Authenticate Impersonation Token

POST
https://test.stytch.com/v1/b2b/impersonation/authenticate

Authenticate an impersonation token to impersonate a Member. This endpoint requires an impersonation token that is not expired or previously used. A Stytch session will be created for the impersonated member with a 60 minute duration. Impersonated sessions cannot be extended.

Prior to this step, you can generate an impersonation token by visiting the Stytch Dashboard, viewing a member, and clicking the Impersonate Member button.


Body parameters


impersonation_token*string

The Member Impersonation token to authenticate. Expires in 5 minutes by default.


Response fields


request_idstring

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.


status_codeint

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.


member_idstring

Globally unique UUID that identifies a specific Member.


member_sessionobject
member_session_idstring

Globally unique UUID that identifies a specific Session.

member_idstring

Globally unique UUID that identifies a specific Member.

authentication_factorsarray[objects]

An array of different authentication factors that comprise a Session. An impersonated Session will always have exactly one authentication factor of type impersonated. No other factors can exist on or be added to impersonated sessions.

typestring

The type of authentication factor. For impersonated sessions, the type is impersonated.

delivery_methodstring

The method that was used to deliver the authentication factor. The possible values depend on the type: impersonated – Only impersonation.

created_attimestamp

The timestamp when the factor was initially authenticated.

last_authenticated_attimestamp

The timestamp when the factor was last authenticated.

updated_attimestamp

The timestamp when the factor was last updated.

sequence_orderstring

Either PRIMARY or SECONDARY. The impersonated factor is a primary factor.

impersonated_factorobject

Information about the impersonated factor.

impersonator_email_addressstring

The email address of the impersonator.

impersonator_idstring

For impersonated sessions initiated via the Stytch Dashboard, the impersonator_id will be the impersonator's Stytch Dashboard member_id.

organization_idstring

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value.

organization_slugstring

The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved characters: - . _ ~. Must be between 2 and 128 characters in length. Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience.

started_atstring

The timestamp when the Session was created. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

last_accessed_atstring

The timestamp when the Session was last accessed. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

expires_atstring

The timestamp when the Session expires. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

custom_claimsmap<string, any>

The custom claims map for a Session. Claims can be added to a session during a Sessions authenticate call.


member_session_idstring

Globally unique UUID that identifies a specific Session.


session_tokenstring

A secret token for a given Stytch Session.


session_jwtstring

The JSON Web Token (JWT) for a given Stytch Session.


intermediate_session_tokenstring

Successfully authenticating an impersonation token will never result in an intermediate session. If the token is valid, a full session will be created.


member_authenticatedboolean

The member will always be fully authenticated if an impersonation token is successfully authenticated.


mfa_requiredobject

MFA will not be required when authenticating impersonation tokens.


organization_idstring

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value.


memberobject
organization_idstring

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.

member_idstring

Globally unique UUID that identifies a specific Member. The member_id is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.

external_idstring

The ID of the member given by the identity provider.

email_addressstring

The email address of the Member.

email_address_verifiedboolean

Whether or not the Member's email address is verified.

statusstring

The status of the Member. The possible values are: pending, invited, active, or deleted.

namestring

The name of the Member.

sso_registrationsarray[objects]
connection_idstring

Globally unique UUID that identifies a specific SSO connection_id for a Member.

registration_idstring

The unique ID of an SSO Registration.

external_idstring

The ID of the member given by the identity provider.

sso_attributesobject

An object for storing SSO attributes brought over from the identity provider.

scim_registrationobject

A scim member registration, referencing a SCIM Connection object in use for the Member creation.

connection_idstring

The ID of the SCIM connection.

registration_idstring

The unique ID of a SCIM Registration.

external_idstring

The ID of the member given by the identity provider.

scim_attributesobject

An object for storing SCIM attributes brought over from the identity provider.

is_breakglassboolean

Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the Organization object and its auth_methods and allowed_auth_methods fields for more details.

member_password_idstring

Globally unique UUID that identifies a Member's password.

oauth_registrationsarray[object]

A list of OAuth registrations for this member.

provider_typestring

Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc.

provider_subjectstring

The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.

profile_picture_urlstring

If available, the profile_picture_url is a URL of the User's profile picture set in OAuth identity the provider that the User has authenticated with, e.g. Google profile picture.

localestring

If available, the locale is the Member's locale set in the OAuth identity provider that the user has authenticated with.

member_oauth_registration_idstring

The unique ID of an OAuth registration.

mfa_enrolledboolean

Sets whether the Member is enrolled in MFA. If true, the Member must complete an MFA step whenever they wish to log in to their Organization. If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to REQUIRED_FOR_ALL.

mfa_phone_numberstring

The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).

mfa_phone_number_verifiedboolean

Whether or not the Member's phone number is verified.

retired_email_addressesarray[object]

A list of retired email addresses for this member. A previously active email address can be marked as retired in one of two ways:

  • It's replaced with a new primary email address during an explicit Member update.
  • A new email address is surfaced by an OAuth, SAML or OIDC provider. In this case the new email address becomes the Member's primary email address and the old primary email address is retired.

A retired email address cannot be used by other Members in the same Organization. However, unlinking retired email addresses allows them to be subsequently re-used by other Organization Members. Retired email addresses can be unlinked using the Unlink Retired Email endpoint.

email_idstring

The globally unique UUID of a Member's email.

email_addressstring

The email address of the Member.

trusted_metadataobject

An arbitrary JSON object for storing application-specific data or identity-provider-specific data.

untrusted_metadataobject

An arbitrary JSON object of application-specific data. These fields can be edited directly by the frontend SDK, and should not be used to store critical information. See the Metadata resource for complete field behavior details.

rolesarray[objects]

Explicit or implicit Roles assigned to this Member, along with details about the role assignment source. See the RBAC guide for more information about role assignment.

role_idstring

The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.

Reserved role_ids that are predefined by Stytch include:

  • stytch_member
  • stytch_admin

Check out the guide on Stytch default Roles for a more detailed explanation.

sourcesarray[objects]

A list of sources for this role assignment. A role assignment can come from multiple sources - for example, the Role could be both explicitly assigned and implicitly granted from the Member's email domain.

typestring

The type of role assignment. The possible values are: direct_assignment – an explicitly assigned Role.

Directly assigned roles can be updated by passing in the roles argument to the Update Member endpoint. email_assignment – an implicit Role granted by the Member's email domain, regardless of their login method.

Email implicit role assignments can be updated by passing in the rbac_email_implicit_role_assignments argument to the Update Organization endpoint. sso_connection – an implicit Role granted by the Member's SSO connection. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the Role if their session contains an authentication factor with the specified SAML connection.

SAML connection implicit role assignments can be updated by passing in the saml_connection_implicit_role_assignments argument to the Update SAML connection endpoint. sso_connection_group – an implicit Role granted by the Member's SSO connection and group. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the role if their session contains an authentication factor with the specified SAML connection.

SAML group implicit role assignments can be updated by passing in the saml_group_implicit_role_assignments argument to the Update SAML connection endpoint.

scim_connection_group – an implicit Role granted by the Member's SCIM connection and group. If the Member has a SCIM Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list.

SCIM group implicit role assignments can be updated by passing in the scim_group_implicit_role_assignments argument to the Update SCIM connection endpoint.

detailsobject

An object containing additional metadata about the source assignment. The fields will vary depending on the role assignment type as follows: direct_assignment – no additional details. email_assignment – will contain the email domain that granted the assignment. sso_connection – will contain the connection_id of the SAML connection that granted the assignment. sso_connection_group – will contain the connection_id of the SAML connection and the name of the group that granted the assignment. scim_connection_group – will contain the connection_id of the SAML connection and the group_id that granted the assignment.

is_adminboolean

Whether or not the Member has the stytch_admin Role. This Role is automatically granted to Members who create an Organization through the discovery flow. See the RBAC guide for more details on this Role.

created_atstring

The timestamp of the Member's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

updated_atstring

The timestamp of when the Member was last updated. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.


organizationobject
organization_idstring

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.

organization_namestring

The name of the Organization. Must be between 1 and 128 characters in length.

organization_logo_urlstring

The image URL of the Organization logo.

organization_slugstring

The unique URL slug of the Organization. The slug only accepts alphanumeric characters and the following reserved characters: - . _ ~. Must be between 2 and 128 characters in length. Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience.

organization_external_idstring

A unique identifier for the organization.

sso_jit_provisioningstring

The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are: ALL_ALLOWED – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's sso_active_connections. RESTRICTED – only new Members with SSO logins that comply with sso_jit_provisioning_allowed_connections can be provisioned upon authentication. NOT_ALLOWED – disable JIT provisioning via SSO.

sso_jit_provisioning_allowed_connectionsarray[strings]

An array of connection_ids that reference SAML Connection objects. Only these connections will be allowed to JIT provision Members via SSO when sso_jit_provisioning is set to RESTRICTED.

sso_active_connectionsarray[objects]
connection_idstring

Globally unique UUID that identifies a specific SSO connection_id for a Member.

display_namestring

A human-readable display name for the connection.

scim_active_connectionobject
connection_idstring

The ID of the SCIM connection.

display_namestring

A human-readable display name for the connection.

email_allowed_domainsarray[strings]

An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either email_invites or email_jit_provisioning is set to RESTRICTED. Common domains such as gmail.com are not allowed. See the common email domains resource for the full list.

email_jit_provisioningstring

The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are: RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be provisioned upon authentication via Email Magic Link or OAuth. NOT_ALLOWED – the default setting, disables JIT provisioning via Email Magic Link and OAuth.

email_invitesstring

The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are: ALL_ALLOWED – any new Member can be invited to join via email. RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be invited via email. NOT_ALLOWED – disable email invites.

auth_methodsstring

The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are: ALL_ALLOWED – the default setting which allows all authentication methods to be used. RESTRICTED – only methods that comply with allowed_auth_methods can be used for authentication. This setting does not apply to Members with is_breakglass set to true.

allowed_auth_methodsarray[strings]

An array of allowed authentication methods. This list is enforced when auth_methods is set to RESTRICTED. The list's accepted values are: sso, magic_link, email_otp, password, google_oauth, microsoft_oauth, slack_oauth, github_oauth, and hubspot_oauth.

mfa_methodsstring

The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are: ALL_ALLOWED – the default setting which allows all authentication methods to be used. RESTRICTED – only methods that comply with allowed_mfa_methods can be used for authentication. This setting does not apply to Members with is_breakglass set to true.

allowed_mfa_methodsarray[strings]

An array of allowed MFA authentication methods. This list is enforced when mfa_methods is set to RESTRICTED. The list's accepted values are: sms_otp and totp.

trusted_metadataobject

An arbitrary JSON object for storing application-specific data or identity-provider-specific data.

sso_default_connection_idstring

The default connection used for SSO when there are multiple active connections.

rbac_email_implicit_role_assignmentsarray[object]

Implicit role assignments based off of email domains. For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the associated Role, regardless of their login method. See the RBAC guide for more information about role assignment.

domainstring

Email domain that grants the specified Role.

role_idstring

The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.

Reserved role_ids that are predefined by Stytch include:

  • stytch_member
  • stytch_admin

Check out the guide on Stytch default Roles for a more detailed explanation.

oauth_tenant_jit_provisioningstring

The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are: RESTRICTED – only new Members with tenants in allowed_oauth_tenants can JIT provision via tenant. NOT_ALLOWED – the default setting, disables JIT provisioning by OAuth Tenant.

allowed_oauth_tenantsobject

A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github".

first_party_connected_apps_allowed_typestring

The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are: ALL_ALLOWED – the default setting, any first party Connected App in the Project is permitted for use by Members. RESTRICTED – only first party Connected Apps with IDs in allowed_first_party_connected_apps can be used by Members. NOT_ALLOWED – no first party Connected Apps are permitted.

allowed_first_party_connected_appsarray[strings]

An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's first_party_connected_apps_allowed_type is RESTRICTED.

third_party_connected_apps_allowed_typestring

The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are: ALL_ALLOWED – the default setting, any third party Connected App in the Project is permitted for use by Members. RESTRICTED – only third party Connected Apps with IDs in allowed_first_party_connected_apps can be used by Members. NOT_ALLOWED – no third party Connected Apps are permitted.

allowed_third_party_connected_appsarray[strings]

An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's third_party_connected_apps_allowed_type is RESTRICTED.

created_atstring

The timestamp of the Organization's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

updated_atstring

The timestamp of when the Organization was last updated. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

const stytch = require('stytch');

const client = new stytch.B2BClient({
  project_id: 'PROJECT_ID',
  secret: 'SECRET',
});

const params = {
  impersonation_token: "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=",
};

client.impersonation.authenticate(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });
RESPONSE 200
{
  "status_code": 200,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "member_id": "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f",
  "organization_id": "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
  "session_jwt": "example_jwt",
  "session_token": "mZAYn5aLEqKUlZ_Ad9U_fWr38GaAQ1oFAhT8ds245v7Q",
  "intermediate_session_token": "",
  "member_authenticated": true,
  "mfa_required": null,
  "primary_required": null,
  "member_session": {...},
  "member": {...},
  "organization": {...}
}
RESPONSE 401
{
  "status_code": 401,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "unauthorized_credentials",
  "error_message": "Unauthorized credentials.",
  "error_url": "https://stytch.com/docs/api/errors/401"
}
RESPONSE 429
{
  "status_code": 429,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "too_many_requests",
  "error_message": "Too many requests have been made.",
  "error_url": "https://stytch.com/docs/api/errors/429"
}
RESPONSE 500
{
  "status_code": 500,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "internal_server_error",
  "error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
  "error_url": "https://stytch.com/docs/api/errors/500"
}

Common Error Types