# Migrate a single user Migrate a user into your environment. Provide the required fields: user's email, tenantId, and metadata. You can also include additional properties such as the user's name, phone number, hashed password, and other optional attributes. Endpoint: POST /resources/migrations/v1/local Security: bearer ## Request fields (application/json): - `tenantId` (string, required) The tenant id of the user - `name` (string) The name of the user - `profilePictureUrl` (string) The profile picture url of the user - `passwordHash` (string) The password hash. For SCrypt should include the salt and key seperated by the salt separator - `passwordHashType` (string) Enum: "bcrypt", "scrypt", "firebase-scrypt", "pbkdf2", "argon2", "sha256", "sha1" - `passwordHashConfig` (string) Stringified JSON Hashing config for the migrated password. For SCrypt should be formatted as { saltSeparator, N, r, p, keyLen }. For FirebaseScrypt should be formatted as { memCost, rounds, saltSeparator, signerKey } - `authenticatorAppMfaSecret` (string) The authenticator app MFA secret - `phoneNumber` (string) phoneNumber can be used both for login with SMS and for MFA This auto-enrolls the user in MFA, prompting them at first login (regardless of tenant/vendor MFA settings). The required format is an area code + number, no spaces. For example: "+16037184056" The number must be unique - `phoneNumberType` (string) Enum: "auth", "mfa" - `provider` (string) Enum: "local", "saml", "google", "github", "facebook", "microsoft", "scim2", "slack", "apple" - `metadata` (string) Stringified JSON object - `roleIds` (array) Role ids of the migrated users. If not provided, the user will be assigned the default roles - `vendorMetadata` (string) Extra vendor-only data. stringified JSON object - `externalId` (string) The external id of the user - `username` (string) The username of the user. If not provided, the email is required. Maximum length is 255 characters. - `email` (string, required) The email of the user. If not provided, the username is required - `verifyUser` (boolean) Whether to verify the user as part of the migration process. If this is set to false, another call is required for the verify user API ## Response 201 fields (application/json): - `id` (string, required) - `email` (string, required) - `name` (string, required) - `profilePictureUrl` (string, required) - `sub` (string, required) - `verified` (boolean, required) - `mfaEnrolled` (boolean, required) - `mfaBypass` (boolean) - `phoneNumber` (string) - `roles` (array, required) - `roles.vendorId` (string, required) - `roles.tenantId` (string, required) - `roles.key` (string, required) - `roles.description` (string, required) - `roles.isDefault` (boolean, required) - `roles.firstUserRole` (boolean, required) - `roles.level` (number, required) - `roles.createdAt` (string, required) - `roles.updatedAt` (string, required) - `roles.permissions` (array, required) - `provider` (string, required) - `tenantIds` (array, required) - `activatedForTenant` (boolean) - `isLocked` (boolean) - `tenants` (array, required) - `tenants.temporaryExpirationDate` (string) - `tenants.isDisabled` (boolean) - `invisible` (boolean) - `superUser` (boolean) - `metadata` (string, required) - `vendorMetadata` (string, required) - `externalId` (string) - `lastLogin` (string, required) - `groups` (array) - `subAccountAccessAllowed` (boolean, required) - `managedBy` (string) Enum: "frontegg", "scim2", "external"