
Stytch offers user impersonation functionality that allows you to log into your application as a specific end user in order to troubleshoot and debug securely.

Enabling user impersonation for your Stytch project

User impersonation is disabled by default for each of your Stytch projects. In order to enable it, a member of your team with the Admin role in the Stytch Dashboard should navigate to the Password and User Policies page and toggle on the Allow user impersonation setting. Be sure to click Save after modifying the setting.

Generating a user impersonation token

Once user impersonation has been enabled for your project, team members with the Admin, Developer, or Support Manager roles can begin the user impersonation flow by selecting the User they’d like to impersonate on the Users page, scrolling down, and clicking Impersonate user. Your team member will be asked to provide a reason for impersonating the user, which will be available later on for auditing purposes. They’ll then click Launch in new tab, which initiates the user impersonation flow in a new browser tab at your project’s default login redirect URL with an impersonation token appended to the query parameters. Here’s an example:
https://yourdomain/authenticate?stytch_token_type=impersonation&token=O3c65CBJXdCrej_PdwuNM7npoUzzCBVKgIxxpqMpB1oF
Note that it is not possible to generate a user impersonation token programmatically. If that is a requirement for your use case, see the Programmatic user impersonation section below.

Authenticating a user impersonation token

Your application should then retrieve the impersonation token from your login redirect URL’s query parameters and authenticate it via the Authenticate impersonation token endpoint. If you’re using our frontend JavaScript SDK, you can authenticate the token via the authenticateByUrl method. However, you’ll first need to enable the Authenticate user impersonation tokens setting on the Frontend SDK Configuration page in the Stytch Dashboard. At this point, you’ll receive a new Stytch Session for the target user. Stytch Sessions created through user impersonation always have a duration of one hour, and can be explicitly revoked via the Revoke Session endpoint. They contain a single factor in their authentication_factors array of type impersonated that includes the impersonator’s email address. Here’s an example Stytch Session that was created through user impersonation:
"session": {
    "attributes": {...},
    "authentication_factors": [
        {
            "created_at": "2026-04-28T16:14:26Z",
            "delivery_method": "impersonation",
            "impersonated_factor": {
                "impersonator_email_address": "email@example.com",
                "impersonator_id": "member-live-..."
            },
            "last_authenticated_at": "2026-04-28T16:14:26Z",
            "type": "impersonated",
            "updated_at": "2026-04-28T16:14:26Z"
        }
    ],
    "custom_claims": {...},
    "expires_at": "2026-04-28T17:14:26Z",
    "last_accessed_at": "2026-04-28T16:15:27Z",
    "roles": [...],
    "session_id": "session-live-...",
    "started_at": "2026-04-28T16:14:26Z",
    "user_id": "user-live-..."
}
Sessions created through user impersonation can be authenticated via the Authenticate session endpoints or SDK methods using the session_token or session_jwt values from the Authenticate user impersonation token response.
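The following is an added example, not Stytch's own code, showing how an application can recognize the impersonation redirect described above and inspect the resulting Session for an impersonated factor so that such sessions can be logged and restricted. It assumes the redirect URL shape and the session JSON shown in this guide; the list of actions to block during impersonation is an assumption of the example, and the Stytch authenticate call itself is omitted.

```javascript
// Parse the login redirect URL; returns {tokenType, token, isImpersonation}
// or null when the expected query parameters are missing.
function parseRedirect(url) {
  const params = new URL(url).searchParams;
  const tokenType = params.get("stytch_token_type");
  const token = params.get("token");
  if (!tokenType || !token) return null;
  return { tokenType, token, isImpersonation: tokenType === "impersonation" };
}

// Extract impersonation details from a session object (shape as in this guide);
// returns null for a session created through a normal login.
function impersonationInfo(session) {
  const factor = (session.authentication_factors || []).find(
    (f) => f.type === "impersonated" && f.impersonated_factor
  );
  if (!factor) return null;
  return {
    impersonatorEmail: factor.impersonated_factor.impersonator_email_address,
    impersonatorId: factor.impersonated_factor.impersonator_id,
    expiresAt: session.expires_at,
  };
}

// Application-side guardrail (an assumption of this example, not a Stytch rule):
// deny account-altering actions while a session is impersonated.
const SENSITIVE_ACTIONS = new Set(["change_password", "update_payment_method"]);

function authorizeAction(session, action) {
  const info = impersonationInfo(session);
  if (info && SENSITIVE_ACTIONS.has(action)) {
    return { allowed: false, reason: `blocked: session impersonated by ${info.impersonatorEmail}` };
  }
  return { allowed: true, reason: info ? "impersonated session" : "normal session" };
}

// Constructed sample session mirroring the guide's example (trimmed to the relevant fields).
const SAMPLE_SESSION = {
  authentication_factors: [{
    type: "impersonated",
    delivery_method: "impersonation",
    impersonated_factor: { impersonator_email_address: "email@example.com", impersonator_id: "member-live-..." },
  }],
  expires_at: "2026-04-28T17:14:26Z",
  session_id: "session-live-...",
  user_id: "user-live-...",
};
```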

Audit logging

After a user impersonation token is authenticated, you’ll find an event in the Stytch Dashboard’s Activity tab with an action value of AuthenticateImpersonationToken. This event will contain additional details about the user impersonation, such as the user_id, the impersonator’s email address, and the reason that the impersonator provided for the impersonation. If you take advantage of our Event log streaming feature, the user impersonation logs are available there as well. We also emit a webhook with an event type of direct.user.impersonate whenever a User is impersonated.

Programmatic user impersonation

For security purposes, we do not provide an API endpoint that generates user impersonation tokens. However, programmatic user impersonation may be desirable for some use cases. If you understand and accept the security implications, it is possible to use our Trusted Auth Tokens feature to programmatically generate a Stytch Session on behalf of a User. See our Custom auth factors guide for implementation instructions. If you choose to use Trusted Auth Tokens for user impersonation, you will be responsible for maintaining your own access controls, audit logs, and other security guardrails.
If implemented improperly or without sufficient protections against misuse, user impersonation can introduce serious security risks in your application.