Users

ZITADEL knows two different types of users: Users (Human) and Service Users (Machine Accounts)

📄️ Get User History

Returns a list of changes/events that have happened on the user. It's the history of the user. Make sure to send a limit.

📄️ Create User (Machine)

Create a new user with the type machine for your API, service or device. These users are used for non-interactive authentication flows.

📄️ Change user name

Change the username of the user. Be aware that the user has to log in with the newly added username afterward

📄️ Get User Metadata By Key

Get a metadata object from a user by a specific key.

📄️ Delete User Metadata By Key

Remove a metadata object from a user with a specific key.

📄️ Set User Metadata

This endpoint either adds or updates a metadata value for the requested key. Make sure the value is base64 encoded.

📄️ Bulk Delete Metadata

Remove a list of metadata objects from a user with a list of keys.

📄️ Bulk Set User Metadata

Add or update multiple metadata values for a user. Make sure the values are base64 encoded.

📄️ Search User Metadata

Get the metadata of a user filtered by your query.

📄️ Update User Phone (Human)

Change the phone number of a user. If the state is set to not verified, the user will get an SMS to verify (if a notification provider is configured). The phone number is only for informational purposes and to send messages, not for Authentication (2FA).

📄️ Delete User Avatar (Human)

Removes the avatar that is currently set on the user.

📄️ Update Machine User

Change a service account/machine user. It is used for accounts with non-interactive authentication possibilities.

📄️ Delete Secret of Machine User

Delete a secret of a machine user/service account. The user will not be able to authenticate with the secret afterward.

📄️ Create Secret for Machine User

Create a new secret for a machine user/service account. It is used to authenticate the user (client credential grant).

📄️ Get Machine user Key By ID

Get a specific Key of a machine user by its id. Machine keys are used to authenticate with jwt profile authentication.

📄️ Delete Key for machine user

Delete a specific key from a user.

📄️ List Machine Keys

Get the list of keys of a machine user. Machine keys are used to authenticate with jwt profile authentication.

📄️ Create Key for machine user

If a public key is not supplied, a new key is generated and will be returned in the response.

📄️ Get Personal-Access-Token (PAT) by ID

Returns the PAT for a user, currently only available for machine users/service accounts. PATs are ready-to-use tokens and can be sent directly in the authentication header.

📄️ Remove a Personal-Access-Token (PAT) by ID

Delete a PAT from a user. Afterward, the user will not be able to authenticate with that token anymore.

📄️ List Personal-Access-Tokens (PATs)

Returns a list of PATs for a user, currently only available for machine users/service accounts. PATs are ready-to-use tokens and can be sent directly in the authentication header.

📄️ Create a Personal-Access-Token (PAT)

Generates a new PAT for the user. Currently only available for machine users.

📄️ List ZITADEL Permissions

Show all the permissions the user has in ZITADEL (ZITADEL Manager).

📄️ User by ID

Returns the full user object (human or machine) including the profile, email, etc.

📄️ Delete user

The state of the user will be changed to 'deleted'. The user will not be able to log in anymore. Endpoints requesting this user will return an error 'User not found.

📄️ Get User by login name (globally)

Get a user by login name searched over all organizations. The request only returns data if the login name matches exactly.

📄️ Search Users

Search for users within an organization. By default, we will return users of your organization. Make sure to include a limit and sorting for pagination.

📄️ Check for existing user

Returns if a user with the requested email or username is unique. So you can create the user.

📄️ Create User (Human)

Deprecated: use [ImportHumanUser](apis/resources/mgmt/management-service-import-human-user.api.mdx) instead.

📄️ Create/Import User (Human)

Deprecated: use [UpdateHumanUser](apis/resources/user_service_v2/user-service-update-human-user.api.mdx) instead.

📄️ Deactivate user

The state of the user will be changed to 'deactivated'. The user will not be able to log in anymore. The endpoint returns an error if the user is already in the state 'deactivated'. Use deactivate user when the user should not be able to use the account anymore, but you still need access to the user data.

📄️ Reactivate user

Reactivate a user with the state 'deactivated'. The user will be able to log in again afterward. The endpoint returns an error if the user is not in the state 'deactivated'.

📄️ Lock user

The state of the user will be changed to 'locked'. The user will not be able to log in anymore. The endpoint returns an error if the user is already in the state 'locked'. Use this endpoint if the user should not be able to log in temporarily because of an event that happened (wrong password, etc.),

📄️ Unlock user

Unlock a user with the state 'locked'. The user will be able to log in again afterward. The endpoint returns an error if the user is not in the state 'locked'.

📄️ Get User Profile (Human)

Get basic information like first_name and last_name of a user.

📄️ Update User Profile (Human)

Deprecated: use [user service v2 UpdateHumanUser](apis/resources/user_service_v2/user-service-update-human-user.api.mdx) instead.

📄️ Get User Email (Human)

Get the email address and the verification state of the address.

📄️ Update User Email (Human)

Deprecated: use [user service v2 SetEmail](apis/resources/user_service_v2/user-service-set-email.api.mdx) instead.

📄️ Resend User Initialization Email

A newly created user will get an initialization email to verify the email address and set a password. Resend the email with this request to the user's email address, or a newly added address.

📄️ Resend User Email Verification

Deprecated: use [user service v2 ResendEmailCode](apis/resources/user_service_v2/user-service-resend-email-code.api.mdx) instead.

📄️ Get User Phone (Human)

Get the phone number and the verification state of the number. The phone number is only for informational purposes and to send messages, not for Authentication (2FA).

📄️ Remove User Phone (Human)

Deprecated: use user service v2 [user service v2 SetPhone](apis/resources/user_service_v2/user-service-set-phone.api.mdx) instead.

📄️ Resend User Phone Verification

Deprecated: use user service v2 [user service v2 ResendPhoneCode](apis/resources/user_service_v2/user-service-resend-phone-code.api.mdx) instead.

📄️ Set Human Initial Password

Deprecated: use [user service v2 SetPassword](apis/resources/user_service_v2/user-service-set-password.api.mdx) instead.

📄️ Set User Password

Deprecated: use [user service v2 SetPassword](apis/resources/user_service_v2/user-service-set-password.api.mdx) instead.

📄️ Send Reset Password Notification

Deprecated: use [user service v2 PasswordReset](apis/resources/user_service_v2/user-service-password-reset.api.mdx) instead.

📄️ Get User Authentication Factors (2FA/MFA)

Get a list of authentication factors the user has set. Including Second Factors (2FA) and Multi-Factors (MFA).

📄️ Remove Multi-Factor OTP

Remove the configured One-Time Password (OTP) as a factor from the user. OTP is an authentication app, like Authy or Google/Microsoft Authenticator.

📄️ Remove Multi-Factor U2F

Remove the configured Universal Second Factor (U2F) as a factor from the user. U2F is a device-dependent factor like FingerPrint, Windows-Hello, etc.

📄️ Remove Multi-Factor OTP SMS

Remove the configured One-Time Password (OTP) SMS as a factor from the user. As only one OTP SMS per user is allowed, the user will not have OTP SMS as a second factor afterward.

📄️ Remove Multi-Factor OTP SMS

Remove the configured One-Time Password (OTP) Email as a factor from the user. As only one OTP Email per user is allowed, the user will not have OTP Email as a second factor afterward.

📄️ Search Passwordless/Passkey authentication

Get a list of configured passwordless/passkey authentication methods from the user. Passwordless/passkey is a device-dependent authentication like FingerScan, WindowsHello or a Hardware Token.

📄️ Add Passwordless/Passkey Registration Link

Adds a new passwordless/passkey authenticator link to the user and returns it in the response. The link enables the user to register a new device if current passwordless/passkey devices are all platform authenticators. e.g. User has already registered Windows Hello and wants to register FaceID on the iPhone

📄️ Send Passwordless/Passkey Registration Link

Adds a new passwordless/passkey authenticator link to the user and sends it to the user per email. The link enables the user to register a new device if current passwordless/passkey devices are all platform authenticators. e.g. User has already registered Windows Hello and wants to register FaceID on the iPhone.

📄️ Delete Passwordless/Passkey

Remove a configured passwordless/passkey authentication method from the user. (e.g FaceID, FingerScane, WindowsHello, etc.).

📄️ List Social Logins

Returns a list of all linked identity providers/social logins of the user. (e. Google, Microsoft, AzureAD, etc.).

📄️ Remove Social Login

Remove a configured social logins/identity providers of the user (e.g. Google, Microsoft, AzureAD, etc.). The user will not be able to log in with the given provider afterward. Make sure the user does have other possibilities to authenticate.