Each user in PlusAuth is represented by a comprehensive and extensible user object. It contains core identity attributes, authentication credentials, connected identities, profile information, and customizable metadata. This schema powers user management in the dashboard and the /users
API endpoints.
Manage Users
You can manage users in PlusAuth through either the Dashboard or the Core REST API , depending on your workflow and automation needs.
Dashboard
Navigate to Dashboard > Users to access the user management panel. From here, you can:
- Create new users manually.
- Edit user attributes, profile details, and metadata.
- Assign or remove roles, role groups, and permissions.
- Block or delete accounts that should no longer have access.
- View the user's linked identities, last login, and verification status.
- Perform administrative actions such as resetting passwords or resetting MFA credentials.
All changes made here take effect immediately and propagate through your tenant.
REST API
You can also perform all user management operations programmatically via the Users API Endpoints . This is ideal for automation, integrations, or building your own admin UI.
User Schema
For the whole user profile please have a look at to User Response Schema .
Core Attributes
The core fields define the user's identity, state, and timestamps:
id
,created_at
,updated_at
– immutable identifiers and lifecycle timestamps.username
,email
andphone_number
– primary identifiers, with supporting verification flags (email_verified
,phone_number_verified
).blocked
– whentrue
, the user is prevented from authenticating.last_login
andlogin_attempts
– audit and security indicators used by PlusAuth to enforce throttling and account protection.
Profile
The profile
object follows the OpenID Connect Standard Claims , extending the user with human-readable and locale-aware information:
- Name fields:
given_name
,family_name
,middle_name
,nickname
, andname
. - Localization:
locale
andzoneinfo
determine language and time zone preferences. - Personal details:
birthdate
,gender
,website
, andprofile_page
. - Addresses: structured under
profile.addresses[]
, allowing multiple entries (e.g., billing, delivery) with proper regional components.
Profile fields are typically user-editable through self-service portals or administrative APIs.
Metadata
The metadata
object is a flexible, application-specific store for custom attributes such as preferences, attributes outside PlusAuth, or business data. It supports up to 10 keys, with simple value types (string
, number
, boolean
, or null
). Metadata is entirely managed by your application and never modified by PlusAuth automatically.
Credentials and Identities
The credentials
array stores authentication credentials linked to the user, such as password hashes or WebAuthn keys.
The identities
array tracks external or federated identities, describing how the user authenticates via third-party providers. Each identity includes:
provider
andconnection
– identify the external source (e.g., Google, LDAP, SMS).type
– defines the mechanism (social
,enterprise
,email
,sms
, etc.).details
– raw user data returned by the identity provider.
This structure allows a single PlusAuth user to link multiple login methods (for example, social and enterprise credentials).
Security and Access Control
User objects integrate tightly with PlusAuth's role and permission system. Assignments such as roles, permissions, and role groups are managed separately, but they influence how the user's effective scopes appear in issued tokens. See Access Control for more details.