Skip to content

User Management

User management in the dashboard lets you view all profiles in a sector, invite new users, and manage access.

Navigate to your sector and click Users to see a list of all profiles. Each row shows the user’s email, registration date, and authentication methods enrolled.

When self sign-up is disabled, or when you want to pre-provision accounts, use the invite flow:

  1. Click Invite User
  2. Enter the user’s email address
  3. Click Send Invite

SpartanAuth handles the rest — the user receives an email with a one-time link to complete registration.

Use Bulk Import when migrating an existing app onto SpartanAuth with a large existing user base.

  1. Click Bulk Import in the Users panel.
  2. Either upload a CSV/TSV file or paste rows directly into the text area.
  3. Review the parsed row count, then click Import Users.
  4. A per-row results table shows each user as ✓ created, ⚠ skipped (email already exists), or ✗ error.

The first row must be a header row. Column names are case-insensitive.

ColumnRequiredDescription
emailYesLogin identifier for the user
nameNoFull display name
given_nameNoFirst name
family_nameNoLast name
phone_numberNoE.164-formatted phone number
localeNoBCP-47 locale tag (e.g. en-US)
email_verifiedNotrue or false
hashed_passwordNoPre-hashed credential from the source system
password_hash_algorithmNoAlgorithm used (e.g. bcrypt, argon2id); required when hashed_password is set
send_inviteNotrue to email an invite link to this user

Example:

email,name,email_verified,send_invite
[email protected],Alice Smith,true,false
[email protected],Bob Jones,false,true

If your source system stored passwords as bcrypt hashes, you can migrate them directly:

email,name,hashed_password,password_hash_algorithm
[email protected],Alice Smith,$2a$12$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,bcrypt

Note: Only bcrypt hashes can be verified at login today. If you import users with a different algorithm (e.g. argon2id, scrypt), their accounts will be created but login will fail until that algorithm is supported. Set send_invite=true for those users instead so they are prompted to set a new password via the invite flow.

The endpoint is also available for programmatic imports:

POST /api/v1/sectors/{sectorID}/users/bulk-import
Authorization: Bearer <admin-token>
Content-Type: application/json
{
"users": [
{
"email": "[email protected]",
"name": "Alice Smith",
"emailVerified": true,
"hashedPassword": "$2a$12$...",
"passwordHashAlgorithm": "bcrypt"
},
{
"email": "[email protected]",
"name": "Bob Jones",
"sendInvite": true
}
]
}

The response includes per-user results and summary counts:

{
"results": [
{ "email": "[email protected]", "sub": "...", "status": "created" },
{ "email": "[email protected]", "sub": "...", "status": "created" }
],
"total": 2,
"created": 2,
"skipped": 0,
"errors": 0
}

Clicking on a user opens their profile, which shows:

  • Basic info (email, username, name)
  • Enrolled authentication methods (password, passkeys, MFA registrations)
  • Account status and creation date

Deleting a profile is a soft delete — the user’s PII (email, name, etc.) is cleared, but their sub (user ID) is retained for referential integrity in your database. This prevents orphaned records if your backend uses sub as a foreign key.

A user with isAdmin: true in their JWT claims can access administrative API endpoints (e.g., listing all sector users, creating invites programmatically). Admin status is set per sector.