How do you reset a user's password upon their first login?

Is it possible to set all users to have the passwordChangeRequired status set to true by default, so they are forced to reset their password upon their first login? Additionally, can we set a default password format as company{username}? For example, a user with the username 1234 would have the default password company1234.

We’re integrating FusionAuth with our system and want to verify users’ phone numbers during registration, but we’re not ready to enable two-factor authentication (2FA). Is there a recommended way to implement phone number verification via SMS during registration without enabling 2FA? Ideally, we’d like users to enter their phone number and verify it before completing the registration process.

Our FusionAuth instance only lists 11 Lambdas by default, and JWT Populate is not one of them. How can we create a JWT Populate Lambda?

Does FusionAuth provide an API to import roles for an application?

We are using the /api/user/forgot-password API for password resets, with sendForgotPasswordEmail set to false since we send our own email. However, users are now receiving two emails: our custom email and a password reset email from FusionAuth using our template. This issue occurs only in our pre-live and production environments, not in the local Dockerized version. What could be causing this?

You’re correct—there is no fixed limit on the number of hosted FusionAuth instances you can have.
However, since your account is on invoiced billing, new hosted deployments cannot be created directly through the Account Portal. That functionality is only available for self-serve billing accounts.

Next Steps

• Our Customer Success team will reach out to you via email.
• They’ll help provision the additional non-production instances and add them to your existing order.

Once that’s complete, you’ll have access to the new hosted deployments without needing to manage them through the portal yourself.

I’m reviewing the Hosting page in the FusionAuth Account Portal but don’t see an option to create a new hosted instance.

Based on the documentation and what I’ve found so far, there doesn’t appear to be a hard limit on the number of hosted instances. Is there a different process for creating additional hosted deployments, or is something preventing this option from appearing in the portal?
Ultimately, we’re looking to add at least two additional non-production instances.

Yes, you can mix API clients and end-user logins within the same tenant. Tenant-level controls such as MFA do not prevent this when the authentication flows are properly separated.

Recommended Approach: Use Entities for API Clients

The most common and recommended pattern is to use Entities for API authentication:

• End users authenticate using the Authorization Code grant, which can enforce MFA and other user-facing security requirements.
• API clients authenticate using the Client Credentials grant via Entities.
• Because these are different OAuth grants and flows, tenant-level requirements like MFA apply to users but do not apply to API clients using client credentials.

This allows both authentication types to coexist cleanly within the same tenant while maintaining appropriate security boundaries.

Cost and Licensing

There are no additional licensing or cost implications for using this approach:

• Entities and the Client Credentials flow are included in FusionAuth plans.
• API clients authenticated via Entities do not count as end users for MAU-based billing.

Additional Resources

These resources provide detailed guidance and examples:

• API Authorization with FusionAuth
• Entity Management Concepts
• Using Entities for API Authorization (Video)

This setup is widely used and should cover your use case well.

We are evaluating FusionAuth for JWT-based API authentication and would like to better understand how this fits alongside end-user authentication.

Specifically:

1. Is it possible to authenticate API clients and end users within the same tenant, given that some controls (such as MFA) are configured at the tenant level?
2. If so, what is the recommended approach for structuring API authentication separately from end-user authentication?
3. Are there any licensing or cost implications associated with these approaches (for example, using separate tenants, applications, or service accounts)?

FusionAuth doesn’t support uploading a CSV to retrieve last-login timestamps. However, you can do this efficiently with the Search for Users API and return lastLoginInstant for many users at once.

How to do it (batch via API)

1. Use the User Search endpoint
   POST /api/user/search (set your X-FusionAuth-TenantId and Authorization headers).

2. Send an Elasticsearch query using terms to match a batch of emails/usernames, and read lastLoginInstant from each returned user:

 {
  "search": {
    "query": "{\"terms\":{\"email\":[\"a@example.com\",\"b@example.com\",\"c@example.com\"]}}",
    "numberOfResults": 500,
    "startRow": 0
  }
}

• Swap email for username if that’s what you have.
• If your list is large, chunk it (e.g., 200–500 logins per request) and paginate with startRow / numberOfResults.

3. (Optional) Filter by last-login date with a range query on lastLoginInstant:

 {
  "search": {
    "query": "{\"range\":{\"lastLoginInstant\":{\"gte\":\"2025-10-01T00:00:00Z\"}}}"
  }
}

You can also query by epoch millis if you prefer.

4. Map results
   Each user object includes lastLoginInstant (epoch millis). Convert to your desired timezone/format in your script and write out a CSV.

Tips

• If you need all users in a tenant (not just your list), you can search with a wildcard or a match-all query and page through results, then filter locally.
• For ongoing metrics, consider subscribing to user.login.success webhooks and recording last logins as they happen.

Docs:

• Search for Users API (Elasticsearch): https://fusionauth.io/docs/apis/users#elasticsearch-search-engine

We have ~8,000 usernames/emails and want to look up each user’s last login date. The UI seems to allow searching only one email at a time. Is there a way to upload a CSV of usernames and get all of their lastLoginInstant values?

You can work around this by passing the IDs directly in your request. Here’s an example of how to structure the request correctly:

from fusionauth.fusionauth_client import FusionAuthClient

api_key = 'your-fusionauth-api-key'
base_url = 'https://your-fusionauth-instance.com'
group_id = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
user_ids_to_remove = [
    'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy',
    'zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz'
]

client = FusionAuthClient(api_key, base_url)
member_delete_request = {'members': {group_id: user_ids_to_remove}}
response = client.delete_group_members(member_delete_request)

if response.was_successful():
    print("Successfully removed users from group!")
else:
    print(f"Error: {response.error_response}")

This approach correctly formats the request for the API to process and delete the specified users from the group.

I tried using delete_group_members() to remove users from a group, but each request failed with a “could not find memberId” error. I tried passing in both the group ID and user ID, but it didn’t work. I was only able to get it to work manually by passing a members_delete_request directly to the client. Is there a way to get delete_group_members() to work properly, or does it have a bug?

This issue was addressed in version 1.56.0. Make sure your FusionAuth instance is updated to the latest version, as several reporting-related fixes have been released that resolve this specific problem.

When tracking daily active users and registration numbers, the data for the last day of each month is missing regardless of the number of days in that month. The last day’s data is missing from both the UI and the API response. Is there a way to determine why this is happening?