About organizations
Build on Kinde
We know it’s really important that you can easily get your data out of Kinde when you need to. It’s equally important that your data - especially password data - is safe and cannot be easily accessed.
Important note: For security reasons, only team members who are Owners can export data.
You can download most of your Kinde data in a few steps, but if the export includes user passwords, this triggers an owner approval process to ensure that only authorized people can access them. See the fairly long but secure process outlined below.
Big disclaimer of course: Once you have downloaded your data, you are entirely responsible for protecting it.
There are a number of checks and validations done to enable password export. Unfortunately there is no way to avoid this being long and somewhat notification-heavy, as the aim is to prevent unauthorized access to passwords and other data.
If a business has a sole owner, this might seem like a more complex process than it needs to be. But we implemented this process to maximize security. At some stage in future we may optimize it for the solo owner experience, but for now, this applies to all businesses.
Here’s how it works:
We know this is a long process, especially since you are likely both the requestor and the owner, but we have made password security a top priority.
To decrypt the .dat file, you need to run a decryption command. You can use a tool like OpenSSL or a native command prompt.
Open a command prompt window.
Paste the following command. openssl aes-256-ctr -d -e -in /path/to/kinde_export.dat -out /path/to/kinde_export.zip -nosalt -p -K YOUR_ENCRYPTION_KEY -iv YOUR_ENCRYPTION_IV
Replace YOUR_ENCRYPTION_KEY
with the Key you copied above.
Replace YOUR_ENCRYPTION_IV
with the Initialization Vector you copied above.
Replace the -in path with the .dat file location (e.g. -in ~/Downloads/kinde_export.dat
), and update the -out path to where you would like the decrypted zip file to be generated (e.g. -out ~/Desktop/kinde_export.zip
)
Example of how the command might look:
openssl aes-256-ctr -d -e -in /Users/DriveName/Downloads/kinde_export.dat -out /Users/Drivename/Desktop/kinde_export.zip -nosalt -p -K 5f2xxxxxxx6b51ca282745852b0caxxxxxxxxxxxcd5832ecb97500956f3 -iv 4d4axxxxxxxxd2bd1994xxxxc698d3
Press Enter. The file decrypted kinde_export.zip file should appear in the specified -out location.
At any time, the person who made the export request can cancel it by going to the Business Information page in Kinde and selecting Cancel request. This ends both the export and approval process.
Data is exported in NDJSON format, with separate data files for users and organizations.
Here’s an example of users.ndjson
.
{ "$schema": "http://json-schema.org/draft-07/schema#", "type": "object", "properties": { "id": { "type": "string", "description": "Unique identifier for the object" }, "email": { "type": ["string", "null"], "format": "email", "description": "Email address of the user" }, "phone": { "type": ["string", "null"], "description": "Phone number of the user, if available" }, "username": { "type": ["string", "null"], "description": "Username of the user, if available" }, "last_name": { "type": ["string", "null"], "description": "Last name of the user, if available" }, "created_on": { "type": "string", "format": "date-time", "description": "Timestamp when the user was created" }, "first_name": { "type": ["string", "null"], "description": "First name of the user, if available" }, "identities": { "type": "array", "items": { "type": "object", "properties": { "type": { "type": "string", "description": "Type of identity (e.g., email)" }, "identity": { "type": "string", "description": "Identity value (e.g., email address)" }, "provider": { "type": ["string", "null"], "description": "Provider associated with the identity, if any" } }, "required": ["type", "identity"] }, "description": "List of identities associated with the user" }, "external_id": { "type": ["string", "null"], "description": "External identifier for the user, if available" }, "business_code": { "type": "string", "description": "Code representing the associated business" }, "organizations": { "type": "array", "items": { "type": "string" }, "description": "List of organizations the user belongs to" }, "email_verified": { "type": "boolean", "description": "Indicates if the email address is verified" }, "password": { "type": "object", "properties": { "hashing_config": { "type": "object" }, "hashed_password": { "type": "string" }, "hashing_algorithm": { "type": ["string", "null"] } }, "required": ["hashing_config", "hashed_password"] } }, "required": ["id", "email", "created_on", "identities", "business_code", "organizations", "email_verified"], "additionalProperties": false}
Here’s an example of organizations.ndjson
.
{ "$schema": "http://json-schema.org/draft-07/schema#", "type": "object", "properties": { "name": { "type": "string", "description": "Name of the organization" }, "created_on": { "type": "string", "format": "date-time", "description": "Timestamp when the organization was created" }, "business_code": { "type": "string", "description": "Code representing the associated business" }, "organization_code": { "type": "string", "description": "Code representing the organization" } }, "required": ["name", "created_on", "business_code", "organization_code"], "additionalProperties": false}
As above, when passwords are exported, they appear as a hashed password, a hashing algorithm (e.g. bcrypt), and other hashing configuration details (e.g. salt and salt location). With this data you can authenticate against these credentials in another system using the same algorithm. Plain text passwords are never stored by Kinde for security purposes.
Kinde provides all your data in standard JSON files in a simple format. You will need to refer to the documentation of your new provider to establish what format the data needs to be in for importing.
Once your user data is exported and downloaded, it becomes your business’s responsibility to protect.
When we export the file containing passwords, it is encrypted using AES-256-CTR. The file can only be decrypted if you have the unique Key and Initialization Vector (IV) provided during download.
The encryption of the export file is designed to keep passwords secure during export, but once downloaded and decrypted, they become vulnerable.