Method: accounts.update

Updates account-related information for the specified user by setting specific fields or applying action codes. Requests from administrators and end users are supported.

HTTP request

POST https://identitytoolkit.googleapis.com/v1/accounts:update

The URL uses gRPC Transcoding syntax.

Request body

The request body contains data with the following structure:

JSON representation
{
  "idToken": string,
  "localId": string,
  "displayName": string,
  "email": string,
  "password": string,
  "provider": [
    string
  ],
  "oobCode": string,
  "emailVerified": boolean,
  "upgradeToFederatedLogin": boolean,
  "captchaChallenge": string,
  "captchaResponse": string,
  "validSince": string,
  "disableUser": boolean,
  "instanceId": string,
  "delegatedProjectNumber": string,
  "photoUrl": string,
  "deleteAttribute": [
    enum (UserAttributeName)
  ],
  "returnSecureToken": boolean,
  "deleteProvider": [
    string
  ],
  "lastLoginAt": string,
  "createdAt": string,
  "phoneNumber": string,
  "customAttributes": string,
  "tenantId": string,
  "targetProjectId": string,
  "mfa": {
    object (MfaInfo)
  },
  "linkProviderUserInfo": {
    object (ProviderUserInfo)
  }
}
Fields
idToken

string

A valid Identity Platform ID token. Required when attempting to change user-related information.

localId

string

The ID of the user. Specifying this field requires a Google OAuth 2.0 credential with proper permissions. For requests from end-users, an ID token should be passed instead.

displayName

string

The user's new display name to be updated in the account's attributes. The length of the display name must be less than or equal to 256 characters.

email

string

The user's new email to be updated in the account's attributes. The length of email should be less than 256 characters and in the format of name@domain.tld. The email should also match the RFC 822 addr-spec production. If email enumeration protection is enabled, the email cannot be changed by the user without verifying the email first, but it can be changed by an administrator.

password

string

The user's new password to be updated in the account's attributes. The password must be at least 6 characters long.

provider[]

string

The Identity Providers that the account should be associated with.

oobCode

string

The out-of-band code to be applied on the user's account. The following out-of-band code types are supported: * VERIFY_EMAIL * RECOVER_EMAIL * REVERT_SECOND_FACTOR_ADDITION * VERIFY_AND_CHANGE_EMAIL

emailVerified

boolean

Whether the user's email has been verified. Specifying this field requires a Google OAuth 2.0 credential with proper permissions.

upgradeToFederatedLogin

boolean

Whether the account should be restricted to only using federated login.

captchaChallenge
(deprecated)

string

captchaResponse

string

The response from reCaptcha challenge. This is required when the system detects possible abuse activities.

validSince

string (int64 format)

Specifies the minimum timestamp in seconds for an Identity Platform ID token to be considered valid.

disableUser

boolean

If true, marks the account as disabled, meaning the user will no longer be able to sign-in.

instanceId
(deprecated)

string

delegatedProjectNumber
(deprecated)

string (int64 format)

photoUrl

string

The user's new photo URL for the account's profile photo to be updated in the account's attributes. The length of the URL must be less than or equal to 2048 characters.

deleteAttribute[]

enum (UserAttributeName)

The account's attributes to be deleted.

returnSecureToken

boolean

Whether or not to return an ID and refresh token. Should always be true.

deleteProvider[]

string

The Identity Providers to unlink from the user's account.

lastLoginAt

string (int64 format)

The timestamp in milliseconds when the account last logged in.

createdAt

string (int64 format)

The timestamp in milliseconds when the account was created.

phoneNumber

string

The phone number to be updated in the account's attributes.

customAttributes

string

JSON formatted custom attributes to be stored in the Identity Platform ID token. Specifying this field requires a Google OAuth 2.0 credential with proper permissions.

tenantId

string

The tenant ID of the Identity Platform tenant that the account belongs to. Requests from end users should pass an Identity Platform ID token rather than setting this field.

targetProjectId

string

The project ID for the project that the account belongs to. Specifying this field requires Google OAuth 2.0 credential with proper permissions. Requests from end users should pass an Identity Platform ID token instead.

Authorization requires the following IAM permission on the specified resource targetProjectId:

  • firebaseauth.users.update
mfa

object (MfaInfo)

The multi-factor authentication related information to be set on the user's account. This will overwrite any previous multi-factor related information on the account. Specifying this field requires a Google OAuth 2.0 credential with proper permissions.

Response body

If successful, the response body contains an instance of SetAccountInfoResponse.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.