Method: accounts.update

HTTP request
Request body
- JSON representation
Response body
Authorization scopes
Try it!

Updates account-related information for the specified user by setting specific fields or applying action codes. Requests from administrators and end users are supported.

HTTP request

POST https://identitytoolkit.googleapis.com/v1/accounts:update

The URL uses gRPC Transcoding syntax.

Request body

The request body contains data with the following structure:

JSON representation

JSON representation
{ "idToken": string, "localId": string, "displayName": string, "email": string, "password": string, "provider": [ string ], "oobCode": string, "emailVerified": boolean, "upgradeToFederatedLogin": boolean, "captchaChallenge": string, "captchaResponse": string, "validSince": string, "disableUser": boolean, "instanceId": string, "delegatedProjectNumber": string, "photoUrl": string, "deleteAttribute": [ enum (`UserAttributeName`) ], "returnSecureToken": boolean, "deleteProvider": [ string ], "lastLoginAt": string, "createdAt": string, "phoneNumber": string, "customAttributes": string, "tenantId": string, "targetProjectId": string, "mfa": { object (`MfaInfo`) }, "linkProviderUserInfo": { object (`ProviderUserInfo`) } }

{
  "idToken": string,
  "localId": string,
  "displayName": string,
  "email": string,
  "password": string,
  "provider": [
    string
  ],
  "oobCode": string,
  "emailVerified": boolean,
  "upgradeToFederatedLogin": boolean,
  "captchaChallenge": string,
  "captchaResponse": string,
  "validSince": string,
  "disableUser": boolean,
  "instanceId": string,
  "delegatedProjectNumber": string,
  "photoUrl": string,
  "deleteAttribute": [
    enum (UserAttributeName)
  ],
  "returnSecureToken": boolean,
  "deleteProvider": [
    string
  ],
  "lastLoginAt": string,
  "createdAt": string,
  "phoneNumber": string,
  "customAttributes": string,
  "tenantId": string,
  "targetProjectId": string,
  "mfa": {
    object (MfaInfo)
  },
  "linkProviderUserInfo": {
    object (ProviderUserInfo)
  }
}

Fields
`idToken`	`string` A valid Identity Platform ID token. Required when attempting to change user-related information.
`localId`	`string` The ID of the user. Specifying this field requires a Google OAuth 2.0 credential with proper permissions. For requests from end-users, an ID token should be passed instead.
`displayName`	`string` The user's new display name to be updated in the account's attributes. The length of the display name must be less than or equal to 256 characters.
`email`	`string` The user's new email to be updated in the account's attributes. The length of email should be less than 256 characters and in the format of `name@domain.tld`. The email should also match the RFC 822 addr-spec production. If email enumeration protection is enabled, the email cannot be changed by the user without verifying the email first, but it can be changed by an administrator.
`password`	`string` The user's new password to be updated in the account's attributes. The password must be at least 6 characters long.
`provider[]`	`string` The Identity Providers that the account should be associated with.
`oobCode`	`string` The out-of-band code to be applied on the user's account. The following out-of-band code types are supported: * VERIFY_EMAIL * RECOVER_EMAIL * REVERT_SECOND_FACTOR_ADDITION * VERIFY_AND_CHANGE_EMAIL
`emailVerified`	`boolean` Whether the user's email has been verified. Specifying this field requires a Google OAuth 2.0 credential with proper permissions.
`upgradeToFederatedLogin`	`boolean` Whether the account should be restricted to only using federated login.
`captchaChallenge (deprecated)`	`string`
`captchaResponse`	`string` The response from reCaptcha challenge. This is required when the system detects possible abuse activities.
`validSince`	`string (int64 format)` Specifies the minimum timestamp in seconds for an Identity Platform ID token to be considered valid.
`disableUser`	`boolean` If true, marks the account as disabled, meaning the user will no longer be able to sign-in.
`instanceId (deprecated)`	`string`
`delegatedProjectNumber (deprecated)`	`string (int64 format)`
`photoUrl`	`string` The user's new photo URL for the account's profile photo to be updated in the account's attributes. The length of the URL must be less than or equal to 2048 characters.
`deleteAttribute[]`	`enum (UserAttributeName)` The account's attributes to be deleted.
`returnSecureToken`	`boolean` Whether or not to return an ID and refresh token. Should always be true.
`deleteProvider[]`	`string` The Identity Providers to unlink from the user's account.
`lastLoginAt`	`string (int64 format)` The timestamp in milliseconds when the account last logged in.
`createdAt`	`string (int64 format)` The timestamp in milliseconds when the account was created.
`phoneNumber`	`string` The phone number to be updated in the account's attributes.
`customAttributes`	`string` JSON formatted custom attributes to be stored in the Identity Platform ID token. Specifying this field requires a Google OAuth 2.0 credential with proper permissions.
`tenantId`	`string` The tenant ID of the Identity Platform tenant that the account belongs to. Requests from end users should pass an Identity Platform ID token rather than setting this field.
`targetProjectId`	`string` The project ID for the project that the account belongs to. Specifying this field requires Google OAuth 2.0 credential with proper permissions. Requests from end users should pass an Identity Platform ID token instead. Authorization requires the following IAM permission on the specified resource `targetProjectId`: `firebaseauth.users.update`
`mfa`	`object (MfaInfo)` The multi-factor authentication related information to be set on the user's account. This will overwrite any previous multi-factor related information on the account. Specifying this field requires a Google OAuth 2.0 credential with proper permissions.
`linkProviderUserInfo`	`object (ProviderUserInfo)` The provider to be linked to the user's account. Specifying this field requires a Google OAuth 2.0 credential with proper permissions.

Response body

If successful, the response body contains an instance of SetAccountInfoResponse.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.