Create User
Admin creates user with preset password. User receives login link via email.
Purpose and Benefits
What is User Creation?
User creation allows administrators to directly create user accounts in cidaas with admin-set passwords. Unlike invitations, created users are immediately active and searchable in the system, making this ideal for automated provisioning and bulk imports.
Key Benefits
| Benefit | Description |
|---|---|
| Immediate Activation | User account is created and searchable immediately - no registration step required |
| Admin Control | Admin sets initial password, enabling automated provisioning and bulk imports |
| Backend Automation | Perfect for system-to-system integration and bulk user imports |
| OAuth2 Compliance | Uses initiate_login_uri from app configuration to ensure proper OAuth2 flow with client-side generated parameters (state, code_verifier for PKCE), enabling seamless login after user creation |
| Email/SMS Templates | Customize welcome messages with branded templates (USER_CREATED or USER_CREATED_VERIFY depending on email verification status) |
| Instant Access | User can login immediately with provided credentials |
| Password Security | Option to force password change on first login (need_reset_password) for enhanced security |
When to Use User Creation
- Backend Automation: Import users from external systems (HR, CRM, etc.)
- Bulk Provisioning: Create multiple users programmatically
- Automated Onboarding: System-generated accounts for new employees
- Migration: Import existing user databases
- Admin-Managed Accounts: When admin needs to control initial passwords
Quick Comparison
| Aspect | Create User | Invite User |
|---|---|---|
| Password Set By | Admin (set in request) | User (during registration) |
| User Action Required | Login only | Registration + Login |
| User Status | Created immediately | Created only after registration |
| Use Case | Automated provisioning, bulk imports | Team onboarding, customer invitations |
| Searchable | Immediately searchable | Only after registration |
Prerequisites
Before creating users:
- Field Settings configured
- User Groups created (if needed)
- User Roles defined (if needed)
- App Settings configured
- initiate_login_uri configured in app settings (recommended for OAuth2 compliance)
User Creation Flow
The following sequence diagram illustrates the complete user creation process from creation to user login:
Flow Steps Explained
- Admin Creates User
  - Admin calls POST /users-srv/user/create/byadmin with user data and password
  - API Reference: See Create User API for request examples
- User Account Created
  - User account is created immediately with sub (unique identifier)
  - User is immediately searchable in user search APIs
  - Groups and roles are assigned during creation
  - If need_reset_password: true, password reset is configured for first login
- Login Link Generation
  - If initiate_login_uri is configured in app settings, it's used (recommended for OAuth2 compliance)
  - Otherwise, an authz URL is generated using client_id, redirect_uri, and response_type
  - URL is shortened with 24-hour lifetime
- Notification Sent
  - Email/SMS sent using USER_CREATED template (or USER_CREATED_VERIFY if email not verified)
  - Contains login link and password
  - Template variables: {{name}}, {{login_link}}, {{password}}, {{account_name}}
- User Logs In
  - User clicks login link (redirects to client login page from initiate_login_uri)
  - Client generates OAuth2 parameters (state, code_verifier for PKCE) client-side
  - User enters credentials and completes OAuth2 flow
  - If need_reset_password: true, user is forced to change password on first login
Important Create User Fields
| Field | Required | Description | Example |
|---|---|---|---|
| userEntity.email | Yes* | User email address | [email protected] |
| userEntity.mobile_number | Yes* | User mobile number | +491234567890 |
| userEntity.username | Yes* | Username | johndoe |
| userEntity.password | Conditional | User password (required unless generate_password: true) | SecurePass123! |
| userEntity.given_name | No | User's first name | John |
| userEntity.family_name | No | User's last name | Doe |
| userEntity.userStatus | No | User status (default: VERIFIED) | VERIFIED or PENDING |
| userEntity.email_verified | No | Email verification status | true |
| userEntity.groups | No | Groups to assign user to | [{groupId: "CIDAAS_USERS", roles: ["USER"]}] |
| userEntity.need_reset_password | No | Force password change on first login | true |
| client_id | No | App client ID | uuid-here |
| notify_user | No | Send welcome email/SMS (default: true) | true |
| generate_password | No | Auto-generate password | true |
| initiate_login_uri | No | Login URI from app config (recommended) | https://yourapp.com/login |
Note: At least one identifier (email, mobile_number, or username) is required.
Important: For OAuth2 compliance, configure initiate_login_uri in your app settings. This ensures the client can generate OAuth2 parameters (state, code_verifier for PKCE) client-side for seamless login after user creation.
Important Details
Required Permissions
- Scope: cidaas:users_write
- Roles: admin, secondary_admin, super_admin, or user_create (in CIDAAS_ADMINS group)
Field Validations
- At least one identifier must be provided: email, mobile_number, or username
- Password must meet password policy requirements (unless generate_password: true)
- Email format must be valid (if provided)
- Mobile number format must be valid (if provided)
- Groups must exist and be allowed in app settings
- Custom fields must be configured in Field Settings
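A pre-flight check for bulk imports that mirrors the validations listed above before any request is sent, as an added example (not cidaas code). It assumes the dotted field names map to a nested userEntity object and E.164 mobile numbers, and it forces need_reset_password whenever the password will travel in a notification, which is a local policy choice; the tenant's password policy is still enforced server-side.

```python
import re

IDENTIFIERS = ("email", "mobile_number", "username")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse shape check only
MOBILE_RE = re.compile(r"^\+[1-9]\d{6,14}$")  # assumption: E.164 numbers


def build_create_user_body(user, notify_user=True, generate_password=False):
    """Validate one import row and build the create/byadmin JSON body."""
    # Assumption: dotted names in the fields table (userEntity.email) are
    # keys of a nested "userEntity" object.
    entity = dict(user)
    errors = []
    if not any(entity.get(k) for k in IDENTIFIERS):
        errors.append("need one of email, mobile_number, username")
    if entity.get("email") and not EMAIL_RE.match(entity["email"]):
        errors.append("invalid email format")
    if entity.get("mobile_number") and not MOBILE_RE.match(entity["mobile_number"]):
        errors.append("invalid mobile_number format")
    if not generate_password and not entity.get("password"):
        errors.append("password required unless generate_password is true")
    if errors:
        raise ValueError("; ".join(errors))
    if notify_user:
        # Local policy, not a cidaas rule: the welcome message carries
        # {{password}}, so a mailed password must be changed at first login.
        entity["need_reset_password"] = True
    return {"userEntity": entity, "notify_user": notify_user,
            "generate_password": generate_password}


def prepare_bulk(rows, **options):
    """Split rows into request bodies and rejects of (row index, reason)."""
    bodies, rejects = [], []
    for index, row in enumerate(rows):
        try:
            bodies.append(build_create_user_body(row, **options))
        except ValueError as exc:
            rejects.append((index, str(exc)))
    return bodies, rejects


# Constructed sample rows, as they might arrive from an HR export.
SAMPLE_ROWS = [
    {"email": "jane.doe@example.com", "password": "SecurePass123!"},
    {"given_name": "NoIdentifier", "password": "SecurePass123!"},
    {"username": "johndoe", "mobile_number": "0123"},
]
```

Rejected rows come back with their index and reason so the import job can report them without writing passwords to its log.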
User Status
- User account is created immediately with status VERIFIED (or as specified)
- User is immediately searchable in user search APIs
- User can login immediately with provided credentials
Create User Email Templates
The welcome email/SMS uses the USER_CREATED template by default, or USER_CREATED_VERIFY if email is not verified.
Template Key: USER_CREATED
Used when notify_user: true and email is verified.
Template Variables:
- {{name}} - User's full name
- {{login_link}} - Shortened login URL (24-hour lifetime)
- {{password}} - User's password
- {{account_name}} - Organization/tenant name
- {{user_name}} - Email or mobile number
Locale Support:
- Set via Accept-Language HTTP header (e.g., Accept-Language: de)
- Templates are localized based on user's locale
Template Key: USER_CREATED_VERIFY
Used when notify_user: true and email is not verified.
Template Variables:
- {{name}} - User's full name
- {{verify_link}} - Account verification URL
- {{password}} - User's password
- {{account_name}} - Organization/tenant name
What the User Receives
- Personalized email/SMS with their name
- Clickable login link (or verification link if email not verified)
- Password (if not auto-generated, password is included)
- Account/organization name
Webhooks and Facts
When users are created, fact events (webhooks) are sent:
Event Types
- ACCOUNT_CREATED_WITH_CIDAAS_IDENTITY: User created with self provider (email/password)
- ACCOUNT_CREATED_WITH_SOCIAL_IDENTITY: User created with social provider
- ACCOUNT_CIDAASIDENTITY_ADDED: Additional cidaas identity added (for subsequent identities)
- ACCOUNT_SOCIALIDENTITY_ADDED: Additional social identity added (for subsequent identities)
Fact Event Structure
- Object Type: users
- Object ID: The sub (unique user identifier)
- Webhook Attributes: ["provider", "requestId", "sub"]
- Use Case: Track user creation events, monitor onboarding, integrate with external systems
The sub allows you to:
- Link webhook events to specific users
- Track which user triggered each event
- Monitor user lifecycle in external systems
Groups & Roles
Assigning Groups
- Assign Groups: Groups assigned during creation
- App Settings: Groups must be allowed in app settings (operations_allowed_groups)
- User Status: User account is immediately active and searchable
Required Roles
| Operation | Required Roles |
|---|---|
| Create User | admin, secondary_admin, super_admin, user_create |
Field Configuration
System Fields
Stored in Identity object:
- given_name, family_name
- email, mobile_number
- username
Custom Fields
Stored at account level:
- Business-specific attributes
- Must be configured in Field Settings
Related: Account Structure
Admin Dashboard: Create User
Required Roles: admin, secondary_admin, super_admin, or user_create
Create Admin User
- Navigate to Users > Create User
- Select Admin usertype
- Enter identifiers (email, mobile, or username)
- Set password (or generate automatically)
- Configure groups and roles
- Click Create User
Result: User receives email with login link and password.
Create Normal User
- Navigate to Users > Create User
- Select User usertype
- Select client app (redirect URL auto-filled)
- Enter identifiers
- Configure user info and groups
- Click Create User
Result: User receives email with login link and password.
Technical Integration
| Endpoint | Method | Description | Link |
|---|---|---|---|
| Create User | POST | Create a new user with admin-set password | POST /users-srv/user/create/byadmin |
Related Topics
| Topic | Description | Link |
|---|---|---|
| Invite User | User sets password during registration | Invite User |
| Register User | Self-service registration | Register User |
| Update Account | Modify user profile | Update Account |
| User Groups | Access control | User Groups |
| Account Structure | User data model | Account Structure |