gsyo4RlfmDciBGRmvfj3RmatUqrbjoIZ19fmw4
- Admin

Custom Replacement Variables

In addition to the variables mentioned in the previous section, when defining your own email templates to be used by the Send Email API custom data may be provided on the API request to be used in the email template.

On Send Email API request the contents of the requestData field will be made available to you when the template is rendered.

For example, consider the following request to the Send API to send email template Id 1bc118ae-d5fa-4cdf-a90e-e8ef55c3e11e to the User by Id ce485a91-906f-4615-af75-81d37dc71e90.

POST /api/email/send/1bc118ae-d5fa-4cdf-a90e-e8ef55c3e11e

Example Request JSON

{
  "requestData": {
    "paymentAmount": "$9.99",
    "product": "party hat",
    "quantity": "12"
  },
  "userIds": [
    "ce485a91-906f-4615-af75-81d37dc71e90"
  ]
}

Template Source

Hello ${user.firstName!''},

Thank you for your purchase! We value your business, please come again!

Product: ${requestData.product!'unknown'}
Quantity: ${requestData.quantity!'unknown'}

- Pied Piper Customer Success

Rendered Output

Hello Kelly,

Thank you for your purchase! We value your business, please come again!

Product: party hat
Quantity: 12

- Pied Piper Customer Success

Available Email Templates

Below is an overview of each email template that ships with FusionAuth.

The email templates ship with a base URL of http://localhost:9011 for links, such as the verify email or change password link. While this works for local development, for production, make sure to update all base URLs to a public URL, such as https://auth.example.com.

One option is to store a base URL value on the tenant.data object. For example, set tenant.data.baseEmailURL to https://auth.example.com, and then access it from each email template. Setting the tenant.data.baseEmailURL field can be done using the API or the client libraries.

There is currently no support for changing the base URL in all templates in an instance, though there is an open feature request.

Breached Password

HTML

[#setting url_escaping_charset="UTF-8"]
<p>This password was found in the list of vulnerable passwords, and is no longer secure.</p>

<p>In order to secure your account, it is recommended to change your password at your earliest convenience.</p>

<p>Follow this link to change your password.</p>

<a href="http://localhost:9011/password/forgot?client_id=${(application.oauthConfiguration.clientId)!''}&email=${user.email?url}&tenantId=${user.tenantId}">
  http://localhost:9011/password/forgot?client_id=${(application.oauthConfiguration.clientId)!''}&email=${user.email?url}&tenantId=${user.tenantId}
</a>

- FusionAuth Admin

Text

[#setting url_escaping_charset="UTF-8"]
This password was found in the list of vulnerable passwords, and is no longer secure.

In order to secure your account, it is recommended to change your password at your earliest convenience.

Follow this link to change your password.

http://localhost:9011/password/forgot?client_id=${(application.oauthConfiguration.clientId)!''}&email=${user.email?url}&tenantId=${user.tenantId}

- FusionAuth Admin

Replacement Variables

applicationApplicationAvailable since 1.27.2

The Application object, see the Application API for field definitions.

Note: This object may not be available depending upon when this template is constructed. If you utilize this object in your template, ensure you first check to see if it is defined.

breachResult.loginIds

The breach result matching loginIds. This is an array of zero or more email addresses or usernames found in the breach result matching this user. A length of zero means only the password was matched.

breachResult.matchString

The breach result match type determined by the FusionAuth Reactor. Possible values include:

  • ExactMatch The User’s loginId and password were found exactly as entered.
  • SubAddressMatch The User’s loginId and password were matched, but the email address was a sub-address match. For example, joe+test@example.com is a sub-address match for joe@example.com.
  • PasswordOnly Only the password found, the loginId and password combination were not matched.
  • CommonPassword The User’s password was found to be one of the most commonly known breached passwords.
tenantTenant

The Tenant object, see the Tenant API for field definitions.

userUser

The User object, see the User API for field definitions.

Confirm Child

HTML

Your child has created an account with us and you need to confirm them before they are added to your family. Click the link below to confirm your child's account.
<p>
  <a href="http://example.com/family/confirm-child">http://example.com/family/confirm-child</a>
</p>
- FusionAuth Admin

Text

Your child has created an account with us and you need to confirm them before they are added to your family. Click the link below to confirm your child's account.

http://example.com/family/confirm-child

- FusionAuth Admin

Replacement Variables

childUser

The child User object, see the User API for field definitions of a User.

parentUser

The parent User object, see the User API for field definitions of a User.

tenantTenantAvailable since 1.18.2

The Tenant object, see the Tenant API for field definitions.

user

The parent User object. This field has been deprecated, please use the parent object instead.

COPPA Email Plus Notice

HTML

A while ago, you granted your child consent in our system. This email is a second notice of this consent as required by law and also to remind to that you can revoke this consent at anytime on our website or by clicking the link below:
<p>
  <a href="http://example.com/consent/manage">http://example.com/consent/manage</a>
</p>
- FusionAuth Admin

Text

A while ago, you granted your child consent in our system. This email is a second notice of this consent as required by law and also to remind to that you can revoke this consent at anytime on our website or by clicking the link below:

http://example.com/consent/manage

- FusionAuth Admin

Replacement Variables

consentUserConsent

The User Consent object, see the Consent API for field definitions of a User consent.

tenantTenantAvailable since 1.18.2

The Tenant object, see the Tenant API for field definitions of a Tenant.

userUser

The User giving consent, see the User API for field definitions of a User.

COPPA Notice

HTML

You recently granted your child consent in our system. This email is to notify you of this consent. If you did not grant this consent or wish to revoke this consent, click the link below:
<p>
  <a href="http://example.com/consent/manage">http://example.com/consent/manage</a>
</p>
- FusionAuth Admin

Text

You recently granted your child consent in our system. This email is to notify you of this consent. If you did not grant this consent or wish to revoke this consent, click the link below:

http://example.com/consent/manage

- FusionAuth Admin

Replacement Variables

tenantTenantAvailable since 1.18.2

The Tenant object, see the Tenant API for field definitions of a Tenant.

userUser

The User giving consent, see the User API for field definitions of a User.

Email Verification

HTML

[#if user.verified]
Pro tip, your email has already been verified, but feel free to complete the verification process to verify your verification of your email address.
[/#if]

[#-- When a one-time code is provided, you will want the user to enter this value interactively using a form. In this workflow the verificationId
     is not shown to the user and instead the one-time code must be paired with the verificationId which is usually in a hidden form field. When the two
     values are presented together, the email address can be verified --]
[#if verificationOneTimeCode??]
<p>To complete your email verification enter this code into the email verification form.</p>
<p> ${verificationOneTimeCode} </p>
[#else]
To complete your email verification click on the following link.
<p>
  <a href="http://localhost:9011/email/verify/${verificationId}?client_id=${(application.oauthConfiguration.clientId)!''}&postMethod=true&tenantId=${user.tenantId}">
    http://localhost:9011/email/verify/${verificationId}?client_id=${(application.oauthConfiguration.clientId)!''}&postMethod=true&tenantId=${user.tenantId}
  </a>
</p>
[/#if]

- FusionAuth Admin

Text

[#if user.verified]
Pro tip, your email has already been verified, but feel free to complete the verification process to verify your verification of your email address.
[/#if]

[#-- When a one-time code is provided, you will want the user to enter this value interactively using a form. In this workflow the verificationId
     is not shown to the user and instead the one-time code must be paired with the verificationId which is usually in a hidden form field. When the two
     values are presented together, the email address can be verified --]
[#if verificationOneTimeCode??]
To complete your email verification enter this code into the email verification form.

${verificationOneTimeCode}
[#else]
To complete your email verification click on the following link.

http://localhost:9011/email/verify/${verificationId}?client_id=${(application.oauthConfiguration.clientId)!''}&postMethod=true&tenantId=${user.tenantId}
[/#if]

- FusionAuth Admin

Replacement Variables

applicationApplicationAvailable since 1.21.0

The Application object, see the Application API for field definitions.

Note: This object may not be available depending upon when this template is constructed. If you utilize this object in your template, ensure you first check to see if it is defined.

tenantTenantAvailable since 1.18.2

The Tenant object, see the Tenant API for field definitions of a Tenant.

userUser

The User object, see the User API for field definitions of a User.

verificationIdString

The verification Id intended to be used by the Verify Email API.

verificationOneTimeCodeString

The verification One Time Code (OTP) to be used with the gated Email Verification workflow. The user enters this code to verify their email.

Forgot Password

This is also known as the “Change Password” template.

HTML

[#setting url_escaping_charset="UTF-8"]
To change your password click on the following link.
<p>
  [#-- The optional 'state' map provided on the Forgot Password API call is exposed in the template as 'state'.
       If we have an application context, append the client_id to ensure the correct application theme when applicable.
  --]
  [#assign url = "http://localhost:9011/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}" /]
  [#list state!{} as key, value][#if key != "tenantId" && key != "client_id" && value??][#assign url = url + "&" + key?url + "=" + value?url/][/#if][/#list]
  <a href="${url}">${url}</a>
</p>
- FusionAuth Admin

Text

[#setting url_escaping_charset="UTF-8"]
To change your password click on the following link.

  [#-- The optional 'state' map provided on the Forgot Password API call is exposed in the template as 'state'.
       If we have an application context, append the client_id to ensure the correct application theme when applicable.
  --]
[#assign url = "http://localhost:9011/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}" /]
[#list state!{} as key, value][#if key != "tenantId" && key != "client_id" && value??][#assign url = url + "&" + key?url + "=" + value?url/][/#if][/#list]

${url}

- FusionAuth Admin

Replacement Variables

applicationApplicationAvailable since 1.21.0

The Application object, see the Application API for field definitions.

Note: This object may not be available depending upon when this template is constructed. If you utilize this object in your template, ensure you first check to see if it is defined.

changePasswordIdString

The change password Id intended to be used by the Change a User’s Password API.

stateObject

If the state was provided during the Forgot Password request, it will be available to you in the email template.

tenantTenantAvailable since 1.18.2

The Tenant object, see the Tenant API for field definitions.

userUser

The User object, see the User API for field definitions of a User.

Parent Registration Request

HTML

Your child has created an account with us and needs you to create an account and verify them. You can sign up using the link below:
<p>
  <a href="http://example.com/family/confirm-child">http://example.com/family/confirm-child</a>
</p>
- FusionAuth Admin

Text

Your child has created an account with us and needs you to create an account and verify them. You can sign up using the link below:

http://example.com/family/confirm-child

- FusionAuth Admin

Replacement Variables

childUser

The child User object, see the User API for field definitions of a User.

tenantTenantAvailable since 1.18.2

The Tenant object, see the Tenant API for field definitions of a Tenant.

Passwordless Login

HTML

[#setting url_escaping_charset="UTF-8"]
You have requested to log into FusionAuth using this email address. If you do not recognize this request please ignore this email.
<p>
  [#-- The optional 'state' map provided on the Start Passwordless API call is exposed in the template as 'state' --]
  [#assign url = "http://localhost:9011/oauth2/passwordless/${code}?postMethod=true&tenantId=${user.tenantId}" /]
  [#list state!{} as key, value][#if key != "tenantId" && value??][#assign url = url + "&" + key?url + "=" + value?url/][/#if][/#list]
  <a href="${url}">${url}</a>
</p>
- FusionAuth Admin

Text

[#setting url_escaping_charset="UTF-8"]
You have requested to log into FusionAuth using this email address. If you do not recognize this request please ignore this email.

[#-- The optional 'state' map provided on the Start Passwordless API call is exposed in the template as 'state' --]
[#assign url = "http://localhost:9011/oauth2/passwordless/${code}?postMethod=true&tenantId=${user.tenantId}" /]
[#list state!{} as key, value][#if key != "tenantId" && value??][#assign url = url + "&" + key?url + "=" + value?url/][/#if][/#list]

${url}

- FusionAuth Admin

Replacement Variables

applicationApplicationAvailable since 1.21.0

The Application object, see the Application API for field definitions.

Note: This object may not be available depending upon when this template is constructed. If you utilize this object in your template, ensure you first check to see if it is defined.

codeString

The unique code intended to be used by the Complete a Passwordless Login API.

stateObject

If the state was provided when the Passwordless request was initiated, it will be available to you in the email template.

tenantTenantAvailable since 1.18.2

The Tenant object, see the Tenant API for field definitions of a Tenant.

userUser

The User object, see the User API for field definitions of a User.

Registration Verification

HTML

[#if registration.verified]
Pro tip, your registration has already been verified, but feel free to complete the verification process to verify your verification of your registration.
[/#if]

[#-- When a one-time code is provided, you will want the user to enter this value interactively using a form. In this workflow the verificationId
     is not shown to the user and instead the one-time code must be paired with the verificationId which is usually in a hidden form field. When the two
     values are presented together, the registration can be verified --]
[#if verificationOneTimeCode??]
<p>To complete your registration verification enter this code into the registration verification form.</p>
<p> ${verificationOneTimeCode} </p>
[#else]
To complete your registration verification click on the following link.
<p>
  <a href="http://localhost:9011/registration/verify/${verificationId}?client_id=${(application.oauthConfiguration.clientId)!''}&postMethod=true&tenantId=${user.tenantId}">
    http://localhost:9011/registration/verify/${verificationId}?client_id=${(application.oauthConfiguration.clientId)!''}&postMethod=true&tenantId=${user.tenantId}
  </a>
</p>
[/#if]

- FusionAuth Admin

Text

[#if registration.verified]
Pro tip, your registration has already been verified, but feel free to complete the verification process to verify your verification of your registration.
[/#if]

[#-- When a one-time code is provided, you will want the user to enter this value interactively using a form. In this workflow the verificationId
     is not shown to the user and instead the one-time code must be paired with the verificationId which is usually in a hidden form field. When the two
     values are presented together, the registration can be verified --]
[#if verificationOneTimeCode??]
To complete your registration verification enter this code into the registration verification form.

${verificationOneTimeCode}
[#else]
To complete your registration verification click on the following link.

http://localhost:9011/registration/verify/${verificationId}?client_id=${(application.oauthConfiguration.clientId)!''}&postMethod=true&tenantId=${user.tenantId}
[/#if]

- FusionAuth Admin

Replacement Variables

applicationApplicationAvailable since 1.21.0

The Application object, see the Application API for field definitions.

registration

The User Registration object, see the Registration API for field definitions of a User.

tenantTenantAvailable since 1.18.2

The Tenant object, see the Tenant API for field definitions of a Tenant.

userUser

The User object, see the User API for field definitions of a User.

verificationIdString

The verification Id intended to be used by the Verify a User Registration API.

verificationOneTimeCodeString

The verification One Time Code to be used with the Gated Registration workflow. The user enters this code to verify their email.

Setup Password

HTML

Your account has been created and you must setup a password. Click on the following link to setup your password.
<p>
  <a href="http://localhost:9011/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}">
    http://localhost:9011/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}
  </a>
</p>
- FusionAuth Admin

Text

Your account has been created and you must setup a password. Click on the following link to setup your password.

http://localhost:9011/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}

- FusionAuth Admin

Replacement Variables

applicationApplicationAvailable since 1.21.0

The Application object, see the Application API for field definitions.

Note: This object may not be available depending upon when this template is constructed. If you utilize this object in your template, ensure you first check to see if it is defined.

changePasswordIdString

The change password Id intended to be used by the Change a User’s Password API.

tenantTenantAvailable since 1.18.2

The Tenant object, see the Tenant API for field definitions of a Tenant.

userUser

The User object, see the User API for field definitions of a User.

Threat Detected

FusionAuth Reactor logo

This feature is only available in the Enterprise plan. Please visit our pricing page to learn more.

HTML

[#-- @ftlvariable name="event" type="io.fusionauth.domain.event.UserLoginSuspiciousEvent" --]
[#setting url_escaping_charset="UTF-8"]
[#if event.type == "UserLoginSuspicious"]
  <p>A suspicious login was made on your account. If this was you, you can safely ignore this email. If this wasn't you, we recommend that you change your password as soon as possible.</p>
[#elseif event.type == "UserLoginNewDevice"]
  <p>A login from a new device was detected on your account. If this was you, you can safely ignore this email. If this wasn't you, we recommend that you change your password as soon as possible.</p>
[#else]
  <p>Suspicious activity has been observed on your account. In order to secure your account, it is recommended to change your password at your earliest convenience.</p>
[/#if]

<p>Device details</p>
<ul>
  <li><strong>Device name:</strong> ${(event.info.deviceName)!'&mdash;'}</li>
  <li><strong>Device description:</strong> ${(event.info.deviceDescription)!'&mdash;'}</li>
  <li><strong>Device type:</strong> ${(event.info.deviceType)!'&mdash;'}</li>
  <li><strong>User agent:</strong> ${(event.info.userAgent)!'&mdash;'}</li>
</ul>

<p>Event details</p>
<ul>
  <li><strong>IP address:</strong> ${(event.info.ipAddress)!'&mdash;'}</li>
  <li><strong>City:</strong> ${(event.info.location.city)!'&mdash;'}</li>
  <li><strong>Country:</strong> ${(event.info.location.country)!'&mdash;'}</li>
  <li><strong>Zipcode:</strong> ${(event.info.location.zipcode)!'&mdash;'}</li>
  <li><strong>Lat/long:</strong> ${(event.info.location.latitude)!'&mdash;'}/${(event.info.location.longitude)!'&mdash;'}</li>
</ul>

- FusionAuth Admin

Text

[#setting url_escaping_charset="UTF-8"]
[#if event.type == "UserLoginSuspicious"]
A suspicious login was made on your account. If this was you, you can safely ignore this email. If this wasn't you, we recommend that you change your password as soon as possible.
[#elseif event.type == "UserLoginNewDevice"]
A login from a new device was detected on your account. If this was you, you can safely ignore this email. If this wasn't you, we recommend that you change your password as soon as possible.
[#else]
Suspicious activity has been observed on your account. In order to secure your account, it is recommended to change your password at your earliest convenience.
[/#if]

Device details

* Device name: ${(event.info.deviceName)!'&mdash;'}
* Device description: ${(event.info.deviceDescription)!'&mdash;'}
* Device type: ${(event.info.deviceType)!'&mdash;'}
* User agent: ${(event.info.userAgent)!'&mdash;'}

Event details

* IP address: ${(event.info.ipAddress)!'-'}
* City: ${(event.info.location.city)!'-'}
* Country: ${(event.info.location.country)!'-'}
* Zipcode: ${(event.info.location.zipcode)!'-'}
* Lat/long: ${(event.info.location.latitude)!'-'}/${(event.info.location.longitude)!'-'}

- FusionAuth Admin

Replacement Variables

applicationApplicationAvailable since 1.28.0

The Application object, see the Application API for field definitions.

event.infoEventInfo

The EventInfo object, see the User Login Suspicious event definition for example field definitions.

tenantTenantAvailable since 1.18.2

The Tenant object, see the Tenant API for field definitions.

userUser

The User object, see the User API for field definitions of a User.

Two Factor Authentication

HTML

<p>
  To complete your login request, enter this one-time code code on the login form when prompted.
</p>
<p>
  <strong>${code}</strong>
</p>

- FusionAuth Admin

Text

To complete your login request, enter this one-time code code on the login form when prompted.

${code}

- FusionAuth Admin

Replacement Variables

applicationApplicationAvailable since 1.46.0

The Application object, see the Application API for field definitions.

Note: This object may not be available depending upon when this template is constructed. If you utilize this object in your template, ensure you first check to see if it is defined. You can check for this variable safely in FreeMarker using the missing value test operator and an if statement:

[#if application??]
  [#-- Use application here --]
[/#if]

This object is not available on the email template when:

  • The multi-factor workflow was started without providing the applicationId on that request.
  • Multi-factor authentication is required during a call to the login API without providing the applicationId parameter. That documentation points out that there is likely no production use case where calling the API without the applicationId parameter is useful.
  • The message is being sent to enable or disable a multi-factor method without providing the applicationId on the request.
codeString

A code that the user must provide to complete multi-factor authentication.

tenantTenantAvailable since 1.18.2

The Tenant object, see the Tenant API for field definitions.

userUser

The User object, see the User API for field definitions of a User.

Two Factor Authentication Method Added

FusionAuth Reactor logo

This feature is only available in the Enterprise plan. Please visit our pricing page to learn more.

HTML

<p>
 The following two factor method was added to ${user.email}:

  <br>
  <strong>Method: ${method.method}</strong>
  <br>
  <strong>Identifier: ${method.id}</strong>

</p>

- FusionAuth Admin

Text

The following two factor method was added to ${user.email}:

- Method: ${method.method}
- Identifier: ${method.id}

- FusionAuth Admin

Replacement Variables

applicationApplicationAvailable since 1.28.0

The Application object, see the Application API for field definitions.

Note: This object may not be available depending upon when this template is constructed. If you utilize this object in your template, ensure you first check to see if it is defined. You can check for this variable safely in freemarker by wrapping the variable as such: ${(application)!""}.

eventEvent

The Event object for a two factor add event. See the Webhooks & Events section for field definitions.

methodObject

The two-factor method that was added. See the Multi Factor/Two Factor APIs for property definitions and example JSON.

tenantTenant

The Tenant object, see the Tenant API for field definitions.

userUser

The User object, see the User API for field definitions of a User.

Two Factor Authentication Method Removed

FusionAuth Reactor logo

This feature is only available in the Enterprise plan. Please visit our pricing page to learn more.

HTML

<p>
 The following two factor method was removed from ${user.email}:

  <br>
  <strong>Method: ${method.method}</strong>
  <br>
  <strong>Identifier: ${method.id}</strong>

</p>

- FusionAuth Admin

Text

The following two factor method was removed from ${user.email}:

- Method: ${method.method}
- Identifier: ${method.id}

- FusionAuth Admin

Replacement Variables

applicationApplication

The Application object, see the Application API for field definitions.

Note: This object may not be available depending upon when this template is constructed. If you utilize this object in your template, ensure you first check to see if it is defined. You can check for this variable safely in freemarker by wrapping the variable as such: ${(application)!""}.

eventEvent

The Event object for a two factor remove event. See the Webhooks & Events section for field definitions.

methodObject

The two-factor method that was removed. See the Multi Factor/Two Factor APIs for property definitions and example JSON.

tenantTenant

The Tenant object, see the Tenant API for field definitions.

userUser

The User object, see the User API for field definitions of a User.