Common Questions About User Management

Q: Are migrated users treated as new signups?

A: We only consider successfully logged-in users as active. Migrated users have to log in to be counted. All of the calculations are monthly.


Q: Are social users treated as new signups?

A: Yes.

Q: When a new account is created via the Management API, does that increase the signup count?

A: Yes.

Q: When a social account is linked to a database account, does the signup count change?

A: If a user signs in with username/password and later signs in with a social connection, the merge rule is triggered on the same email, and the identities will be merged into a single record. However, the rule is triggered after authentication, so the logs show 2 active users and do not take into account the fact that the users were merged. The result is 2 active users for the first month, then 1 active user for subsequent months using either ID.

Q: What events trigger the active user count?

A: We consider a user to be active in a given month if they have generated a user activity log entry with their user_id under one of the following events:

  • s: Successful login
  • sepft: Successful exchange of password for token
  • ssa: Successful silent authentication
  • seoobft: Successful exchange of Password and OOB Challenge for Access Token
  • seotpft: Successful exchange of Password and OTP Challenge for Access Token
  • sercft: Successful exchange of Password and MFA Recovery code for Access Token
  • sertft: Successful exchange of Refresh Token for Access Token
  • seacft: Successful exchange of authorization code for Access Token
  • scoa: Success cross-origin authentication
  • sens: Successful native social exchange

This article explains the log event type codes.
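
The counting rule above can be reproduced over exported tenant logs, shown here as an added example that is not Auth0's own code. It assumes each log entry carries `date`, `type` and `user_id` fields and that months are bucketed in UTC; the function names and sample entries are constructed for illustration.

```javascript
// Event type codes copied from the list above.
const ACTIVE_EVENT_TYPES = new Set([
  "s", "sepft", "ssa", "seoobft", "seotpft",
  "sercft", "sertft", "seacft", "scoa", "sens",
]);

// Map of "YYYY-MM" -> Set of distinct user_ids that produced a qualifying event.
function activeUsersByMonth(logs) {
  const byMonth = new Map();
  for (const entry of logs) {
    if (!ACTIVE_EVENT_TYPES.has(entry.type)) continue; // not a counted event
    if (!entry.user_id) continue;                      // no user attached to the event
    const when = new Date(entry.date);
    if (Number.isNaN(when.getTime())) continue;        // skip unparseable timestamps
    const month = when.toISOString().slice(0, 7);      // UTC bucket (assumption)
    if (!byMonth.has(month)) byMonth.set(month, new Set());
    byMonth.get(month).add(entry.user_id);
  }
  return byMonth;
}

// Number of distinct active users in one "YYYY-MM" month.
function activeCount(logs, month) {
  const users = activeUsersByMonth(logs).get(month);
  return users ? users.size : 0;
}

// Constructed sample entries, not real tenant data.
const sampleLogs = [
  { date: "2024-01-03T09:00:00.000Z", type: "s", user_id: "auth0|u1" },
  { date: "2024-01-03T09:05:00.000Z", type: "sertft", user_id: "auth0|u1" },    // same user, counted once
  { date: "2024-01-10T12:00:00.000Z", type: "s", user_id: "google-oauth2|g1" }, // social login logged before the merge
  { date: "2024-01-11T08:00:00.000Z", type: "f", user_id: "auth0|u2" },         // code not in the list: ignored
  { date: "2024-01-12T08:00:00.000Z", type: "ss", user_id: "auth0|u3" },        // code not in the list: ignored
  { date: "2024-02-02T10:00:00.000Z", type: "s", user_id: "auth0|u1" },         // merged record
  { date: "2024-02-15T10:00:00.000Z", type: "ssa", user_id: "auth0|u1" },
  { date: "not-a-date", type: "s", user_id: "auth0|u4" },                       // malformed entry: skipped
];

console.log("2024-01:", activeCount(sampleLogs, "2024-01"));
console.log("2024-02:", activeCount(sampleLogs, "2024-02"));
```

The January result reflects the account-linking case from the earlier answer: both identities logged in before the merge, so both user_ids are counted that month.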

Q: Can we add a user’s permission in the ID token?

A: By definition, ID tokens are used for authentication purposes only, and access tokens should ideally be used for authorization services. Therefore, we don't have an automatic way to include the user's permissions in the ID token.

Q: Can we generate an access_token for a user based on user id?

A: This type of functionality to obtain user tokens without authenticating the user was deprecated due to security concerns and is no longer available.

Q: Can we have a unique user_id across tenants?

A: We can only guarantee user_ids are unique within a tenant.

Q: Can we check a user's blocked status in an Action?

A: We cannot, because a blocked user cannot log in, so the rule would not run.
