User Creation
Email Password Migration
If you do not have access to your user's password hashes, you can use our guide for migrating them dynamically during login.
SuperTokens allows you to import users with password hashes generated with BCrypt, Argon2 and Firebase SCrypt with our import user API.
You can find the API spec here.
Migrating users With Argon2 or BCrypt Password hashes
For users with BCrypt or Argon2 password hashes you can use the following curl command to import your user.
curl --location --request POST '<CORE_API_ENDPOINT>/recipe/user/passwordhash/import' \
--header 'api-key: <YOUR_API_KEY>' \
--header 'Content-Type: application/json; charset=utf-8' \
--data-raw '{
"email": "[email protected]",
"passwordHash": "$argon2d$v=19$m=12,t=3,p=1$NWd0eGp4ZW91b3IwMDAwMA$57jcfXF19MyiUXSjkVBpEQ"
}'
SuperTokens accepts BCrypt and Argon2 hashes in standard format. When exporting password hashes from authentication providers the structure might be changed. For example, Auth0 prepends an identifier to the exported password hashes which needs to removed before importing into SuperTokens.
Sample password hashes for BCrypt and Argon2 in standard format:
- BCrypt:
$2a$10$GzEm3vKoAqnJCTWesRARCe/ovjt/07qjvcH9jbLUg44Fn77gMZkmm - Argon2:
$argon2id$v=19$m=16,t=2,p=1$VG1Oa1lMbzZLbzk5azQ2Qg$kjcNNtZ/b0t/8HgXUiQ76A
Migrating users with Firebase SCrypt Password hashes
Importing users from Firebases requires an update to your supertokens core config and formatting the input password hash.
Step 1: Retrive your Firebase password hashing parameters from your dashboard.
Step 2: Update the SuperTokens core to use the base64_signer_key
-
** For Managed Service **
-
Edit the core configuration in the SuperTokens Managed Service Dashboard.
-
Set the
firebase_password_hashing_signer_keyfield in the config to thebase64_signer_keyretrieved from your firebase hashing parameters.
docker run \
-p 3567:3567 \
// highlight-next-line
-e FIREBASE_PASSWORD_HASHING_SIGNER_KEY="gRhC3eDeQOdyEn4bMd9c6kxguWVmcIVq/HbJKnCXdWscZx0l2WbCJ1wbg==" \
-d registry.supertokens.io/supertokens/supertokens-<db_name>
Step 3: SuperTokens requires firebase password hashes to be in a specific format to be parsed.
For example:
Your exported firebase user has the following credentials:
{
"users": [
{
"localId": "userId",
"email": "[email protected]"
"passwordHash": "9Y8ICWcqbzmI42DxV1jpyEjbrJPG8EQ6nI6oC32JYz+/dd7aEjI/R7jG9P5kYh8v9gyqFKaXMDzMg7eLCypbOA==",
"salt": "/cj0jC1br5o4+w==",
}
]
}
The memory cost, rounds and salt separator retrived from the password hashing config are:
{
mem_cost: 14,
rounds: 8,
base64_salt_separator: "Bw=="
}
The password hash would be the following: $f_scrypt$9Y8ICWcqbzmI42DxV1jpyEjbrJPG8EQ6nI6oC32JYz+/dd7aEjI/R7jG9P5kYh8v9gyqFKaXMDzMg7eLCypbOA==$/cj0jC1br5o4+w==$m=14$r=8$s=Bw==
The example password hash is in the following format $f_scrypt$<passwordHash>$<salt>$m=<mem_cost>$r=<rounds>$s=<base64_salt_separator>
Step 4: Run the following curl command to import the user
curl --location --request POST '<CORE_API_ENDPOINT>/recipe/user/passwordhash/import' \
--header 'Content-Type: application/json; charset=utf-8' \
--header 'api-key: <YOUR_API_KEY>' \
--data-raw '{
"email": "[email protected]",
"passwordHash": "$f_scrypt$9Y8ICWcqbzmI42DxV1jpyEjbrJPG8EQ6nI6oC32JYz+/dd7aEjI/R7jG9P5kYh8v9gyqFKaXMDzMg7eLCypbOA==$/cj0jC1br5o4+w==$m=14$r=8$s=Bw==",
"hashingAlgorithm": "firebase_scrypt"
}'
Passwordless Migration
To migrate a Passwordless user from your previous authentication provider to SuperTokens, you will first need to generate a code for the user and then call the consume code API.
Generate passwordless code
With Email
curl --location --request POST '<CORE_API_ENDPOINT>/recipe/signinup/code' \
--header 'api-key: <YOUR_API_KEY>' \
--header 'Content-Type: application/json; charset=utf-8' \
--data-raw '{
"email": "[email protected]"
}'
With Phone Number
curl --location --request POST '<CORE_API_ENDPOINT>/recipe/signinup/code' \
--header 'api-key: <YOUR_API_KEY>' \
--header 'Content-Type: application/json; charset=utf-8' \
--data-raw '{
"phoneNumber": "+14155552671"
}'
On successfully generating the passwordless code you should see the following response
{
"status": "OK",
"preAuthSessionId": "d3Zpa9eoyV2Wr7uN5DLr6H1clzbwwGTc_0wIIXJT55M=",
"codeId": "4fe93f8e-a5da-4588-82e2-314c6993b345",
"deviceId": "+cWm1Y2EFxEPyHM7CAwYyAdkakBeoEDm6IOGT3xfa1U=",
"userInputCode": "463152",
"linkCode": "UlEb3-gbIYow61ce6RNzghkGN8qcHkpRwbhHbvMEjxY=",
"timeCreated": 1664283193059,
"codeLifetime": 900000
}
Consume the passwordless code to create the passwordless user
Retrieve the preAuthSessionId and linkCode from the previous response and set them as request body parameters for the consume code request.
curl --location --request POST '<CORE_API_ENDPOINT>/recipe/signinup/code/consume' \
--header 'api-key: <YOUR_API_KEY>' \
--header 'Content-Type: application/json; charset=utf-8' \
--data-raw '{
"preAuthSessionId": "d3Zpa9eoyV2Wr7uN5DLr6H1clzbwwGTc_0wIIXJT55M=",
"linkCode": "UlEb3-gbIYow61ce6RNzghkGN8qcHkpRwbhHbvMEjxY="
}'
If the user has both email and password associated with them, then you can call the update user API to associate the missing information
curl --location --request PUT '<CORE_API_ENDPOINT>/recipe/user' \
--header 'api-key: <YOUR_API_KEY>' \
--header 'rid: passwordless' \
--header 'Content-Type: application/json; charset=utf-8' \
--data-raw '{
"userId": "fa7a0841-b533-4478-95533-0fde890c3483",
"email": "[email protected]",
"phoneNumber": "+14155552671"
}'
ThirdParty Migration
To migrate users with social accounts we can simply call the SuperTokens Core's signInUp API with the provider Id and the user's third party userId.
For example:
If we were importing a user with Google as their provider with their third party userId being 106347997792363870000, we can run the following curl command to import the user.
curl --location --request POST '<CORE_API_ENDPOINT>/recipe/signinup' \
--header 'api-key: <YOUR_API_KEY>' \
--header 'Content-Type: application/json; charset=utf-8' \
--data-raw '{
"thirdPartyId": "google",
"thirdPartyUserId": "106347997792363870000",
"email": {
"id": "[email protected]",
"isVerified": true
}
}'