User Model
Fields
| Field | Type | Description |
|---|---|---|
| `id` | UUID string | Unique user identifier; used as the `sub` claim in tokens |
| `username` | string | Login name; must be unique; length controlled by validation settings |
| `password` | string | bcrypt hash of the password; never stored in plaintext |
| `email` | string | Optional email address; required if `validation_email_required` is true |
| `role` | string | `user` or `admin` |
| `created_at` | timestamp | When the account was created |
| `failed_login_attempts` | integer | Number of consecutive failed login attempts; resets on success |
| `locked_until` | timestamp (nullable) | If set, the account is locked until this time |
| `totp_secret` | string | TOTP shared secret (base32); empty until enrolled |
| `totp_verified` | boolean | Whether the user has completed TOTP enrollment |
| `is_email_verified` | boolean | Whether the email address has been verified |
| `deactivated_at` | timestamp (nullable) | If set, the account is deactivated and cannot log in |
API representation
The admin API returns users in a safe representation that excludes the password hash and TOTP secret:
```json
{
  "id": "a3f4e5b6-1234-5678-abcd-ef1234567890",
  "username": "alice",
  "email": "alice@example.com",
  "role": "user",
  "created_at": "2024-01-15T10:30:00Z",
  "failed_login_attempts": 0,
  "locked_until": null,
  "totp_verified": true,
  "is_email_verified": true
}
```

Token claims
The user id is the sub claim in access tokens and ID tokens. The username maps to name, and email maps to email (when the email scope is requested).
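
The safe representation and the claim mapping described above, sketched in Python as an added example (not the project's own code). The names `admin_view`, `token_claims`, `ADMIN_VIEW_FIELDS` and `SECRET_FIELDS` are hypothetical, the allow-list is assumed to match the keys of the sample response, and omitting the `email` claim when no address is stored is an assumption.

```python
# Hypothetical helpers; the allow-list is assumed from the sample response.
ADMIN_VIEW_FIELDS = (
    "id", "username", "email", "role", "created_at",
    "failed_login_attempts", "locked_until",
    "totp_verified", "is_email_verified",
)
SECRET_FIELDS = frozenset({"password", "totp_secret"})


def admin_view(user: dict) -> dict:
    """Build the admin API representation from an allow-list.

    Copying named fields, rather than deleting secrets from a copy, means a
    sensitive column added to the model later stays out of the response.
    """
    view = {name: user.get(name) for name in ADMIN_VIEW_FIELDS}
    leaked = SECRET_FIELDS & view.keys()
    if leaked:  # trips if someone adds a secret field to the allow-list
        raise ValueError(f"secret fields in admin view: {sorted(leaked)}")
    return view


def token_claims(user: dict, scopes: set) -> dict:
    """Map user fields to claims: id -> sub, username -> name, email -> email."""
    claims = {"sub": user["id"], "name": user["username"]}
    # email is released only when the email scope was requested
    # (assumption: the claim is omitted when no address is stored)
    if "email" in scopes and user.get("email"):
        claims["email"] = user["email"]
    return claims


# Constructed sample record; the hash and TOTP secret are placeholders.
SAMPLE_USER = {
    "id": "a3f4e5b6-1234-5678-abcd-ef1234567890", "username": "alice",
    "password": "<bcrypt-hash-placeholder>", "email": "alice@example.com",
    "role": "user", "created_at": "2024-01-15T10:30:00Z",
    "failed_login_attempts": 0, "locked_until": None,
    "totp_secret": "<base32-placeholder>", "totp_verified": True,
    "is_email_verified": True, "deactivated_at": None,
}

if __name__ == "__main__":
    print(admin_view(SAMPLE_USER))
    print(token_claims(SAMPLE_USER, {"openid", "email"}))
```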