Adds an existing password to a User's email that doesn't have a password yet. We support migrating users from passwords stored with bcrypt, scrypt, argon2, MD-5, SHA-1, or PBKDF2. This endpoint has a rate limit of 100 requests per second.
Migrate Password
POST
https://test.stytch.com/v1/passwords/migrateBody parameters
email* string
The email address of the end user.
name object
The name of the user. Each field in the name object is optional.
first_name string
The first name of the user.
middle_name string
The middle name(s) of the user.
last_name string
The last name of the user.
phone_number string
The phone number of the user. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).
trusted_metadata object
The trusted_metadata field contains an arbitrary JSON object of application-specific data. See the Metadata reference for complete field behavior details.
untrusted_metadata object
The untrusted_metadata field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and cannot be used to store critical information. See the Metadata reference for complete field behavior details.
hash* string
The password hash. For a Scrypt or PBKDF2 hash, the hash needs to be a base64 encoded string.
hash_type* string
The password hash used. Currently bcrypt, scrypt, argon_2i, argon_2id, md_5, sha_1, and pbkdf_2 are supported.
scrypt_config object
Required parameters if the scrypt is not provided in a PHC encoded form.
salt string
The salt value, which should be in a base64 encoded string form.
n_parameter int
The N value, also known as the iterations count. It must be a power of two greater than 1 and less than 262,145. If your applicaiton's N parameter is larger than 262,144, please reach out to support@stytch.com
r_parameter int
The r parameter, also known as the block size.
p_parameter int
The p parameter, also known as the parallelism factor.
key_length int
The key length, also known as the hash length.
argon_2_config object
Required parameters if the argon2 hex form, as opposed to the encoded form, is supplied.
salt string
The salt value.
iteration_amount int
The iteration amount.
memory int
The memory in kibibytes.
threads int
The thread value, also known as the parallelism factor.
key_length int
The key length, also known as the hash length.
md_5_config object
Optional parameters for MD-5 hash types.
prepend_salt string
The salt that should be prepended to the migrated password.
append_salt string
The salt that should be appended to the migrated password.
sha_1_config object
Optional parameters for SHA-1 hash types.
prepend_salt string
The salt that should be prepended to the migrated password.
append_salt string
The salt that should be appended to the migrated password.
pbkdf_2_config object
Required additional parameters for PBKDF2 hash keys.
salt string
The salt value, which should be in a base64 encoded string form.
iteration_amount int
The iteration amount.
key_length int
The key length, also known as the hash length.
algorithm string
The algorithm that was used to generate the HMAC hash. Accepted values are "sha512" and sha256". Defaults to sha256.
set_email_verified boolean
Whether to set the user's email as verified. This is a dangerous field, incorrect use may lead to users getting erroneously deduplicated into one User object. This flag should only be set if you can attest that the user owns the email address in question.
set_phone_number_verified boolean
Whether to set the user's phone number as verified. This is a dangerous field, this flag should only be set if you can attest that the user owns the phone number in question.
roles array[strings]
Roles to explicitly assign to this User. See the RBAC guide for more information about role assignment.
external_id string
If a new user is created, this will set an identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, ., _, -, or | characters with a maximum length of 128 characters.
Response fields
status_code int
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
request_id string
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
user_id string
The unique ID of the affected User.
user object
The user object affected by this API call. See the Get user endpoint for complete response field details.
user_id string
The unique ID of the affected User.
status_code int
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
request_id string
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
name object
The name of the User. Each field in the name object is optional.
first_name string
The first name of the user.
middle_name string
The middle name(s) of the user.
last_name string
The last name of the user.
trusted_metadata object
The trusted_metadata field contains an arbitrary JSON object of application-specific data. See the Metadata reference for complete field behavior details.
untrusted_metadata object
The untrusted_metadata field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and cannot be used to store critical information. See the Metadata reference for complete field behavior details.
emails array[objects]
An array of email objects for the User.
email_id string
The unique ID of a specific email address.
email string
The email address.
verified boolean
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
phone_numbers array[objects]
An array of phone number objects linked to the User.
phone_id string
The unique ID for the phone number.
phone_number string
The phone number.
verified boolean
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
providers array[objects]
An array of OAuth provider objects linked to the User.
oauth_user_registration_id string
The unique ID for an OAuth registration.
provider_subject string
The unique identifier for the User within a given OAuth provider. Also commonly called the "sub" or "Subject field" in OAuth protocols.
provider_type string
Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Facebook, GitHub etc.
profile_picture_url string
If available, the profile_picture_url is a url of the User's profile picture set in OAuth identity the provider that the User has authenticated with, e.g. Facebook profile picture.
locale string
If available, the locale is the User's locale set in the OAuth identity provider that the user has authenticated with.
webauthn_registrations array[objects]
An array that contains a list of all Passkey or WebAuthn registrations for a given User in the Stytch API.
webauthn_registration_id string
The unique ID for the Passkey or WebAuthn registration.
domain string
The domain on which Passkey or WebAuthn registration was started. This will be the domain of your app.
user_agent string
The user agent of the User.
authenticator_type string
The authenticator_type string displays the requested authenticator type of the Passkey or WebAuthn device. The two valid types are "platform" and "cross-platform". If no value is present, the Passkey or WebAuthn device was created without an authenticator type preference.
verified boolean
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
name string
The name of the Passkey or WebAuthn registration.
biometric_registrations array[objects]
An array that contains a list of all biometric registrations for a given User in the Stytch API.
biometric_registration_id string
The unique ID for a biometric registration.
verified boolean
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
totps array[objects]
An array containing a list of all TOTP instances for a given User in the Stytch API.
totp_id string
The unique ID for a TOTP instance.
verified boolean
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
crypto_wallets array[objects]
An array contains a list of all crypto wallets for a given User in the Stytch API.
crypto_wallet_id string
The unique ID for a crypto wallet
crypto_wallet_address string
The actual blockchain address of the User's crypto wallet.
crypto_wallet_type string
The blockchain that the User's crypto wallet operates on, e.g. Ethereum, Solana, etc.
verified boolean
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
password object
The password object is returned for users with a password.
password_id string
The unique ID of a specific password
requires_reset boolean
Indicates whether this password requires a password reset
roles array[strings]
Roles assigned to this User. See the RBAC guide for more information about role assignment.
created_at string
The timestamp of the User's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
status string
The status of the User. The possible values are pending and active.
email_id string
The unique ID of a specific email address.
user_created boolean
In login_or_create endpoints, this field indicates whether or not a User was just created.
const stytch = require('stytch');
const client = new stytch.Client({
project_id: 'PROJECT_ID',
secret: 'SECRET',
});
const params = {
email: "sandbox@stytch.com",
hash: "$2a$12$vefoDBbzuMb/NczV/fc9QemTizkNAZr9EO02pIUHPAAJibcYp0.ne",
hash_type: "bcrypt",
phone_number: "+12025550162",
external_id: "my-new-external-id",
};
client.passwords.migrate(params)
.then(resp => { console.log(resp) })
.catch(err => { console.log(err) });RESPONSE 200
200
{
"status_code": 200,
"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
"user_id": "user-test-16d9ba61-97a1-4ba4-9720-b03761dc50c6",
"email_id": "email-test-81bf03a8-86e1-4d95-bd44-bb3495224953",
"user_created": true
}RESPONSE 400
200
{
"status_code": 400,
"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
"error_type": "password_already_exists",
"error_message": "email already has a password associated with it.",
"error_url": "https://stytch.com/docs/api/errors/400"
}RESPONSE 429
200
{
"status_code": 429,
"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
"error_type": "too_many_requests",
"error_message": "Too many requests have been made.",
"error_url": "https://stytch.com/docs/api/errors/429"
}RESPONSE 500
200
{
"status_code": 500,
"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
"error_type": "internal_server_error",
"error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
"error_url": "https://stytch.com/docs/api/errors/500"
}Common Error Types
- duplicate_phone_number
- invalid_argon_2_salt
- invalid_base64_scrypt_hash
- invalid_bcrypt_cost
- invalid_bcrypt_hash
- invalid_email
- invalid_hash
- invalid_hash_type
- invalid_md_5_hash
- invalid_pbkdf_2_hash
- invalid_pbkdf_2_iteration_amount
- invalid_pbkdf_2_salt
- invalid_phone_number
- invalid_phpass_hash_prefix
- invalid_scrypt_salt_length
- invalid_sha_1_hash
- password_already_exists
- pbkdf_2_key_length_mismatch
- scrypt_key_length_mismatch
- too_many_unverified_factors