The Userfront API is an HTTPS-only API served by Userfront. It is used to make programmatic requests to Userfront regarding users, tenants, access control, and more.

Each request to the Userfront API must be accompanied by a valid JWT access token.

Userfront Client-to-Server API Documentation

Log in with a password and email/username

The user's password. Password must be at least 16 characters OR at least 8 characters including a number and a letter.

password

emailOrUsername

tenantId

options

By default, Userfront sends a password reset email when a user without a password attempts to log in with a password. If noResetEmail is set to true, Userfront does not send a password reset email and instead returns an error for incorrect password.

options.noResetEmail

Set a new password for a user with their existing password and JWT access token

New password to set. Password must be at least 16 characters OR at least 8 characters including a number and a letter.

The user's existing (old) password. Required if the user has an existing password.

existingPassword

Send a verification code by a given channel

channel

The user's email address. Used only when verification code is a first factor.

email

Phone number in E.164 format. Used only when verification code is a first factor.

phoneNumber

The user's username. Used only when verification code is used to register a new user.

username

The user's first and last name. Used only when verification code is used to register a new user.

name

The user's email address. Used only when verification code is used to register a new user.

data

Unique numerical identifier for the user. Used only when admin is sending on behalf of another user.

userId

userUuid

verificationCode

Log in with a verification code sent by the upstream service

Register a new user with email & password.

The user's username. If not provided, one is created automatically.

A flexible JSON object for saving additional user data.

When set to true, the user must log in with MFA.

isMfaRequired

The factor preferred by the user for their first login step.

preferredFirstFactor

The factor preferred by the user for their second login step.

preferredSecondFactor

If true, Userfront does not send a welcome or signup email when registering a new user.

options.noSignupEmail

Jane Doe

Demo Account

Find or register a new user with login link (passwordless)

redirect

A path to redirect the user to upon login.

options.redirect

Log in with the token & uuid from a login link

token

uuid

Generate an email link for user login, welcome, or verification.

The user's email address. Must be present if userId is not present.

Unique numerical identifier for the user. Must be present if email is not present.

options.type

The length of time before the link expires.

options.duration

Log out a user and invalidate their session

Obtain a new JWT access token with a refresh token.

Reset a user's password with the token & uuid sent in the password reset link

The new password to set for the user. Password must be at least 16 characters OR at least 8 characters including a number and a letter.

The origin to use in the link. Must be a live mode domain.

options.origin

SAMLRequest

Signature

SigAlg

RelayState

tenant_id

Read TOTP information, including QR code image and backup codes

A code generated by the TOTP Authenticator application.

totpCode

A single-use backup code, used to log in if the TOTP device is lost.

backupCode

Unique numerical identifier for the user. Used only when TOTP is a first factor.

Universal unique identifier (UUID) for the user. Used only when TOTP is a first factor.

Email or username to look up for login. Used only when TOTP is a first factor.

The user's email address. Used only when TOTP is a first factor.

The user's username. Used only when TOTP is a first factor.

Phone number in E.164 format. Used only when TOTP is a first factor.

The user's email address. To change a user's email address, use the new email address here along with their current userId or userUuid.

Unique numerical identifier for the user. Must include userId or userUuid.

Universal unique identifier (UUID) for the user. Must include userId or userUuid.

The phone number to verify. To change a user's phone number, use the new phone number here.

Unique numerical identifier for the user. Must include userId or userUuid to send a verification code on behalf of another user.

Universal unique identifier (UUID) for the user. Must include userId or userUuid to send a verification code on behalf of another user.

origin

John Doe

Delete the tenantKey included in the payload

Create a tenantKey of a given type (admin, readonly)

The type of API key ("admin", "readonly", "webhook")

type

Invalidate the tenantKey included in the payload

Verify a tenantKey using an admin tenantKey

Get all the tenantKeys of a given type (admin, readonly)

order

page

admin

member

Role name. Cannot begin or end with whitespace.

resource_owner

roles

The type of link to send in the invitation email.

The length of time before the invitation link expires.

image

Unique numerical identifier for the user.

Acme Group

The name of the tenant, which is displayed in the dashboard.

details

A flexible JSON object for saving additional tenant data.

Parent tenant

viewer

The order in which to return the results. Can be ascending or descending for the following: lastActiveAt (default), createdAt, updatedAt, or name. For example: createdAt_ASC or name_DESC.

A filter object for returning tenant results.

filters

brand

loginRedirectPath

logoutRedirectPath

passwordResetPath

signupRedirectPath

pkceLoginRedirectUri

userCreatedWebhookUrl

userUpdatedWebhookUrl

userDeletedWebhookUrl

tenantCreatedWebhookUrl

tenantUpdatedWebhookUrl

tenantDeletedWebhookUrl

verificationCodeSmsWebhookUrl

verificationCodeEmailWebhookUrl

linkEmailWebhookUrl

providerOrder

hasActivatedLiveMode

isPhoneNumberUnique

cookieOptionsSameSite

cookieOptionsPath

cookieOptionsSetDomain

allowNonHttpOnlyRefresh

dataRetentionMonths

Get all user import records for the given tenant

users

importUuid

When set to true, the user will not be able to log in or obtain new access tokens.

locked

The user's ID. Must include userId or userUuid.

The user's UUID. Must include userId or userUuid.

The user's email address. Required if creating a user.

The order in which to return the results. Can be ascending or descending for the following: lastActiveAt (default), createdAt, updatedAt, name, or username. For example: createdAt_ASC or name_DESC.

A filter object for returning user results.

Unique identifier for the user (userUuid also OK)

An array of roles to assign to the user. To remove all roles for a user, pass an empty array `{ roles: [] }`

Webhooks

#Authentication

#Users

#User created

Payload parameters

#User updated

Payload parameters

#User deleted

Payload parameters

#Tenants

#Tenant created

Payload parameters

#Tenant updated

Payload parameters

#Tenant deleted

Payload parameters