FusionAuth is all about users, and understanding how FusionAuth models users helps you fully leverage the features it offers.
The User itself is easy enough to understand: it represents your end user, your employee, or your client.
A User is scoped to a Tenant. A User within a Tenant can be registered to multiple applications within that Tenant and use the same credentials to authenticate to each of them.
Users have sessions in FusionAuth. Sessions are equivalent to refresh tokens. Their lifetime is controlled by the Tenant or Application refresh token settings.
These appear in the administrative user interface under the tab (you may need to scroll if your screen is small):
There are two primary types of sessions/tokens shown in this table:
Normal refresh tokens.
SSO token. While technically a refresh token, it is special, and fully managed by FusionAuth. You may safely ignore this.
A session will end when:
It is deleted using the JWT APIs.
Optionally, as a result of a user changing their password or having their account locked.
An SSO session will end if you log out of SSO.
Normal sessions are not ended, nor are associated refresh tokens revoked, by front channel logout.
When a session is no longer valid, the associated refresh token can’t be used to create new JWTs.
The JWTs themselves are valid until they expire.
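The window between a session ending and its already-issued JWTs expiring, as an added example (not FusionAuth code): a standard-library HS256 model in which the signing key, the `sid` claim, the 300-second lifetime, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
JWT_TTL = 300                  # assumed access-token lifetime in seconds

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest())

def issue_jwt(sub: str, sid: str, now: int) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"sub": sub, "sid": sid, "exp": now + JWT_TTL}).encode())
    return f"{header}.{claims}.{_sign(header + '.' + claims)}"

def refresh(sessions: dict, refresh_token: str, now: int):
    """Exchange a refresh token for a new JWT; None once the session is gone."""
    s = sessions.get(refresh_token)
    return issue_jwt(s["sub"], s["sid"], now) if s else None

def verify_jwt(token: str, now: int, sessions=None):
    """Return the claims if the token is acceptable, else None.
    Stateless by default; pass sessions to also require a live session."""
    try:
        header, claims, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(f"{header}.{claims}")):
            return None
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        body = json.loads(_unb64(claims))
    except (ValueError, TypeError):
        return None
    if now >= body.get("exp", 0):
        return None
    if sessions is not None and body.get("sid") not in {s["sid"] for s in sessions.values()}:
        return None  # session lookup closes the window left by revocation
    return body

def demo() -> dict:
    sessions = {"rt-constructed-1": {"sub": "user-42", "sid": "sess-1"}}
    jwt = refresh(sessions, "rt-constructed-1", now=1000)
    del sessions["rt-constructed-1"]  # session ends right after issuance
    return {"refresh_after_end": refresh(sessions, "rt-constructed-1", 1001),
            "stateless_before_exp": verify_jwt(jwt, 1299) is not None,
            "stateless_at_exp": verify_jwt(jwt, 1300) is not None,
            "with_session_check": verify_jwt(jwt, 1299, sessions) is not None}
```

A resource server that only checks signature and expiry keeps accepting the token for up to the full JWT lifetime after the session ends, so the lifetime you configure is the revocation delay unless the verifier also consults session state.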
What Makes a User Active
FusionAuth includes reporting on the number of daily and monthly active users. What makes a User active during a time period is any of these events:
A User is created.
A User logs in.
The Login Ping API is used.
A JWT is refreshed using a Refresh Token.
SSO is used; this calls the login ping.
Users imported with the Import API do not count as monthly active users (MAU).
There are many different ways to log in using FusionAuth, but all of the below trigger a login event:
A login is completed using any Login API (normal, one-time, passwordless, Identity Provider, Connector).
A User is created with a password, whether self service or using the Registration API.
A Refresh Token is exchanged for a JWT.
A 2FA login is completed.
As of version 1.16.0, FusionAuth ships with a database search engine as the default.
By selecting the appropriate installation guide, one can easily create a configuration with Elasticsearch pre-enabled.
You can read more about the database and other search engines in the search core concepts section.
User search requests may be made through the User Search API or within the FusionAuth admin UI under .
Please see our search core concepts section for additional information on basic configuration. The remainder of this section will cover specifics as it relates to users and search.
Database Search Engine
This configuration is lightweight and simplifies installation and the overall system, but comes with the trade-offs of limited search capabilities and performance implications.
The database search engine enables fuzzy search against the following fields of the user:
To learn more about the database search engine in general, view the search core concepts section.
Elasticsearch Search Engine
Leveraging Elasticsearch for the user search engine enables advanced search capabilities on more numerous and granular data and a performance improvement for user search.
Advanced Search UI
FusionAuth provides an advanced user search interface that reveals how you may construct queryString and query parameters for the User Search API and User Bulk Delete API with desired results. Navigate to from the left navigation and click on the "Advanced" link below the Search input field to begin. The "Advanced" portion of this UI is available when the search engine type is configured to
We provide selectors for common search fields, as well as a free-form search field for constructing complex search queries. By selecting the Show Elasticsearch query toggle, you will see either the Elasticsearch query string or JSON search query that can be used as queryString and query parameters for the User Search API and User Bulk Delete API.
Additionally, you may enter Elasticsearch query strings or raw JSON queries into the search field for testing purposes.
The following screenshot shows a query string being constructed to search for users that belong to the Moderators group and are in the
When searching for users by application or any fields on an application, it is necessary to construct a JSON query due to the way the Elasticsearch mapping is defined.
The following screenshot shows an Elasticsearch JSON query being constructed to search for users that match the email pattern *@fusionauth.io, are registered to the Pied Piper application, and are assigned the
To learn more about the Elasticsearch search engine in general, view the search core concepts section.