Migrate to Kinde for user authentication
Get started
Migrate to Kinde from FusionAuth
Migrate your users from FusionAuth to Kinde. FusionAuth exports user details and password hashes together, so you can import everything in a single step — no separate password import required.
What you need
Link to this section- A Kinde account with Admin access
- A Kinde account configured to match your current auth provider — see before you migrate
- A FusionAuth account with user export permissions
Key considerations
Link to this section- Password hashes are supported — Kinde imports FusionAuth password hashes automatically. Users on supported schemes keep their existing password with no reset required.
- NDJSON format — user data must be in Newline Delimited JSON format, with one user object per line. File size must be 49MB or less. Split large exports into batches, or contact support for import help.
- Social identities are not supported — this importer covers email, username, and phone identities. Social and federated logins (Google, Apple, etc.) are stored separately in FusionAuth and are not included in this import.
- Username case sensitivity — Kinde treats usernames as case-insensitive. Before importing, check that all usernames are unique when letter casing is ignored.
Migration guide
Link to this section1. Export users from FusionAuth
Link to this sectionFusionAuth recommends exporting users as part of their offboarding process. There are two ways to produce the NDJSON file Kinde expects:
- Direct database export (recommended by FusionAuth) — produces snake_case field names (for example
first_name,mobile_phone,encryption_scheme). - FusionAuth API export — produces camelCase field names (for example
firstName,mobilePhone,encryptionScheme).
Kinde accepts both naming styles, so use whichever export method suits you. Each line in the file should be a single user object.
Kinde reads the following fields from each user record:
| FusionAuth field | Used for |
|---|---|
id | Stable external identifier — used to match records on re-import |
email | Email identity |
username | Username identity |
mobile_phone / mobilePhone | Phone identity |
first_name / firstName | Given name |
last_name / lastName | Family name |
verified | Whether the identity is verified |
encryption_scheme / encryptionScheme | Password hashing variant |
salt | Password salt (base64) |
factor / iterations | PBKDF2 iteration count |
password | Password hash (base64 derived key) |
Supported password hashing
Link to this sectionKinde imports FusionAuth password hashes automatically. The following schemes are supported:
salted-pbkdf2-hmac-sha256(PBKDF2, HMAC-SHA256, 256-bit)salted-pbkdf2-hmac-sha256-512(PBKDF2, HMAC-SHA256, 512-bit)salted-pbkdf2-hmac-sha512-512(PBKDF2, HMAC-SHA512, 512-bit)bcrypt
Users on an unsupported or custom hashing scheme import successfully but are prompted to reset their password on first sign-in.
How identities are treated on import
Link to this sectionKinde imports the email, username, and phone identities found on each FusionAuth user. Users can have more than one identity — these are listed under the user’s profile in Kinde.
2. Import into Kinde
Link to this section-
In Kinde, go to Users, then select Import users.
-
Select FusionAuth.
-
Follow the on-screen prompts to upload your NDJSON file (49MB or less).
-
Review any import errors reported after import. Fix the file and re-import to resolve them.
See the bulk import guide for more on file formats and post-import handling.
3. Test the migration
Link to this section- Sign in as a user from your FusionAuth export.
- Verify they can sign in with their existing FusionAuth credentials.
- Notify users of any changes to their sign-in experience before going live.
After import
Link to this sectionImpact on end users
Link to this sectionImporting users and passwords together should mean your end users won’t notice anything when they next sign in. However:
- If a user changes their password after the export and while the migration is in progress, they will be prompted to reset their password on next sign-in.
- If you set up a new authentication method as part of the migration (for example, going passwordless), users will be prompted to use the new method on sign-in.
- If you add or remove roles or permissions, users may gain or lose access to parts of your system.
Re-importing can update user info
Link to this sectionIf you import a user and they start authenticating via Kinde, a subsequent import with changes — for example, an updated name or a new permission — will update their record in Kinde. We do not recommend making ongoing user updates via import; manage updates via the Kinde admin or API instead.
Communication to users
Link to this sectionKinde does not send notifications or invitations when users are added via import. The goal is a seamless experience that feels like nothing has changed.
If you have changed the sign-in experience — for example, adding multi-factor authentication — consider contacting your users to let them know.
Get support
Link to this sectionIf you need help with your migration, contact Kinde support.