Dynamic User Keys
Descope allows you to load data for both authenticated and unauthenticated users. When a user first supplies their login ID (email, phone number, custom login ID, etc.) but has not completed authentication, you can load their details within your flow using the `unauthUser` dynamic keys. Once the user has completed authentication, you can load their details within your flow using the `user` dynamic keys.

Custom attributes can be loaded within both `user` and `unauthUser` context keys. Example: `user.customAttributes.attribute1` or `unauthUser.customAttributes.attribute1`.
User
`user`: Keys prefixed with `user` are used for authenticated users.
Dynamic Key | Description |
---|---|
user.userId | A unique identifier for a user |
user.loginIds | All unique identifiers for a user. Usually an email and/or phone |
user.name | The user's name |
user.givenName | The user's given name |
user.middleName | The user's middle name |
user.familyName | The user's family name |
user.email | The user's email address |
user.emailDomain | The domain of the user's email address |
user.phone | The user's phone number |
user.verifiedEmail | Whether the user's email address has been verified |
user.verifiedPhone | Whether the user's phone number has been verified |
user.userTenants | An array of tenants associated with the user |
user.picture | The user's picture |
user.status | The user's status including active, invited or disabled |
user.tenantNames | All user tenant names as array |
user.tenantIds | All user tenant IDs as array |
user.tenant.roles | The tenant level user roles |
user.fingerprint.knownDevice | Indication of whether the unauthenticated user is using a device that has been spotted before in your application |
user.test | Will be set to true if this user is a test user |
user.lastAuth.country | Last country user logged in from |
user.lastAuth.countries | Latest countries user logged in from |
user.lastAuth.city | Last city user logged in from |
user.lastAuth.cities | Latest cities user logged in from |
user.lastAuth.ip | Last IP user logged in from |
user.lastAuth.ips | Latest IPs user logged in from |
user.lastAuth.time | Last time user logged in |
user.password | Indicates whether the user has ever logged in with a password |
user.totp | Indicates whether user has TOTP set |
user.project.roles | All project level roles associated with this user |
user.project.permissions | All project level permissions associated with this user |
user.saml | Indicates whether the user has ever logged in with SAML |
user.webauthn | Indicates whether the user has ever logged in with Passkeys (Webauthn) |
user.loggedIn | Indicates whether the user is already logged in |
Example of utilizing `user` dynamic keys in a flow condition:
UnauthUser
`unauthUser`: Keys prefixed with `unauthUser` are used for unauthenticated users.
Dynamic Key | Description |
---|---|
unauthUser.userId | A unique identifier for a user |
unauthUser.loginIds | All unique identifiers for a user. Usually an email and/or phone |
unauthUser.name | The user's name |
unauthUser.givenName | The user's given name |
unauthUser.middleName | The user's middle name |
unauthUser.familyName | The user's family name |
unauthUser.email | The user's email address |
unauthUser.emailDomain | The domain of the user's email address |
unauthUser.phone | The user's phone number |
unauthUser.verifiedEmail | Whether the user's email address has been verified |
unauthUser.verifiedPhone | Whether the user's phone number has been verified |
unauthUser.userTenants | An array of tenants associated with the user |
unauthUser.picture | The user's picture |
unauthUser.status | The user's status including active, invited or disabled |
unauthUser.tenantNames | All user tenant names as array |
unauthUser.tenantIds | All user tenant IDs as array |
unauthUser.tenant.roles | The tenant level user roles |
unauthUser.fingerprint.knownDevice | Indication of whether the unauthenticated user is using a device that has been spotted before in your application |
unauthUser.test | Will be set to true if this user is a test user |
unauthUser.lastAuth.country | Last country user logged in from |
unauthUser.lastAuth.countries | Latest countries user logged in from |
unauthUser.lastAuth.city | Last city user logged in from |
unauthUser.lastAuth.cities | Latest cities user logged in from |
unauthUser.lastAuth.ip | Last IP user logged in from |
unauthUser.lastAuth.ips | Latest IPs user logged in from |
unauthUser.lastAuth.time | Last time user logged in |
unauthUser.password | Indicates whether the user has ever logged in with a password |
unauthUser.totp | Indicates whether user has TOTP set |
unauthUser.project.roles | All project level roles associated with this user |
unauthUser.project.permissions | All project level permissions associated with this user |
unauthUser.saml | Indicates whether the user has ever logged in with SAML |
unauthUser.webauthn | Indicates whether the user has ever logged in with Passkeys (Webauthn) |
Example of utilizing `unauthUser` dynamic keys in a flow condition:

Example of utilizing `unauthUser.lastAuth.time` in a flow condition:

Using the dynamic key `unauthUser.lastAuth.time`, a Descoper can control the behavior of the flow based on how long ago an unauthenticated user last logged in. The operator in the condition supports checking the time in terms of minutes, hours or days. This helps in use cases where logic based on the user's last login time needs to be applied. A similar key is also available for authenticated users (`user.lastAuth.time`).
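The decision such a condition expresses can be modelled locally. The following is an added example, not Descope's flow engine or SDK code: it resolves dotted dynamic keys against a constructed context object and routes a login to a stricter branch when `unauthUser.lastAuth.time` is older than a threshold or `unauthUser.fingerprint.knownDevice` is not true. The context shape, the epoch-millisecond timestamp, the 30-day threshold and the function names are all assumptions.

```javascript
// Added example: a local model, not Descope's flow engine or SDK.
// Assumed: context shape, lastAuth.time as epoch milliseconds, the 30-day
// threshold, and the names resolveKey / olderThan / chooseBranch.
const UNIT_MS = { minutes: 60_000, hours: 3_600_000, days: 86_400_000 };
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Resolve a dotted dynamic key such as "unauthUser.lastAuth.time".
// Returns undefined when any segment is missing (e.g. no previous login).
function resolveKey(context, key) {
  let node = context;
  for (const part of key.split(".")) {
    if (node === null || typeof node !== "object" || !hasOwn(node, part)) {
      return undefined;
    }
    node = node[part];
  }
  return node;
}

// True when the timestamp at `key` lies more than `amount` units before `now`.
// A missing or non-numeric value counts as "older", so the check fails closed.
function olderThan(context, key, amount, unit, now) {
  if (!hasOwn(UNIT_MS, unit)) throw new RangeError(`unsupported unit: ${unit}`);
  const last = resolveKey(context, key);
  if (typeof last !== "number" || !Number.isFinite(last)) return true;
  return now - last > amount * UNIT_MS[unit];
}

// Stale last login or an unrecognised device selects the stricter branch.
function chooseBranch(context, now) {
  const stale = olderThan(context, "unauthUser.lastAuth.time", 30, "days", now);
  const known = resolveKey(context, "unauthUser.fingerprint.knownDevice") === true;
  return stale || !known ? "step-up" : "standard";
}

// Constructed sample context (not real Descope output).
const NOW = Date.UTC(2024, 5, 30);
const sample = {
  unauthUser: {
    lastAuth: { time: Date.UTC(2024, 5, 25) },
    fingerprint: { knownDevice: true },
    customAttributes: { attribute1: "gold" },
  },
};
console.log(chooseBranch(sample, NOW));
```

Treating a missing `lastAuth.time` as stale means a user with no recorded login is sent to the stricter branch rather than the standard one.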
Further Variations of unauthUser
By default, when using `unauthUser` context keys, the user is loaded by email; however, there may be scenarios where the user needs to be loaded by another variation. Descope supports loading unauthenticated users using `unauthUser.byEmail` (default), `unauthUser.byPhone`, and `unauthUser.byTenant`.
unauthUser.byEmail
In most scenarios, you'll want to load the unauthenticated user by email after the user has supplied their email address within a Descope flow screen. This is the default behavior, but if you would like to load the user this way explicitly, you can use any of the above `unauthUser` keys, for example `unauthUser.byEmail.name`.
unauthUser.byPhone
Suppose you are using the phone number of a user within a flow rather than an email. In that case, you can use `unauthUser.byPhone` to load user details before authenticating the user. You can use any of the above `unauthUser` keys, for example `unauthUser.byPhone.name`.
unauthUser.byTenant
If you are loading an unauthenticated user that's associated with a SAML tenant, you will likely want to capture details of that user within the flow. Because the user's login ID is something like email-tenantId (me@email.com-txxxx), you'll need to load the user by tenant. You can use any of the above `unauthUser` keys, for example `unauthUser.byTenant.name`.