Authenticate
Manage Users
Customize
Auth0 AI
PlatformThe user data file used for bulk user imports must be in JSON format. It must contain an array of user objects matching the specified schema.Documentation Index
Fetch the complete documentation index at: https://auth-test.auth0-mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
User JSON schema
The following JSON schema describes valid users:{
"type": "object",
"properties": {
"email": {
"type": "string",
"description": "The user's email address.",
"format": "email"
},
"email_verified": {
"type": "boolean",
"default": false,
"description": "Indicates whether the user has verified their email address."
},
"user_id": {
"type": "string",
"description": "The user's unique identifier. This will be prepended by the connection strategy."
},
"username": {
"type": "string",
"description": "The user's username."
},
"given_name": {
"type": "string",
"description": "The user's given name."
},
"family_name": {
"type": "string",
"description": "The user's family name."
},
"name": {
"type": "string",
"description": "The user's full name."
},
"nickname": {
"type": "string",
"description": "The user's nickname."
},
"picture": {
"type": "string",
"description": "URL pointing to the user's profile picture."
},
"blocked": {
"type": "boolean",
"description": "Indicates whether the user has been blocked."
},
"password_hash": {
"type": "string",
"description": "Hashed password for the user. Passwords should be hashed using bcrypt $2a$ or $2b$ and have 10 saltRounds."
},
"custom_password_hash": {
"type": "object",
"description": "A more generic way to provide the users password hash. This can be used in lieu of the password_hash field when the users password hash was created with an alternate algorithm. Note that this field and password_hash are mutually exclusive.",
"properties": {
"algorithm": {
"type": "string",
"enum": [
"argon2",
"bcrypt",
"hmac",
"ldap",
"md4",
"md5",
"sha1",
"sha256",
"sha512",
"pbkdf2",
"scrypt"
],
"description": "The algorithm that was used to hash the password."
},
"hash": {
"type": "object",
"properties": {
"value": {
"type": "string",
"description": "The password hash."
},
"encoding": {
"type": "string",
"enum": [
"base64",
"hex",
"utf8"
],
"description": "The encoding of the provided hash. Note that both upper and lower case hex variants are supported, as well as url-encoded base64."
},
"digest": {
"type": "string",
"description": "The algorithm that was used to generate the HMAC hash",
"enum": [
"md4",
"md5",
"ripemd160",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"whirlpool"
]
},
"key": {
"type": "object",
"description": "The key that was used to generate the HMAC hash",
"required": [
"value"
],
"properties": {
"value": {
"type": "string",
"description": "The key value"
},
"encoding": {
"type": "string",
"enum": [
"base64",
"hex",
"utf8"
],
"default": "utf8",
"description": "The key encoding"
}
}
}
}
},
"salt": {
"type": "object",
"properties": {
"value": {
"type": "string",
"description": "The salt value used to generate the hash."
},
"encoding": {
"type": "string",
"enum": [
"base64",
"hex",
"utf8"
],
"default": "utf8",
"description": "The encoding of the provided salt. Note that both upper and lower case hex variants are supported, as well as url-encoded base64."
},
"position": {
"type": "string",
"enum": [
"prefix",
"suffix"
],
"default": "prefix",
"description": "The position of the salt when the hash was calculated. For example; MD5('salt' + 'password') = '67A1E09BB1F83F5007DC119C14D663AA' would have \"position\":\"prefix\"."
}
},
"required": [
"value"
]
},
"password": {
"type": "object",
"properties": {
"encoding": {
"type": "string",
"enum": [
"ascii",
"utf8",
"utf16le",
"ucs2",
"latin1",
"binary"
],
"default": "utf8",
"description": "The encoding of the password used to generate the hash. On login, the user-provided password will be transcoded from utf8 before being checked against the provided hash. For example; if your hash was generated from a ucs2 encoded string, then you would supply \"encoding\":\"ucs2\"."
}
}
},
"keylen": {
"type": "integer",
"description": "Desired key length in bytes for the scrypt hash. Must be an integer greater than zero. Required when algorithm is set to scrypt."
},
"cost": {
"type": "integer",
"default": 16384,
"description": "CPU/memory cost parameter used for the scrypt hash. Must be a power of two greater than one. Only used when algorithm is set to scrypt."
},
"blockSize": {
"type": "integer",
"default": 8,
"description": "Block size parameter used for the scrypt hash. Must be a positive integer. Only used when algorithm is set to scrypt."
},
"parallelization": {
"type": "integer",
"default": 1,
"description": "Parallelization parameter used for the scrypt hash. Must be a positive integer. Only used when algorithm is set to scrypt."
}
},
"required": [
"algorithm",
"hash"
],
"additionalProperties": false
},
"app_metadata": {
"type": "object",
"description": "Data related to the user that does affect the application's core functionality."
},
"user_metadata": {
"type": "object",
"description": "Data related to the user that does not affect the application's core functionality."
},
"mfa_factors": {
"type": "array",
"items": {
"type": "object",
"properties": {
"totp": {
"type": "object",
"properties": {
"secret": {
"type": "string",
"pattern": "^[A-Z2-7]+$",
"description": "The OTP secret is used with authenticator apps (Google Authenticator, Microsoft Authenticator, Authy, 1Password, LastPass). It must be supplied in un-padded Base32 encoding, such as: JBTWY3DPEHPK3PNP"
}
},
"additionalProperties": false,
"required": [
"secret"
]
},
"phone": {
"type": "object",
"properties": {
"value": {
"type": "string",
"pattern": "^\\+[0-9]{1,15}$",
"description": "The phone number for SMS MFA. The phone number should include a country code and begin with +, such as: +12125550001"
}
},
"additionalProperties": false,
"required": [
"value"
]
},
"email": {
"type": "object",
"properties": {
"value": {
"type": "string",
"format": "email",
"description": "The email address for MFA"
}
},
"additionalProperties": false,
"required": [
"value"
]
}
},
"maxProperties": 1,
"additionalProperties": false
},
"minItems": 1,
"maxItems": 10
}
},
"required": [
"email"
],
"additionalProperties": false
}
User object properties
Data that can affect the application’s core functionality or what the user can access. Data stored in
app_metadata cannot be edited by users. This may include things such as support plans, roles or access groups.For more information about metadata, read Understand How Metadata Works in User Profiles.Show prohibited properties
Show prohibited properties
app_metadata cannot contain the following properties:__tenant_idblockedclientIDcreated_atemail_verifiedemailglobalClientIDglobal_client_ididentitieslastIPlastLoginloginsCountmetadatamultifactor_last_modifiedmultifactorupdated_atuser_id
Whether the user has been blocked.
The user’s email address.
Indicates whether the user has verified their email address. Set to
false by default if email is updated by upsert but not email_verified.The user’s family name.
The user’s given name.
The user’s full name.
The user’s nickname.
URL pointing to the user’s profile picture.
The user’s unique identifier. This is prepended by the connection strategy.
Data that does not impact what users can or cannot access, such as work address, home address, or user preferences.For more information about metadata, read Understand How Metadata Works in User Profiles.
The user’s username.
Hashed password for the user’s connection.When users are created, Auth0 uses bcrypt to secure the password. Importing hashed passwords lets users keep their passwords for a smoother experience. Compatible passwords should be hashed using bcrypt
$2a$ or $2b$ and have 10 saltRounds.This property can only be provided when the user is first imported and cannot be updated later.A more generic way to provide the user’s password hash.You can use this field instead of the
password_hash field when the user’s password hash was created with an alternate algorithm. This field and password_hash are mutually exclusive.During the bulk import process, you can update the custom_password_hash if the user did not login using the initially imported custom_password_hash.Show children
Show children
The algorithm used to hash the password.Auth0 supports the following algorithms:
- Argon2
- bcrypt
- HMAC
- LDAP
- MD and SHA
- PBKDF2
- scrypt
When the
algorithm is set to argon2:hash.encodingmust beutf8.hash.saltis not allowed.hash.valuemust be in PHC string format, specified in P-H-C / phc-string-format on GitHub. It also must conform to the requirements specified in Auth0 / magic on GitHub.hash.valuemust include the base64 encoded salt (as specified in thePHCdocumentation).
When the
algorithm is set to bcrypt:-
hash.encodingmust beutf8. -
hash.saltis allowed in conjunction with with salt encoding and position. -
hash.valuemust include one of these prefixes:$2a$$2b$$2y$
$2$,$sha1$, and$2x$, are not supported at this time.
hello using a cost parameter of 10: $2b$10$nFguVi9LsCAcvTZFKQlRKeLVydo8ETv483lkNsSFI/Wl1Rz1Ypo1KThe bcrypt algorithm processes a maximum of 72 bytes of input when computing password hashes or performing comparisons and the length of salt.value counts towards the 72-byte input limit. Any input beyond the 72 byte limit is truncated; for example, if the salt consumes 10 bytes, the maximum password length for hashing or comparison is 62 bytes.Passwords longer than the reduced limit are truncated, potentially weakening password strength or introducing hash collisions. Always validate password lengths before hashing.When the
algorithm is set to hmac:hash.encodingmust be eitherhexorbase64.hash.digestis required and must be one of:md4md5ripemd160sha1sha224sha256sha384sha512whirlpool
hash.key.valueis required.hash.key.encodingmust be eitherbase64orhexorutf8.
When the
algorithm is set to ldap (RFC-2307 "userPassword"):hash.encodingmust beutf8.hash.saltis not allowed.hash.valuemust adhere to the format outlined in RFC-2307 section-5.3 on IETF Datatracker.- The scheme must be one of
md5|smd5|sha*|ssha*. See here for more info. The crypt scheme is not supported due to system/implementation dependent behavior. To learn more, read Open LDAP Admin Guide - 14.4.2. CRYPT password storage scheme.
When the
algorithm is set to md4, md5, sha1, sha256, or sha512:hash.encodingmust be eitherhexorbase64.
When the
algorithm is set to pbkdf2:hash.encodingmust beutf8.hash.saltis not allowed.hash.valueshould be in PHC string format, specified in P-H-C / phc-string-format on GitHub.hash.valuemust include the B64 encoded salt (base64 omitting padding characters=, as specified in thePHCdocumentation).hash.valueshould includei(iterations) andl(keylen) parameters. If these parameters are omitted, they will default toi=100000andl=64.- The
idshould be in apbkdf2-<digest>format (pbkdf2-sha512,pbkdf2-md5, etc). The supported digests are:RSA-MD4RSA-MD5RSA-MDC2RSA-RIPEMD160RSA-SHA1RSA-SHA1-2RSA-SHA224RSA-SHA256RSA-SHA384RSA-SHA512md4md4WithRSAEncryptionmd5md5WithRSAEncryptionmdc2mdc2WithRSAripemdripemd160ripemd160WithRSArmd160sha1sha1WithRSAEncryptionsha224sha224WithRSAEncryptionsha256sha256WithRSAEncryptionsha384sha384WithRSAEncryptionsha512sha512WithRSAEncryptionssl3-md5ssl3-sha1whirlpool
When the
algorithm is set to scrypt:hash.encodingmust be eitherhexorbase64.
Desired key length in bytes for the scrypt hash. Must be an integer greater than zero.
CPU/memory cost parameter used for the scrypt hash. Must be a power of two greater than one.
Block size parameter used for the scrypt hash. Must be a positive integer.
Parallelization parameter used for the scrypt hash. Must be a positive integer.
Show children
Show children
The password hash.
The encoding of the provided hash. Must be one of:
base64hexutf8
The algorithm used to generate the HMAC hash. Must be one of:
md4md5ripemd160sha1sha224sha256sha384sha512whirlpool
Show children
Show children
The salt value used to generate the hash.
The encoding of the provided salt. Must be one of:
base64hexutf8
The position of the salt when the hash was calculated.
The encoding of the password used to generate the hash. Must be one of:
asciiutf8utf16leucs2latin1binary
password.encoding before being checked against the provided hash. For example, if your hash was generated from a ucs2 encoded string, then you would set: "encoding": "ucs2"The multi-factor authentication (MFA) that can be used to authenticate this user. Importing enrollments prevents the need for users to re-enroll in MFA after they’re imported.The supported enrollment factors are email, SMS, and TOTP.
Show children
Show children
The phone number for SMS MFA. Must have a country code and begin with
+, such as "+12125550001".User data JSON examples
Basic example
Basic example
A file with the following contents is valid:
[
{
"email": "john.doe@example.com",
"email_verified": false,
"app_metadata": {
"roles": ["admin"],
"plan": "premium"
},
"user_metadata": {
"theme": "light"
}
}
]
Custom password hash examples
Custom password hash examples
Some example users with hashes provided:
[
{
"email": "antoinette@example.com",
"email_verified": false,
"custom_password_hash": {
"algorithm": "md4",
"hash": {
"value": "AbuUujgF0pPPkJPSFRTpmA==",
"encoding": "base64"
}
}
},
{
"email": "mary@example.com",
"email_verified": false,
"custom_password_hash": {
"algorithm": "sha256",
"hash": {
"value": "d24e794fce503c3ddb1cd1ba1dd5d9b250cf9917336a0316fefd87fecf79200f",
"encoding": "hex"
},
"salt": {
"value": "abc123",
"position": "prefix"
}
}
},
{
"email": "velma@example.com",
"email_verified": false,
"custom_password_hash": {
"algorithm": "bcrypt",
"hash": {
"value": "$2b$10$C9hB01.YxRSTcn/ZOOo4j.TW7xCKKFKBSF.C7E0xiUwumqIDqWUXG"
}
}
},
{
"email": "edward@example.com",
"email_verified": false,
"custom_password_hash": {
"algorithm": "argon2",
"hash": {
"value": "$argon2id$v=19$m=65536,t=2,p=1$J6Q/82PCyaNpYKRELJyTZg$m04qUAB8rexWDR4+/0f+SFB+4XMFxt7YAvAq2UycYos"
}
}
},
{
"email": "terrell@example.com",
"email_verified": false,
"custom_password_hash": {
"algorithm": "pbkdf2",
"hash": {
"value": "$pbkdf2-md4$i=100000,l=64$+N375B8q0Fw$fp2R9KAM4hK/votGHC5Fu+jhqbxUD8+Nic/EMSGvNC3UP/k7wSHI0uXluHRSkZfl/BOheYqNOemayG90ZaSSQw",
"encoding": "utf8"
}
}
},
{
"email": "cecil@example.com",
"email_verified": false,
"custom_password_hash": {
"algorithm": "pbkdf2",
"hash": {
"value": "$pbkdf2-sha512$i=100000,l=64$KNyFsA2rWoE$I2CQGI9H0JxdDf3kERRI97kPCGxh0KWBIV3MxyaS191gDGfzVBGyS4BibhgqWQ0/ails8mHuU9ckASxHOOq58w"
}
}
},
{
"email": "sean@example.com",
"email_verified": false,
"custom_password_hash": {
"algorithm": "ldap",
"hash": {
"value": "{SSHA384}/cgEjdoZh85DhurDeOQEMO1rMlAur93SVPbYe5XSD4lF7nNuvrBju5hUeg9A6agRemgSXGl5YuE=",
"encoding": "utf8"
}
}
},
{
"email": "peter@example.com",
"email_verified": false,
"custom_password_hash": {
"algorithm": "hmac",
"hash": {
"value": "cg7f42jH39/2EaAU4wNd4s2lKIk=",
"encoding": "base64",
"digest": "sha1",
"key": {
"value": "736868",
"encoding": "hex"
}
}
}
},
{
"email": "carmella@example.com",
"email_verified": false,
"custom_password_hash": {
"algorithm": "scrypt",
"hash": {
"value": "097f6197e1b41538f723e32aa7a68e8d76227d8e432ce5faa4882a913032db29",
"encoding": "hex"
},
"salt": {
"value": "abc123",
"encoding": "utf8"
},
"keylen": 32,
"cost": 4096
}
}
]
MFA factors examples
MFA factors examples
Some examples of users with MFA factors:
[
{
"email": "antoinette@example.com",
"mfa_factors": [
{
"totp": {
"secret": "2PRXZWZAYYDAWCD"
}
},
{
"phone": {
"value": "+15551112233"
}
},
{
"email": {
"value": "antoinette@example.org"
}
}
]
},
{
"email": "mary@example.com",
"mfa_factors": [
{
"totp": {
"secret": "JBTWY3DPEHPK3PNP"
}
}
]
},
{
"email": "velma@example.com",
"mfa_factors": [
{
"phone": {
"value": "+15551234567"
}
},
]
},
{
"email": "edward@example.com",
"mfa_factors": [
{
"email": {
"value": "edward@example.org"
}
}
]
}
]