User Management
If you want to view the SDK documentation for User Management, click here.
User Identity
For each user created in your project, Descope assigns a unique identifier (userId) to the user; you cannot set or change the userId within the Descope UI, your application, or any API call.
Descope also stores an array of loginIds, which are used as the login identifier parameter in the different SDK/API calls (sign-in, sign-up, update, etc.) and can be an email, phone, or username. Descope has additional attributes in the user object, such as an email, phone, and name.
Note
If you're using phone numbers as a login ID and adding them through the Management SDK or User Management APIs, make sure that the phone numbers are formatted properly before adding them.
Custom User Attributes
Descope allows you to create custom attributes that can store further details about your users. You can create custom attributes within the user's page under the custom attributes tab.
Custom attributes can be of various types and store any data you want to store for the user. For example, this data could be a user's date of birth, location, etc. You can later use these attributes within custom claims, or load them for a user and display them within your application.
User Invite Flow
Descope supports the ability to invite users to your application. Before you invite users, you will need to configure the User Invitation Redirect URL within Project Settings.
You can invite users individually or in batches from the Users page. You can invite users in batches by importing a CSV or JSON file with user details. When you invite users via email, their email is labeled as verified. After inviting a user, the user's status will be Invited. Once the user has successfully signed into your application, the user's status will change to Active. You can re-invite users by clicking on the three dots action menu next to the user. This option will resend the invitation link if the user loses it or if it expires.
When creating your users, you can add them to roles. Additionally, if your application uses multi-tenancy, you can associate the users with the applicable tenant(s) when you invite them.
Learn more about customizing the user invite and details about user invites within this article.
User Merging
Descope supports the merging of user accounts. Merging accounts will be based on trusted email addresses. Within the Authentication Methods page of the Descope UI, Descopers can configure the Social Auth (OAuth) logins to merge with existing users. Within each of the Social Auth (OAuth) methods, Descopers can configure the merging of the users by enabling the toggle for Merge user accounts based on returned email address from provider. If the email address returned from the Social Auth (OAuth) provider matches an existing user, the Descope service will merge the accounts based on the user's email address.
Associating Multiple Login IDs for a User
Within your application, you may have users who sign up or sign in with an email authentication method but also use other methods that rely on SMS or Social Login. Descope allows these different auth methods to be nested into the same user by allowing multiple login IDs to be associated with the user. Storing multiple login IDs enables the user to log in with an email auth method, SMS auth method, and Social Login; all of the login IDs will be associated with the same user. The user can then log into your application using their email address or phone number as the login ID.
When utilizing the API or SDK, if you want to enable this feature, you will use the options AddToLoginIDs and OnMergeUseExisting. Setting AddToLoginIDs to true will enable the additional login IDs to be associated with the user. When OnMergeUseExisting is set to false, it will merge the users based on the new user's details. When OnMergeUseExisting is set to true, it will merge the users based on the existing user's details.
If you are utilizing flows, please see our Knowledge Base Article which covers implementing this feature within flows.
You can also associate multiple login IDs by utilizing the create, batch create, invite, or update functions below and passing the additional login IDs parameter.
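A simplified model of the merge behavior described above, as an added example that is not Descope's code and does not call the SDK. It assumes that the "existing" user is the one already holding the login ID, that the "new" user is the one the login ID is being added to, that the merged record carries only the chosen side's details, and that nothing is attached when AddToLoginIDs is false; User, add_login_id and demo are hypothetical names.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    login_ids: list                               # e.g. email, phone, username
    details: dict = field(default_factory=dict)   # e.g. name, email, phone

def add_login_id(new_user, login_id, users, add_to_login_ids, on_merge_use_existing):
    """Attach login_id to new_user; return the record it resolves to afterwards.

    `users` is the modelled project directory and is updated in place.
    """
    if not add_to_login_ids:
        return new_user  # assumption: the identifier is not attached, no merge
    existing = next((u for u in users
                     if u is not new_user and login_id in u.login_ids), None)
    if existing is None:  # nobody else holds it: simply associate it
        if login_id not in new_user.login_ids:
            new_user.login_ids.append(login_id)
        return new_user
    # Another user already holds login_id, so the two records are merged.
    keep, drop = ((existing, new_user) if on_merge_use_existing
                  else (new_user, existing))
    merged = User(
        login_ids=list(dict.fromkeys(keep.login_ids + drop.login_ids)),
        details=dict(keep.details),  # assumption: kept side's details only
    )
    users[:] = [u for u in users if u is not keep and u is not drop] + [merged]
    return merged

def demo(on_merge_use_existing):
    # Constructed sample data: one person who signed up twice.
    by_email = User(["alice@example.com"], {"name": "Alice A."})
    by_phone = User(["+15555550100"], {"name": "A. Example"})
    users = [by_email, by_phone]
    merged = add_login_id(by_email, "+15555550100", users,
                          add_to_login_ids=True,
                          on_merge_use_existing=on_merge_use_existing)
    return users, merged

if __name__ == "__main__":
    for flag in (False, True):
        users, merged = demo(flag)
        print(flag, len(users), merged.login_ids, merged.details)
```

In both runs a single record remains and both login IDs resolve to it; only the surviving details differ, which is the part to check against your own user data before choosing a value for OnMergeUseExisting.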
User Lifecycle
Users within Descope can be in one of three states: Active, Inactive, or Invited. An invited user can log into your application; once logged in, they will become active. Active users can log in and interact with your application based on their assigned roles. Once a user becomes deactivated, they will no longer be able to log into your application. Deactivated users will remain in the Descope project and may be reactivated if you choose to reactivate them. If you delete a user from your Descope project, the user will no longer be able to log into your application. Deleting users will remove their user details from the Descope project.
In some cases, such as when helping a user log out, the Descoper can force a logout on the user so they can log in again. This requirement arises in situations like suspicious activity, where the Descoper would want to force logout the user. This will log the user out from all the devices and sessions. This can be done by a Descoper with relevant permissions. This functionality is supported both in single-user and batch user actions. The action Force Logout comes under User Management in the Descope console. For this to be done via SDKs, see this, and for the Backend SDK refer to this documentation.
User's JWT Update Flow
When a user's details are updated, for example when additional roles are added or other items regarding the user's details change, the JWT will automatically be updated within the user's current session.