About organizations
Build on Kinde
Export your data
We know it’s really important that you can easily get your data out of Kinde when you need to. It’s equally important that your data - especially password data - is safe and cannot be easily accessed.
Important note: For security reasons, only team members who are Owners can export data.
You can download most of your Kinde data in a few steps, but if the export includes user passwords, this triggers an owner approval process to ensure that only authorized people can access them. See the fairly long but secure process outlined below.
Big disclaimer of course: Once you have downloaded your data, you are entirely responsible for protecting it.
Initiate a data export
Link to this section- Go to Settings > Business > Details to the Business Information page in Kinde.
- In the Export data section, select Export. Note, this section is only visible if you are an Owner.
- In the window that appears, select one of the export options.
- If you select All data (except passwords):
- Select Next. You will be sent an email with a confirmation code.
- Enter the code and select Next. The download file is generated.
- Download the file. Note that this is the only opportunity to download. To get the file again, you need to go back to step 2.
- If you select All data:
- Select Next. A request is sent to all business owners to approve the export.
- Read about the process below.
The export and approval process (when passwords are included)
Link to this sectionThere are a number of checks and validations done to enable password export. Unfortunately there is no way to avoid this being long and somewhat notification-heavy, as the aim is to prevent unauthorized access to passwords and other data.
Here’s how it works:
- An owner initiates a data export (including passwords) in Kinde. See above.
- All Kinde owners are notified by email of the export request (including any additional owners). They then have 24 hours to review it and ensure that it is a legitimate request. Note that this email is still sent if there is only one owner.
- If the request seems suspect, any owner can reject it immediately:
- Select Review in the email to open the request in Kinde.
- Select Reject in the far column of the data export table. This ends the export process.
- If the request is fine to approve, the notified owners have to wait 24 hours from the initial request for a new email which will allow them to approve the request in Kinde.
- The request can be approved by whichever notified owner responds first:
- Select View in the email.
- Select Approve in the right column of the data export table.
- Enter a one-time code to verify your identity and complete the approval.
- Approval triggers an email to the original requestor, who receives instructions on how to download the data. To download:
- In the email, select Download. This opens Kinde.
- Select the Download button in the export area. A confirmation window opens.
- Enter the one-time verification code sent to your email and select Next. The data starts to be prepared.
- After the data is generated, a window appears showing an encrypted .dat file for download, as well as a Key and an Initialization Vector for decrypting the file.
- Copy the Key and the Initialization Vector somewhere you can access it again later.
- Download the file. Note that this is the only opportunity to download. To get the file again, you need to request the data export again.
- An email is sent to the owner, advising them you have downloaded the data.
- Next, decrypt the downloaded file (see below).
We know this is a long process, especially since you are likely both the requestor and the owner, but we have made password security a top priority.
Decrypt your data export file
Link to this sectionTo decrypt the .dat file, you need to run a decryption command. You can use a tool like OpenSSL or a native command prompt.
-
Open a command prompt window.
-
Paste the following command.
openssl aes-256-ctr -d -e -in /path/to/kinde_export.dat -out /path/to/kinde_export.zip -nosalt -p -K YOUR_ENCRYPTION_KEY -iv YOUR_ENCRYPTION_IV -
Replace
YOUR_ENCRYPTION_KEYwith the Key you copied above. -
Replace
YOUR_ENCRYPTION_IVwith the Initialization Vector you copied above. -
Replace the -in path with the .dat file location (e.g.
-in ~/Downloads/kinde_export.dat), and update the -out path to where you would like the decrypted zip file to be generated (e.g.-out ~/Desktop/kinde_export.zip)Example of how the command might look:
openssl aes-256-ctr -d -e -in /Users/DriveName/Downloads/kinde_export.dat -out /Users/Drivename/Desktop/kinde_export.zip -nosalt -p -K 5f2xxxxxxx6b51ca282745852b0caxxxxxxxxxxxcd5832ecb97500956f3 -iv 4d4axxxxxxxxd2bd1994xxxxc698d3 -
Press Enter. The file decrypted kinde_export.zip file should appear in the specified -out location.
Cancel a request
Link to this sectionAt any time, the person who made the export request can cancel it by going to the Business Information page in Kinde and selecting Cancel request. This ends both the export and approval process.
What the exported data looks like
Link to this sectionData is exported in JSON format as separate user and business data files. If you have many records, there may be several JSON files in the batch.
Here’s what an exported record looks like.
{ "type": "object", "properties": { "users": { "type": "array", "items": { "type": "object", "properties": { "id": { "type": "string", "description": "Unique identifier for user" }, "external_id": { "type": "string", "description": "Imported external system id" }, "first_name": { "type": "string", "description": "First name" }, "last_name": { "type": "string", "description": "Last name" }, "email": { "type": "string", "description": "Email address", "format": "email" }, "email_verified": { "type": "boolean", "default": false, "description": "Indicates if the user has confirmed their email address" }, "social_logins": { "type": "object", "description": "Social login ids", "patternProperties": { ".*": { "type": "string" } } }, "business_code": { "type": "string", "description": "The business that the user belongs to" }, "organizations": { "type": "array", "description": "Organization codes that the user belongs to", "items": { "type": "string" } }, "created_on": { "type": "string", "description": "Timestamp that the user was created" } "password": { "type": "object", "description": "Hashed password", "properties": { "password_hash": { "type": "string", "description": "Hashed password" }, "hashing_algorithm": { "type": "string", "description": "Hashing algorithm" }, "hashing_config": { "type": "object", "description": "Algorithm specific configuration" }, } } } } }, "business": { "type": "object", "properties": { "code": { "type": "string", "description": "Unique identifier for business" }, "name": { "type": "string", "description": "Business name" }, "industry": { "type": "string", "description": "Industry that the business belongs to" }, "terms_url": { "type": "string", "description": "URL for business terms" }, "privacy_url": { "type": "string", "description": "URL for business privacy policy" }, "partner_code": { "type": "string", "description": "Partner code" }, "primary_email": { "type": "string", "description": "Primary email address for business" }, "primary_phone": { "type": "string", "description": "Primary phone number for business" } } }, "organizations": { "type": "array", "items": { "type": "object", "properties": { "organization_code": { "type": "string", "description": "Unique identifier for business" }, "name": { "type": "string", "description": "Organization name" }, "created_on": { "type": "string", "description": "Timestamp that the organization was created" }, "business_code": { "type": "string", "description": "Business code that the organization belongs to" } } } } }}How passwords are exported
Link to this sectionAs above, when passwords are exported, they appear as a hashed password, a hashing algorithm (e.g. bcrypt), and other hashing configuration details (e.g. salt and salt location). With this data you can authenticate against these credentials in another system using the same algorithm. Plain text passwords are never stored by Kinde for security purposes.
Considerations if switching to another provider
Link to this sectionKinde provides all your data in standard JSON files in a simple format. You will need to refer to the documentation of your new provider to establish what format the data needs to be in for importing.
Data security
Link to this sectionOnce your user data is exported and downloaded, it becomes your business’s responsibility to protect.
When we export the file containing passwords, it is encrypted using AES-256-CTR. The file can only be decrypted if you have the unique Key and Initialization Vector (IV) provided during download.
The encryption of the export file is designed to keep passwords secure during export, but once downloaded and decrypted, they become vulnerable.