Migrate to Kinde for user authentication
Get started
You can import users in bulk, from CSV or from other files provided by your previous authentication service, such as Auth0.
If you’ve got large user sets (over 5MB) or are concerned about file size limits, contact us to ensure the import goes smoothly.
Note: Importing users from Azure Set up the MS Entra ID connection in Kinde before you import your users. Then when you import, Kinde will match users to the relevant connection based on their email address.
Kinde treats usernames as case-insensitive. In other words, we ignore case. We do this because it eliminates the possibility of auth issues and fraud when two usernames are identical in every aspect except the case of one of their letters.
We are happy to support users choosing an aesthetically pleasing username combination, like RosyRose
or BuilderBob
. We just don’t also support separate identities for rosYrosE
and BUilderbob
. Before importing users, we recommend checking that all usernames are unique in more than just case.
When you export user details from Auth0:
identities
field to the import list.Identities
data distinguishes the type of identity, e.g. username, phone, GitHub, Google, etc.
Social identities without an email can be imported, and are identified by the identity type. You can import users with multiple identities, these will be listed under the user’s profile.
Kinde supports migrating the following authentication methods from Auth0: Usernames, Email, Phone, Google, Apple, Microsoft, Facebook, GitHub, Twitch, Bitbucket. If you need to migrate another authentication type from Auth0 please get in touch with support.
When importing users from Auth0 NDJSON files, you have three options:
When exporting data from another auth system or your own system via CSV, the file needs to be set up with specific headings and formats for the data you are importing. These are detailed below.
If you are migrating from Auth0, see the Prepare JSON data (for Auth0 imports) section.
email
or phone
- minimum required identity informationexternal_organization_id
- Only required if you are importing roles and permissionsThe more data that you include for import, the easier we can set up your users in Kinde. Kinde will not duplicate users with existing email addresses.
first_name
and last_name
id
(also referred to as provided_id
) - unique to the auth provider and helps us match records as they are imported.
username
- if usernames are part of a user’s identity
phone
- in the E.164 format [+][country code][number]. For example, +6155511555. Required for phone authentication.
phone_verified
- phone number verification status: TRUE or FALSE
email
- the user’s email address
email_verified
- email verification status: TRUE
or FALSE
. TRUE only applies if you are also importing the user’s password. If they have not set a password and you set this to TRUE
, they will be prompted to set one using a one-time code the first time they sign in. This verifies their identity.
role_key
- the role key for the role a user will be assigned on import. If the user is to be assigned more than one role, use a comma separated list.
permission_key
- the permissions key for the permission a user will be assigned (that is not included in their role). If the user is to be assigned more than one permission, use a comma separated list.
external_organization_id
- the third-party supplied ID of the organizations you want the user to be imported into. Only required if you are importing roles and permissions with user data. If the user belongs to more than one organization, use a comma separated list.
Note that this is NOT the same as the Organization code in Kinde, which is a Kinde-supplied ID.
hashed_password
- the user’s password encrypted using a hashing method or algorithm.hashing_method
- the name of the algorithm used to encrypt the user’s password. Currently crypt, bcrypt, sha256, md5, and wordpress are supported. Contact us if you need a different method.salt
- extra characters added to passwords to make them strongersalt_position
- position of salt in password string. E.g. prefix (before) or suffix (after).salt_format
- format of the salt, e.g. hex, string, etc.Please note if you are importing bcrypt hashes with the $2b variant, Kinde will substitute this for the $2a variant. These are interchangeable as long as you were not running OpenBSD at the time the hashes were generated.
Provide the hash in hex format. Import the salt using the salt
column. For the salt_format
, specify how the salt should be interpreted: e.g. hex for a hex-encoded string (68656c6c6f for hello). By default, the salt is treated as a plain string, and escape sequences (like \n or \v) are treated as literal characters.
Hashing method | Salt | Salt position |
---|---|---|
md5 | Optional | required if salt included |
bcrypt | ||
crypt | Optional | |
wordpress | Optional | |
sha256 | Optional | required if salt included |
If you’re importing users who belong to multiple organizations and they have different roles in those organizations, you can set up the CSV to duplicate the user on a separate line for each organization they belong to, with the relevant roles to match. For example:
Alternatively, you can import your users first, then import their roles and organizations in a separate file:
Importing all your existing users and passwords should mean that your end users won’t notice anything when they next sign in. This is the optimal experience. However:
When you import passwords via CSV, Kinde does not check for password strength. However, if you do not also include a TRUE
in the password_verified
column of the CSV, Kinde will send a one-time password to the user the first time they try to sign in, in order to verify their identity.
In future, we may add the ability to check password strength and initiate a password change if it’s deemed to weak by standard password criteria.
If you add a user via import and they start authenticating via Kinde, and then you import their records again with changes - for example, a name change or a new email - that information will not be updated in Kinde.
Similarly, if a user has changed the spelling of their name or has new permissions, and you import data from a CSV containing outdated information, the older data will NOT override their current record in Kinde.
We recommend managing updates to user information via the Kinde admin, or via API.
Kinde does not send any notifications or invitations to users when they are added to Kinde via import. The idea is that your users have a seamless experience that feels (almost) like it always has in your app.
Similarly, if you add users via API, Kinde does not send an email or notification to the user.
If you’ve made changes to their sign in experience — for example adding multi-factor authentication — then consider contacting your users to let them know their sign in experience will be changed.