Users

Every end-user is scoped to a single environmentId (instance). Users own emails, phones, MFA credentials (TOTP, passkeys, backup codes), OAuth identities, and free-form metadata buckets.

User shape

type User = {
  id: string;                      // uuid
  externalId: string | null;       // your own system's id, if any
  username: string | null;
  email: string | null;            // primary email
  publicMetadata: Record<string, unknown>;  // visible to the user
  privateMetadata: Record<string, unknown>; // admin-only
  unsafeMetadata: Record<string, unknown>;  // writable from the frontend
  isBanned: boolean;
  banReason: string | null;
  createdAt: string;
  updatedAt: string;
};

Reading the current user

Client-side via the React SDK:

const { isLoaded, user } = useUser();

Server-side:

const claims = await verifySessionJwt(token, { jwksUrl, issuer });
const userId = claims.sub;
// then fetch your own projection from the API or mirror table

Dashboard controls

The dashboard exposes user management per app:

  • List + search: /app/[appId]/users
  • Detail view: /app/[appId]/users/[userId] — identity, emails, org memberships, active sessions, metadata.
  • Ban / unban, delete, and metadata edits from the detail page.
  • Inbound invitations list in the Invitations tab.

Metadata

  • publicMetadata — visible to the user through useUser(). Good for avatars, display names.
  • privateMetadata — backend-only. Never returned to the browser.
  • unsafeMetadata — writable from the client. Useful for wizard progress; validate before trusting.
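One way to apply "validate before trusting" on the server, as an added example that is not KolayLogin's own code: the helper names, the `wizard` and `role` keys, and the five-step limit are assumptions; only the bucket names and `isBanned` come from the User shape above.

```typescript
// Added example (not part of the KolayLogin SDK). Helper names, the "wizard"
// and "role" keys, and MAX_STEP are assumptions made for illustration.
type Metadata = Record<string, unknown>;

interface WizardProgress {
  step: number;
  completed: boolean;
}

const MAX_STEP = 5; // assumption: the onboarding wizard has five steps

// unsafeMetadata is writable from the client, so treat it as untrusted input:
// check the shape, the type and the range, and fall back to a safe default.
function parseWizardProgress(unsafeMetadata: Metadata): WizardProgress {
  const fallback: WizardProgress = { step: 0, completed: false };
  const raw = unsafeMetadata["wizard"];
  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
    return fallback;
  }
  const { step, completed } = raw as Record<string, unknown>;
  if (typeof step !== "number" || !Number.isInteger(step) || step < 0 || step > MAX_STEP) {
    return fallback;
  }
  // "completed" only counts when the client has actually reached the last step.
  return { step, completed: completed === true && step === MAX_STEP };
}

interface MetadataView {
  privateMetadata: Metadata;
  unsafeMetadata: Metadata;
  isBanned: boolean;
}

// Authorization reads only the admin-only bucket and never unsafeMetadata,
// so a client that writes { role: "admin" } into unsafeMetadata gains nothing.
function isAdmin(user: MetadataView): boolean {
  if (user.isBanned) {
    return false;
  }
  return user.privateMetadata["role"] === "admin";
}

// Constructed sample: a client tries to self-promote and to skip the wizard.
const tampered: MetadataView = {
  privateMetadata: {},
  unsafeMetadata: { role: "admin", wizard: { step: 999, completed: true } },
  isBanned: false,
};
console.log(isAdmin(tampered), parseWizardProgress(tampered.unsafeMetadata));
```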