Users

users

Methods

Create A User -> { app_metadata, blocked, created_at, 18 more... }
post/users

Create a new user for a given database or passwordless connection.

Note: connection is required but other parameters such as email and password are dependent upon the type of connection.

Delete A User ->
delete/users/{id}

Delete a user by user ID. This action cannot be undone. For Auth0 Dashboard instructions, see Delete Users.

List Or Search Users -> UsersPageNumberPage<{ app_metadata, blocked, created_at, 18 more... }>
get/users

Retrieve details of users. It is possible to:

  • Specify a search criteria for users
  • Sort the users to be returned
  • Select the fields to be returned
  • Specify the number of users to retrieve per page and the page index The q query parameter can be used to get users that match the specified criteria using query string syntax.

Learn more about searching for users.

Read about best practices when working with the API endpoints for retrieving users.

Auth0 limits the number of users you can return. If you exceed this threshold, please redefine your search, use the export job, or the User Import / Export extension.

Security

Example: Authorization: Bearer My Bearer Token

Parameters
connection: string
Optional

Connection filter. Only applies when using search_engine=v1. To filter by connection with search_engine=v2|v3, use q=identities.connection:"connection_name"

fields: string
Optional

Comma-separated list of fields to include or exclude (based on value provided for include_fields) in the result. Leave empty to retrieve all fields.

include_fields: boolean
Optional

Whether specified fields are to be included (true) or excluded (false).

include_totals: boolean
Optional

Return results inside an object that contains the total result count (true) or as a direct array of results (false, default).

page: number
Optional
(minimum: 0)

Page index of the results to return. First page is 0.

per_page: number
Optional
(maximum: 100, minimum: 0)

Number of results per page.

q: string
Optional

Query in Lucene query string syntax. Some query types cannot be used on metadata fields, for details see Searchable Fields.

search_engine:
Optional

The version of the search engine

"v1"
"v2"
"v3"
sort: string
Optional

Field to sort by. Use field:order where order is 1 for ascending and -1 for descending. e.g. created_at:1

Response fields
UnionMember0 = Array<{ app_metadata, blocked, created_at, 18 more... }>
UnionMember1 = { length, limit, start, 2 more... }
Request example
200Example
Generate New Multi Factor Authentication Recovery Code -> { recovery_code }
post/users/{id}/recovery-code-regeneration

Remove an existing multi-factor authentication (MFA) recovery code and generate a new one. If a user cannot access the original device or account used for MFA enrollment, they can use a recovery code to authenticate.

Get A User -> { app_metadata, blocked, created_at, 18 more... }
get/users/{id}

Retrieve user details. A list of fields to include or exclude may also be specified. For more information, see Retrieve Users with the Get Users Endpoint.

Update A User -> { app_metadata, blocked, created_at, 18 more... }
patch/users/{id}

Update a user.

These are the attributes that can be updated at the root level:

  • app_metadata
  • blocked
  • email
  • email_verified
  • family_name
  • given_name
  • name
  • nickname
  • password
  • phone_number
  • phone_verified
  • picture
  • username
  • user_metadata
  • verify_email

Some considerations:

  • The properties of the new object will replace the old ones.
  • The metadata fields are an exception to this rule (user_metadata and app_metadata). These properties are merged instead of being replaced but be careful, the merge only occurs on the first level.
  • If you are updating email, email_verified, phone_number, phone_verified, username or password of a secondary identity, you need to specify the connection property too.
  • If you are updating email or phone_number you can specify, optionally, the client_id property.
  • Updating email_verified is not supported for enterprise and passwordless sms connections.
  • Updating the blocked to false does not affect the user's blocked state from an excessive amount of incorrectly provided credentials. Use the "Unblock a user" endpoint from the "User Blocks" API to change the user's state.
  • Supported attributes can be unset by supplying null as the value.
Updating a field (non-metadata property)
To mark the email address of a user as verified, the body to send should be:
{ "email_verified": true }
Updating a user metadata root property
Let's assume that our test user has the following user_metadata:
{ "user_metadata" : { "profileCode": 1479 } }

To add the field addresses the body to send should be:

{ "user_metadata" : { "addresses": {"work_address": "100 Industrial Way"} }}

The modified object ends up with the following user_metadata property:

{
  "user_metadata": {
    "profileCode": 1479,
    "addresses": { "work_address": "100 Industrial Way" }
  }
}

Updating an inner user metadata property
If there's existing user metadata to which we want to add "home_address": "742 Evergreen Terrace" (using the addresses property) we should send the whole addresses object. Since this is a first-level object, the object will be merged in, but its own properties will not be. The body to send should be:
{
  "user_metadata": {
    "addresses": {
      "work_address": "100 Industrial Way",
      "home_address": "742 Evergreen Terrace"
    }
  }
}

The modified object ends up with the following user_metadata property:

{
  "user_metadata": {
    "profileCode": 1479,
    "addresses": {
      "work_address": "100 Industrial Way",
      "home_address": "742 Evergreen Terrace"
    }
  }
}

Domain types

UserEnrollment = { id, auth_method, enrolled_at, 6 more... }
UserIdentity = { connection, provider, user_id, 5 more... }
Users

Authentication Methods

users.authentication_methods

Methods

Creates An Authentication Method For A Given User -> { type, id, authentication_methods, 9 more... }
post/users/{id}/authentication-methods

Create an authentication method. Authentication methods created via this endpoint will be auto confirmed and should already have verification completed.

Delete An Authentication Method By ID ->
delete/users/{id}/authentication-methods/{authentication_method_id}

Remove the authentication method with the given ID from the specified user. For more information, review Manage Authentication Methods with Management API.

Get A List Of Authentication Methods -> UsersAuthenticationMethodsPageNumberPage<{ id, created_at, type, 15 more... }>
get/users/{id}/authentication-methods

Retrieve detailed list of authentication methods associated with a specified user.

Get An Authentication Method By ID -> { id, created_at, type, 15 more... }
get/users/{id}/authentication-methods/{authentication_method_id}

Get an authentication method by ID

Update An Authentication Method -> { type, id, authentication_methods, 9 more... }
patch/users/{id}/authentication-methods/{authentication_method_id}

Modify the authentication method with the given ID from the specified user. For more information, review Manage Authentication Methods with Management API.

Users

Authenticators

users.authenticators

Methods

Delete All Authenticators ->
delete/users/{id}/authenticators

Remove all authenticators registered to a given user ID, such as OTP, email, phone, and push-notification. This action cannot be undone. For more information, review Manage Authentication Methods with Management API.

Users

Enrollments

users.enrollments

Methods

Get The First Confirmed Multi Factor Authentication Enrollment -> Array<>
get/users/{id}/enrollments

Retrieve the first multi-factor authentication enrollment that a specific user has confirmed.

Users

Identities

users.identities

Methods

Link A User Account -> Array<>
post/users/{id}/identities

Link two user accounts together forming a primary and secondary relationship. On successful linking, the endpoint returns the new array of the primary account identities.

Note: There are two ways of invoking the endpoint:

  • With the authenticated primary account's JWT in the Authorization header, which has the update:current_user_identities scope:
          POST /api/v2/users/PRIMARY_ACCOUNT_USER_ID/identities
          Authorization: "Bearer PRIMARY_ACCOUNT_JWT"
          {
            "link_with": "SECONDARY_ACCOUNT_JWT"
          }
        
    In this case, only the link_with param is required in the body, which also contains the JWT obtained upon the secondary account's authentication.
  • With a token generated by the API V2 containing the update:users scope:
        POST /api/v2/users/PRIMARY_ACCOUNT_USER_ID/identities
        Authorization: "Bearer YOUR_API_V2_TOKEN"
        {
          "provider": "SECONDARY_ACCOUNT_PROVIDER",
          "connection_id": "SECONDARY_ACCOUNT_CONNECTION_ID(OPTIONAL)",
          "user_id": "SECONDARY_ACCOUNT_USER_ID"
        }
        
    In this case you need to send provider and user_id in the body. Optionally you can also send the connection_id param which is suitable for identifying a particular database connection for the 'auth0' provider.
Unlink A User Identity -> Array<{ connection, provider, user_id, 5 more... }>
delete/users/{id}/identities/{provider}/{user_id}

Unlink a specific secondary account from a target user. This action requires the ID of both the target user and the secondary account.

Unlinking the secondary account removes it from the identities array of the target user and creates a new standalone profile for the secondary account. To learn more, review Unlink User Accounts.

Users

Logs

users.logs

Methods

Get User S Log Events -> LogsPageNumberPage<{ audience, client_id, client_name, 17 more... }>
get/users/{id}/logs

Retrieve log events for a specific user.

Note: For more information on all possible event types, their respective acronyms and descriptions, see Log Event Type Codes.

For more information on the list of fields that can be used in sort, see Searchable Fields.

Auth0 limits the number of logs you can return by search criteria to 100 logs per request. Furthermore, you may only paginate through up to 1,000 search results. If you exceed this threshold, please redefine your search.

Users

Multifactor

users.multifactor

Methods

Delete A User S Multi Factor Provider ->
delete/users/{id}/multifactor/{provider}

Remove a multifactor authentication configuration from a user's account. This forces the user to manually reconfigure the multi-factor provider.

Invalidate All Remembered Browsers For Multi Factor Authentication ->
post/users/{id}/multifactor/actions/invalidate-remember-browser

Invalidate all remembered browsers across all authentication factors for a user.

Users

Organizations

users.organizations

Methods

List User S Organizations -> OrganizationsPageNumberPage<{ id, branding, display_name, 2 more... }>
get/users/{id}/organizations

Retrieve list of the specified user's current Organization memberships. User must be specified by user ID. For more information, review Auth0 Organizations.

Users

Permissions

users.permissions

Methods

Assign Permissions To A User ->
post/users/{id}/permissions

Assign permissions to a user.

Remove Permissions From A User ->
delete/users/{id}/permissions

Remove permissions from a user.

Get A User S Permissions -> Array<{ description, permission_name, resource_server_identifier, 2 more... }> | { limit, permissions, start, 1 more... }
get/users/{id}/permissions

Retrieve all permissions associated with the user.

Users

Refresh Tokens

users.refresh_tokens

Methods

Delete Refresh Tokens For A User ->
delete/users/{user_id}/refresh-tokens

Delete all refresh tokens for a user.

Get Refresh Tokens For A User -> { next, tokens }
get/users/{user_id}/refresh-tokens

Retrieve details for a user's refresh tokens.

Users

Roles

users.roles

Methods

Assign Roles To A User ->
post/users/{id}/roles

Assign one or more existing user roles to a user. For more information, review Role-Based Access Control.

Note: New roles cannot be created through this action. Additionally, this action is used to assign roles to a user in the context of your whole tenant. To assign roles in the context of a specific Organization, use the following endpoint: Assign user roles to an Organization member.

Get A User S Roles -> RolesPageNumberPage<{ id, description, name }>
get/users/{id}/roles

Retrieve detailed list of all user roles currently assigned to a user.

Note: This action retrieves all roles assigned to a user in the context of your whole tenant. To retrieve Organization-specific roles, use the following endpoint: Get user roles assigned to an Organization member.

Removes Roles From A User ->
delete/users/{id}/roles

Remove one or more specified user roles assigned to a user.

Note: This action removes a role from a user in the context of your whole tenant. If you want to unassign a role from a user in the context of a specific Organization, use the following endpoint: Delete user roles from an Organization member.

Users

Sessions

users.sessions

Methods

Delete Sessions For User ->
delete/users/{user_id}/sessions

Delete all sessions for a user.

Get Sessions For User -> { next, sessions }
get/users/{user_id}/sessions

Retrieve details for a user's sessions.