Class UsersManager

Assign permissions to a user. Assign Permissions to a User

Throws

Associate roles with a user. Assign roles to a user

Throws

Create a new user for a given database or passwordless connection.

Note: connection is required but other parameters such as email and password are dependent upon the type of connection. Create a User

Throws

Creates an authentication method for a given user. Authentication methods created via this endpoint will be auto confirmed and should already have verification completed.

Throws

Delete a user. Delete a User

Throws

Delete All Authenticators

Throws

Deletes an authentication method by ID

Throws

Deletes all authentication methods for the given user

Throws

Delete a multifactor configuration for a user. This forces the user to re-configure the multi-factor provider. Delete a User's Multi-factor Provider

Throws

Remove permissions from a user.

Remove Permissions from a User

Throws

Delete all refresh tokens for a user. Delete refresh tokens for a user

Throws

Remove roles from a user. Removes roles from a user

Throws

Delete all sessions for a user. Delete sessions for user

Throws

Retrieve user details. A list of fields to include or exclude may also be specified. Get a User

Throws

Retrieve details of users. It is possible to:

• Specify a search criteria for users
• Sort the users to be returned
• Select the fields to be returned
• Specify the number of users to retrieve per page and the page index The q query parameter can be used to get users that match the specified criteria using query string syntax.

Learn more about searching for users.

Read about best practices when working with the API endpoints for retrieving users.

Auth0 limits the number of users you can return. If you exceed this threshold, please redefine your search, use the export job, or the User Import / Export extension.

List or Search Users

Throws

Gets an authentication method by ID.

Throws

Gets a list of authentication methods

Throws

Retrieve the first confirmed Guardian enrollment for a user. Get the First Confirmed Multi-factor Authentication Enrollment

Throws

Retrieve log events for a specific user.

Note: For more information on all possible event types, their respective acronyms and descriptions, see Log Event Type Codes.

For more information on the list of fields that can be used in sort, see Searchable Fields.

Auth0 limits the number of logs you can return by search criteria to 100 logs per request. Furthermore, you may only paginate through up to 1,000 search results. If you exceed this threshold, please redefine your search. Get user's log events

Throws

Retrieve all permissions associated with the user. Get a User's Permissions

Throws

Retrieve details for a user's refresh tokens. Get refresh tokens for a user

Throws

List the the roles associated with a user. Get a user's roles

Throws

Retrieve details for a user's sessions. Get sessions for user

Throws

This endpoint will retrieve all organizations that the specified user is a member of.

List user's organizations

Throws

Invalidate all remembered browsers across all authentication factors for a user. Invalidate All Remembered Browsers for Multi-factor Authentication

Throws

Link two user accounts together forming a primary and secondary relationship. On successful linking, the endpoint returns the new array of the primary account identities.

Note: There are two ways of invoking the endpoint:

• With the authenticated primary account's JWT in the Authorization header, which has the update:current_user_identities scope:

        POST /api/v2/users/PRIMARY_ACCOUNT_USER_ID/identities
        Authorization: "Bearer PRIMARY_ACCOUNT_JWT"
        {
          "link_with": "SECONDARY_ACCOUNT_JWT"
        }
      

  In this case, only the link_with param is required in the body, which also contains the JWT obtained upon the secondary account's authentication.
• With a token generated by the API V2 containing the update:users scope:

      POST /api/v2/users/PRIMARY_ACCOUNT_USER_ID/identities
      Authorization: "Bearer YOUR_API_V2_TOKEN"
      {
        "provider": "SECONDARY_ACCOUNT_PROVIDER",
        "connection_id": "SECONDARY_ACCOUNT_CONNECTION_ID(OPTIONAL)",
        "user_id": "SECONDARY_ACCOUNT_USER_ID"
      }
      

  In this case you need to send provider and user_id in the body. Optionally you can also send the connection_id param which is suitable for identifying a particular database connection for the 'auth0' provider.

Link a User Account

Throws

Remove the current multi-factor authentication recovery code and generate a new one. Generate New Multi-factor Authentication Recovery Code

Throws

Unlink an identity from the target user making it a separate user account again. Unlink a User Identity

Throws

Update a user.

These are the attributes that can be updated at the root level:

• app_metadata
• blocked
• email
• email_verified
• family_name
• given_name
• name
• nickname
• password
• phone_number
• phone_verified
• picture
• username
• user_metadata
• verify_email

Some considerations:

• The properties of the new object will replace the old ones.
• The metadata fields are an exception to this rule (user_metadata and app_metadata). These properties are merged instead of being replaced but be careful, the merge only occurs on the first level.
• If you are updating email, email_verified, phone_number, phone_verified, username or password of a secondary identity, you need to specify the connection property too.
• If you are updating email or phone_number you can specify, optionally, the client_id property.
• Updating email_verified is not supported for enterprise and passwordless sms connections.
• Updating the blocked to false does not affect the user's blocked state from an excessive amount of incorrectly provided credentials. Use the "Unblock a user" endpoint from the "User Blocks" API to change the user's state.

Updating a field (non-metadata property)

To mark the email address of a user as verified, the body to send should be:

{ "email_verified": true }

Updating a user metadata root property

Let's assume that our test user has the following user_metadata:

{ "user_metadata" : { "profileCode": 1479 } }

To add the field addresses the body to send should be:

{ "user_metadata" : { "addresses": {"work_address": "100 Industrial Way"} }}

The modified object ends up with the following user_metadata property:

{
  "user_metadata": {
    "profileCode": 1479,
    "addresses": { "work_address": "100 Industrial Way" }
  }
}

Updating an inner user metadata property

If there's existing user metadata to which we want to add "home_address": "742 Evergreen Terrace" (using the addresses property) we should send the whole addresses object. Since this is a first-level object, the object will be merged in, but its own properties will not be. The body to send should be:

{
  "user_metadata": {
    "addresses": {
      "work_address": "100 Industrial Way",
      "home_address": "742 Evergreen Terrace"
    }
  }
}

The modified object ends up with the following user_metadata property:

{
  "user_metadata": {
    "profileCode": 1479,
    "addresses": {
      "work_address": "100 Industrial Way",
      "home_address": "742 Evergreen Terrace"
    }
  }
}

Update a User

Throws

Updates an authentication method.

Throws

Updates all authentication methods by replacing them with the given ones.

Throws