User by ID
GET /resources/v3alpha/users/:id
Returns the user identified by the requested ID.
Request
Path Parameters
unique identifier of the user.
Query Parameters
Responses
- 200
- 403
- 404
- default
200: User successfully retrieved
- application/json
- application/grpc
- application/grpc-web+proto
Schema
user
object
details
object
Details provide some base information (such as the last change date) of the user.
the timestamp of the first event applied to the object.
the timestamp of the last event applied to the object.
owner
object
the parent object representing the returned object's context.
Possible values: [OWNER_TYPE_UNSPECIFIED, OWNER_TYPE_SYSTEM, OWNER_TYPE_INSTANCE, OWNER_TYPE_ORG]
Default value: OWNER_TYPE_UNSPECIFIED
schema
object
The schema the user and its data are based on.
The unique identifier of the user schema.
The human readable name of the user schema.
The revision of the schema that the user's data is based on.
contact
object
Contact information for the user. ZITADEL will use this in case of internal notifications.
email
object
Email contact information of the user.
Email address of the user.
IsVerified states if the email address has been verified to belong to the user.
phone
object
Phone contact information of the user.
Phone number of the user.
IsVerified states if the phone number has been verified to belong to the user.
authenticators
object
The user's authenticators. They are used to identify and authenticate the user during the authentication process.
usernames
object[]
All of the user's usernames, which will be used for identification during authentication.
unique identifier of the username.
The user's unique username. It is used for identification during authentication.
By default usernames must be unique across all organizations in an instance. This option allows restricting the uniqueness to the user's own organization. As a result, this username can only be used if the authentication is limited to the corresponding organization.
This can be useful if you provide multiple usernames for a single user, where one is specific to your organization, e.g.:
- [email protected] (unique across organizations)
- gigi-giraffe (unique only inside the ZITADEL organization)
password
object
If the user has set a password, the time it was last changed will be returned.
States the time the password was last changed.
webAuthN
object[]
Meta information about the user's WebAuthN authenticators.
unique identifier of the WebAuthN authenticator.
Name of the WebAuthN authenticator. This is used for easier identification.
States whether the WebAuthN registration has been completed.
States if the user has been verified during the registration. Authentication with this device will be considered as multi-factor authentication (MFA) without the need to check a password (typically known as Passkeys). Without user verification it will be a second factor authentication (2FA), typically done after a password check.
More on WebAuthN User Verification: https://www.w3.org/TR/webauthn/#user-verification
totps
object[]
A list of the user's time-based one-time password (TOTP) authenticators, incl. the name for identification.
unique identifier of the time-based one-time password (TOTP) authenticator.
The name provided during registration. This is used for easier identification.
States whether the TOTP registration has been completed.
otpSms
object[]
A list of the user's one-time password (OTP) SMS authenticators.
unique identifier of the one-time password (OTP) SMS authenticator.
The phone number used for the OTP SMS authenticator.
States whether the OTP SMS registration has been completed.
otpEmail
object[]
A list of the user's one-time password (OTP) Email authenticators.
unique identifier of the one-time password (OTP) Email authenticator.
The email address used for the OTP Email authenticator.
States whether the OTP Email registration has been completed.
authenticationKeys
object[]
A list of the user's authentication keys. They can be used to authenticate e.g. by JWT Profile.
ID is the read-only unique identifier of the authentication key.
details
object
the timestamp of the first event applied to the object.
the timestamp of the last event applied to the object.
owner
object
the parent object representing the returned object's context.
Possible values: [OWNER_TYPE_UNSPECIFIED, OWNER_TYPE_SYSTEM, OWNER_TYPE_INSTANCE, OWNER_TYPE_ORG]
Default value: OWNER_TYPE_UNSPECIFIED
Possible values: [AUTHN_KEY_TYPE_UNSPECIFIED, AUTHN_KEY_TYPE_JSON]
Default value: AUTHN_KEY_TYPE_UNSPECIFIED
After the expiration date, the key will no longer be usable for authentication.
identityProviders
object[]
A list of the user's linked identity providers (IDPs).
IDP ID is the read-only unique identifier of the identity provider in ZITADEL.
IDP name is the name of the identity provider in ZITADEL.
The user ID represents the ID provided by the identity provider. This ID is used to link the user in ZITADEL with the identity provider.
The username represents the username provided by the identity provider.
Possible values: [USER_STATE_UNSPECIFIED, USER_STATE_ACTIVE, USER_STATE_INACTIVE, USER_STATE_DELETED, USER_STATE_LOCKED]
Default value: USER_STATE_UNSPECIFIED
State of the user.
Example (from schema)
{
  "user": {
    "details": {
      "id": "69629012906488334",
      "created": "2025-01-06T09:05:16.106Z",
      "changed": "2025-01-06T09:05:16.107Z",
      "owner": "69629023906488334"
    },
    "schema": {
      "id": "69629026806489455",
      "type": "employees",
      "revision": 7
    },
    "data": {
      "name": "Gigi",
      "description": "the giraffe"
    },
    "contact": {
      "email": {
        "address": "[email protected]",
        "isVerified": true
      },
      "phone": {
        "number": "+41791234567",
        "isVerified": true
      }
    },
    "authenticators": {
      "usernames": [
        {
          "usernameId": "string",
          "username": "gigi-giraffe",
          "isOrganizationSpecific": true
        }
      ],
      "password": {
        "lastChanged": "2019-04-01T08:45:00.000000Z"
      },
      "webAuthN": [
        {
          "webAuthNId": "69629023906488334",
          "name": "fido key",
          "isVerified": true,
          "userVerified": true
        }
      ],
      "totps": [
        {
          "totpId": "69629023906488334",
          "name": "Google Authenticator",
          "isVerified": true
        }
      ],
      "otpSms": [
        {
          "otpSmsId": "69629023906488334",
          "phone": "+41791234567",
          "isVerified": true
        }
      ],
      "otpEmail": [
        {
          "otpEmailId": "69629023906488334",
          "address": "[email protected]",
          "isVerified": true
        }
      ],
      "authenticationKeys": [
        {
          "authenticationKeyId": "69629023906488334",
          "details": {
            "id": "69629012906488334",
            "created": "2025-01-06T09:05:16.107Z",
            "changed": "2025-01-06T09:05:16.107Z",
            "owner": "69629023906488334"
          },
          "type": "KEY_TYPE_JSON",
          "expirationDate": "3019-04-01T08:45:00.000000Z"
        }
      ],
      "identityProviders": [
        {
          "idpId": "69629023906488334",
          "idpName": "google",
          "userId": "as-12-df-89",
          "username": "[email protected]"
        }
      ]
    },
    "state": "USER_STATE_UNSPECIFIED"
  }
}
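The authenticator fields above are enough to audit how strongly a user can authenticate. The following is an added example, not part of the ZITADEL documentation or code base: the function name assess_user, the level labels and the sample data are constructed for illustration, and the field names are taken from the example response on this page.

```python
import json
from datetime import datetime, timezone

# Constructed sample, trimmed from the page's example response and altered to
# include an incomplete TOTP registration and an expired authentication key.
SAMPLE = json.loads("""
{"user": {
  "authenticators": {
    "password": {"lastChanged": "2019-04-01T08:45:00.000000Z"},
    "webAuthN": [
      {"webAuthNId": "1", "name": "fido key", "isVerified": true, "userVerified": false}
    ],
    "totps": [{"totpId": "2", "name": "Google Authenticator", "isVerified": false}],
    "otpSms": [{"otpSmsId": "3", "phone": "+41791234567", "isVerified": true}],
    "authenticationKeys": [
      {"authenticationKeyId": "4", "type": "KEY_TYPE_JSON",
       "expirationDate": "2020-01-01T00:00:00.000000Z"}
    ]
  },
  "state": "USER_STATE_ACTIVE"
}}
""")


def _ts(value):
    """Parse the timestamps used in the response (a trailing 'Z' means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_user(response, now=None):
    """Summarise authentication strength from a 'User by ID' response body."""
    now = now or datetime.now(timezone.utc)
    user = response.get("user") or {}
    auth = user.get("authenticators") or {}
    passkeys, second_factors, pending, expired_keys = [], [], [], []

    for w in auth.get("webAuthN") or []:
        if not w.get("isVerified"):          # registration never completed
            pending.append(("webAuthN", w.get("webAuthNId")))
        elif w.get("userVerified"):          # counts as MFA without a password
            passkeys.append(w.get("webAuthNId"))
        else:                                # usable as a second factor only
            second_factors.append(("webAuthN", w.get("webAuthNId")))

    for kind, id_field in (("totps", "totpId"), ("otpSms", "otpSmsId"),
                           ("otpEmail", "otpEmailId")):
        for item in auth.get(kind) or []:
            target = second_factors if item.get("isVerified") else pending
            target.append((kind, item.get(id_field)))

    for key in auth.get("authenticationKeys") or []:
        exp = key.get("expirationDate")
        if exp and _ts(exp) <= now:          # no longer usable for authentication
            expired_keys.append(key.get("authenticationKeyId"))

    # The password object carries lastChanged only if a password has been set.
    has_password = "lastChanged" in (auth.get("password") or {})
    level = ("passkey" if passkeys else
             "password+2fa" if has_password and second_factors else
             "password-only" if has_password else "none")
    return {"state": user.get("state"), "level": level, "passkeys": passkeys,
            "second_factors": second_factors, "pending": pending,
            "expired_keys": expired_keys}
```

Entries in pending are registrations that were started but never completed, so they are not counted as factors; expired_keys lists authentication keys that can be cleaned up.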
403: Returned when the user does not have permission to access the resource.
- application/json
- application/grpc
- application/grpc-web+proto
Schema
details
object[]
Example (from schema)
{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}
404: Returned when the resource does not exist.
- application/json
- application/grpc
- application/grpc-web+proto
Schema
details
object[]
Example (from schema)
{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}
default: An unexpected error response.
- application/json
- application/grpc
- application/grpc-web+proto
Schema
details
object[]
Example (from schema)
{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}