# User impersonation

> Learn about Stytch's built-in user impersonation functionality.

Stytch offers user impersonation functionality that allows you to log into your application as a specific end user
in order to troubleshoot and debug securely.

## Enabling user impersonation for your Stytch project

User impersonation is disabled by default for each of your Stytch projects. In order to enable it, a member of your team with the
Admin role in the Stytch Dashboard should navigate to the [Password and User Policies page](https://stytch.com/dashboard/password-strength-config)
and toggle on the **Allow user impersonation** setting. Be sure to click **Save** after modifying the setting.

<img src="https://mintcdn.com/stytch-34ca0595/Szg0AYDmk64qftvF/images/consumer-auth/authentication/user-impersonation/allow-impersonation-light.png?fit=max&auto=format&n=Szg0AYDmk64qftvF&q=85&s=a085e7449f854d77e95c4b7d5f9f4e8e" alt="Enabling user impersonation" className="block dark:hidden" width="1916" height="160" data-path="images/consumer-auth/authentication/user-impersonation/allow-impersonation-light.png" />

<img src="https://mintcdn.com/stytch-34ca0595/Szg0AYDmk64qftvF/images/consumer-auth/authentication/user-impersonation/allow-impersonation-dark.png?fit=max&auto=format&n=Szg0AYDmk64qftvF&q=85&s=ffeadf8e4d068dfaf6f9f1e2f81f9d35" alt="Enabling user impersonation" className="hidden dark:block" width="1916" height="160" data-path="images/consumer-auth/authentication/user-impersonation/allow-impersonation-dark.png" />

## Generating a user impersonation token

Once user impersonation has been enabled for your project, team members with the Admin, Developer, or Support Manager [roles](/resources/workspace-management/dashboard-roles-and-permissions)
can begin the user impersonation flow by selecting the User they'd like to impersonate on the [Users page](https://stytch.com/dashboard/user-management),
scrolling down, and clicking **Impersonate user**.

<img src="https://mintcdn.com/stytch-34ca0595/Szg0AYDmk64qftvF/images/consumer-auth/authentication/user-impersonation/impersonate-user-light.png?fit=max&auto=format&n=Szg0AYDmk64qftvF&q=85&s=b3879a36facf093cd0f4629b36524b9e" alt="Impersonating a User" className="block dark:hidden" width="1820" height="286" data-path="images/consumer-auth/authentication/user-impersonation/impersonate-user-light.png" />

<img src="https://mintcdn.com/stytch-34ca0595/Szg0AYDmk64qftvF/images/consumer-auth/authentication/user-impersonation/impersonate-user-dark.png?fit=max&auto=format&n=Szg0AYDmk64qftvF&q=85&s=0aef1c7fdb40f693a1d595d4b1e8747a" alt="Impersonating a User" className="hidden dark:block" width="1820" height="286" data-path="images/consumer-auth/authentication/user-impersonation/impersonate-user-dark.png" />

Your team member will be asked to provide a reason for impersonating the user, which will be available later on for auditing purposes. They'll then click
**Launch in new tab**, which initiates the user impersonation flow in a new browser tab at your project's default login redirect URL
with an impersonation token appended to the query parameters. Here's an example:

```
https://yourdomain/authenticate?stytch_token_type=impersonation&token=O3c65CBJXdCrej_PdwuNM7npoUzzCBVKgIxxpqMpB1oF
```

Note that it is **not** possible to generate a user impersonation token programmatically. If that is a requirement for your
use case, see the [Programmatic user impersonation](/consumer-auth/authentication/user-impersonation#programmatic-user-impersonation) section below.

## Authenticating a user impersonation token

Your application should then retrieve the impersonation token from your login redirect URL's query parameters and authenticate it via the
[Authenticate impersonation token endpoint](/api-reference/consumer/api/impersonation/authenticate-token).

If you're using our frontend JavaScript SDK, you can authenticate the token via the [authenticateByUrl method](/api-reference/consumer/frontend-sdks/vanilla-js/methods/impersonation/authenticate).
However, you'll first need to enable the **Authenticate user impersonation tokens** setting on the [Frontend SDK Configuration page](https://stytch.com/dashboard/sdk-configuration) in the Stytch Dashboard.

At this point, you'll receive a new Stytch Session for the target user. Stytch Sessions created through user impersonation always have a duration of one hour, and can be explicitly revoked via the
[Revoke Session endpoint](/api-reference/consumer/api/sessions/revoke-session). They contain a single factor in their `authentication_factors` array of type `impersonated` that includes the impersonator's email address.
Here's an example Stytch Session that was created through user impersonation:

```json
"session": {
    "attributes": {...},
    "authentication_factors": [
        {
            "created_at": "2026-04-28T16:14:26Z",
            "delivery_method": "impersonation",
            "impersonated_factor": {
                "impersonator_email_address": "email@example.com",
                "impersonator_id": "member-live-..."
            },
            "last_authenticated_at": "2026-04-28T16:14:26Z",
            "type": "impersonated",
            "updated_at": "2026-04-28T16:14:26Z"
        }
    ],
    "custom_claims": {...},
    "expires_at": "2026-04-28T17:14:26Z",
    "last_accessed_at": "2026-04-28T16:15:27Z",
    "roles": [...],
    "session_id": "session-live-...",
    "started_at": "2026-04-28T16:14:26Z",
    "user_id": "user-live-..."
}
```

Sessions created through user impersonation can be authenticated via the [Authenticate session](/api-reference/consumer/api/sessions/authenticate-session)
endpoints or SDK methods using the `session_token` or `session_jwt` values from the Authenticate user impersonation token response.
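The following is an added example, not Stytch's code: a server-side check that reads the session shape shown above to detect an impersonated session, deny a hypothetical set of sensitive actions, and build an application-side audit record. The function names, the blocked-action list, and the sample sessions are assumptions constructed for illustration.

```javascript
// Added example. Field names follow the sample session on this page;
// function names and the blocked-action policy are assumptions.

// Hypothetical policy: actions staff must not perform while impersonating.
const BLOCKED_WHILE_IMPERSONATING = new Set(["change_password", "delete_account"]);

// Returns impersonation details, or null for an ordinary session.
function getImpersonation(session) {
  const factors = session?.authentication_factors;
  if (!Array.isArray(factors)) {
    // Fail closed: an unexpected shape is never treated as "not impersonated".
    throw new TypeError("session.authentication_factors must be an array");
  }
  const factor = factors.find((f) => f?.type === "impersonated");
  if (!factor) return null;
  const details = factor.impersonated_factor ?? {};
  return {
    userId: session.user_id,
    sessionId: session.session_id,
    impersonatorId: details.impersonator_id ?? null,
    impersonatorEmail: details.impersonator_email_address ?? null,
    expiresAt: session.expires_at,
  };
}

// Decides whether `action` may proceed and builds an application-side audit
// record that names both the target user and the impersonator.
function authorizeAction(session, action) {
  const impersonation = getImpersonation(session);
  if (!impersonation) return { allowed: true, audit: null };
  const allowed = !BLOCKED_WHILE_IMPERSONATING.has(action);
  return { allowed, audit: { action, allowed, ...impersonation } };
}

// Constructed sample sessions (not real Stytch output).
const impersonatedSession = {
  session_id: "session-test-constructed",
  user_id: "user-test-constructed",
  expires_at: "2026-04-28T17:14:26Z",
  authentication_factors: [{
    type: "impersonated",
    impersonated_factor: {
      impersonator_id: "member-test-constructed",
      impersonator_email_address: "support@example.com",
    },
  }],
};
const ordinarySession = { ...impersonatedSession, authentication_factors: [{ type: "otp" }] };
```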

## Audit logging

After a user impersonation token is authenticated, you'll find an event in the Stytch Dashboard's [Activity tab](https://stytch.com/dashboard/activity) with
an `action` value of `AuthenticateImpersonationToken`. This event will contain additional details about the user impersonation,
such as the `user_id`, the impersonator's email address, and the reason that the impersonator provided for the
impersonation. If you take advantage of our [Event log streaming](/resources/workspace-management/event-log-streaming) feature,
the user impersonation logs are available there as well.

<img src="https://mintcdn.com/stytch-34ca0595/Szg0AYDmk64qftvF/images/consumer-auth/authentication/user-impersonation/impersonation-log-light.png?fit=max&auto=format&n=Szg0AYDmk64qftvF&q=85&s=a33fe82d59201983a0ac58bc36b0c88a" alt="Impersonation event log" className="block dark:hidden" width="2218" height="184" data-path="images/consumer-auth/authentication/user-impersonation/impersonation-log-light.png" />

<img src="https://mintcdn.com/stytch-34ca0595/Szg0AYDmk64qftvF/images/consumer-auth/authentication/user-impersonation/impersonation-log-dark.png?fit=max&auto=format&n=Szg0AYDmk64qftvF&q=85&s=5eb3534763d8a130379fba899f968001" alt="Impersonation event log" className="hidden dark:block" width="2218" height="184" data-path="images/consumer-auth/authentication/user-impersonation/impersonation-log-dark.png" />

We also emit a [webhook](https://stytch.com/dashboard/webhooks) with an event type of `direct.user.impersonate` whenever
a User is impersonated.

## Programmatic user impersonation

For security purposes, we do not provide an API endpoint that generates user impersonation tokens. However, programmatic user
impersonation may be desirable for some use cases.

If you understand and accept the security implications, it is possible to use our Trusted Auth Tokens feature to programmatically
generate a Stytch Session on behalf of a User. See our [Custom auth factors](/consumer-auth/authentication/trusted-auth-tokens/custom-factors)
guide for implementation instructions.

If you choose to use Trusted Auth Tokens for user impersonation, you will be responsible for maintaining your own access controls, audit logs,
and other security guardrails.

<Warning>If implemented improperly or without sufficient protections against misuse, user impersonation can introduce serious security
risks in your application.</Warning>
