The Account service allows you to authenticate and manage a user account. You can use the account service to update user information, retrieve the user sessions across different devices, and fetch the user security logs with his or her recent activity.
Register new user accounts with the Create Account, Create Magic URL session, or Create Phone session endpoint. You can authenticate the user account by using multiple sign-in methods available. Once the user is authenticated, a new session object will be created to allow the user to access his or her private data and settings.
This service also exposes an endpoint to save and read the user preferences as a key-value object. This feature is handy if you want to allow extra customization in your app. Common usage for this feature may include saving the user's preferred locale, timezone, or custom app theme.
https://cloud.appwrite.io/v1
GET /account
query {
accountGet {
_id
_createdAt
_updatedAt
name
password
hash
hashOptions
registration
status
labels
passwordUpdate
email
phone
emailVerification
phoneVerification
mfa
prefs {
data
}
targets {
_id
_createdAt
_updatedAt
name
userId
providerId
providerType
identifier
}
accessedAt
}
}
Create account
Use this endpoint to allow a new user to register a new account in your project. After the user registration completes successfully, you can use the /account/verfication route to start verifying the user email address. To allow the new user to login to their new account, you need to create a new account session.
Request
userId string requiredUser ID. Choose a custom ID or generate a random ID with
ID.unique(). Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can't start with a special char. Max length is 36 chars.email string requiredUser email.
password string requiredNew user password. Must be between 8 and 256 chars.
name string User name. Max length: 128 chars.
Response
201 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests URL + IP
POST /account
mutation {
accountCreate(
userId: "<USER_ID>",
email: "email@example.com",
password: "",
name: "<NAME>"
) {
_id
_createdAt
_updatedAt
name
password
hash
hashOptions
registration
status
labels
passwordUpdate
email
phone
emailVerification
phoneVerification
mfa
prefs {
data
}
targets {
_id
_createdAt
_updatedAt
name
userId
providerId
providerType
identifier
}
accessedAt
}
}
Update email
Update currently logged in user account email address. After changing user address, the user confirmation status will get reset. A new confirmation email is not sent automatically however you can use the send confirmation email endpoint again to send the confirmation email. For security measures, user password is required to complete this request. This endpoint can also be used to convert an anonymous account to a normal one, by passing an email address and a new password.
Request
email string requiredUser email.
password string requiredUser password. Must be at least 8 chars.
Response
200 application/json
PATCH /account/email
mutation {
accountUpdateEmail(
email: "email@example.com",
password: "password"
) {
_id
_createdAt
_updatedAt
name
password
hash
hashOptions
registration
status
labels
passwordUpdate
email
phone
emailVerification
phoneVerification
mfa
prefs {
data
}
targets {
_id
_createdAt
_updatedAt
name
userId
providerId
providerType
identifier
}
accessedAt
}
}
List Identities
Get the list of identities for the currently logged in user.
Request
queries array Array of query strings generated using the Query class provided by the SDK. Learn more about queries. Maximum of 100 queries are allowed, each 4096 characters long. You may filter on the following attributes: userId, provider, providerUid, providerEmail, providerAccessTokenExpiry
Response
200 application/json
GET /account/identities
query {
accountListIdentities(
queries: []
) {
total
identities {
_id
_createdAt
_updatedAt
userId
provider
providerUid
providerEmail
providerAccessToken
providerAccessTokenExpiry
providerRefreshToken
}
}
}
Delete identity
Delete an identity by its unique ID.
Request
identityId string requiredIdentity ID.
Response
204 application/json
DELETE /account/identities/{identityId}
mutation {
accountDeleteIdentity(
identityId: "<IDENTITY_ID>"
) {
status
}
}
Create JWT
Use this endpoint to create a JSON Web Token. You can use the resulting JWT to authenticate on behalf of the current user when working with the Appwrite server-side API and SDKs. The JWT secret is valid for 15 minutes from its creation and will be invalid if the user will logout in that time frame.
Response
201 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 100 requests URL + USER ID
POST /account/jwt
mutation {
accountCreateJWT {
jwt
}
}
List logs
Get the list of latest security activity logs for the currently logged in user. Each log returns user IP address, location and date and time of log.
Request
queries array Array of query strings generated using the Query class provided by the SDK. Learn more about queries. Only supported methods are limit and offset
Response
200 application/json
GET /account/logs
query {
accountListLogs(
queries: []
) {
total
logs {
event
userId
userEmail
userName
mode
ip
time
osCode
osName
osVersion
clientType
clientCode
clientName
clientVersion
clientEngine
clientEngineVersion
deviceName
deviceBrand
deviceModel
countryCode
countryName
}
}
}
Update MFA
Enable or disable MFA on an account.
Request
mfa boolean requiredEnable or disable MFA.
Response
200 application/json
PATCH /account/mfa
mutation {
accountUpdateMFA(
mfa: false
) {
_id
_createdAt
_updatedAt
name
password
hash
hashOptions
registration
status
labels
passwordUpdate
email
phone
emailVerification
phoneVerification
mfa
prefs {
data
}
targets {
_id
_createdAt
_updatedAt
name
userId
providerId
providerType
identifier
}
accessedAt
}
}
Create Authenticator
Add an authenticator app to be used as an MFA factor. Verify the authenticator using the verify authenticator method.
Request
type string requiredType of authenticator. Must be
totp
Response
200 application/json
POST /account/mfa/authenticators/{type}
mutation {
accountCreateMfaAuthenticator(
type: "totp"
) {
secret
uri
}
}
Verify Authenticator
Verify an authenticator app after adding it using the add authenticator method.
Request
type string requiredType of authenticator.
otp string requiredValid verification token.
Response
200 application/json
PUT /account/mfa/authenticators/{type}
mutation {
accountUpdateMfaAuthenticator(
type: "totp",
otp: "<OTP>"
) {
_id
_createdAt
_updatedAt
name
password
hash
hashOptions
registration
status
labels
passwordUpdate
email
phone
emailVerification
phoneVerification
mfa
prefs {
data
}
targets {
_id
_createdAt
_updatedAt
name
userId
providerId
providerType
identifier
}
accessedAt
}
}
Delete Authenticator
Delete an authenticator for a user by ID.
Request
type string requiredType of authenticator.
otp string requiredValid verification token.
Response
204 application/json
DELETE /account/mfa/authenticators/{type}
mutation {
accountDeleteMfaAuthenticator(
type: "totp",
otp: "<OTP>"
) {
status
}
}
Create MFA Challenge
Begin the process of MFA verification after sign-in. Finish the flow with updateMfaChallenge method.
Request
factor string requiredFactor used for verification. Must be one of following:
email,phone,totp,recoveryCode.
Response
201 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests URL + TOKEN
POST /account/mfa/challenge
mutation {
accountCreateMfaChallenge(
factor: "email"
) {
_id
_createdAt
userId
expire
}
}
Create MFA Challenge (confirmation)
Complete the MFA challenge by providing the one-time password. Finish the process of MFA verification by providing the one-time password. To begin the flow, use createMfaChallenge method.
Request
challengeId string requiredID of the challenge.
otp string requiredValid verification token.
Response
204 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests USER ID
PUT /account/mfa/challenge
mutation {
accountUpdateMfaChallenge(
challengeId: "<CHALLENGE_ID>",
otp: "<OTP>"
) {
status
}
}
List Factors
List the factors available on the account to be used as a MFA challange.
Response
200 application/json
GET /account/mfa/factors
query {
accountListMfaFactors {
totp
phone
email
recoveryCode
}
}
Get MFA Recovery Codes
Get recovery codes that can be used as backup for MFA flow. Before getting codes, they must be generated using createMfaRecoveryCodes method. An OTP challenge is required to read recovery codes.
Response
200 application/json
GET /account/mfa/recovery-codes
query {
accountGetMfaRecoveryCodes {
recoveryCodes
}
}
Create MFA Recovery Codes
Generate recovery codes as backup for MFA flow. It's recommended to generate and show then immediately after user successfully adds their authehticator. Recovery codes can be used as a MFA verification type in createMfaChallenge method.
Response
201 application/json
POST /account/mfa/recovery-codes
mutation {
accountCreateMfaRecoveryCodes {
recoveryCodes
}
}
Regenerate MFA Recovery Codes
Regenerate recovery codes that can be used as backup for MFA flow. Before regenerating codes, they must be first generated using createMfaRecoveryCodes method. An OTP challenge is required to regenreate recovery codes.
Response
200 application/json
PATCH /account/mfa/recovery-codes
mutation {
accountUpdateMfaRecoveryCodes {
recoveryCodes
}
}
Update name
Update currently logged in user account name.
Request
name string requiredUser name. Max length: 128 chars.
Response
200 application/json
PATCH /account/name
mutation {
accountUpdateName(
name: "<NAME>"
) {
_id
_createdAt
_updatedAt
name
password
hash
hashOptions
registration
status
labels
passwordUpdate
email
phone
emailVerification
phoneVerification
mfa
prefs {
data
}
targets {
_id
_createdAt
_updatedAt
name
userId
providerId
providerType
identifier
}
accessedAt
}
}
Update password
Update currently logged in user password. For validation, user is required to pass in the new password, and the old password. For users created with OAuth, Team Invites and Magic URL, oldPassword is optional.
Request
password string requiredNew user password. Must be at least 8 chars.
oldPassword string Current user password. Must be at least 8 chars.
Response
200 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests URL + IP
PATCH /account/password
mutation {
accountUpdatePassword(
password: "",
oldPassword: "password"
) {
_id
_createdAt
_updatedAt
name
password
hash
hashOptions
registration
status
labels
passwordUpdate
email
phone
emailVerification
phoneVerification
mfa
prefs {
data
}
targets {
_id
_createdAt
_updatedAt
name
userId
providerId
providerType
identifier
}
accessedAt
}
}
Update phone
Update the currently logged in user's phone number. After updating the phone number, the phone verification status will be reset. A confirmation SMS is not sent automatically, however you can use the POST /account/verification/phone endpoint to send a confirmation SMS.
Request
phone string requiredPhone number. Format this number with a leading '+' and a country code, e.g., +16175551212.
password string requiredUser password. Must be at least 8 chars.
Response
200 application/json
PATCH /account/phone
mutation {
accountUpdatePhone(
phone: "+12065550100",
password: "password"
) {
_id
_createdAt
_updatedAt
name
password
hash
hashOptions
registration
status
labels
passwordUpdate
email
phone
emailVerification
phoneVerification
mfa
prefs {
data
}
targets {
_id
_createdAt
_updatedAt
name
userId
providerId
providerType
identifier
}
accessedAt
}
}
Get account preferences
Get the preferences as a key-value object for the currently logged in user.
Response
200 application/json
GET /account/prefs
query {
accountGetPrefs {
data
}
}
Update preferences
Update currently logged in user account preferences. The object you pass is stored as is, and replaces any previous value. The maximum allowed prefs size is 64kB and throws error if exceeded.
Request
prefs object requiredPrefs key-value JSON object.
Response
200 application/json
PATCH /account/prefs
mutation {
accountUpdatePrefs(
prefs: "{}"
) {
_id
_createdAt
_updatedAt
name
password
hash
hashOptions
registration
status
labels
passwordUpdate
email
phone
emailVerification
phoneVerification
mfa
prefs {
data
}
targets {
_id
_createdAt
_updatedAt
name
userId
providerId
providerType
identifier
}
accessedAt
}
}
Create password recovery
Sends the user an email with a temporary secret key for password reset. When the user clicks the confirmation link he is redirected back to your app password reset URL with the secret key and email address values attached to the URL query string. Use the query string params to submit a request to the PUT /account/recovery endpoint to complete the process. The verification link sent to the user's email address is valid for 1 hour.
Request
email string requiredUser email.
url string requiredURL to redirect the user back to your app from the recovery email. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an open redirect attack against your project API.
Response
201 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests URL + EMAIL 60 minutes 10 requests URL + IP
POST /account/recovery
mutation {
accountCreateRecovery(
email: "email@example.com",
url: "https://example.com"
) {
_id
_createdAt
userId
secret
expire
phrase
}
}
Create password recovery (confirmation)
Use this endpoint to complete the user account password reset. Both the userId and secret arguments will be passed as query parameters to the redirect URL you have provided when sending your request to the POST /account/recovery endpoint.
Please note that in order to avoid a Redirect Attack the only valid redirect URLs are the ones from domains you have set when adding your platforms in the console interface.
Request
userId string requiredUser ID.
secret string requiredValid reset token.
password string requiredNew user password. Must be between 8 and 256 chars.
Response
200 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests URL + USER ID
PUT /account/recovery
mutation {
accountUpdateRecovery(
userId: "<USER_ID>",
secret: "<SECRET>",
password: ""
) {
_id
_createdAt
userId
secret
expire
phrase
}
}
List sessions
Get the list of active sessions across different devices for the currently logged in user.
Response
200 application/json
GET /account/sessions
query {
accountListSessions {
total
sessions {
_id
_createdAt
_updatedAt
userId
expire
provider
providerUid
providerAccessToken
providerAccessTokenExpiry
providerRefreshToken
ip
osCode
osName
osVersion
clientType
clientCode
clientName
clientVersion
clientEngine
clientEngineVersion
deviceName
deviceBrand
deviceModel
countryCode
countryName
current
factors
secret
mfaUpdatedAt
}
}
}
Delete sessions
Delete all sessions from the user account and remove any sessions cookies from the end client.
Response
204 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 100 requests URL + IP
DELETE /account/sessions
mutation {
accountDeleteSessions {
status
}
}
Create anonymous session
Use this endpoint to allow a new user to register an anonymous account in your project. This route will also create a new session for the user. To allow the new user to convert an anonymous account to a normal account, you need to update its email and password or create an OAuth2 session.
Response
201 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 50 requests IP
POST /account/sessions/anonymous
mutation {
accountCreateAnonymousSession {
_id
_createdAt
_updatedAt
userId
expire
provider
providerUid
providerAccessToken
providerAccessTokenExpiry
providerRefreshToken
ip
osCode
osName
osVersion
clientType
clientCode
clientName
clientVersion
clientEngine
clientEngineVersion
deviceName
deviceBrand
deviceModel
countryCode
countryName
current
factors
secret
mfaUpdatedAt
}
}
Create email password session
Allow the user to login into their account by providing a valid email and password combination. This route will create a new session for the user.
A user is limited to 10 active sessions at a time by default. Learn more about session limits.
Request
email string requiredUser email.
password string requiredUser password. Must be at least 8 chars.
Response
201 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests URL + EMAIL
POST /account/sessions/email
mutation {
accountCreateEmailPasswordSession(
email: "email@example.com",
password: "password"
) {
_id
_createdAt
_updatedAt
userId
expire
provider
providerUid
providerAccessToken
providerAccessTokenExpiry
providerRefreshToken
ip
osCode
osName
osVersion
clientType
clientCode
clientName
clientVersion
clientEngine
clientEngineVersion
deviceName
deviceBrand
deviceModel
countryCode
countryName
current
factors
secret
mfaUpdatedAt
}
}
Update magic URL session
Use this endpoint to create a session from token. Provide the userId and secret parameters from the successful response of authentication flows initiated by token creation. For example, magic URL and phone login.
Request
userId string requiredUser ID. Choose a custom ID or generate a random ID with
ID.unique(). Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can't start with a special char. Max length is 36 chars.secret string requiredValid verification token.
Response
201 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests IP + USER ID
PUT /account/sessions/magic-url
mutation {
accountUpdateMagicURLSession(
userId: "<USER_ID>",
secret: "<SECRET>"
) {
_id
_createdAt
_updatedAt
userId
expire
provider
providerUid
providerAccessToken
providerAccessTokenExpiry
providerRefreshToken
ip
osCode
osName
osVersion
clientType
clientCode
clientName
clientVersion
clientEngine
clientEngineVersion
deviceName
deviceBrand
deviceModel
countryCode
countryName
current
factors
secret
mfaUpdatedAt
}
}
Update phone session
Use this endpoint to create a session from token. Provide the userId and secret parameters from the successful response of authentication flows initiated by token creation. For example, magic URL and phone login.
Request
userId string requiredUser ID. Choose a custom ID or generate a random ID with
ID.unique(). Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can't start with a special char. Max length is 36 chars.secret string requiredValid verification token.
Response
201 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests IP + USER ID
PUT /account/sessions/phone
mutation {
accountUpdatePhoneSession(
userId: "<USER_ID>",
secret: "<SECRET>"
) {
_id
_createdAt
_updatedAt
userId
expire
provider
providerUid
providerAccessToken
providerAccessTokenExpiry
providerRefreshToken
ip
osCode
osName
osVersion
clientType
clientCode
clientName
clientVersion
clientEngine
clientEngineVersion
deviceName
deviceBrand
deviceModel
countryCode
countryName
current
factors
secret
mfaUpdatedAt
}
}
Create session
Use this endpoint to create a session from token. Provide the userId and secret parameters from the successful response of authentication flows initiated by token creation. For example, magic URL and phone login.
Request
userId string requiredUser ID. Choose a custom ID or generate a random ID with
ID.unique(). Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can't start with a special char. Max length is 36 chars.secret string requiredSecret of a token generated by login methods. For example, the
createMagicURLTokenorcreatePhoneTokenmethods.
Response
201 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests IP + USER ID
POST /account/sessions/token
mutation {
accountCreateSession(
userId: "<USER_ID>",
secret: "<SECRET>"
) {
_id
_createdAt
_updatedAt
userId
expire
provider
providerUid
providerAccessToken
providerAccessTokenExpiry
providerRefreshToken
ip
osCode
osName
osVersion
clientType
clientCode
clientName
clientVersion
clientEngine
clientEngineVersion
deviceName
deviceBrand
deviceModel
countryCode
countryName
current
factors
secret
mfaUpdatedAt
}
}
Get session
Use this endpoint to get a logged in user's session using a Session ID. Inputting 'current' will return the current session being used.
Request
sessionId string requiredSession ID. Use the string 'current' to get the current device session.
Response
200 application/json
GET /account/sessions/{sessionId}
query {
accountGetSession(
sessionId: "<SESSION_ID>"
) {
_id
_createdAt
_updatedAt
userId
expire
provider
providerUid
providerAccessToken
providerAccessTokenExpiry
providerRefreshToken
ip
osCode
osName
osVersion
clientType
clientCode
clientName
clientVersion
clientEngine
clientEngineVersion
deviceName
deviceBrand
deviceModel
countryCode
countryName
current
factors
secret
mfaUpdatedAt
}
}
Update session
Use this endpoint to extend a session's length. Extending a session is useful when session expiry is short. If the session was created using an OAuth provider, this endpoint refreshes the access token from the provider.
Request
sessionId string requiredSession ID. Use the string 'current' to update the current device session.
Response
200 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests URL + IP
PATCH /account/sessions/{sessionId}
mutation {
accountUpdateSession(
sessionId: "<SESSION_ID>"
) {
_id
_createdAt
_updatedAt
userId
expire
provider
providerUid
providerAccessToken
providerAccessTokenExpiry
providerRefreshToken
ip
osCode
osName
osVersion
clientType
clientCode
clientName
clientVersion
clientEngine
clientEngineVersion
deviceName
deviceBrand
deviceModel
countryCode
countryName
current
factors
secret
mfaUpdatedAt
}
}
Delete session
Logout the user. Use 'current' as the session ID to logout on this device, use a session ID to logout on another device. If you're looking to logout the user on all devices, use Delete Sessions instead.
Request
sessionId string requiredSession ID. Use the string 'current' to delete the current device session.
Response
204 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 100 requests URL + IP
DELETE /account/sessions/{sessionId}
mutation {
accountDeleteSession(
sessionId: "<SESSION_ID>"
) {
status
}
}
Update status
Block the currently logged in user account. Behind the scene, the user record is not deleted but permanently blocked from any access. To completely delete a user, use the Users API instead.
Response
200 application/json
PATCH /account/status
mutation {
accountUpdateStatus {
_id
_createdAt
_updatedAt
name
password
hash
hashOptions
registration
status
labels
passwordUpdate
email
phone
emailVerification
phoneVerification
mfa
prefs {
data
}
targets {
_id
_createdAt
_updatedAt
name
userId
providerId
providerType
identifier
}
accessedAt
}
}
Create push target
Request
targetId string requiredTarget ID. Choose a custom ID or generate a random ID with
ID.unique(). Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can't start with a special char. Max length is 36 chars.identifier string requiredThe target identifier (token, email, phone etc.)
providerId string Provider ID. Message will be sent to this target from the specified provider ID. If no provider ID is set the first setup provider will be used.
Response
201 application/json
POST /account/targets/push
mutation {
accountCreatePushTarget(
targetId: "<TARGET_ID>",
identifier: "<IDENTIFIER>",
providerId: "<PROVIDER_ID>"
) {
_id
_createdAt
_updatedAt
name
userId
providerId
providerType
identifier
}
}
Update push target
Request
targetId string requiredTarget ID.
identifier string requiredThe target identifier (token, email, phone etc.)
Response
200 application/json
PUT /account/targets/{targetId}/push
mutation {
accountUpdatePushTarget(
targetId: "<TARGET_ID>",
identifier: "<IDENTIFIER>"
) {
_id
_createdAt
_updatedAt
name
userId
providerId
providerType
identifier
}
}
DELETE /account/targets/{targetId}/push
mutation {
accountDeletePushTarget(
targetId: "<TARGET_ID>"
) {
status
}
}
Create email token (OTP)
Sends the user an email with a secret key for creating a session. If the provided user ID has not be registered, a new user will be created. Use the returned user ID and secret and submit a request to the POST /v1/account/sessions/token endpoint to complete the login process. The secret sent to the user's email is valid for 15 minutes.
A user is limited to 10 active sessions at a time by default. Learn more about session limits.
Request
userId string requiredUser ID. Choose a custom ID or generate a random ID with
ID.unique(). Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can't start with a special char. Max length is 36 chars.email string requiredUser email.
phrase boolean Toggle for security phrase. If enabled, email will be send with a randomly generated phrase and the phrase will also be included in the response. Confirming phrases match increases the security of your authentication flow.
Response
201 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests URL + EMAIL
POST /account/tokens/email
mutation {
accountCreateEmailToken(
userId: "<USER_ID>",
email: "email@example.com",
phrase: false
) {
_id
_createdAt
userId
secret
expire
phrase
}
}
Create magic URL token
Sends the user an email with a secret key for creating a session. If the provided user ID has not been registered, a new user will be created. When the user clicks the link in the email, the user is redirected back to the URL you provided with the secret key and userId values attached to the URL query string. Use the query string parameters to submit a request to the POST /v1/account/sessions/token endpoint to complete the login process. The link sent to the user's email address is valid for 1 hour. If you are on a mobile device you can leave the URL parameter empty, so that the login completion will be handled by your Appwrite instance by default.
A user is limited to 10 active sessions at a time by default. Learn more about session limits.
Request
userId string requiredUnique Id. Choose a custom ID or generate a random ID with
ID.unique(). Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can't start with a special char. Max length is 36 chars.email string requiredUser email.
url string URL to redirect the user back to your app from the magic URL login. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an open redirect attack against your project API.
phrase boolean Toggle for security phrase. If enabled, email will be send with a randomly generated phrase and the phrase will also be included in the response. Confirming phrases match increases the security of your authentication flow.
Response
201 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 60 requests URL + EMAIL 60 minutes 60 requests URL + IP
POST /account/tokens/magic-url
mutation {
accountCreateMagicURLToken(
userId: "<USER_ID>",
email: "email@example.com",
url: "https://example.com",
phrase: false
) {
_id
_createdAt
userId
secret
expire
phrase
}
}
Create phone token
Sends the user an SMS with a secret key for creating a session. If the provided user ID has not be registered, a new user will be created. Use the returned user ID and secret and submit a request to the POST /v1/account/sessions/token endpoint to complete the login process. The secret sent to the user's phone is valid for 15 minutes.
A user is limited to 10 active sessions at a time by default. Learn more about session limits.
Request
userId string requiredUnique Id. Choose a custom ID or generate a random ID with
ID.unique(). Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can't start with a special char. Max length is 36 chars.phone string requiredPhone number. Format this number with a leading '+' and a country code, e.g., +16175551212.
Response
201 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests URL + PHONE 60 minutes 10 requests URL + IP
POST /account/tokens/phone
mutation {
accountCreatePhoneToken(
userId: "<USER_ID>",
phone: "+12065550100"
) {
_id
_createdAt
userId
secret
expire
phrase
}
}
Create email verification
Use this endpoint to send a verification message to your user email address to confirm they are the valid owners of that address. Both the userId and secret arguments will be passed as query parameters to the URL you have provided to be attached to the verification email. The provided URL should redirect the user back to your app and allow you to complete the verification process by verifying both the userId and secret parameters. Learn more about how to complete the verification process. The verification link sent to the user's email address is valid for 7 days.
Please note that in order to avoid a Redirect Attack, the only valid redirect URLs are the ones from domains you have set when adding your platforms in the console interface.
Request
url string requiredURL to redirect the user back to your app from the verification email. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an open redirect attack against your project API.
Response
201 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests URL + USER ID
POST /account/verification
mutation {
accountCreateVerification(
url: "https://example.com"
) {
_id
_createdAt
userId
secret
expire
phrase
}
}
Create email verification (confirmation)
Use this endpoint to complete the user email verification process. Use both the userId and secret parameters that were attached to your app URL to verify the user email ownership. If confirmed this route will return a 200 status code.
Request
userId string requiredUser ID.
secret string requiredValid verification token.
Response
200 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests URL + USER ID
PUT /account/verification
mutation {
accountUpdateVerification(
userId: "<USER_ID>",
secret: "<SECRET>"
) {
_id
_createdAt
userId
secret
expire
phrase
}
}
Create phone verification
Use this endpoint to send a verification SMS to the currently logged in user. This endpoint is meant for use after updating a user's phone number using the accountUpdatePhone endpoint. Learn more about how to complete the verification process. The verification code sent to the user's phone number is valid for 15 minutes.
Response
201 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests URL + USER ID 60 minutes 10 requests URL + IP
POST /account/verification/phone
mutation {
accountCreatePhoneVerification {
_id
_createdAt
userId
secret
expire
phrase
}
}
Update phone verification (confirmation)
Use this endpoint to complete the user phone verification process. Use the userId and secret that were sent to your user's phone number to verify the user email ownership. If confirmed this route will return a 200 status code.
Request
userId string requiredUser ID.
secret string requiredValid verification token.
Response
200 application/json
Rate limits
This endpoint is rate limited. You can only make a limited number of request to his endpoint within a specific time frame.
The limit is applied for each unique limit key.
Time frameAttemptsKey60 minutes 10 requests USER ID
PUT /account/verification/phone
mutation {
accountUpdatePhoneVerification(
userId: "<USER_ID>",
secret: "<SECRET>"
) {
_id
_createdAt
userId
secret
expire
phrase
}
}