Adds an existing password to a User's email that doesn't have a password yet. We support migrating users from passwords stored with bcrypt, scrypt, argon2, MD-5, SHA-1, or PBKDF2. This endpoint has a rate limit of 100 requests per second.
Migrate Password
Body parameters
The email address of the end user.
The name of the user. Each field in the name object is optional.
The first name of the user.
The middle name(s) of the user.
The last name of the user.
The phone number of the user. The phone number should be in E.164 format (e.g. +1XXXXXXXXXX).
The trusted_metadata field contains an arbitrary JSON object of application-specific data. See the Metadata reference for complete field behavior details.
The untrusted_metadata field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and cannot be used to store critical information. See the Metadata reference for complete field behavior details.
The password hash. For a Scrypt or PBKDF2 hash, the hash needs to be a base64 encoded string.
The password hash used. Currently bcrypt, scrypt, argon_2i, argon_2id, md_5, sha_1, and pbkdf_2 are supported.
Required parameters if the scrypt hash is not provided in PHC encoded form.
The salt value, which should be in a base64 encoded string form.
The N value, also known as the iterations count. It must be a power of two greater than 1 and less than 262,145. If your application's N parameter is larger than 262,144, please reach out to support@stytch.com.
The r parameter, also known as the block size.
The p parameter, also known as the parallelism factor.
The key length, also known as the hash length.
Required parameters if the argon2 hex form, as opposed to the encoded form, is supplied.
The salt value.
The iteration amount.
The memory in kibibytes.
The thread value, also known as the parallelism factor.
The key length, also known as the hash length.
Optional parameters for MD-5 hash types.
The salt that should be prepended to the migrated password.
The salt that should be appended to the migrated password.
Optional parameters for SHA-1 hash types.
The salt that should be prepended to the migrated password.
The salt that should be appended to the migrated password.
Required additional parameters for PBKDF2 hash keys.
The salt value, which should be in a base64 encoded string form.
The iteration amount.
The key length, also known as the hash length.
The algorithm that was used to generate the HMAC hash. Accepted values are "sha512" and "sha256". Defaults to sha256.
Whether to set the user's email as verified. This is a dangerous field: incorrect use may lead to users being erroneously deduplicated into one User object. Only set this flag if you can attest that the user owns the email address in question.
Whether to set the user's phone number as verified. This is a dangerous field: only set this flag if you can attest that the user owns the phone number in question.
Roles to explicitly assign to this User. See the RBAC guide for more information about role assignment.
If a new user is created, this will set an identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, ., _, -, or | characters with a maximum length of 128 characters.
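A pre-flight check for scrypt rows, added here as an example (it is not Stytch's code): it enforces the N limit stated above, converts hex columns to the base64 form the endpoint requires, and re-derives the hash locally for a test account. The nested field names (`scrypt`, `n_parameter`, `r_parameter`, `p_parameter`, `key_length`), the hex-encoded legacy row, and the salt being used as its decoded bytes are assumptions.

```javascript
const crypto = require('crypto');
const MAX_N = 262144; // page: N is a power of two, > 1 and < 262,145
const HEX = /^([0-9a-f]{2})+$/i;
const isPosInt = (v) => Number.isInteger(v) && v > 0;
const isCanonicalB64 = (s) => typeof s === 'string' && s.length > 0 &&
  Buffer.from(s, 'base64').toString('base64') === s;

// Build the migrate body for one legacy row whose hash and salt are hex columns.
// Field names inside `scrypt` are assumed; confirm them in the API reference.
function buildScryptMigration({ email, hashHex, saltHex, n, r, p }) {
  if (!isPosInt(n) || n < 2 || n > MAX_N || (n & (n - 1)) !== 0) {
    throw new Error(`scrypt N=${n} is not a power of two in the accepted range`);
  }
  if (!isPosInt(r) || !isPosInt(p)) throw new Error('r and p must be positive integers');
  if (!HEX.test(hashHex) || !HEX.test(saltHex)) {
    throw new Error('hash and salt must be non-empty, even-length hex');
  }
  const hashBytes = Buffer.from(hashHex, 'hex');
  return {
    email,
    hash: hashBytes.toString('base64'),
    hash_type: 'scrypt',
    scrypt: {
      salt: Buffer.from(saltHex, 'hex').toString('base64'),
      n_parameter: n, r_parameter: r, p_parameter: p,
      key_length: hashBytes.length,
    },
  };
}

// Re-derive the hash from a test account's known password (assumes the salt is
// used as its decoded bytes), so a bad encoding or parameter is caught locally.
function selfCheck(params, knownPassword) {
  const { salt, n_parameter: N, r_parameter: r, p_parameter: p, key_length } = params.scrypt;
  if (!isCanonicalB64(params.hash) || !isCanonicalB64(salt)) return false;
  const expected = Buffer.from(params.hash, 'base64');
  if (expected.length !== key_length) return false;
  const derived = crypto.scryptSync(knownPassword, Buffer.from(salt, 'base64'),
    key_length, { N, r, p, maxmem: 256 * r * (N + p) });
  return crypto.timingSafeEqual(derived, expected);
}

// Constructed sample row (not real data); the hash is derived here so it runs offline.
const saltHex = '00112233445566778899aabbccddeeff';
const hashHex = crypto.scryptSync('test-password', Buffer.from(saltHex, 'hex'), 32,
  { N: 1024, r: 8, p: 1 }).toString('hex');
const sample = buildScryptMigration(
  { email: 'sandbox@stytch.com', hashHex, saltHex, n: 1024, r: 8, p: 1 });
console.log(selfCheck(sample, 'test-password'), selfCheck(sample, 'wrong-password'));
```

Run the self-check against a handful of test accounts whose passwords you know before sending the batch; a row that fails locally would authenticate no one after migration.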
Response fields
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
The unique ID of the affected User.
The user object affected by this API call. See the Get user endpoint for complete response field details.
The unique ID of the affected User.
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
The name of the User. Each field in the name object is optional.
The first name of the user.
The middle name(s) of the user.
The last name of the user.
The trusted_metadata field contains an arbitrary JSON object of application-specific data. See the Metadata reference for complete field behavior details.
The untrusted_metadata field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and cannot be used to store critical information. See the Metadata reference for complete field behavior details.
An array of email objects for the User.
The unique ID of a specific email address.
The email address.
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
An array of phone number objects linked to the User.
The unique ID for the phone number.
The phone number.
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
An array of OAuth provider objects linked to the User.
The unique ID for an OAuth registration.
The unique identifier for the User within a given OAuth provider. Also commonly called the "sub" or "Subject field" in OAuth protocols.
Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Facebook, GitHub etc.
If available, the profile_picture_url is a URL of the User's profile picture set in the OAuth identity provider that the User has authenticated with, e.g. Facebook profile picture.
If available, the locale is the User's locale set in the OAuth identity provider that the user has authenticated with.
An array that contains a list of all Passkey or WebAuthn registrations for a given User in the Stytch API.
The unique ID for the Passkey or WebAuthn registration.
The domain on which Passkey or WebAuthn registration was started. This will be the domain of your app.
The user agent of the User.
The authenticator_type string displays the requested authenticator type of the Passkey or WebAuthn device. The two valid types are "platform" and "cross-platform". If no value is present, the Passkey or WebAuthn device was created without an authenticator type preference.
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
The name of the Passkey or WebAuthn registration.
An array that contains a list of all biometric registrations for a given User in the Stytch API.
The unique ID for a biometric registration.
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
An array containing a list of all TOTP instances for a given User in the Stytch API.
The unique ID for a TOTP instance.
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
An array that contains a list of all crypto wallets for a given User in the Stytch API.
The unique ID for a crypto wallet.
The actual blockchain address of the User's crypto wallet.
The blockchain that the User's crypto wallet operates on, e.g. Ethereum, Solana, etc.
The verified boolean denotes whether or not this send method, e.g. phone number, email address, etc., has been successfully authenticated by the User.
The password object is returned for users with a password.
The unique ID of a specific password.
Indicates whether this password requires a password reset.
Roles assigned to this User. See the RBAC guide for more information about role assignment.
The timestamp of the User's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
The status of the User. The possible values are pending and active.
The unique ID of a specific email address.
In login_or_create endpoints, this field indicates whether or not a User was just created.
const stytch = require('stytch');

const client = new stytch.Client({
  project_id: 'PROJECT_ID',
  secret: 'SECRET',
});

const params = {
  email: "sandbox@stytch.com",
  hash: "$2a$12$vefoDBbzuMb/NczV/fc9QemTizkNAZr9EO02pIUHPAAJibcYp0.ne",
  hash_type: "bcrypt",
  phone_number: "+12025550162",
  external_id: "my-new-external-id",
};

client.passwords.migrate(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });
{
  "status_code": 200,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "user_id": "user-test-16d9ba61-97a1-4ba4-9720-b03761dc50c6",
  "email_id": "email-test-81bf03a8-86e1-4d95-bd44-bb3495224953",
  "user_created": true
}

{
  "status_code": 400,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "password_already_exists",
  "error_message": "email already has a password associated with it.",
  "error_url": "https://stytch.com/docs/api/errors/400"
}

{
  "status_code": 429,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "too_many_requests",
  "error_message": "Too many requests have been made.",
  "error_url": "https://stytch.com/docs/api/errors/429"
}

{
  "status_code": 500,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "internal_server_error",
  "error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
  "error_url": "https://stytch.com/docs/api/errors/500"
}
Common Error Types
- duplicate_phone_number
- invalid_argon_2_salt
- invalid_base64_scrypt_hash
- invalid_bcrypt_cost
- invalid_bcrypt_hash
- invalid_email
- invalid_hash
- invalid_hash_type
- invalid_md_5_hash
- invalid_pbkdf_2_hash
- invalid_pbkdf_2_iteration_amount
- invalid_pbkdf_2_salt
- invalid_phone_number
- invalid_phpass_hash_prefix
- invalid_scrypt_salt_length
- invalid_sha_1_hash
- password_already_exists
- pbkdf_2_key_length_mismatch
- scrypt_key_length_mismatch
- too_many_unverified_factors