Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
Member object
Fields
Globally unique UUID that identifies a specific Member. The member_id is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
An identifier that can be used in most API calls where a member_id is expected. This is a string consisting of alphanumeric, ., _, -, or | characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project.
The email address of the Member.
Whether or not the Member's email address is verified.
The status of the Member. The possible values are: pending, invited, active, or deleted.
Sets whether the Member is enrolled in MFA. If true, the Member must complete an MFA step whenever they wish to log in to their Organization. If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to REQUIRED_FOR_ALL.
The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).
Whether or not the Member's phone number is verified.
The Member's default MFA method. This value is used to determine which secondary MFA method to use in the case of multiple methods registered for a Member. The current possible values are sms_otp and totp.
A list of retired email addresses for this member. A previously active email address can be marked as retired in one of two ways:
- It's replaced with a new primary email address during an explicit Member update.
- A new email address is surfaced by an OAuth, SAML or OIDC provider. In this case the new email address becomes the Member's primary email address and the old primary email address is retired.
A retired email address cannot be used by other Members in the same Organization. However, unlinking retired email addresses allows them to be subsequently re-used by other Organization Members. Retired email addresses can be unlinked using the Unlink Retired Email endpoint.
The globally unique UUID of a Member's email.
The email address of the Member.
The name of the Member.
An arbitrary JSON object for storing application-specific data or identity-provider-specific data.
An arbitrary JSON object of application-specific data. These fields can be edited directly by the frontend SDK, and should not be used to store critical information. See the Metadata resource for complete field behavior details.
An array of registered SAML Connection or OIDC Connection objects the Member has authenticated with.
Globally unique UUID that identifies a specific SSO connection_id for a Member.
The unique ID of an SSO Registration.
The ID of the member given by the identity provider.
An object for storing SSO attributes brought over from the identity provider.
A list of OAuth registrations for this member.
Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc.
The unique identifier for the User within a given OAuth provider. Also commonly called the sub or "Subject field" in OAuth protocols.
If available, the profile_picture_url is a URL of the User's profile picture set in OAuth identity the provider that the User has authenticated with, e.g. Google profile picture.
If available, the locale is the Member's locale set in the OAuth identity provider that the user has authenticated with.
The unique ID of an OAuth registration.
A scim member registration, referencing a SCIM Connection object in use for the Member creation.
The ID of the SCIM connection.
The unique ID of a SCIM Registration.
The ID of the member given by the identity provider.
An object for storing SCIM attributes brought over from the identity provider.
Globally unique UUID that identifies a Member's password.
Globally unique UUID that identifies a TOTP instance.
Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the Organization object and its auth_methods and allowed_auth_methods fields for more details.
Explicit or implicit Roles assigned to this Member, along with details about the role assignment source. See the RBAC guide for more information about role assignment.
The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.
Reserved role_ids that are predefined by Stytch include:
- stytch_member
- stytch_admin
Check out the guide on Stytch default Roles for a more detailed explanation.
A list of sources for this role assignment. A role assignment can come from multiple sources - for example, the Role could be both explicitly assigned and implicitly granted from the Member's email domain.
The type of role assignment. The possible values are: direct_assignment – an explicitly assigned Role.
Directly assigned roles can be updated by passing in the roles argument to the Update Member endpoint. email_assignment – an implicit Role granted by the Member's email domain, regardless of their login method.
Email implicit role assignments can be updated by passing in the rbac_email_implicit_role_assignments argument to the Update Organization endpoint. sso_connection – an implicit Role granted by the Member's SSO connection. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the Role if their session contains an authentication factor with the specified SAML connection.
SAML connection implicit role assignments can be updated by passing in the saml_connection_implicit_role_assignments argument to the Update SAML connection endpoint. sso_connection_group – an implicit Role granted by the Member's SSO connection and group. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the role if their session contains an authentication factor with the specified SAML connection.
SAML group implicit role assignments can be updated by passing in the saml_group_implicit_role_assignments argument to the Update SAML connection endpoint.
scim_connection_group – an implicit Role granted by the Member's SCIM connection and group. If the Member has a SCIM Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list.
SCIM group implicit role assignments can be updated by passing in the scim_group_implicit_role_assignments argument to the Update SCIM connection endpoint.
An object containing additional metadata about the source assignment. The fields will vary depending on the role assignment type as follows: direct_assignment – no additional details. email_assignment – will contain the email domain that granted the assignment. sso_connection – will contain the connection_id of the SAML connection that granted the assignment. sso_connection_group – will contain the connection_id of the SAML connection and the name of the group that granted the assignment. scim_connection_group – will contain the connection_id of the SAML connection and the group_id that granted the assignment.
Whether or not the Member has the stytch_admin Role. This Role is automatically granted to Members who create an Organization through the discovery flow. See the RBAC guide for more details on this Role.
The timestamp of the Member's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
The timestamp of when the Member was last updated. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
{
"member": {
"email_address": "sandbox@stytch.com",
"email_address_verified": true,
"member_password_id": "member-password-test-51861cbc-d3b9-428b-9761-227f5fb12be9",
"member_id": "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f",
"external_id": "",
"name": "Test Member",
"organization_id": "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
"status": "active",
"is_breakglass": false,
"is_admin": false,
"mfa_enrolled": true,
"mfa_phone_number": "+12025550162",
"mfa_phone_number_verified": true,
"default_mfa_method": "totp",
"retired_email_addresses": [{
"email_id": "email-test-81bf03a8-86e1-4d95-bd44-bb3495224953",
"email_address": "sandbox@stytch.com"
}],
"totp_registration_id": "member-totp-test-41920359-8bbb-4fe8-8fa3-aaa83f35f02c",
"trusted_metadata": {
"role": "admin",
"teams": ["tech", "support"]
},
"untrusted_metadata": {
"job_title": "Business Analyst",
"preferred_locales": ["en", "es"]
},
"oauth_registrations": [{
"member_oauth_registration_id": "oauth-user-test-de86770c-911d-463f-80e7-f1b089cead14",
"provider_subject": "10769150350006150715113082367",
"provider_type": "Google",
"profile_picture_url": "example.com",
"locale": "en"
}],
"roles": [
{
"role_id": "reader",
"sources": [
{
"type": "email_assignment",
"details": { "email_domain": "example.com" }
}
]
},
{
"role_id": "contributor",
"sources": [
{
"type": "sso_connection_group",
"details": { "connection_id": "saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9", "group": "admins" }
}
]
},
{
"role_id": "reviewer",
"sources": [
{
"type": "scim_connection_group",
"details": {
"connection_id": "scim-connection-test-cdd5415a-c470-42be-8369-5c90cf7762dc",
"group_id": "scim-group-test-5c44cc6a-8af7-48d6-8da7-ea821342f5a6"
}
}
}
]
},
{
"role_id": "editor",
"sources": [
{
"type": "direct_assignment",
"details": {}
},
{
"type": "sso_connection",
"details": { "connection_id": "saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9" }
}
]
},
{
"role_id": "stytch_member",
"sources": [
{
"type": "direct_assignment",
"details": {}
}
]
}
],
"sso_registrations": [{
"connection_id": "saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9",
"external_id": "sandbox@stytch.com",
"registration_id": "saml-member-registration-test-9a6d293d-d8b3-42e8-abb4-220cc2060e93",
"sso_attributes": {
"email": ["sandbox@stytch.com"],
"first_name": ["Test"],
"last_name": ["Member"]
}
}],
"scim_registration": [{
"connection_id": "scim-connection-test-cdd5415a-c470-42be-8369-5c90cf7762dc",
"external_id": "00u8am9px8Ye2R0T55d2'
"registration_id": "scim-registration-test-ase5425a-jh52-14jk-9324-era3swqw",
"scim_attributes": {
"active": true,
"externalId": "00u8am9px8Ye2R0T55d2",
"id": "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f",
"userName": "${exampleEmail}"
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
...
}
}],
"created_at": "2023-01-01T00:00:00Z",
"updated_at": "2024-01-01T00:00:00Z"
}
}