User import without password hashes

Problem statement

When importing user data, such as through the Management API, what happens if I import users without password hashes at first and then try to update their passwords in a second import attempt?

Solution

After a user has been imported, the password_hash attribute cannot be updated. See the “Upsert During Import?” column in the doc below.

The custom_password_hash attribute, on the other hand, is updatable, so a second import could update the hash. However, if you do not specify custom_password_hash in the initial user import, the endpoint assumes password_hash was used. Since password_hash is not provided either, the user is created with no password, and that information is saved in password_hash, which can be set only at initial import.

If you had provided custom_password_hash during the first import, you could override the existing password with a new hash, as long as the users had not logged in yet. Without it, the only options at this point are to delete the users or to delete the connection into which the users were imported. Deleting and recreating the connection is the easiest option, but it deletes all users in the connection, so it may not be feasible for every use case.
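To avoid ending up in this state, the import file can be checked before the first import. The following pre-flight check is an added example, not code from the product or its documentation. Only the attribute names password_hash and custom_password_hash come from this page; the email field, the shape of the hash object, the sample records and the function names are assumptions made for illustration.

```python
import json

# Constructed sample import file (not real data). The record layout other than
# the password_hash / custom_password_hash attribute names is an assumption.
SAMPLE_IMPORT = json.dumps([
    {"email": "a@example.com",
     "custom_password_hash": {"algorithm": "bcrypt",
                              "hash": {"value": "<placeholder-hash>"}}},
    {"email": "b@example.com", "password_hash": "<placeholder-hash>"},
    {"email": "c@example.com"},
    {"email": "d@example.com", "custom_password_hash": None},
])


def classify_record(user):
    """Classify how the initial import would treat this record's password."""
    if user.get("custom_password_hash"):
        # Updatable: a later import can override the hash
        # (per the page, only while the user has not logged in yet).
        return "updatable"
    if user.get("password_hash"):
        # Set at initial import only; a later import cannot change it.
        return "fixed"
    # Neither attribute present: the user is created with no password and
    # that state is stored in password_hash, which cannot be updated later.
    return "locked-empty"


def preflight(import_json):
    """Group the records of an import file by password outcome."""
    report = {"updatable": [], "fixed": [], "locked-empty": []}
    for index, user in enumerate(json.loads(import_json)):
        ident = user.get("email", f"record #{index}")
        report[classify_record(user)].append(ident)
    return report


def safe_to_import(import_json):
    """True only if no record would be created without a password."""
    return not preflight(import_json)["locked-empty"]


if __name__ == "__main__":
    for outcome, users in preflight(SAMPLE_IMPORT).items():
        print(f"{outcome}: {users}")
    print("safe to import:", safe_to_import(SAMPLE_IMPORT))
```

Records reported as locked-empty are the ones that would need deleting and re-importing later, so the import should be held back until they carry a custom_password_hash.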