User Management API Overview
Overview
The User Management APIs let you programmatically create, update, search, and delete users using a management key.
Management keys are generated from Company > Management Keys. Include the key in the Authorization header as a bearer token in the format <Project ID>:<Management Key>.
Endpoints
These are the available User Management API endpoints:
- Load User
- Get User Provider Token
- Search Users
- Get User's Login History
- Create User
- Batch Create Users
- Update User
- Update User Status
- Update User Email
- Update User Login ID
- Update User Phone
- Update User Display Name
- Update User Picture
- Update User Custom Attributes
- Update JWT
- Expire User Password
- Set Active Password for User
- Set Temporary Password for User
- Update User Add Tenant
- Update User Remove Tenant
- Update User Add Role
- Set User's Roles
- Update User Remove Role
- Add Application to User
- Set Applications for User
- Remove Application from User
- Log User Out of All Sessions
- Delete User's Passkeys
- Delete User
- Batch Delete Users
Examples
Loading a user
Use the Load User API endpoint to retrieve user information.
Important
Do not call Load User in a frequently invoked function such as authentication middleware. Instead, use custom claims to include the data you need directly in the session token.
Creating a user
- Call the Create User API endpoint with the desired user configuration.
- The user can then log in using any supported sign-in method, which changes their status from
invitedtoactive.
Updating a user
Important
Update User performs a full overwrite — any field not included in the request body will be removed from the user. For example, if a user has both an email and a phone number but the update only includes email, the phone number will be cleared. To modify individual fields without affecting other settings, use one of the specific update endpoints listed above (Update User Email, Update User Phone, etc.).
When a user's details change (for example, a role is added), their JWT is automatically refreshed within their current session.