User Management

User Identity

For each user created in your project, Descope assigns a unique ID (id) to the user. This ID can be used to identify the user in your application. This unique ID cannot be changed within the Descope UI, your application, or any API call. Descope has additional attributes in the user object, such as an email, phone, and name. The loginId is used as the identifier parameter in the different SDK/API calls (sign-in, sign-up, update, etc.) and can be an email, phone, or username. If a user is trying to sign up with loginId that already exists in the system, the accounts will be merged, and user will be logged into the existing account.

Custom User Attributes

Descope allows you to create custom attributes that can store further details about your users. You can create custom attributes within the user's page under the custom attributes tab.

Custom attributes can be of various types and store any data you want to store for the user. For example, this data could be a user's date of birth, location, etc. You can later utilize these attributes within custom claims or loaded for a user and displayed them within your application.

User Invite Flow

Descope supports the ability to invite users to your application. Before you invite users, you will need to configure the User Invitation Redirect URL within Project Settings.

You can invite users singularly or in batches from the Users page. You can invite users in batches by importing a csv or json file with user details. When you invite users via email, their email is labeled as verified. After inviting a user, the user's status will be Invited. Once the user has successfully signed into your application, the user's status will change to Active. You can reinvite users by re-adding them to the users page; once reinvited, the original invite will be invalid. When creating your users, you can add them to roles. Additionally, if your application is utilizing multi-tenant, you can associate the users to the applicable tenant(s) when you invite them.

Learn more about customizing the user invite and details about user invites within this article.

User Merging

Descope supports the merging of user accounts. Merging accounts will be based on trusted email addresses. Within the Authentication Methods page of the Descope UI, Descopers can configure the Social Auth(OAuth) logins to merge with existing users. Within each of the Social Auth(OAuth) methods, Descopers can configure the merging of the users by enabling the toggle for Merge user accounts based on returned email address from provider. If the email address returned from the Social Auth(OAuth) provider matches an existing user, the Descope service will merge the accounts based on the user's email address.

Associating Multiple Login IDs for a User

Within your application, you may have users signing up or in with an email authentication method but also utilizing other ways, which use SMS or Social Login. Descope allows these different auth methods to be nested into the same user by allowing multiple login IDs to be associated with the user. Storing multiple login IDs enables the user to log in with an email auth method, SMS auth method, and Social Login; all of the login IDs will be associated with the same user. The user can then log into your application using their email address or phone number as the login ID.

When utilizing the API or SDK, if you want to enable this feature, you will use the options AddToLoginIDs and OnMergeUseExisting. Setting the AddToLoginIDs to true will enable the additional login IDs to be associated with the user. When OnMergeUseExisting is set to false, it will merge the users based on the new user's details. When OnMergeUseExisting is set to true, it will merge the users based on the existing user's details.

If you are utilizing flows, please see our Knowledge Base Article which covers implementing this feature within flows.

You can also associate multiple login Ids by utilizing the create, batch create, invite, or update functions below passing the additional login IDs parameter.

User Lifecycle

Users within Descope can be in one of three states: Active, Inactive, or Invited. An invited user can log into your application; once logged in, they will become active. Active users can log in and interact with your application based on their assigned roles. Once a user becomes deactivated, they will no longer be able to log into your application. Deactivated users will remain in the Descope project and may be reactivated if you choose to reactivate them. If you delete a user from your Descope project, the user will no longer be able to log into your application. Deleting users will remove their user details from the Descope project.

In some cases with helping a user logout, the Descoper can force a logout on the user so they can login again. This requirement arises in situations like suspicious activity where the Descoper would want to force logout the user. This will log the user out from all the devices and sessions. This can be done by a Descoper with relevant permissions. This functionality is supported both in single-user and batch user actions. The action Force Logout comes under User Management in the Descope console. For this to be done via SDKs, see this and for Backend SDK refer to this documentation.

User's JWT Update Flow

When a user's details are updated, for example additional roles are added, or other items regarding the user's details, the JWT will automatically be updated within the user's current session.