User by ID

GET /v3alpha/users/:userId

Returns the user identified by the requested ID.

Request

Path Parameters

userId stringrequired

unique identifier of the user.

Responses

200
403
404
default

User successfully retrieved

application/json
application/grpc
application/grpc-web+proto

Schema
Example (from schema)

Schema

user

object

userId string

ID is the read-only unique identifier of the user.

details

object

Details provide some base information (such as the last change date) of the user.

sequence uint64

on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation

changeDate date-time

on read: the timestamp of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation

resourceOwner resource_owner is the organization or instance_id an object belongs to (string)

authenticators

object

The user's authenticators. They are used to identify and authenticate the user during the authentication process.

usernames

object[]

All of the user's usernames, which will be used for identification during authentication.

Array [

usernameId string

unique identifier of the username.

username string

The user's unique username. It is used for identification during authentication.

isOrganizationSpecific boolean

By default usernames must be unique across all organizations in an instance. This option allow to restrict the uniqueness to the user's own organization. As a result, this username can only be used if the authentication is limited to the corresponding organization.

This can be useful if you provide multiple usernames for a single user, where one if specific to your organization, e.g.:

gigi-giraffe@zitadel.com (unique across organizations)
gigi-giraffe (unique only inside the ZITADEL organization)

]

password

object

If the user has set a password, the time it was last changed will be returned.

lastChanged date-time

States the time the password was last changed.

webAuthN

object[]

Meta information about the user's WebAuthN authenticators.

Array [

webAuthNId string

unique identifier of the WebAuthN authenticator.

name string

Name of the WebAuthN authenticator. This is used for easier identification.

isVerified boolean

State whether the WebAuthN registration has been completed.

userVerified boolean

States if the user has been verified during the registration. Authentication with this device will be considered as multi factor authentication (MFA) without the need to check a password (typically known as Passkeys). Without user verification it will be a second factor authentication (2FA), typically done after a password check.

More on WebAuthN User Verification: https://www.w3.org/TR/webauthn/#user-verification

]

totps

object[]

A list of the user's time-based one-time-password (TOTP) authenticators, incl. the name for identification.

Array [

totpId string

unique identifier of the time-based one-time-password (TOTP) authenticator.

name string

The name provided during registration. This is used for easier identification.

isVerified boolean

State whether the TOTP registration has been completed.

]

otpSms

object[]

A list of the user's one-time-password (OTP) SMS authenticators.

Array [

otpSmsId string

unique identifier of the one-time-password (OTP) SMS authenticator.

phone string

The phone number used for the OTP SMS authenticator.

isVerified boolean

State whether the OTP SMS registration has been completed.

]

otpEmail

object[]

A list of the user's one-time-password (OTP) Email authenticators.

Array [

otpEmailId string

unique identifier of the one-time-password (OTP) Email authenticator.

address string

The email address used for the OTP Email authenticator.

isVerified boolean

State whether the OTP Email registration has been completed.

]

authenticationKeys

object[]

A list of the user's authentication keys. They can be used to authenticate e.g. by JWT Profile.

Array [

authenticationKeyId string

ID is the read-only unique identifier of the authentication key.

details

object

sequence uint64

on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation

changeDate date-time

on read: the timestamp of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation

resourceOwner resource_owner is the organization or instance_id an object belongs to (string)

type the file type of the key (string)

Possible values: [AUTHN_KEY_TYPE_UNSPECIFIED, AUTHN_KEY_TYPE_JSON]

Default value: AUTHN_KEY_TYPE_UNSPECIFIED

expirationDate date-time

After the expiration date, the key will no longer be usable for authentication.

]

identityProviders

object[]

A list of the user's linked identity providers (IDPs).

Array [

idpId string

IDP ID is the read-only unique identifier of the identity provider in ZITADEL.

idpName string

IDP name is the name of the identity provider in ZITADEL.

userId string

The user ID represents the ID provided by the identity provider. This ID is used to link the user in ZITADEL with the identity provider.

username string

The username represents the username provided by the identity provider.

]

contact

object

Contact information for the user. ZITADEL will use this in case of internal notifications.

email

object

Email contact information of the user.

address string

Email address of the user.

isVerified boolean

IsVerified states if the email address has been verified to belong to the user.

phone

object

Phone contact information of the user.

number string

Phone number of the user.

isVerified boolean

IsVerified states if the phone number has been verified to belong to the user.

state string

Possible values: [USER_STATE_UNSPECIFIED, USER_STATE_ACTIVE, USER_STATE_INACTIVE, USER_STATE_DELETED, USER_STATE_LOCKED]

Default value: USER_STATE_UNSPECIFIED

State of the user.

schema

object

The schema the user and it's data is based on.

id string

The unique identifier of the user schema.

type string

The human readable name of the user schema.

revision int64

The revision the user's data is based on of the revision.

data object

The user's data based on the provided schema.

{
  "user": {
    "userId": "69629012906488334",
    "details": {
      "sequence": "2",
      "changeDate": "2024-06-25T13:35:39.101Z",
      "resourceOwner": "69629023906488334"
    },
    "authenticators": {
      "usernames": [
        {
          "usernameId": "string",
          "username": "gigi-giraffe",
          "isOrganizationSpecific": true
        }
      ],
      "password": {
        "lastChanged": "2019-04-01T08:45:00.000000Z"
      },
      "webAuthN": [
        {
          "webAuthNId": "69629023906488334",
          "name": "fido key",
          "isVerified": true,
          "userVerified": true
        }
      ],
      "totps": [
        {
          "totpId": "69629023906488334",
          "name": "Google Authenticator",
          "isVerified": true
        }
      ],
      "otpSms": [
        {
          "otpSmsId": "69629023906488334",
          "phone": "+41791234567",
          "isVerified": true
        }
      ],
      "otpEmail": [
        {
          "otpEmailId": "69629023906488334",
          "address": "mini@mouse.com",
          "isVerified": true
        }
      ],
      "authenticationKeys": [
        {
          "authenticationKeyId": "69629023906488334",
          "details": {
            "sequence": "2",
            "changeDate": "2024-06-25T13:35:39.101Z",
            "resourceOwner": "69629023906488334"
          },
          "type": "KEY_TYPE_JSON",
          "expirationDate": "3019-04-01T08:45:00.000000Z"
        }
      ],
      "identityProviders": [
        {
          "idpId": "69629023906488334",
          "idpName": "google",
          "userId": "as-12-df-89",
          "username": "gigi.long-neck@gmail.com"
        }
      ]
    },
    "contact": {
      "email": {
        "address": "mini@mouse.com",
        "isVerified": true
      },
      "phone": {
        "number": "+41791234567",
        "isVerified": true
      }
    },
    "state": "USER_STATE_UNSPECIFIED",
    "schema": {
      "id": "69629026806489455",
      "type": "employees",
      "revision": 7
    },
    "data": {}
  }
}

Schema
Example (from schema)

Schema

user

object

userId string

ID is the read-only unique identifier of the user.

details

object

Details provide some base information (such as the last change date) of the user.

sequence uint64

on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation

changeDate date-time

on read: the timestamp of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation

resourceOwner resource_owner is the organization or instance_id an object belongs to (string)

authenticators

object

The user's authenticators. They are used to identify and authenticate the user during the authentication process.

usernames

object[]

All of the user's usernames, which will be used for identification during authentication.

Array [

usernameId string

unique identifier of the username.

username string

The user's unique username. It is used for identification during authentication.

isOrganizationSpecific boolean

This can be useful if you provide multiple usernames for a single user, where one if specific to your organization, e.g.:

gigi-giraffe@zitadel.com (unique across organizations)
gigi-giraffe (unique only inside the ZITADEL organization)

]

password

object

If the user has set a password, the time it was last changed will be returned.

lastChanged date-time

States the time the password was last changed.

webAuthN

object[]

Meta information about the user's WebAuthN authenticators.

Array [

webAuthNId string

unique identifier of the WebAuthN authenticator.

name string

Name of the WebAuthN authenticator. This is used for easier identification.

isVerified boolean

State whether the WebAuthN registration has been completed.

userVerified boolean

More on WebAuthN User Verification: https://www.w3.org/TR/webauthn/#user-verification

]

totps

object[]

A list of the user's time-based one-time-password (TOTP) authenticators, incl. the name for identification.

Array [

totpId string

unique identifier of the time-based one-time-password (TOTP) authenticator.

name string

The name provided during registration. This is used for easier identification.

isVerified boolean

State whether the TOTP registration has been completed.

]

otpSms

object[]

A list of the user's one-time-password (OTP) SMS authenticators.

Array [

otpSmsId string

unique identifier of the one-time-password (OTP) SMS authenticator.

phone string

The phone number used for the OTP SMS authenticator.

isVerified boolean

State whether the OTP SMS registration has been completed.

]

otpEmail

object[]

A list of the user's one-time-password (OTP) Email authenticators.

Array [

otpEmailId string

unique identifier of the one-time-password (OTP) Email authenticator.

address string

The email address used for the OTP Email authenticator.

isVerified boolean

State whether the OTP Email registration has been completed.

]

authenticationKeys

object[]

A list of the user's authentication keys. They can be used to authenticate e.g. by JWT Profile.

Array [

authenticationKeyId string

ID is the read-only unique identifier of the authentication key.

details

object

sequence uint64

on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation

changeDate date-time

on read: the timestamp of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation

resourceOwner resource_owner is the organization or instance_id an object belongs to (string)

type the file type of the key (string)

Possible values: [AUTHN_KEY_TYPE_UNSPECIFIED, AUTHN_KEY_TYPE_JSON]

Default value: AUTHN_KEY_TYPE_UNSPECIFIED

expirationDate date-time

After the expiration date, the key will no longer be usable for authentication.

]

identityProviders

object[]

A list of the user's linked identity providers (IDPs).

Array [

idpId string

IDP ID is the read-only unique identifier of the identity provider in ZITADEL.

idpName string

IDP name is the name of the identity provider in ZITADEL.

userId string

The user ID represents the ID provided by the identity provider. This ID is used to link the user in ZITADEL with the identity provider.

username string

The username represents the username provided by the identity provider.

]

contact

object

Contact information for the user. ZITADEL will use this in case of internal notifications.

email

object

Email contact information of the user.

address string

Email address of the user.

isVerified boolean

IsVerified states if the email address has been verified to belong to the user.

phone

object

Phone contact information of the user.

number string

Phone number of the user.

isVerified boolean

IsVerified states if the phone number has been verified to belong to the user.

state string

Possible values: [USER_STATE_UNSPECIFIED, USER_STATE_ACTIVE, USER_STATE_INACTIVE, USER_STATE_DELETED, USER_STATE_LOCKED]

Default value: USER_STATE_UNSPECIFIED

State of the user.

schema

object

The schema the user and it's data is based on.

id string

The unique identifier of the user schema.

type string

The human readable name of the user schema.

revision int64

The revision the user's data is based on of the revision.

data object

The user's data based on the provided schema.

{
  "user": {
    "userId": "69629012906488334",
    "details": {
      "sequence": "2",
      "changeDate": "2024-06-25T13:35:39.104Z",
      "resourceOwner": "69629023906488334"
    },
    "authenticators": {
      "usernames": [
        {
          "usernameId": "string",
          "username": "gigi-giraffe",
          "isOrganizationSpecific": true
        }
      ],
      "password": {
        "lastChanged": "2019-04-01T08:45:00.000000Z"
      },
      "webAuthN": [
        {
          "webAuthNId": "69629023906488334",
          "name": "fido key",
          "isVerified": true,
          "userVerified": true
        }
      ],
      "totps": [
        {
          "totpId": "69629023906488334",
          "name": "Google Authenticator",
          "isVerified": true
        }
      ],
      "otpSms": [
        {
          "otpSmsId": "69629023906488334",
          "phone": "+41791234567",
          "isVerified": true
        }
      ],
      "otpEmail": [
        {
          "otpEmailId": "69629023906488334",
          "address": "mini@mouse.com",
          "isVerified": true
        }
      ],
      "authenticationKeys": [
        {
          "authenticationKeyId": "69629023906488334",
          "details": {
            "sequence": "2",
            "changeDate": "2024-06-25T13:35:39.104Z",
            "resourceOwner": "69629023906488334"
          },
          "type": "KEY_TYPE_JSON",
          "expirationDate": "3019-04-01T08:45:00.000000Z"
        }
      ],
      "identityProviders": [
        {
          "idpId": "69629023906488334",
          "idpName": "google",
          "userId": "as-12-df-89",
          "username": "gigi.long-neck@gmail.com"
        }
      ]
    },
    "contact": {
      "email": {
        "address": "mini@mouse.com",
        "isVerified": true
      },
      "phone": {
        "number": "+41791234567",
        "isVerified": true
      }
    },
    "state": "USER_STATE_UNSPECIFIED",
    "schema": {
      "id": "69629026806489455",
      "type": "employees",
      "revision": 7
    },
    "data": {}
  }
}

Schema
Example (from schema)

Schema

user

object

userId string

ID is the read-only unique identifier of the user.

details

object

Details provide some base information (such as the last change date) of the user.

sequence uint64

on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation

changeDate date-time

on read: the timestamp of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation

resourceOwner resource_owner is the organization or instance_id an object belongs to (string)

authenticators

object

The user's authenticators. They are used to identify and authenticate the user during the authentication process.

usernames

object[]

All of the user's usernames, which will be used for identification during authentication.

Array [

usernameId string

unique identifier of the username.

username string

The user's unique username. It is used for identification during authentication.

isOrganizationSpecific boolean

This can be useful if you provide multiple usernames for a single user, where one if specific to your organization, e.g.:

gigi-giraffe@zitadel.com (unique across organizations)
gigi-giraffe (unique only inside the ZITADEL organization)

]

password

object

If the user has set a password, the time it was last changed will be returned.

lastChanged date-time

States the time the password was last changed.

webAuthN

object[]

Meta information about the user's WebAuthN authenticators.

Array [

webAuthNId string

unique identifier of the WebAuthN authenticator.

name string

Name of the WebAuthN authenticator. This is used for easier identification.

isVerified boolean

State whether the WebAuthN registration has been completed.

userVerified boolean

More on WebAuthN User Verification: https://www.w3.org/TR/webauthn/#user-verification

]

totps

object[]

A list of the user's time-based one-time-password (TOTP) authenticators, incl. the name for identification.

Array [

totpId string

unique identifier of the time-based one-time-password (TOTP) authenticator.

name string

The name provided during registration. This is used for easier identification.

isVerified boolean

State whether the TOTP registration has been completed.

]

otpSms

object[]

A list of the user's one-time-password (OTP) SMS authenticators.

Array [

otpSmsId string

unique identifier of the one-time-password (OTP) SMS authenticator.

phone string

The phone number used for the OTP SMS authenticator.

isVerified boolean

State whether the OTP SMS registration has been completed.

]

otpEmail

object[]

A list of the user's one-time-password (OTP) Email authenticators.

Array [

otpEmailId string

unique identifier of the one-time-password (OTP) Email authenticator.

address string

The email address used for the OTP Email authenticator.

isVerified boolean

State whether the OTP Email registration has been completed.

]

authenticationKeys

object[]

A list of the user's authentication keys. They can be used to authenticate e.g. by JWT Profile.

Array [

authenticationKeyId string

ID is the read-only unique identifier of the authentication key.

details

object

sequence uint64

on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation

changeDate date-time

on read: the timestamp of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation

resourceOwner resource_owner is the organization or instance_id an object belongs to (string)

type the file type of the key (string)

Possible values: [AUTHN_KEY_TYPE_UNSPECIFIED, AUTHN_KEY_TYPE_JSON]

Default value: AUTHN_KEY_TYPE_UNSPECIFIED

expirationDate date-time

After the expiration date, the key will no longer be usable for authentication.

]

identityProviders

object[]

A list of the user's linked identity providers (IDPs).

Array [

idpId string

IDP ID is the read-only unique identifier of the identity provider in ZITADEL.

idpName string

IDP name is the name of the identity provider in ZITADEL.

userId string

The user ID represents the ID provided by the identity provider. This ID is used to link the user in ZITADEL with the identity provider.

username string

The username represents the username provided by the identity provider.

]

contact

object

Contact information for the user. ZITADEL will use this in case of internal notifications.

email

object

Email contact information of the user.

address string

Email address of the user.

isVerified boolean

IsVerified states if the email address has been verified to belong to the user.

phone

object

Phone contact information of the user.

number string

Phone number of the user.

isVerified boolean

IsVerified states if the phone number has been verified to belong to the user.

state string

Possible values: [USER_STATE_UNSPECIFIED, USER_STATE_ACTIVE, USER_STATE_INACTIVE, USER_STATE_DELETED, USER_STATE_LOCKED]

Default value: USER_STATE_UNSPECIFIED

State of the user.

schema

object

The schema the user and it's data is based on.

id string

The unique identifier of the user schema.

type string

The human readable name of the user schema.

revision int64

The revision the user's data is based on of the revision.

data object

The user's data based on the provided schema.

{
  "user": {
    "userId": "69629012906488334",
    "details": {
      "sequence": "2",
      "changeDate": "2024-06-25T13:35:39.107Z",
      "resourceOwner": "69629023906488334"
    },
    "authenticators": {
      "usernames": [
        {
          "usernameId": "string",
          "username": "gigi-giraffe",
          "isOrganizationSpecific": true
        }
      ],
      "password": {
        "lastChanged": "2019-04-01T08:45:00.000000Z"
      },
      "webAuthN": [
        {
          "webAuthNId": "69629023906488334",
          "name": "fido key",
          "isVerified": true,
          "userVerified": true
        }
      ],
      "totps": [
        {
          "totpId": "69629023906488334",
          "name": "Google Authenticator",
          "isVerified": true
        }
      ],
      "otpSms": [
        {
          "otpSmsId": "69629023906488334",
          "phone": "+41791234567",
          "isVerified": true
        }
      ],
      "otpEmail": [
        {
          "otpEmailId": "69629023906488334",
          "address": "mini@mouse.com",
          "isVerified": true
        }
      ],
      "authenticationKeys": [
        {
          "authenticationKeyId": "69629023906488334",
          "details": {
            "sequence": "2",
            "changeDate": "2024-06-25T13:35:39.107Z",
            "resourceOwner": "69629023906488334"
          },
          "type": "KEY_TYPE_JSON",
          "expirationDate": "3019-04-01T08:45:00.000000Z"
        }
      ],
      "identityProviders": [
        {
          "idpId": "69629023906488334",
          "idpName": "google",
          "userId": "as-12-df-89",
          "username": "gigi.long-neck@gmail.com"
        }
      ]
    },
    "contact": {
      "email": {
        "address": "mini@mouse.com",
        "isVerified": true
      },
      "phone": {
        "number": "+41791234567",
        "isVerified": true
      }
    },
    "state": "USER_STATE_UNSPECIFIED",
    "schema": {
      "id": "69629026806489455",
      "type": "employees",
      "revision": 7
    },
    "data": {}
  }
}

Returned when the user does not have permission to access the resource.

application/json
application/grpc
application/grpc-web+proto

Schema
Example (from schema)

Schema

code int32

message string

details

object[]

Array [

@type string

]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32

message string

details

object[]

Array [

@type string

]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32

message string

details

object[]

Array [

@type string

]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Returned when the resource does not exist.

application/json
application/grpc
application/grpc-web+proto

Schema
Example (from schema)

Schema

code int32

message string

details

object[]

Array [

@type string

]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32

message string

details

object[]

Array [

@type string

]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32

message string

details

object[]

Array [

@type string

]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

An unexpected error response.

application/json
application/grpc
application/grpc-web+proto

Schema
Example (from schema)

Schema

code int32

message string

details

object[]

Array [

@type string

]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32

message string

details

object[]

Array [

@type string

]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32

message string

details

object[]

Array [

@type string

]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

User by ID

/v3alpha/users/:userId

Request​

Path Parameters

Responses​

Request

Responses