We know it’s really important that you can easily get your data out of Kinde when you need to. It’s equally important that your data - especially password data - is safe and cannot be easily accessed.
Important note: For security reasons, only team members who are Owners can export data.
You can download most of your Kinde data in a few steps, but if the export includes user passwords, this triggers an owner approval process to ensure that only authorized people can access them. See the fairly long but secure process outlined below.
Big disclaimer of course: Once you have downloaded your data, you are entirely responsible for protecting it.
There are a number of checks and validations done to enable password export. Unfortunately there is no way to avoid this being long and somewhat notification-heavy, as the aim is to prevent unauthorized access to passwords and other data.
ℹ️ If a business has a sole owner, this might seem like a more complex process than it needs to be. But we implemented this process to maximize security. At some stage in future we may optimize it for the solo owner experience, but for now, this applies to all businesses.
Here’s how it works:
We know this is a long process, especially since you are likely both the requestor and the owner, but we have made password security a top priority.
To decrypt the .dat file, you need to run a decryption command. You can use a tool like OpenSSL or a native command prompt.
1. Open a command prompt window.
2. Paste the following command:
   openssl aes-256-ctr -d -in /path/to/kinde_export.dat -out /path/to/kinde_export.zip -nosalt -p -K YOUR_ENCRYPTION_KEY -iv YOUR_ENCRYPTION_IV
3. Replace YOUR_ENCRYPTION_KEY with the Key you copied above.
4. Replace YOUR_ENCRYPTION_IV with the Initialization Vector you copied above.
5. Replace the -in path with the .dat file location (e.g. -in ~/Downloads/kinde_export.dat), and update the -out path to where you would like the decrypted zip file to be generated (e.g. -out ~/Desktop/kinde_export.zip).
   Example of how the command might look:
   openssl aes-256-ctr -d -in /Users/DriveName/Downloads/kinde_export.dat -out /Users/DriveName/Desktop/kinde_export.zip -nosalt -p -K 5f2xxxxxxx6b51ca282745852b0caxxxxxxxxxxxcd5832ecb97500956f3 -iv 4d4axxxxxxxxd2bd1994xxxxc698d3
6. Press Enter. The decrypted kinde_export.zip file should appear in the specified -out location.
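A scripted form of the decryption step above, as an added example that is not Kinde's own code: it checks the length of the Key and IV, leaves out -p (which prints the key and IV to the terminal), and confirms the output is a ZIP, because AES-CTR has no integrity check and a wrong Key or IV still produces a file. The function name decrypt_export and its exit codes are assumptions of this example.

```sh
#!/bin/sh
# Added example, not Kinde's code. decrypt_export and its exit codes are
# names chosen for this sketch.
#
# decrypt_export IN.dat OUT.zip KEY_HEX IV_HEX
#   0 = decrypted and looks like a ZIP     2 = malformed Key or IV
#   3 = openssl failed                     4 = output is not a ZIP
# The body is a ( subshell ), so umask and variables stay local and
# "exit" ends only the function.
decrypt_export() (
  in=$1 out=$2 key=$3 iv=$4

  # AES-256 needs a 32-byte key (64 hex digits) and a 16-byte IV (32 hex
  # digits). Check here: openssl zero-pads a short -K/-iv value rather
  # than rejecting it.
  printf '%s' "$key" | grep -Eq '^[0-9A-Fa-f]{64}$' ||
    { echo "Key must be 64 hex digits" >&2; exit 2; }
  printf '%s' "$iv" | grep -Eq '^[0-9A-Fa-f]{32}$' ||
    { echo "IV must be 32 hex digits" >&2; exit 2; }

  # The decrypted export contains password hashes: create it owner-only.
  umask 077
  # Same cipher and flags as the command on this page, minus -p.
  openssl enc -aes-256-ctr -d -nosalt -K "$key" -iv "$iv" \
    -in "$in" -out "$out" || exit 3

  # CTR decryption cannot fail on a wrong key or IV; it just writes
  # garbage. A non-empty ZIP archive starts with 50 4b 03 04 ("PK..").
  magic=$(head -c 4 "$out" | od -An -tx1 | tr -d ' \n')
  if [ "$magic" != 504b0304 ]; then
    rm -f "$out"
    echo "Output is not a ZIP archive; re-check the Key and IV" >&2
    exit 4
  fi
)

# Usage: sh decrypt_export.sh kinde_export.dat kinde_export.zip KEY IV
if [ "$#" -eq 4 ]; then
  decrypt_export "$@"
fi
```

The Key and IV still appear in the process list and shell history while the command runs, so run it on a machine only the approving owner uses.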
At any time, the person who made the export request can cancel it by going to the Business Information page in Kinde and selecting Cancel request. This ends both the export and approval process.
Data is exported in JSON format as separate user and business data files. If you have many records, there may be several JSON files in the batch.
Here’s what an exported record looks like.
{
  "type": "object",
  "properties": {
    "users": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "id": { "type": "string", "description": "Unique identifier for user" },
          "external_id": { "type": "string", "description": "Imported external system id" },
          "first_name": { "type": "string", "description": "First name" },
          "last_name": { "type": "string", "description": "Last name" },
          "email": { "type": "string", "description": "Email address", "format": "email" },
          "email_verified": { "type": "boolean", "default": false, "description": "Indicates if the user has confirmed their email address" },
          "social_logins": { "type": "object", "description": "Social login ids", "patternProperties": { ".*": { "type": "string" } } },
          "business_code": { "type": "string", "description": "The business that the user belongs to" },
          "organizations": { "type": "array", "description": "Organization codes that the user belongs to", "items": { "type": "string" } },
          "created_on": { "type": "string", "description": "Timestamp that the user was created" },
          "password": {
            "type": "object",
            "description": "Hashed password",
            "properties": {
              "password_hash": { "type": "string", "description": "Hashed password" },
              "hashing_algorithm": { "type": "string", "description": "Hashing algorithm" },
              "hashing_config": { "type": "object", "description": "Algorithm specific configuration" }
            }
          }
        }
      }
    },
    "business": {
      "type": "object",
      "properties": {
        "code": { "type": "string", "description": "Unique identifier for business" },
        "name": { "type": "string", "description": "Business name" },
        "industry": { "type": "string", "description": "Industry that the business belongs to" },
        "terms_url": { "type": "string", "description": "Url for business terms" },
        "privacy_url": { "type": "string", "description": "Url for business privacy policy" },
        "partner_code": { "type": "string", "description": "Partner code" },
        "primary_email": { "type": "string", "description": "Primary email address for business" },
        "primary_phone": { "type": "string", "description": "Primary phone number for business" }
      }
    },
    "organizations": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "organization_code": { "type": "string", "description": "Unique identifier for business" },
          "name": { "type": "string", "description": "Organization name" },
          "created_on": { "type": "string", "description": "Timestamp that the organization was created" },
          "business_code": { "type": "string", "description": "Business code that the organization belongs to" }
        }
      }
    }
  }
}
As above, when passwords are exported, they appear as a hashed password, a hashing algorithm (e.g. bcrypt), and other hashing configuration details (e.g. salt and salt location). With this data you can authenticate against these credentials in another system using the same algorithm. Plain text passwords are never stored by Kinde for security purposes.
Kinde provides all your data in standard JSON files in a simple format. You will need to refer to the documentation of your new provider to establish what format the data needs to be in for importing.
Once your user data is exported and downloaded, it becomes your business’s responsibility to protect.
When we export the file containing passwords, it is encrypted using AES-256-CTR. The file can only be decrypted if you have the unique Key and Initialization Vector (IV) provided during download.
The encryption of the export file is designed to keep passwords secure during export, but once downloaded and decrypted, they become vulnerable.