Account

SERVER

The Account service allows you to authenticate and manage a user account. You can use the Account service to update user information, retrieve the user's sessions across different devices, and fetch the user's security logs with their recent activity.

Register new user accounts with the Create Account, Create Magic URL session, or Create Phone session endpoint. You can authenticate the user account using any of the available sign-in methods. Once the user is authenticated, a new session object is created to allow the user to access their private data and settings.

This service also exposes an endpoint to save and read the user preferences as a key-value object. This feature is handy if you want to allow extra customization in your app. Common usage for this feature may include saving the user's preferred locale, timezone, or custom app theme.

Base URL
https://cloud.appwrite.io/v1

Get account

Get the currently logged in user.

  • Response
    • 200 application/json
Endpoint
GET /account
GraphQL
query {
    accountGet {
        _id
        _createdAt
        _updatedAt
        name
        password
        hash
        hashOptions
        registration
        status
        labels
        passwordUpdate
        email
        phone
        emailVerification
        phoneVerification
        mfa
        prefs {
            data
        }
        targets {
            _id
            _createdAt
            _updatedAt
            name
            userId
            providerId
            providerType
            identifier
        }
        accessedAt
    }
}

Create account

Use this endpoint to allow a new user to register a new account in your project. After the user registration completes successfully, you can use the /account/verification route to start verifying the user's email address. To allow the new user to log in to their new account, you need to create a new account session.

  • Request
    • userId string
      required

      User ID. Choose a custom ID or generate a random ID with ID.unique(). Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can't start with a special char. Max length is 36 chars.

    • email string
      required

      User email.

    • password string
      required

      New user password. Must be between 8 and 256 chars.

    • name string

      User name. Max length: 128 chars.

  • Response
    • 201 application/json
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame    Attempts       Key
    60 minutes    10 requests    URL + IP
Endpoint
POST /account
GraphQL
mutation {
    accountCreate(
        userId: "<USER_ID>",
        email: "email@example.com",
        password: "",
        name: "<NAME>"
    ) {
        _id
        _createdAt
        _updatedAt
        name
        password
        hash
        hashOptions
        registration
        status
        labels
        passwordUpdate
        email
        phone
        emailVerification
        phoneVerification
        mfa
        prefs {
            data
        }
        targets {
            _id
            _createdAt
            _updatedAt
            name
            userId
            providerId
            providerType
            identifier
        }
        accessedAt
    }
}

Update email

Update the currently logged in user's account email address. After the address is changed, the user's email confirmation status is reset. A new confirmation email is not sent automatically; however, you can use the send confirmation email endpoint again to send one. As a security measure, the user's password is required to complete this request. This endpoint can also be used to convert an anonymous account to a normal one by passing an email address and a new password.

  • Request
    • email string
      required

      User email.

    • password string
      required

      User password. Must be at least 8 chars.

  • Response
    • 200 application/json
Endpoint
PATCH /account/email
GraphQL
mutation {
    accountUpdateEmail(
        email: "email@example.com",
        password: "password"
    ) {
        _id
        _createdAt
        _updatedAt
        name
        password
        hash
        hashOptions
        registration
        status
        labels
        passwordUpdate
        email
        phone
        emailVerification
        phoneVerification
        mfa
        prefs {
            data
        }
        targets {
            _id
            _createdAt
            _updatedAt
            name
            userId
            providerId
            providerType
            identifier
        }
        accessedAt
    }
}

List Identities

Get the list of identities for the currently logged in user.

  • Request
    • queries array

      Array of query strings generated using the Query class provided by the SDK. Learn more about queries. A maximum of 100 queries is allowed, each at most 4096 characters long. You may filter on the following attributes: userId, provider, providerUid, providerEmail, providerAccessTokenExpiry.

  • Response
Endpoint
GET /account/identities
GraphQL
query {
    accountListIdentities(
        queries: []
    ) {
        total
        identities {
            _id
            _createdAt
            _updatedAt
            userId
            provider
            providerUid
            providerEmail
            providerAccessToken
            providerAccessTokenExpiry
            providerRefreshToken
        }
    }
}

Delete identity

Delete an identity by its unique ID.

  • Request
    • identityId string
      required

      Identity ID.

  • Response
    • 204 application/json
Endpoint
DELETE /account/identities/{identityId}
GraphQL
mutation {
    accountDeleteIdentity(
        identityId: "<IDENTITY_ID>"
    ) {
        status
    }
}

Create JWT

Use this endpoint to create a JSON Web Token. You can use the resulting JWT to authenticate on behalf of the current user when working with the Appwrite server-side API and SDKs. The JWT is valid for 15 minutes from its creation and becomes invalid if the user logs out within that time frame.

  • Response
    • 201 application/json
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame    Attempts        Key
    60 minutes    100 requests    URL + USER ID
Endpoint
POST /account/jwt
GraphQL
mutation {
    accountCreateJWT {
        jwt
    }
}

List logs

Get the list of the latest security activity logs for the currently logged in user. Each log entry returns the user's IP address, location, and the date and time of the event.

  • Request
    • queries array

      Array of query strings generated using the Query class provided by the SDK. Learn more about queries. The only supported query methods are limit and offset.

  • Response
Endpoint
GET /account/logs
GraphQL
query {
    accountListLogs(
        queries: []
    ) {
        total
        logs {
            event
            userId
            userEmail
            userName
            mode
            ip
            time
            osCode
            osName
            osVersion
            clientType
            clientCode
            clientName
            clientVersion
            clientEngine
            clientEngineVersion
            deviceName
            deviceBrand
            deviceModel
            countryCode
            countryName
        }
    }
}
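The log entries returned by accountListLogs carry enough context (IP, country, client, OS, device, time) to spot sign-ins that break a user's established pattern. The following is an added example, not Appwrite's own code: it assumes the field names shown above, treats the event name session.create as a login (an assumption; use whatever event names your project emits), and runs over constructed sample entries instead of a live API response.

```python
"""Flag anomalous entries in an accountListLogs result (added example)."""
from datetime import datetime, timedelta

# Assumed name of the login event; adjust to the event names your logs contain.
LOGIN_EVENT = "session.create"

# Constructed sample of the `logs` array (newest first, as the API returns it).
# IPs are documentation ranges; none of this is real data.
SAMPLE_LOGS = [
    {"event": "session.create", "ip": "203.0.113.7", "time": "2024-03-10T02:14:00.000+00:00",
     "countryCode": "br", "clientName": "Chrome", "osName": "Linux", "deviceName": "desktop"},
    {"event": "session.create", "ip": "198.51.100.4", "time": "2024-03-10T01:50:00.000+00:00",
     "countryCode": "de", "clientName": "Firefox", "osName": "Windows", "deviceName": "desktop"},
    {"event": "session.create", "ip": "198.51.100.22", "time": "2024-03-09T20:05:00.000+00:00",
     "countryCode": "de", "clientName": "Safari", "osName": "iOS", "deviceName": "smartphone"},
    {"event": "session.create", "ip": "198.51.100.4", "time": "2024-03-01T09:00:00.000+00:00",
     "countryCode": "de", "clientName": "Firefox", "osName": "Windows", "deviceName": "desktop"},
    {"event": "account.update.password", "ip": "198.51.100.4", "time": "2024-02-20T08:30:00.000+00:00",
     "countryCode": "de", "clientName": "Firefox", "osName": "Windows", "deviceName": "desktop"},
]


def parse_time(value: str) -> datetime:
    """Parse the ISO 8601 timestamp in the `time` field (offset included)."""
    return datetime.fromisoformat(value)


def device_fingerprint(entry: dict) -> tuple:
    """Coarse device identity built from the client/OS/device fields."""
    return (entry.get("clientName"), entry.get("osName"), entry.get("deviceName"))


def find_anomalies(logs, recent_window=timedelta(hours=24), travel_window=timedelta(hours=2)):
    """Return recent entries that do not match the user's older baseline.

    Baseline = every entry older than `recent_window` before the newest entry.
    A recent entry is flagged when its country or device fingerprint is unseen in
    the baseline, or when it is a login from a different country than the previous
    login less than `travel_window` earlier. If every entry is recent, the baseline
    is empty and everything is reported as new, which is the right default for a
    brand-new account.
    """
    if not logs:
        return []
    ordered = sorted(logs, key=lambda e: parse_time(e["time"]))  # oldest first
    cutoff = parse_time(ordered[-1]["time"]) - recent_window
    baseline = [e for e in ordered if parse_time(e["time"]) < cutoff]
    known_countries = {e["countryCode"] for e in baseline}
    known_devices = {device_fingerprint(e) for e in baseline}

    findings = []
    last_login = None  # previous LOGIN_EVENT entry in chronological order
    for entry in ordered:
        when = parse_time(entry["time"])
        reasons = []
        if when >= cutoff:
            if entry["countryCode"] not in known_countries:
                reasons.append("new_country")
            if device_fingerprint(entry) not in known_devices:
                reasons.append("new_device")
            if (entry["event"] == LOGIN_EVENT and last_login is not None
                    and last_login["countryCode"] != entry["countryCode"]
                    and when - parse_time(last_login["time"]) <= travel_window):
                reasons.append("rapid_country_change")
        if entry["event"] == LOGIN_EVENT:
            last_login = entry
        if reasons:
            findings.append({"time": entry["time"], "ip": entry["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOGS):
        print(finding["time"], finding["ip"], ", ".join(finding["reasons"]))
```

On the sample data the smartphone login is reported only as a new device, while the Brazil login 24 minutes after a German one is reported on all three counts.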

Update MFA

Enable or disable MFA on an account.

  • Request
    • mfa boolean
      required

      Enable or disable MFA.

  • Response
    • 200 application/json
Endpoint
PATCH /account/mfa
GraphQL
mutation {
    accountUpdateMFA(
        mfa: false
    ) {
        _id
        _createdAt
        _updatedAt
        name
        password
        hash
        hashOptions
        registration
        status
        labels
        passwordUpdate
        email
        phone
        emailVerification
        phoneVerification
        mfa
        prefs {
            data
        }
        targets {
            _id
            _createdAt
            _updatedAt
            name
            userId
            providerId
            providerType
            identifier
        }
        accessedAt
    }
}

Create Authenticator

Add an authenticator app to be used as an MFA factor. Verify the authenticator using the verify authenticator method.

  • Request
    • type string
      required

      Type of authenticator. Must be totp.

  • Response
Endpoint
POST /account/mfa/authenticators/{type}
GraphQL
mutation {
    accountCreateMfaAuthenticator(
        type: "totp"
    ) {
        secret
        uri
    }
}

Verify Authenticator

Verify an authenticator app after adding it using the add authenticator method.

  • Request
    • type string
      required

      Type of authenticator.

    • otp string
      required

      Valid verification token.

  • Response
    • 200 application/json
Endpoint
PUT /account/mfa/authenticators/{type}
GraphQL
mutation {
    accountUpdateMfaAuthenticator(
        type: "totp",
        otp: "<OTP>"
    ) {
        _id
        _createdAt
        _updatedAt
        name
        password
        hash
        hashOptions
        registration
        status
        labels
        passwordUpdate
        email
        phone
        emailVerification
        phoneVerification
        mfa
        prefs {
            data
        }
        targets {
            _id
            _createdAt
            _updatedAt
            name
            userId
            providerId
            providerType
            identifier
        }
        accessedAt
    }
}
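Between Create Authenticator and Verify Authenticator the client has to turn the returned secret into the one-time code submitted as otp. The following is an added example, not Appwrite's own code: it assumes the uri is a standard otpauth://totp/... URI carrying the base32 secret (plus optional digits, period and algorithm parameters), implements RFC 6238 with the standard library, and uses a constructed sample URI whose secret is the RFC's reference key so the results can be checked against the published test vectors. verify_code shows the server-side counterpart with a small step window and a constant-time comparison.

```python
"""TOTP code generation and checking for an otpauth URI (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample URI. The secret is the RFC 6238 reference key
# "12345678901234567890" encoded in base32, not a real user's secret.
SAMPLE_URI = (
    "otpauth://totp/Appwrite:user%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Appwrite&digits=6&period=30"
)


def parse_otpauth_uri(uri: str) -> dict:
    """Extract secret, digits, period and algorithm from an otpauth://totp URI."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret parameter")
    return {
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
    }


def totp_code(secret_b32: str, at: float, digits: int = 6, period: int = 30,
              algorithm: str = "SHA1") -> str:
    """RFC 6238: HMAC over the time-step counter, dynamic truncation, mod 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore base32 padding
    key = base64.b32decode(padded)
    counter = int(at) // period
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def code_for_uri(uri: str, at: float = None) -> str:
    """The value a client submits as `otp` for the given URI at time `at` (default: now)."""
    params = parse_otpauth_uri(uri)
    at = time.time() if at is None else at
    return totp_code(params["secret"], at, params["digits"], params["period"], params["algorithm"])


def verify_code(uri: str, submitted: str, at: float = None, window: int = 1) -> bool:
    """Accept the code for the current step and up to `window` steps either side.

    The length check rejects malformed input before any HMAC work, and the
    comparison is constant-time so a correct prefix cannot be measured.
    """
    params = parse_otpauth_uri(uri)
    at = time.time() if at is None else at
    if not (submitted.isdigit() and len(submitted) == params["digits"]):
        return False
    for step in range(-window, window + 1):
        expected = totp_code(params["secret"], at + step * params["period"],
                             params["digits"], params["period"], params["algorithm"])
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    print("current code for sample URI:", code_for_uri(SAMPLE_URI))
```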

Delete Authenticator

Delete an authenticator for a user by ID.

  • Request
    • type string
      required

      Type of authenticator.

    • otp string
      required

      Valid verification token.

  • Response
    • 204 application/json
Endpoint
DELETE /account/mfa/authenticators/{type}
GraphQL
mutation {
    accountDeleteMfaAuthenticator(
        type: "totp",
        otp: "<OTP>"
    ) {
        status
    }
}

Create MFA Challenge

Begin the process of MFA verification after sign-in. Finish the flow with the updateMfaChallenge method.

  • Request
    • factor string
      required

      Factor used for verification. Must be one of the following: email, phone, totp, recoveryCode.

  • Response
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame    Attempts       Key
    60 minutes    10 requests    URL + TOKEN
Endpoint
POST /account/mfa/challenge
GraphQL
mutation {
    accountCreateMfaChallenge(
        factor: "email"
    ) {
        _id
        _createdAt
        userId
        expire
    }
}

Create MFA Challenge (confirmation)

Complete the MFA challenge, and with it the MFA verification process, by providing the one-time password. To begin the flow, use the createMfaChallenge method.

  • Request
    • challengeId string
      required

      ID of the challenge.

    • otp string
      required

      Valid verification token.

  • Response
    • 204 application/json
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame    Attempts       Key
    60 minutes    10 requests    USER ID
Endpoint
PUT /account/mfa/challenge
GraphQL
mutation {
    accountUpdateMfaChallenge(
        challengeId: "<CHALLENGE_ID>",
        otp: "<OTP>"
    ) {
        status
    }
}

List Factors

List the factors available on the account to be used as an MFA challenge.

Endpoint
GET /account/mfa/factors
GraphQL
query {
    accountListMfaFactors {
        totp
        phone
        email
        recoveryCode
    }
}

Get MFA Recovery Codes

Get recovery codes that can be used as a backup for the MFA flow. Before getting the codes, they must be generated using the createMfaRecoveryCodes method. An OTP challenge is required to read recovery codes.

Endpoint
GET /account/mfa/recovery-codes
GraphQL
query {
    accountGetMfaRecoveryCodes {
        recoveryCodes
    }
}

Create MFA Recovery Codes

Generate recovery codes as a backup for the MFA flow. It's recommended to generate and show them immediately after the user successfully adds their authenticator. Recovery codes can be used as an MFA verification type in the createMfaChallenge method.

Endpoint
POST /account/mfa/recovery-codes
GraphQL
mutation {
    accountCreateMfaRecoveryCodes {
        recoveryCodes
    }
}

Regenerate MFA Recovery Codes

Regenerate recovery codes that can be used as a backup for the MFA flow. Before regenerating codes, they must first be generated using the createMfaRecoveryCodes method. An OTP challenge is required to regenerate recovery codes.

Endpoint
PATCH /account/mfa/recovery-codes
GraphQL
mutation {
    accountUpdateMfaRecoveryCodes {
        recoveryCodes
    }
}

Update name

Update the currently logged in user's account name.

  • Request
    • name string
      required

      User name. Max length: 128 chars.

  • Response
    • 200 application/json
Endpoint
PATCH /account/name
GraphQL
mutation {
    accountUpdateName(
        name: "<NAME>"
    ) {
        _id
        _createdAt
        _updatedAt
        name
        password
        hash
        hashOptions
        registration
        status
        labels
        passwordUpdate
        email
        phone
        emailVerification
        phoneVerification
        mfa
        prefs {
            data
        }
        targets {
            _id
            _createdAt
            _updatedAt
            name
            userId
            providerId
            providerType
            identifier
        }
        accessedAt
    }
}

Update password

Update the currently logged in user's password. For validation, the user is required to pass in both the new password and the old password. For users created with OAuth, Team Invites, or Magic URL, oldPassword is optional.

  • Request
    • password string
      required

      New user password. Must be at least 8 chars.

    • oldPassword string

      Current user password. Must be at least 8 chars.

  • Response
    • 200 application/json
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame    Attempts       Key
    60 minutes    10 requests    URL + IP
Endpoint
PATCH /account/password
GraphQL
mutation {
    accountUpdatePassword(
        password: "",
        oldPassword: "password"
    ) {
        _id
        _createdAt
        _updatedAt
        name
        password
        hash
        hashOptions
        registration
        status
        labels
        passwordUpdate
        email
        phone
        emailVerification
        phoneVerification
        mfa
        prefs {
            data
        }
        targets {
            _id
            _createdAt
            _updatedAt
            name
            userId
            providerId
            providerType
            identifier
        }
        accessedAt
    }
}

Update phone

Update the currently logged in user's phone number. After updating the phone number, the phone verification status will be reset. A confirmation SMS is not sent automatically, however you can use the POST /account/verification/phone endpoint to send a confirmation SMS.

  • Request
    • phone string
      required

      Phone number. Format this number with a leading '+' and a country code, e.g., +16175551212.

    • password string
      required

      User password. Must be at least 8 chars.

  • Response
    • 200 application/json
Endpoint
PATCH /account/phone
GraphQL
mutation {
    accountUpdatePhone(
        phone: "+12065550100",
        password: "password"
    ) {
        _id
        _createdAt
        _updatedAt
        name
        password
        hash
        hashOptions
        registration
        status
        labels
        passwordUpdate
        email
        phone
        emailVerification
        phoneVerification
        mfa
        prefs {
            data
        }
        targets {
            _id
            _createdAt
            _updatedAt
            name
            userId
            providerId
            providerType
            identifier
        }
        accessedAt
    }
}

Get account preferences

Get the preferences as a key-value object for the currently logged in user.

Endpoint
GET /account/prefs
GraphQL
query {
    accountGetPrefs {
        data
    }
}

Update preferences

Update the currently logged in user's account preferences. The object you pass is stored as is and replaces any previous value. The maximum allowed prefs size is 64kB; an error is thrown if it is exceeded.

  • Request
    • prefs object
      required

      Prefs key-value JSON object.

  • Response
    • 200 application/json
Endpoint
PATCH /account/prefs
GraphQL
mutation {
    accountUpdatePrefs(
        prefs: "{}"
    ) {
        _id
        _createdAt
        _updatedAt
        name
        password
        hash
        hashOptions
        registration
        status
        labels
        passwordUpdate
        email
        phone
        emailVerification
        phoneVerification
        mfa
        prefs {
            data
        }
        targets {
            _id
            _createdAt
            _updatedAt
            name
            userId
            providerId
            providerType
            identifier
        }
        accessedAt
    }
}

Create password recovery

Sends the user an email with a temporary secret key for password reset. When the user clicks the confirmation link, they are redirected back to your app's password reset URL with the secret key and email address values attached to the URL query string. Use the query string params to submit a request to the PUT /account/recovery endpoint to complete the process. The verification link sent to the user's email address is valid for 1 hour.

  • Request
    • email string
      required

      User email.

    • url string
      required

      URL to redirect the user back to your app from the recovery email. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an open redirect attack against your project API.

  • Response
    • 201 application/json
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame    Attempts       Key
    60 minutes    10 requests    URL + EMAIL
    60 minutes    10 requests    URL + IP
Endpoint
POST /account/recovery
GraphQL
mutation {
    accountCreateRecovery(
        email: "email@example.com",
        url: "https://example.com"
    ) {
        _id
        _createdAt
        userId
        secret
        expire
        phrase
    }
}
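The url parameter above is accepted only when its hostname is in the project's platform list, which is what keeps the recovery link from becoming an open redirect. The following is an added example, not Appwrite's own implementation: it shows that hostname check as a practitioner would write it for their own redirect handling, next to the substring check that looks similar but fails, using a constructed platform list.

```python
"""Hostname allowlist check for a redirect URL (added example, not Appwrite code)."""
from urllib.parse import urlsplit

# Constructed sample of the hostnames registered as platforms for a project.
PLATFORM_HOSTNAMES = {"example.com", "app.example.com", "localhost"}


def naive_contains_check(url: str, allowed_hostnames=PLATFORM_HOSTNAMES) -> bool:
    """The mistake to avoid: matching the allowed name anywhere in the string.

    Accepts attacker-controlled hosts such as example.com.attacker.test or
    https://example.com@attacker.test because the allowed name appears inside them.
    """
    return any(host in url for host in allowed_hostnames)


def hostname_allowed(url: str, allowed_hostnames=PLATFORM_HOSTNAMES) -> bool:
    """Accept only http(s) URLs whose parsed hostname exactly matches an entry.

    urlsplit().hostname lower-cases the host and strips userinfo and port, so
    the comparison is made on the host a browser would actually connect to.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False  # rejects javascript:, data:, and scheme-relative //host URLs
    host = parts.hostname
    if not host:
        return False
    return host in {h.lower() for h in allowed_hostnames}


def check_redirect(url: str, allowed_hostnames=PLATFORM_HOSTNAMES) -> str:
    """Return the URL unchanged when allowed, otherwise raise so callers fail closed."""
    if not hostname_allowed(url, allowed_hostnames):
        raise ValueError("redirect hostname is not in the platform list")
    return url


if __name__ == "__main__":
    for candidate in ("https://example.com/reset", "https://example.com@attacker.test/reset"):
        print(candidate, naive_contains_check(candidate), hostname_allowed(candidate))
```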

Create password recovery (confirmation)

Use this endpoint to complete the user account password reset. Both the userId and secret arguments will be passed as query parameters to the redirect URL you have provided when sending your request to the POST /account/recovery endpoint.

Please note that, in order to avoid a redirect attack, the only valid redirect URLs are those from domains you have set when adding your platforms in the console interface.

  • Request
    • userId string
      required

      User ID.

    • secret string
      required

      Valid reset token.

    • password string
      required

      New user password. Must be between 8 and 256 chars.

  • Response
    • 200 application/json
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame    Attempts       Key
    60 minutes    10 requests    URL + USER ID
Endpoint
PUT /account/recovery
GraphQL
mutation {
    accountUpdateRecovery(
        userId: "<USER_ID>",
        secret: "<SECRET>",
        password: ""
    ) {
        _id
        _createdAt
        userId
        secret
        expire
        phrase
    }
}

List sessions

Get the list of active sessions across different devices for the currently logged in user.

Endpoint
GET /account/sessions
GraphQL
query {
    accountListSessions {
        total
        sessions {
            _id
            _createdAt
            _updatedAt
            userId
            expire
            provider
            providerUid
            providerAccessToken
            providerAccessTokenExpiry
            providerRefreshToken
            ip
            osCode
            osName
            osVersion
            clientType
            clientCode
            clientName
            clientVersion
            clientEngine
            clientEngineVersion
            deviceName
            deviceBrand
            deviceModel
            countryCode
            countryName
            current
            factors
            secret
            mfaUpdatedAt
        }
    }
}

Delete sessions

Delete all sessions from the user account and remove any session cookies from the end client.

  • Response
    • 204 application/json
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame    Attempts        Key
    60 minutes    100 requests    URL + IP
Endpoint
DELETE /account/sessions
GraphQL
mutation {
    accountDeleteSessions {
        status
    }
}

Create anonymous session

Use this endpoint to allow a new user to register an anonymous account in your project. This route will also create a new session for the user. To allow the new user to convert an anonymous account to a normal account, you need to update its email and password or create an OAuth2 session.

  • Response
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame    Attempts       Key
    60 minutes    50 requests    IP
Endpoint
POST /account/sessions/anonymous
GraphQL
mutation {
    accountCreateAnonymousSession {
        _id
        _createdAt
        _updatedAt
        userId
        expire
        provider
        providerUid
        providerAccessToken
        providerAccessTokenExpiry
        providerRefreshToken
        ip
        osCode
        osName
        osVersion
        clientType
        clientCode
        clientName
        clientVersion
        clientEngine
        clientEngineVersion
        deviceName
        deviceBrand
        deviceModel
        countryCode
        countryName
        current
        factors
        secret
        mfaUpdatedAt
    }
}

Create email password session

Allow the user to log in to their account by providing a valid email and password combination. This route will create a new session for the user.

A user is limited to 10 active sessions at a time by default. Learn more about session limits.

  • Request
    • email string
      required

      User email.

    • password string
      required

      User password. Must be at least 8 chars.

  • Response
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame    Attempts       Key
    60 minutes    10 requests    URL + EMAIL
Endpoint
POST /account/sessions/email
GraphQL
mutation {
    accountCreateEmailPasswordSession(
        email: "email@example.com",
        password: "password"
    ) {
        _id
        _createdAt
        _updatedAt
        userId
        expire
        provider
        providerUid
        providerAccessToken
        providerAccessTokenExpiry
        providerRefreshToken
        ip
        osCode
        osName
        osVersion
        clientType
        clientCode
        clientName
        clientVersion
        clientEngine
        clientEngineVersion
        deviceName
        deviceBrand
        deviceModel
        countryCode
        countryName
        current
        factors
        secret
        mfaUpdatedAt
    }
}

Update magic URL session

Use this endpoint to create a session from a token. Provide the userId and secret parameters from the successful response of authentication flows initiated by token creation, for example magic URL and phone login.

  • Request
    • userId string
      required

      User ID. Choose a custom ID or generate a random ID with ID.unique(). Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can't start with a special char. Max length is 36 chars.

    • secret string
      required

      Valid verification token.

  • Response
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame    Attempts       Key
    60 minutes    10 requests    IP + USER ID
Endpoint
PUT /account/sessions/magic-url
GraphQL
mutation {
    accountUpdateMagicURLSession(
        userId: "<USER_ID>",
        secret: "<SECRET>"
    ) {
        _id
        _createdAt
        _updatedAt
        userId
        expire
        provider
        providerUid
        providerAccessToken
        providerAccessTokenExpiry
        providerRefreshToken
        ip
        osCode
        osName
        osVersion
        clientType
        clientCode
        clientName
        clientVersion
        clientEngine
        clientEngineVersion
        deviceName
        deviceBrand
        deviceModel
        countryCode
        countryName
        current
        factors
        secret
        mfaUpdatedAt
    }
}

Update phone session

Use this endpoint to create a session from a token. Provide the userId and secret parameters from the successful response of authentication flows initiated by token creation, for example magic URL and phone login.

  • Request
    • userId string
      required

      User ID. Choose a custom ID or generate a random ID with ID.unique(). Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can't start with a special char. Max length is 36 chars.

    • secret string
      required

      Valid verification token.

  • Response
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame    Attempts       Key
    60 minutes    10 requests    IP + USER ID
Endpoint
PUT /account/sessions/phone
GraphQL
mutation {
    accountUpdatePhoneSession(
        userId: "<USER_ID>",
        secret: "<SECRET>"
    ) {
        _id
        _createdAt
        _updatedAt
        userId
        expire
        provider
        providerUid
        providerAccessToken
        providerAccessTokenExpiry
        providerRefreshToken
        ip
        osCode
        osName
        osVersion
        clientType
        clientCode
        clientName
        clientVersion
        clientEngine
        clientEngineVersion
        deviceName
        deviceBrand
        deviceModel
        countryCode
        countryName
        current
        factors
        secret
        mfaUpdatedAt
    }
}

Create session

Use this endpoint to create a session from a token. Provide the userId and secret parameters from the successful response of authentication flows initiated by token creation, for example magic URL and phone login.

  • Request
    • userId string
      required

      User ID. Choose a custom ID or generate a random ID with ID.unique(). Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can't start with a special char. Max length is 36 chars.

    • secret string
      required

      Secret of a token generated by login methods. For example, the createMagicURLToken or createPhoneToken methods.

  • Response
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame    Attempts       Key
    60 minutes    10 requests    IP + USER ID
Endpoint
POST /account/sessions/token
GraphQL
mutation {
    accountCreateSession(
        userId: "<USER_ID>",
        secret: "<SECRET>"
    ) {
        _id
        _createdAt
        _updatedAt
        userId
        expire
        provider
        providerUid
        providerAccessToken
        providerAccessTokenExpiry
        providerRefreshToken
        ip
        osCode
        osName
        osVersion
        clientType
        clientCode
        clientName
        clientVersion
        clientEngine
        clientEngineVersion
        deviceName
        deviceBrand
        deviceModel
        countryCode
        countryName
        current
        factors
        secret
        mfaUpdatedAt
    }
}

Get session

Use this endpoint to get a logged in user's session using a Session ID. Inputting 'current' will return the current session being used.

  • Request
    • sessionId string
      required

      Session ID. Use the string 'current' to get the current device session.

  • Response
Endpoint
GET /account/sessions/{sessionId}
GraphQL
query {
    accountGetSession(
        sessionId: "<SESSION_ID>"
    ) {
        _id
        _createdAt
        _updatedAt
        userId
        expire
        provider
        providerUid
        providerAccessToken
        providerAccessTokenExpiry
        providerRefreshToken
        ip
        osCode
        osName
        osVersion
        clientType
        clientCode
        clientName
        clientVersion
        clientEngine
        clientEngineVersion
        deviceName
        deviceBrand
        deviceModel
        countryCode
        countryName
        current
        factors
        secret
        mfaUpdatedAt
    }
}

Update session

Use this endpoint to extend a session's length. Extending a session is useful when session expiry is short. If the session was created using an OAuth provider, this endpoint refreshes the access token from the provider.

  • Request
    • sessionId string
      required

      Session ID. Use the string 'current' to update the current device session.

  • Response
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame    Attempts       Key
    60 minutes    10 requests    URL + IP
Endpoint
PATCH /account/sessions/{sessionId}
GraphQL
mutation {
    accountUpdateSession(
        sessionId: "<SESSION_ID>"
    ) {
        _id
        _createdAt
        _updatedAt
        userId
        expire
        provider
        providerUid
        providerAccessToken
        providerAccessTokenExpiry
        providerRefreshToken
        ip
        osCode
        osName
        osVersion
        clientType
        clientCode
        clientName
        clientVersion
        clientEngine
        clientEngineVersion
        deviceName
        deviceBrand
        deviceModel
        countryCode
        countryName
        current
        factors
        secret
        mfaUpdatedAt
    }
}

Delete session

Log out the user. Use 'current' as the session ID to log out on this device, or another session ID to log out on another device. To log out the user on all devices, use Delete Sessions instead.

  • Request
    • sessionId string
      required

      Session ID. Use the string 'current' to delete the current device session.

  • Response
    • 204 application/json
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame   Attempts       Key
    60 minutes   100 requests   URL + IP
Endpoint
DELETE /account/sessions/{sessionId}
GraphQL
mutation {
    accountDeleteSession(
        sessionId: "<SESSION_ID>"
    ) {
        status
    }
}

Update status

Block the currently logged in user account. Behind the scenes, the user record is not deleted but permanently blocked from any access. To completely delete a user, use the Users API instead.

  • Response
    • 200 application/json
Endpoint
PATCH /account/status
GraphQL
mutation {
    accountUpdateStatus {
        _id
        _createdAt
        _updatedAt
        name
        password
        hash
        hashOptions
        registration
        status
        labels
        passwordUpdate
        email
        phone
        emailVerification
        phoneVerification
        mfa
        prefs {
            data
        }
        targets {
            _id
            _createdAt
            _updatedAt
            name
            userId
            providerId
            providerType
            identifier
        }
        accessedAt
    }
}

Create email token (OTP)

Sends the user an email with a secret key for creating a session. If the provided user ID has not been registered, a new user will be created. Use the returned user ID and secret and submit a request to the POST /v1/account/sessions/token endpoint to complete the login process. The secret sent to the user's email is valid for 15 minutes.

A user is limited to 10 active sessions at a time by default. Learn more about session limits.

  • Request
    • userId string
      required

      User ID. Choose a custom ID or generate a random ID with ID.unique(). Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can't start with a special char. Max length is 36 chars.

    • email string
      required

      User email.

    • phrase boolean

      Toggle for security phrase. If enabled, the email will be sent with a randomly generated phrase and the phrase will also be included in the response. Confirming that the phrases match increases the security of your authentication flow.

  • Response
    • 201 application/json
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame   Attempts      Key
    60 minutes   10 requests   URL + EMAIL
Endpoint
POST /account/tokens/email
GraphQL
mutation {
    accountCreateEmailToken(
        userId: "<USER_ID>",
        email: "email@example.com",
        phrase: false
    ) {
        _id
        _createdAt
        userId
        secret
        expire
        phrase
    }
}

Create magic URL token

Sends the user an email with a secret key for creating a session. If the provided user ID has not been registered, a new user will be created. When the user clicks the link in the email, the user is redirected back to the URL you provided with the secret key and userId values attached to the URL query string. Use the query string parameters to submit a request to the POST /v1/account/sessions/token endpoint to complete the login process. The link sent to the user's email address is valid for 1 hour. If you are on a mobile device you can leave the URL parameter empty, so that the login completion will be handled by your Appwrite instance by default.

A user is limited to 10 active sessions at a time by default. Learn more about session limits.

  • Request
    • userId string
      required

      Unique Id. Choose a custom ID or generate a random ID with ID.unique(). Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can't start with a special char. Max length is 36 chars.

    • email string
      required

      User email.

    • url string

      URL to redirect the user back to your app from the magic URL login. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an open redirect attack against your project API.

    • phrase boolean

      Toggle for security phrase. If enabled, the email will be sent with a randomly generated phrase and the phrase will also be included in the response. Confirming that the phrases match increases the security of your authentication flow.

  • Response
    • 201 application/json
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame   Attempts      Key
    60 minutes   60 requests   URL + EMAIL
    60 minutes   60 requests   URL + IP
Endpoint
POST /account/tokens/magic-url
GraphQL
mutation {
    accountCreateMagicURLToken(
        userId: "<USER_ID>",
        email: "email@example.com",
        url: "https://example.com",
        phrase: false
    ) {
        _id
        _createdAt
        userId
        secret
        expire
        phrase
    }
}

Create phone token

Sends the user an SMS with a secret key for creating a session. If the provided user ID has not been registered, a new user will be created. Use the returned user ID and secret and submit a request to the POST /v1/account/sessions/token endpoint to complete the login process. The secret sent to the user's phone is valid for 15 minutes.

A user is limited to 10 active sessions at a time by default. Learn more about session limits.

  • Request
    • userId string
      required

      Unique Id. Choose a custom ID or generate a random ID with ID.unique(). Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can't start with a special char. Max length is 36 chars.

    • phone string
      required

      Phone number. Format this number with a leading '+' and a country code, e.g., +16175551212.

  • Response
    • 201 application/json
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame   Attempts      Key
    60 minutes   10 requests   URL + PHONE
    60 minutes   10 requests   URL + IP
Endpoint
POST /account/tokens/phone
GraphQL
mutation {
    accountCreatePhoneToken(
        userId: "<USER_ID>",
        phone: "+12065550100"
    ) {
        _id
        _createdAt
        userId
        secret
        expire
        phrase
    }
}

Create email verification

Use this endpoint to send a verification message to your user's email address to confirm they are the valid owner of that address. Both the userId and secret arguments will be passed as query parameters to the URL you have provided, which is attached to the verification email. The provided URL should redirect the user back to your app and allow you to complete the verification process by verifying both the userId and secret parameters. Learn more about how to complete the verification process. The verification link sent to the user's email address is valid for 7 days.

Please note that in order to avoid a Redirect Attack, the only valid redirect URLs are the ones from domains you have set when adding your platforms in the console interface.

  • Request
    • url string
      required

      URL to redirect the user back to your app from the verification email. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an open redirect attack against your project API.

  • Response
    • 201 application/json
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame   Attempts      Key
    60 minutes   10 requests   URL + USER ID
Endpoint
POST /account/verification
GraphQL
mutation {
    accountCreateVerification(
        url: "https://example.com"
    ) {
        _id
        _createdAt
        userId
        secret
        expire
        phrase
    }
}
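The magic URL token and email verification flows above share the same shape: the `url` parameter must point at a hostname from the project's platform list (the open-redirect defense the docs describe), and the link the user clicks carries `userId` and `secret` back as query parameters that are then submitted to the completion endpoint. The following is an added example, not Appwrite's own code, illustrating that hostname check and the callback handling on the app side; the platform hostnames and callback URLs are constructed, and the exact-match allowlist is an assumption about how the check behaves.

```javascript
// Added example (not Appwrite's code). Constructed platform list, standing in
// for the hostnames configured for the project's platforms in the console.
const PLATFORM_HOSTNAMES = ["app.example.com", "localhost"];

// Returns true only when `candidate` is an absolute http(s) URL whose hostname
// exactly matches an allowlisted platform hostname (case-insensitive).
// Parsing with URL (rather than prefix-matching the string) is what defeats
// look-alike hosts such as "app.example.com.evil.example" or a userinfo
// segment like "app.example.com@evil.example".
function isAllowedRedirect(candidate, hostnames = PLATFORM_HOSTNAMES) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return false; // relative or malformed URL: reject
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  const host = parsed.hostname.toLowerCase();
  return hostnames.some((h) => h.toLowerCase() === host);
}

// Parses the URL the user lands on after clicking the emailed link and
// returns the two values needed to complete the flow, or null if either
// is missing (so the app does not call the completion endpoint blindly).
function parseCallback(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const userId = params.get("userId");
  const secret = params.get("secret");
  if (!userId || !secret) return null;
  return { userId, secret };
}

// Builds the follow-up request for the completion endpoint named in the docs:
// the magic URL flow posts to /v1/account/sessions/token, the email
// verification flow puts to /v1/account/verification. Both take userId and
// secret from the callback query string.
function completionRequest(flow, callbackUrl) {
  const creds = parseCallback(callbackUrl);
  if (!creds) return null;
  const routes = {
    magicUrl: { method: "POST", path: "/v1/account/sessions/token" },
    verification: { method: "PUT", path: "/v1/account/verification" },
  };
  const route = routes[flow];
  if (!route) throw new Error(`unknown flow: ${flow}`);
  return { ...route, body: creds };
}
```

The server enforces the platform-hostname rule itself; checking it in the app before calling the token or verification endpoint only gives an earlier, clearer failure.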

Create email verification (confirmation)

Use this endpoint to complete the user email verification process. Use both the userId and secret parameters that were attached to your app URL to verify the user email ownership. If confirmed this route will return a 200 status code.

  • Request
    • userId string
      required

      User ID.

    • secret string
      required

      Valid verification token.

  • Response
    • 200 application/json
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame   Attempts      Key
    60 minutes   10 requests   URL + USER ID
Endpoint
PUT /account/verification
GraphQL
mutation {
    accountUpdateVerification(
        userId: "<USER_ID>",
        secret: "<SECRET>"
    ) {
        _id
        _createdAt
        userId
        secret
        expire
        phrase
    }
}

Create phone verification

Use this endpoint to send a verification SMS to the currently logged in user. This endpoint is meant for use after updating a user's phone number using the accountUpdatePhone endpoint. Learn more about how to complete the verification process. The verification code sent to the user's phone number is valid for 15 minutes.

  • Response
    • 201 application/json
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame   Attempts      Key
    60 minutes   10 requests   URL + USER ID
    60 minutes   10 requests   URL + IP
Endpoint
POST /account/verification/phone
GraphQL
mutation {
    accountCreatePhoneVerification {
        _id
        _createdAt
        userId
        secret
        expire
        phrase
    }
}

Update phone verification (confirmation)

Use this endpoint to complete the user phone verification process. Use the userId and secret that were sent to your user's phone number to verify ownership of that phone number. If confirmed, this route will return a 200 status code.

  • Request
    • userId string
      required

      User ID.

    • secret string
      required

      Valid verification token.

  • Response
    • 200 application/json
  • Rate limits

    This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.

    The limit is applied for each unique limit key.

    Time frame   Attempts      Key
    60 minutes   10 requests   USER ID
Endpoint
PUT /account/verification/phone
GraphQL
mutation {
    accountUpdatePhoneVerification(
        userId: "<USER_ID>",
        secret: "<SECRET>"
    ) {
        _id
        _createdAt
        userId
        secret
        expire
        phrase
    }
}