POST /v1/passwords/migrate
// POST /v1/passwords/migrate
const stytch = require('stytch');

const client = new stytch.Client({
  project_id: '${projectId}',
  secret: '${secret}',
});

const params = {
  email: "${email}",
  hash: "${examplePasswordBcryptHash}",
  hash_type: "bcrypt",
  phone_number: "${examplePhoneNumber}",
  external_id: "my-new-external-id",
};

// The Node SDK exposes this endpoint as passwords.migrate (camelCase namespaces).
client.passwords.migrate(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });

{
  "request_id": "<string>",
  "user_id": "<string>",
  "email_id": "<string>",
  "user_created": true,
  "user": {
    "user_id": "<string>",
    "emails": [
      {
        "email_id": "<string>",
        "email": "<string>",
        "verified": true
      }
    ],
    "status": "<string>",
    "phone_numbers": [
      {
        "phone_id": "<string>",
        "phone_number": "<string>",
        "verified": true
      }
    ],
    "webauthn_registrations": [
      {
        "webauthn_registration_id": "<string>",
        "domain": "<string>",
        "user_agent": "<string>",
        "verified": true,
        "authenticator_type": "<string>",
        "name": "<string>"
      }
    ],
    "providers": [
      {
        "provider_type": "<string>",
        "provider_subject": "<string>",
        "profile_picture_url": "<string>",
        "locale": "<string>",
        "oauth_user_registration_id": "<string>"
      }
    ],
    "totps": [
      {
        "totp_id": "<string>",
        "verified": true
      }
    ],
    "crypto_wallets": [
      {
        "crypto_wallet_id": "<string>",
        "crypto_wallet_address": "<string>",
        "crypto_wallet_type": "<string>",
        "verified": true
      }
    ],
    "biometric_registrations": [
      {
        "biometric_registration_id": "<string>",
        "verified": true
      }
    ],
    "is_locked": true,
    "roles": [
      "<string>"
    ],
    "name": {
      "first_name": "<string>",
      "middle_name": "<string>",
      "last_name": "<string>"
    },
    "created_at": "<string>",
    "password": {
      "password_id": "<string>",
      "requires_reset": true
    },
    "trusted_metadata": {},
    "untrusted_metadata": {},
    "external_id": "<string>",
    "lock_created_at": "<string>",
    "lock_expires_at": "<string>"
  },
  "status_code": 123
}
We support migrating users from passwords stored with bcrypt, scrypt, argon2, MD-5, SHA-1, SHA-512, or PBKDF2.
This endpoint has a rate limit of 100 requests per second.

Authorizations

Authorization
string
header
required

Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.

Body

application/json

Request type

email
string
required

The email address of the end user.

hash
string
required

The password hash. For a scrypt or PBKDF2 hash, the hash must be a base64-encoded string.

hash_type
enum<string>
required

The hash algorithm used for the password. Currently bcrypt, scrypt, argon_2i, argon_2id, md_5, sha_1, sha_512, and pbkdf_2 are supported.

Available options: bcrypt, md_5, argon_2i, argon_2id, sha_1, sha_512, scrypt, phpass, pbkdf_2

md_5_config
object

Optional parameters for MD-5 hash types.

argon_2_config
object

Required parameters if the argon2 hex form, as opposed to the encoded form, is supplied.

sha_1_config
object

Optional parameters for SHA-1 hash types.

sha_512_config
object

Optional parameters for SHA-512 hash types.

scrypt_config
object

Required parameters if the scrypt hash is not provided in PHC-encoded form.

pbkdf_2_config
object

Required additional parameters for PBKDF2 hash keys.

trusted_metadata
object

The trusted_metadata field contains an arbitrary JSON object of application-specific data. See the Metadata reference for complete field behavior details.

untrusted_metadata
object

The untrusted_metadata field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and cannot be used to store critical information. See the Metadata reference for complete field behavior details.

set_email_verified
boolean

Whether to set the user's email as verified. This is a dangerous field: incorrect use may lead to users being erroneously deduplicated into one User object. Set this flag only if you can attest that the user owns the email address in question.

name
object

The name of the user. Each field in the name object is optional.

phone_number
string

The phone number of the user. The phone number should be in E.164 format (e.g. +1XXXXXXXXXX).

set_phone_number_verified
boolean

Whether to set the user's phone number as verified. This is a dangerous field: set this flag only if you can attest that the user owns the phone number in question.

external_id
string

If a new user is created, this will set an identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, ., _, -, or | characters with a maximum length of 128 characters.

roles
string[]

Roles to explicitly assign to this User. See the RBAC guide for more information about role assignment.
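
Added example (not Stytch's own code): one way to turn a legacy credential record into the request body described above, enforcing the constraints this page states for hash, hash_type, external_id, phone_number and the two "verified" flags. The legacy record fields (hashType, hashEncoding, pbkdf2Config, emailVerifiedAt, phoneVerifiedAt, ...) are hypothetical names for whatever your old user table holds.

```javascript
// Added example: validate a legacy record and build the body for
// POST /v1/passwords/migrate. The legacy record shape is hypothetical.
const HASH_TYPES = new Set(['bcrypt', 'md_5', 'argon_2i', 'argon_2id',
  'sha_1', 'sha_512', 'scrypt', 'phpass', 'pbkdf_2']);
// Per the page: scrypt and PBKDF2 hashes must be base64-encoded strings.
const NEEDS_BASE64 = new Set(['scrypt', 'pbkdf_2']);
const EXTERNAL_ID_RE = /^[A-Za-z0-9._|-]{1,128}$/;
const E164_RE = /^\+[1-9]\d{1,14}$/;

function buildMigrateParams(rec) {
  if (!HASH_TYPES.has(rec.hashType)) {
    throw new Error(`unsupported hash_type: ${rec.hashType}`);
  }
  const params = { email: rec.email, hash_type: rec.hashType, hash: rec.hash };
  if (NEEDS_BASE64.has(rec.hashType) && rec.hashEncoding === 'hex') {
    if (!/^(?:[0-9a-fA-F]{2})+$/.test(rec.hash)) throw new Error('hash is not valid hex');
    params.hash = Buffer.from(rec.hash, 'hex').toString('base64');
  }
  if (rec.hashType === 'pbkdf_2') {
    // Required per the page; its fields are not listed there, so pass it through unchanged.
    if (!rec.pbkdf2Config) throw new Error('pbkdf_2_config is required');
    params.pbkdf_2_config = rec.pbkdf2Config;
  }
  if (rec.externalId !== undefined) {
    if (!EXTERNAL_ID_RE.test(rec.externalId)) throw new Error('invalid external_id');
    params.external_id = rec.externalId;
  }
  if (rec.phoneNumber !== undefined) {
    if (!E164_RE.test(rec.phoneNumber)) throw new Error('phone_number is not E.164');
    params.phone_number = rec.phoneNumber;
  }
  // Dangerous flags: set only when the legacy system recorded proof of ownership.
  if (rec.emailVerifiedAt) params.set_email_verified = true;
  if (params.phone_number && rec.phoneVerifiedAt) params.set_phone_number_verified = true;
  return params;
}

// Constructed sample record (not real data): hex PBKDF2 digest, unverified email.
const sample = buildMigrateParams({
  email: 'user@example.com', hashType: 'pbkdf_2', hash: '00ff10',
  hashEncoding: 'hex', pbkdf2Config: { /* fill in per the pbkdf_2_config reference */ },
  externalId: 'legacy|42', phoneNumber: '+15555550100',
  emailVerifiedAt: null, phoneVerifiedAt: '2020-01-01T00:00:00Z',
});
console.log(sample);
```

Records that fail validation throw before any request is sent, so a bulk migration can log and skip them without spending the endpoint's 100 requests per second on calls that would be rejected.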

Response

Successful response

request_id
string
required

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

user_id
string
required

The unique ID of the affected User.

email_id
string
required

The unique ID of a specific email address.

user_created
boolean
required

In login_or_create endpoints, this field indicates whether or not a User was just created.

user
object
required

The user object affected by this API call. See the Get user endpoint for complete response field details.

status_code
integer<int32>
required

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.