{
"type": "object",
"properties": {
"email": {
"type": "string",
"description": "The user's email address.",
"format": "email"
},
"email_verified": {
"type": "boolean",
"default": false,
"description": "Indicates whether the user has verified their email address."
},
"user_id": {
"type": "string",
"description": "The user's unique identifier. This will be prepended by the connection strategy."
},
"username": {
"type": "string",
"description": "The user's username."
},
"given_name": {
"type": "string",
"description": "The user's given name."
},
"family_name": {
"type": "string",
"description": "The user's family name."
},
"name": {
"type": "string",
"description": "The user's full name."
},
"nickname": {
"type": "string",
"description": "The user's nickname."
},
"picture": {
"type": "string",
"description": "URL pointing to the user's profile picture."
},
"blocked": {
"type": "boolean",
"description": "Indicates whether the user has been blocked."
},
"password_hash": {
"type": "string",
"description": "Hashed password for the user. Passwords should be hashed using bcrypt $2a$ or $2b$ and have 10 saltRounds."
},
"custom_password_hash": {
"type": "object",
"description": "A more generic way to provide the users password hash. This can be used in lieu of the password_hash field when the users password hash was created with an alternate algorithm. Note that this field and password_hash are mutually exclusive.",
"properties": {
"algorithm": {
"type": "string",
"enum": [
"argon2",
"bcrypt",
"hmac",
"ldap",
"md4",
"md5",
"sha1",
"sha256",
"sha512",
"pbkdf2",
"scrypt"
],
"description": "The algorithm that was used to hash the password."
},
"hash": {
"type": "object",
"properties": {
"value": {
"type": "string",
"description": "The password hash."
},
"encoding": {
"type": "string",
"enum": [
"base64",
"hex",
"utf8"
],
"description": "The encoding of the provided hash. Note that both upper and lower case hex variants are supported, as well as url-encoded base64."
},
"digest": {
"type": "string",
"description": "The algorithm that was used to generate the HMAC hash",
"enum": [
"md4",
"md5",
"ripemd160",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"whirlpool"
]
},
"key": {
"type": "object",
"description": "The key that was used to generate the HMAC hash",
"required": [
"value"
],
"properties": {
"value": {
"type": "string",
"description": "The key value"
},
"encoding": {
"type": "string",
"enum": [
"base64",
"hex",
"utf8"
],
"default": "utf8",
"description": "The key encoding"
}
}
}
}
},
"salt": {
"type": "object",
"properties": {
"value": {
"type": "string",
"description": "The salt value used to generate the hash."
},
"encoding": {
"type": "string",
"enum": [
"base64",
"hex",
"utf8"
],
"default": "utf8",
"description": "The encoding of the provided salt. Note that both upper and lower case hex variants are supported, as well as url-encoded base64."
},
"position": {
"type": "string",
"enum": [
"prefix",
"suffix"
],
"default": "prefix",
"description": "The position of the salt when the hash was calculated. For example; MD5('salt' + 'password') = '67A1E09BB1F83F5007DC119C14D663AA' would have \"position\":\"prefix\"."
}
},
"required": [
"value"
]
},
"password": {
"type": "object",
"properties": {
"encoding": {
"type": "string",
"enum": [
"ascii",
"utf8",
"utf16le",
"ucs2",
"latin1",
"binary"
],
"default": "utf8",
"description": "The encoding of the password used to generate the hash. On login, the user-provided password will be transcoded from utf8 before being checked against the provided hash. For example; if your hash was generated from a ucs2 encoded string, then you would supply \"encoding\":\"ucs2\"."
}
}
},
"keylen" : {
"type": "integer",
"description": "Desired key length in bytes for the scrypt hash. Must be an integer greater than zero. Required when algorithm is set to scrypt."
},
"cost" : {
"type": "integer",
"default": 16384,
"description": "CPU/memory cost parameter used for the scrypt hash. Must be a power of two greater than one. Only used when algorithm is set to scrypt."
},
"blockSize" : {
"type": "integer",
"default": 8,
"description": "Block size parameter used for the scrypt hash. Must be a positive integer. Only used when algorithm is set to scrypt."
},
"parallelization" : {
"type": "integer",
"default": 1,
"description": "Parallelization parameter used for the scrypt hash. Must be a positive integer. Only used when algorithm is set to scrypt."
}
},
"required": [
"algorithm",
"hash"
],
"additionalProperties": false
},
"app_metadata": {
"type": "object",
"description": "Data related to the user that does affect the application's core functionality."
},
"user_metadata": {
"type": "object",
"description": "Data related to the user that does not affect the application's core functionality."
},
"mfa_factors": {
"type": "array",
"items": {
"type": "object",
"properties": {
"totp": {
"type": "object",
"properties": {
"secret": {
"type": "string",
"pattern": "^[A-Z2-7]+$",
"description": "The OTP secret is used with authenticator apps (Google Authenticator, Microsoft Authenticator, Authy, 1Password, LastPass). It must be supplied in un-padded Base32 encoding, such as: JBTWY3DPEHPK3PNP"
}
},
"additionalProperties": false,
"required": [
"secret"
]
},
"phone": {
"type": "object",
"properties": {
"value": {
"type": "string",
"pattern": "^\\+[0-9]{1,15}$",
"description": "The phone number for SMS MFA. The phone number should include a country code and begin with +, such as: +12125550001"
}
},
"additionalProperties": false,
"required": [
"value"
]
},
"email": {
"type": "object",
"properties": {
"value": {
"type": "string",
"format": "email",
"description": "The email address for MFA"
}
},
"additionalProperties": false,
"required": [
"value"
]
}
},
"maxProperties": 1,
"additionalProperties": false
},
"minItems": 1,
"maxItems": 10
}
},
"required": [
"email"
],
"additionalProperties": false
}
