API reference

The email to use for email magic links. This can be changed later via the update endpoint.

The phone number to use for one-time passcodes. This can be changed later via the update endpoint. The phone number should be in E.164 format.

The name of the user. Each field in the name object is optional.

Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. If true, users will be saved with status pending in Stytch's backend until authenticated. If false, users will be created as active. An example usage of a true flag would be to require users to verify their phone by entering the OTP code before creating an account for them.

Provided attributes help with fraud detection.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

The user object affected by this API call. See the Get user endpiont for complete response field detail.

Globally unique UUID that identifies a specific email address in the Stytch API. The email_id is used when you need to operate on a specific user's email address, e.g. to delete the email address from the Stytch user.

The status value denotes whether or not a user has successfully logged in at least once with any available login method.

Possible values are active and pending.

The number of users to return per page, the default is 100. A maximum of 1000 users can be returned by a single request. If the total size of your result is greater than one page size, you must paginate the response. See the cursor field below.

The cursor field allows you to paginate through your result responses. Each result array is limited to 1000 users, if your query returns more than 1000 users, you will need to paginate the responses using the cursor. If you receive a response that includes a non-null next_cursor in the results_metadata object, you should repeat the call, being sure to include all of the original fields, but pass in the next_cursor in the cursor field. Continue to make calls until the next_cursor in the response is null.

Note: Our client libraries have convenient helper functions to paginate for you.

The optional query object contains the operator, e.g. AND or OR, and the operands that will filter your users. Only an operator is required, if you include no operands, no filtering will be applied. Similarly if you include no query object, no filtering is applied and we'll return all of your users with no filtering applied.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

The User searchresults array contains a list of all of the user objects that match your query.

The User searchresults_metadata object contains metadata relevant to your specific query like total and next_cursor.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

The user_id for the user to fetch.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

The name object contains three values: first_name,middle_name,last_name.

The emails object contains an array of email objects for the user.

The phone_numbers array contains an array of phone number objects for the user.

The providers array contains an array of provider objects for the user, i.e. which OAuth providers the user has used to link their account.

The webauthn_registrations array contains a list of all WebAuthn registrations for a given user in the Stytch API.

The totps array contains a list of all TOTP instances for a given user in the Stytch API.

The crypto_wallets array contains a list of all crypto wallets that a user has linked via Stytch.

The timestamp of the user's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

The status value denotes whether or not a user has successfully logged in at least once with any available login method.

Possible values are active and pending.

The user_id to update.

The name of the user. If at least one name field is passed, all name fields will be updated.

Multiple emails can exist for one user. Add additional emails via this endpoint. To delete an email, use the delete user email endpoint.

Multiple phone numbers can exist for one user. Add additional phone numbers via this endpoint. To delete a phone number, use the delete user phone number endpoint.

Multiple crypto wallets can exist for a single user. You may add crypto wallets to a Stytch user via this endpoint, this endpoint accepts a list of crypto objects, i.e. a set of crypto_wallet_addresss and crypto_wallet_types.

To delete a crypto wallet, use the /users/crypto_wallets/CRYPTO_WALLET_ID endpoint.

Provided attributes help with fraud detection.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

The user object affected by this API call. See the Get user endpiont for complete response field detail.

The name object contains three values: first_name,middle_name,last_name.

The emails object contains an array of email objects for the user.

The phone_numbers array contains an array of phone number objects for the user.

The crypto_wallets array contains a list of all crypto wallets that a user has linked via Stytch.

The user_id to be deleted.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

The email_id to be deleted.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

The user object affected by this API call. See the Get user endpiont for complete response field detail.

The phone_id to be deleted.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

The user object affected by this API call. See the Get user endpiont for complete response field detail.

The webauthn_registration_id to be deleted.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

The user object affected by this API call. See the Get user endpiont for complete response field detail.

The totp_id to be deleted.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

The user object affected by this API call. See the Get user endpiont for complete response field detail.

The crypto_wallet_id to be deleted.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

The user object affected by this API call. See the Get user endpiont for complete response field detail.

The maximum number of users to be returned per API call.

The user ID to start after.

The email of the user to send the invite magic link to.

The URL that users click from the login email magic link. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's authenticate endpoint and finishes the login. If this value is not passed, the default login redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned.

The url the user clicks from the sign-up email magic link. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's authenticate endpoint and finishes the login. If this value is not passed, the default sign-up redirect URL that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned.

Set the expiration for the login email magic link, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins).

Set the expiration for the sign-up email magic link, in minutes. By default, it expires in 1 week. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins).

Provided attributes help with fraud detection. When authenticating a user's magic link token, you can require the IP address and/or the user agent to match that user's attributes when they originated the initial authentication request. To enable this functionality, you can use the options parameter in AuthenticateMagic.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

Globally unique UUID that identifies a specific email address in the Stytch API. The email_id is used when you need to operate on a specific user's email address, e.g. to delete the email address from the Stytch user.

The email of the user to send the invite magic link to.

The url the user clicks from the login email magic link. This should be a url that your app receives and parses and subsequently send an API request to authenticate the magic link and log in the user. If this value is not passed, the default login redirect URL that you set in your Dashboard is used. If you have not set a default login redirect URL, an error is returned.

The url the user clicks from the sign-up email magic link. This should be a url that your app receives and parses and subsequently send an api request to authenticate the magic link and sign-up the user. If this value is not passed, the default sign-up redirect URL that you set in your Dashboard is used. If you have not set a default sign-up redirect URL, an error is returned.

Set the expiration for the login email magic link, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins).

Set the expiration for the sign-up email magic link, in minutes. By default, it expires in 1 week. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins).

Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. If true, new users will be created with status pending in Stytch's backend. Their status will remain pending and they will continue to receive sign-up magic links until a magic link is authenticated for that user. If false, new users will be created with status active. They will receive a sign-up magic link for their first magic link but subsequent magic links will use the login email template, even if the user never authenticated their initial magic link.

Provided attributes help with fraud detection. When authenticating a user's magic link token, you can require the IP address and/or the user agent to match that user's attributes when they originated the initial authentication request. To enable this functionality, you can use the options parameter in AuthenticateMagic.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

Globally unique UUID that identifies a specific email address in the Stytch API. The email_id is used when you need to operate on a specific user's email address, e.g. to delete the email address from the Stytch user.

In login_or_create endpoints, this field indicates whether or not a user was freshly created or the user went through a login path.

The email of the user to send the invite magic link to.

The url the user clicks from the email magic link. This should be a url that your app receives and parses and subsequently send an api request to authenticate the magic link and log in the user. If this value is not passed, the default invite redirect URL that you set in your Dashboard is used. If you have not set a default invite redirect URL, an error is returned.

Set the expiration for the email magic link, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins).

The name of the user. Each field in the name object is optional.

Provided attributes help with fraud detection.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

Globally unique UUID that identifies a specific email address in the Stytch API. The email_id is used when you need to operate on a specific user's email address, e.g. to delete the email address from the Stytch user.

The email of the user to revoke invite for.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

The user ID for the magic link token.

Set the expiration for the magic token, in minutes. By default, it expires in 1 hour. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins).

Provided attributes help with fraud detection. When authenticating a user's magic link token, you can require the IP address and/or the user agent to match that user's attributes when they originated the initial authentication request. To enable this functionality, you can use the options parameter in AuthenticateMagic.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

The magic link token that you'll include in your contact method of choice, e.g. email or SMS. Check out our Embeddable magic link guide for more detail on where to include the token.

The token to authenticate.

Specify optional security settings

Provided attributes help with fraud detection. You can require the IP address and/or the user agent to match the request used to send the magic link using the options parameter.

Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time.

This value must be a minimum of 5 and a maximum of 129600 minutes (90 days).

If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.

Reuse an existing session instead of creating a new one. If you provide us with a session_jwt, then we'll update the session represented by this JWT with this magic link factor. If this session_jwt belongs to a different user than the magic token, the session_jwt will be ignored. This endpoint will error if both session_token and session_jwt are provided.

Reuse an existing session instead of creating a new one. If you provide us with a session_token, then we'll update the session represented by this session token with this magic link factor. If this session_token belongs to a different user than the magic token, the session_token will be ignored. This endpoint will error if both session_token and session_jwt are provided.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

The user object affected by this API call. See the Get user endpiont for complete response field detail.

The JSON Web Token (JWT) for a given Stytch session. Read more about JWTs in our session management guide.

A secret token for a given Stytch session. Read more about session_token in our session management guide.

Globally unique UUID that identifies a specific session in the Stytch API. The session_id is used when you need to operate on a specific user's session, e.g. to revoke the session, refresh it, etc.

The phone number of the user to send a one-time passcode.The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see Testing for more detail.

Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes.

Provided attributes help with fraud detection. When authenticating a user's provided passcode, you can require the IP address and/or the user agent to match that user's attributes when they originated the initial authentication request. To enable this functionality, you can use the options parameter in AuthenticateOTP.

The phone number of the user to send a one-time passcode.The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see Testing for more detail.

Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes.

Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. If true, users will be saved with status pending in Stytch's backend until the invite is accepted by entering an OTP code. If false, users will be created as active. An example usage of a true flag would be to require users to verify their phone by entering the OTP code before creating an account for them.

Provided attributes help with fraud detection. When authenticating a user's provided passcode, you can require the IP address and/or the user agent to match that user's attributes when they originated the initial authentication request. To enable this functionality, you can use the options parameter in AuthenticateOTP.

The phone number of the user to send a one-time passcode.The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see Testing for more detail.

Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes.

Provided attributes help with fraud detection. When authenticating a user's provided passcode, you can require the IP address and/or the user agent to match that user's attributes when they originated the initial authentication request. To enable this functionality, you can use the options parameter in AuthenticateOTP.

The phone number of the user to send a one-time passcode.The phone number should be in E.164 format (i.e. +1XXXXXXXXXX). You may use +10000000000 to test this endpoint, see Testing for more detail.

Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes.

Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. If true, users will be saved with status pending in Stytch's backend until the invite is accepted by entering an OTP code. If false, users will be created as active. An example usage of a true flag would be to require users to verify their phone by entering the OTP code before creating an account for them.

Provided attributes help with fraud detection. When authenticating a user's provided passcode, you can require the IP address and/or the user agent to match that user's attributes when they originated the initial authentication request. To enable this functionality, you can use the options parameter in AuthenticateOTP.

The email address of the user to send the one-time passcode to. You may use sandbox@stytch.com to test this endpoint, see Testing for more detail.

Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes.

Provided attributes help with fraud detection. When authenticating a user's provided passcode, you can require the IP address and/or the user agent to match that user's attributes when they originated the initial authentication request. To enable this functionality, you can use the options parameter in AuthenticateOTP.

The email address of the user to send the one-time passcode to. You may use sandbox@stytch.com to test this endpoint, see Testing for more detail.

Set the expiration for the one-time passcode, in minutes. The minimum expiration is 1 minute and the maximum is 10 minutes. The default expiration is 2 minutes.

Flag for whether or not to save a user as pending vs active in Stytch. Defaults to false. If true, users will be saved with status pending in Stytch's backend until the invite is accepted by entering an OTP code. If false, users will be created as active. An example usage of a true flag would be to require users to verify their email by entering the OTP code before creating an account for them.

Provided attributes help with fraud detection. When authenticating a user's provided passcode, you can require the IP address and/or the user agent to match that user's attributes when they originated the initial authentication request. To enable this functionality, you can use the options parameter in AuthenticateOTP.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

Globally unique UUID that identifies a specific email address in the Stytch API. The email_id is used when you need to operate on a specific user's email address, e.g. to delete the email address from the Stytch user.

The ID of the method used to send a one-time passcode.

The code to authenticate.

Specify optional security settings

Provided attributes help with fraud detection. You can require the IP address and/or the user agent to match the request used to send the OTP code link using the options parameter.

Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time.

This value must be a minimum of 5 and a maximum of 129600 minutes (90 days).

If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.

Reuse an existing session instead of creating a new one. If you provide us with a session_jwt, then we'll update the session represented by this JWT with this OTP factor. If this session_jwt belongs to a different user than the OTP code, the session_jwt will be ignored. This endpoint will error if both session_token and session_jwt are provided.

Reuse an existing session instead of creating a new one. If you provide us with a session_token, then we'll update the session represented by this session token with this OTP factor. If this session_token belongs to a different user than the OTP code, the session_token will be ignored. This endpoint will error if both session_token and session_jwt are provided.

The public token from the Stytch dashboard is safe to embed client side. The public token authenticates the request instead of the project ID and secret since this endpoint is called client side instead of from the backend server.

The URL that Stytch redirects to after the OAuth flow is completed for a user that already exists. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Login URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

The URL that Stytch redirects to after the OAuth flow is completed for a user that does not yet exist. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Sign Up URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

Include a space separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, i.e. the spaces must be expressed as %20.

A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. See the PKCE OAuth guide for usage instructions.

The public token from the Stytch dashboard is safe to embed client side. The public token authenticates the request instead of the project ID and secret since this endpoint is called client side instead of from the backend server.

The URL that Stytch redirects to after the OAuth flow is completed for a user that already exists. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Login URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

The URL that Stytch redirects to after the OAuth flow is completed for a user that does not yet exist. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Sign Up URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

Include a space separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, i.e. the spaces must be expressed as %20.

A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. See the PKCE OAuth guide for usage instructions.

The public token from the Stytch dashboard is safe to embed client side. The public token authenticates the request instead of the project ID and secret since this endpoint is called client side instead of from the backend server.

The URL that Stytch redirects to after the OAuth flow is completed for a user that already exists. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Login URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

The URL that Stytch redirects to after the OAuth flow is completed for a user that does not yet exist. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Sign Up URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

Include a space separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, i.e. the spaces must be expressed as %20.

A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. See the PKCE OAuth guide for usage instructions.

The public token from the Stytch dashboard is safe to embed client side. The public token authenticates the request instead of the project ID and secret since this endpoint is called client side instead of from the backend server.

The URL that Stytch redirects to after the OAuth flow is completed for a user that already exists. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Login URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

The URL that Stytch redirects to after the OAuth flow is completed for a user that does not yet exist. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Sign Up URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

Include a space separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, i.e. the spaces must be expressed as %20.

A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. See the PKCE OAuth guide for usage instructions.

The public token from the Stytch dashboard is safe to embed client side. The public token authenticates the request instead of the project ID and secret since this endpoint is called client side instead of from the backend server.

The URL that Stytch redirects to after the OAuth flow is completed for a user that already exists. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Login URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

The URL that Stytch redirects to after the OAuth flow is completed for a user that does not yet exist. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Sign Up URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

Include a space separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, i.e. the spaces must be expressed as %20.

A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. See the PKCE OAuth guide for usage instructions.

The public token from the Stytch dashboard is safe to embed client side. The public token authenticates the request instead of the project ID and secret since this endpoint is called client side instead of from the backend server.

The URL that Stytch redirects to after the OAuth flow is completed for a user that already exists. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Login URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

The URL that Stytch redirects to after the OAuth flow is completed for a user that does not yet exist. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Sign Up URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

Include a space separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, i.e. the spaces must be expressed as %20.

A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. See the PKCE OAuth guide for usage instructions.

The public token from the Stytch dashboard is safe to embed client side. The public token authenticates the request instead of the project ID and secret since this endpoint is called client side instead of from the backend server.

The URL that Stytch redirects to after the OAuth flow is completed for a user that already exists. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Login URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

The URL that Stytch redirects to after the OAuth flow is completed for a user that does not yet exist. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Sign Up URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

Include a space separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, i.e. the spaces must be expressed as %20.

A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. See the PKCE OAuth guide for usage instructions.

The public token from the Stytch dashboard is safe to embed client side. The public token authenticates the request instead of the project ID and secret since this endpoint is called client side instead of from the backend server.

The URL that Stytch redirects to after the OAuth flow is completed for a user that already exists. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Login URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

The URL that Stytch redirects to after the OAuth flow is completed for a user that does not yet exist. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Sign Up URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

Include a space separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, i.e. the spaces must be expressed as %20.

A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. See the PKCE OAuth guide for usage instructions.

The public token from the Stytch dashboard is safe to embed client side. The public token authenticates the request instead of the project ID and secret since this endpoint is called client side instead of from the backend server.

The URL that Stytch redirects to after the OAuth flow is completed for a user that already exists. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Login URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

The URL that Stytch redirects to after the OAuth flow is completed for a user that does not yet exist. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Sign Up URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

Include a space separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, i.e. the spaces must be expressed as %20.

A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. See the PKCE OAuth guide for usage instructions.

The public token from the Stytch dashboard is safe to embed client side. The public token authenticates the request instead of the project ID and secret since this endpoint is called client side instead of from the backend server.

The URL that Stytch redirects to after the OAuth flow is completed for a user that already exists. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Login URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

The URL that Stytch redirects to after the OAuth flow is completed for a user that does not yet exist. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Sign Up URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

Include a space separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, i.e. the spaces must be expressed as %20.

A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. See the PKCE OAuth guide for usage instructions.

The public token from the Stytch dashboard is safe to embed client side. The public token authenticates the request instead of the project ID and secret since this endpoint is called client side instead of from the backend server.

The URL that Stytch redirects to after the OAuth flow is completed for a user that already exists. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Login URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

The URL that Stytch redirects to after the OAuth flow is completed for a user that does not yet exist. This URL should be an endpoint in the backend server that verifies the request by querying Stytch's /oauth/authenticate endpoint and finishes the login. The URL should be configured as a Sign Up URL in the Stytch Dashboard's Redirect URL page. If the field is not specified, the default in the Dashboard is used.

Include a space separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, i.e. the spaces must be expressed as %20.

A base64url encoded SHA256 hash of a one time secret used to validate that the request starts and ends on the same device. See the PKCE OAuth guide for usage instructions.

The token to authenticate.

(Stytch sessions only) Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque session_token and session_jwt for this session. Remember that session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time.

This argument only sets the lifetime for Stytch sessions, not for IdP sessions. This value must be a minimum of 5 and a maximum of 129600 minutes (90 days).

If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.

(Stytch sessions only) Reuse an existing session instead of creating a new one. If you provide us with a session_jwt, then we'll update the session represented by this JWT with this OAuth factor. If this session_jwt belongs to a different user than the OAuth token, the session_jwt will be ignored. This endpoint will error if both session_token and session_jwt are provided.

(Stytch sessions only) Reuse an existing session instead of creating a new one. If you provide us with a session_token, then we'll update the session represented by this session token with this OAuth factor. If this session_token belongs to a different user than the OAuth token, the session_token will be ignored. This endpoint will error if both session_token and session_jwt are provided.

A base64url encoded one time secret used to validate that the request starts and ends on the same device. See the PKCE OAuth guide for usage instructions.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

Globally unique UUID that identifies a specific user in the Stytch API. The user_id critical to perform operations on a user in our API, like Get user, Delete user, etc, so be sure to preserve this value.

The user object affected by this API call. See the Get user endpiont for complete response field detail.

The provider_subject field is the unique identifier used to identify the user within a given OAuth provider. Also commonly called the "sub" or "Subject field" in OAuth protocols.

The type field denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Facebook, GitHub etc.

The provider_values object lists relevant identifiers, values, and scopes for a given OAuth provider. For example this object will include a provider's access_token that you can use to access the provider's API for a given user.

Note that these values will vary based on the OAuth provider in question, e.g. id_token is only returned by Microsoft.

If you initiate a session, by including session_duration_minutes in your authenticate call, you'll receive a full session object in the response.

See GET sessions for complete response fields.

A secret token for a given Stytch session. Read more about session_token in our session management guide.

The JSON Web Token (JWT) for a given Stytch session. Read more about JWTs in our session management guide.

The project_idto get the JWKS for.

The user ID to get active sessions for.

The JWT to authenticate. You may provide a JWT that has expired according to its exp claim and needs to be refreshed. If the signature is valid and the underlying session is still active then Stytch will return a new JWT.

The session token to authenticate.

Set the session lifetime to be this many minutes from now; minimum of 5 and a maximum of 129600 minutes (90 days). Note that a successful authentication will continue to extend the session this many minutes.

The session ID to revoke.

A JWT for the session to revoke.

The session token to revoke.

The user_id of an active user the WebAuthn registration should be tied to.

The domain for the WebAuthn registration.

The user_agent of the user.

The requested authenticator type of the WebAuthn device. The two valid value are platform and cross-platform. If no value passed, we assume both values are allowed.

The user_id the WebAuthn registration is tied to.

The response of the navigator.credentials.create().

The user_id of an active user the WebAuthn authentication is for.

The domain for the WebAuthn authentication.

The response of the navigator.credentials.get() request.

Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time.

This value must be a minimum of 5 and a maximum of 129600 minutes (90 days).

If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.

Reuse an existing session instead of creating a new one. If you provide us with a session_jwt, then we'll update the session represented by this JWT with this WebAuthn factor. If this session_jwt belongs to a different user than the WebAuthn registration, the session_jwt will be ignored. This endpoint will error if both session_token and session_jwt are provided.

Reuse an existing session instead of creating a new one. If you provide us with a session_token, then we'll update the session represented by this session token with this WebAuthn factor. If this session_token belongs to a different user than the WebAuthn registration, the session_token will be ignored. This endpoint will error if both session_token and session_jwt are provided.

The ID of the user to create the TOTP instance for.

The expiration for the TOTP instance. If the newly created TOTP is not authenticated within this time frame the TOTP will be unusable. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 1440.

The ID of the user the TOTP belongs too.

The TOTP code to authenticate. The TOTP code should consist of 6 digits.

Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time.

This value must be a minimum of 5 and a maximum of 129600 minutes (90 days).

If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.

Reuse an existing session instead of creating a new one. If you provide us with a session_jwt, then we'll update the session represented by this JWT with this TOTP factor. If this session_jwt belongs to a different user than the TOTP, the session_jwt will be ignored. This endpoint will error if both session_token and session_jwt are provided.

Reuse an existing session instead of creating a new one. If you provide us with a session_token, then we'll update the session represented by this session token with this TOTP factor. If this session_token belongs to a different user than the TOTP, the session_token will be ignored. This endpoint will error if both session_token and session_jwt are provided.

The user_id of the user to fetch TOTP recovery codes for.

The ID of the user the TOTP belongs too.

The recovery code to authenticate.

Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time.

This value must be a minimum of 5 and a maximum of 129600 minutes (90 days).

If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.

Reuse an existing session instead of creating a new one. If you provide us with a session_jwt, then we'll update the session represented by this JWT with this TOTP recovery code factor. If this session_jwt belongs to a different user than the TOTP recovery code, the session_jwt will be ignored. This endpoint will error if both session_token and session_jwt are provided.

Reuse an existing session instead of creating a new one. If you provide us with a session_token, then we'll update the session represented by this session token with this TOTP recovery code factor. If this session_token belongs to a different user than the TOTP recovery code, the session_token will be ignored. This endpoint will error if both session_token and session_jwt are provided.

The type of wallet to authenticate. Currently ethereum and solana are supported.

The address to authenticate.

The user_id to associate the address with. If no user_id is provided and the address is not associated with an existing Stytch user in your Project, a new user will be created.

The type of wallet to authenticate. Currently ethereum and solana are supported.

The address to authenticate.

The signature from the message.

Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time.

This value must be a minimum of 5 and a maximum of 129600 minutes (90 days).

If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.

Reuse an existing session instead of creating a new one. If you provide us with a session_jwt, then we'll update the session represented by this JWT with this crypto wallet factor. If this session_jwt belongs to a different user than the one tied to the address, the session_jwt will be ignored. This endpoint will error if both session_token and session_jwt are provided.

Reuse an existing session instead of creating a new one. If you provide us with a session_token, then we'll update the session represented by this session token with this crypto wallet factor. If this session_token belongs to a different user than the one tied to the address, the session_token will be ignored. This endpoint will error if both session_token and session_jwt are provided.

The email of the new user.

The password for the new user.

Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time.

This value must be a minimum of 5 and a maximum of 129600 minutes (90 days).

If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.

The email of the user.

The password of the user.

Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time.

This value must be a minimum of 5 and a maximum of 129600 minutes (90 days).

If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.

Reuse an existing session instead of creating a new one. If you provide us with a session_jwt, then we'll update the session represented by this JWT with this crypto wallet factor. If this session_jwt belongs to a different user than the one tied to the address, the session_jwt will be ignored. This endpoint will error if both session_token and session_jwt are provided.

Reuse an existing session instead of creating a new one. If you provide us with a session_token, then we'll update the session represented by this session token with this crypto wallet factor. If this session_token belongs to a different user than the one tied to the address, the session_token will be ignored. This endpoint will error if both session_token and session_jwt are provided.

The email of the user that requested the password reset.

The url the user clicks from the password reset email. This should be a url that your app receives and parses and subsequently send an API request to complete the password reset process. If this value is not passed, the default reset password redirect URL that you set in your Dashboard is used. If you have not set a default reset password redirect URL, an error is returned.

Set the expiration for the password reset, in minutes. By default, it expires in 30 minutes. The minimum expiration is 5 minutes and the maximum is 7 days (10080 mins).

Provided attributes help with fraud detection. When authenticating a user's token, you can require the IP address and/or the user agent to match that user's attributes when they originated the initial authentication request. To enable this functionality, you can use the options parameter in /v1/passwords/email/reset.

The token to authenticate.

The new password for the user.

Specify optional security settings

Provided attributes help with fraud detection. You can require the IP address and/or the user agent to match the request used to send the password reset using the options parameter.

Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist, returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time.

This value must be a minimum of 5 and a maximum of 129600 minutes (90 days).

If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.

Reuse an existing session instead of creating a new one. If you provide us with a session_jwt, then we'll update the session represented by this JWT with this crypto wallet factor. If this session_jwt belongs to a different user than the one tied to the address, the session_jwt will be ignored. This endpoint will error if both session_token and session_jwt are provided.

Reuse an existing session instead of creating a new one. If you provide us with a session_token, then we'll update the session represented by this session token with this crypto wallet factor. If this session_token belongs to a different user than the one tied to the address, the session_token will be ignored. This endpoint will error if both session_token and session_jwt are provided.

The password to strength check.

The email assoicated with the password. Provide this for a more acurate strength check.

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

States whether the password passes our password validation. Our validation requires a 3 or higher score that's calculated using zxcvbn. We also require that the password hasn't been pwned using built-in breach detection powered HaveIBeenPwned.

The score of the password determined by zxcvbn.

Determines if the password has been breached using HaveIBeenPwned.

Feedback for how to improve the password's strength using zxcvbn.