Skip to Content
GuidesUser ManagementImport & Export

User Import & Export

Auris provides a bulk import and export system for user data. Import is useful for migrating from an existing identity provider, onboarding a batch of employees from an HR system, or seeding users in a new tenant. Export is useful for creating backups, auditing your user base, or migrating to another system.

Both operations are asynchronous. Auris processes the file in the background and exposes a job status endpoint so you can poll for completion or display a progress indicator.


Import Formats

Auris accepts two file formats for user import.

CSV Format

The first row must be a header row. Column order does not matter, but column names must match exactly.

email,username,firstName,lastName,password,roles [email protected],alice,Alice,Rossi,TempPass123!,member [email protected],bob,Bob,Marley,,member|billing-admin [email protected],,Carol,White,,,

Column reference:

ColumnRequiredNotes
emailYesMust be unique within the tenant
usernameNoDefaults to the local part of the email if omitted
firstNameNo
lastNameNo
passwordNoIf omitted, user is created without credentials and must reset via email
rolesNoPipe-separated list of role names: member|admin

JSON Format

The file must contain a JSON array of user objects. Fields match the CSV column names.

[ { "email": "[email protected]", "username": "alice", "firstName": "Alice", "lastName": "Rossi", "password": "TempPass123!", "roles": ["member"] }, { "email": "[email protected]", "roles": ["member", "billing-admin"] } ]

Passwords provided in import files are transmitted over HTTPS and hashed server-side before storage. The plaintext password is never persisted. For production imports of real user data, prefer omitting passwords and forcing a password-reset flow instead.


Import Process

Upload the file

Submit the file via the Console drag-and-drop interface (Settings → Import/Export) or via the API:

POST/api/users/importRequires: manage:users

Accepts a multipart/form-data request with a file field containing a CSV or JSON file. Returns the created import job.

curl -X POST https://auth.yourapp.com/api/users/import \ -H "Authorization: Bearer $TOKEN" \ -H "x-tenant: your-tenant" \ -F "[email protected]"

Response:

{ "ok": true, "data": { "id": "import_01HX...", "fileName": "users.csv", "format": "CSV", "status": "PENDING", "totalRows": 0, "processedRows": 0, "successCount": 0, "errorCount": 0, "createdAt": "2025-06-10T14:00:00Z" } }

Track job progress

Poll the job detail endpoint until status is no longer PENDING or PROCESSING.

GET/api/users/import/[id]Requires: manage:users

Returns the current state of an import job including row counts and per-row errors.

Job statuses:

StatusMeaning
PENDINGJob is queued and has not started processing yet
PROCESSINGAuris is actively reading and creating users
COMPLETEDAll rows processed successfully
PARTIALProcessing finished but some rows failed — see errors
FAILEDThe entire job failed (e.g., invalid file format, unreadable data)

Review results

A completed or partial job response includes error details:

{ "ok": true, "data": { "id": "import_01HX...", "status": "PARTIAL", "totalRows": 150, "processedRows": 150, "successCount": 147, "errorCount": 3, "errors": [ { "row": 12, "email": "[email protected]", "reason": "Email address already exists in this tenant" }, { "row": 67, "reason": "Missing required field: email" }, { "row": 103, "email": "bad-email", "reason": "Invalid email address format" } ] } }

Import Behavior

Understanding how Auris handles edge cases during import:

Duplicate emails: If a user with the same email already exists in the tenant, the row is skipped and counted as an error. The existing user record is not modified.

Missing passwords: Users created without a password are provisioned in a disabled-credentials state. They must use the “Forgot Password” flow or receive an admin-triggered password reset email to gain access.

Role assignment: Roles listed in the import file are assigned after user creation. If a role name does not exist in the tenant, the row is marked as a partial error — the user is created, but the role assignment fails.

Keycloak sync: Each successfully imported user is created in both the Auris database and the underlying Keycloak realm. The two records are linked by keycloakId.

Transaction model: Auris processes rows individually rather than in a single transaction. A failure on row 50 does not roll back rows 1–49.


Listing Import Jobs

GET/api/users/importRequires: manage:users

Returns a paginated list of all import jobs for the tenant, sorted by creation date descending.


Exporting Users

User export generates a file containing all active (non-deleted) users in the tenant. The operation is asynchronous: you trigger the export, then download the file when generation is complete.

Trigger an export

POST/api/users/exportRequires: manage:users

Starts an export job. Accepts format in the request body: "CSV" or "JSON". Returns the export job record.

{ "format": "JSON" }

Response:

{ "ok": true, "data": { "id": "export_01HX...", "format": "JSON", "status": "PENDING", "totalUsers": 0, "expiresAt": "2025-06-17T14:00:00Z", "createdAt": "2025-06-10T14:00:00Z" } }

Poll for completion

GET/api/users/exportRequires: manage:users

Returns a list of all export jobs, including status and expiry.

Download the file

GET/api/users/export/[id]/downloadRequires: manage:users

Returns the export file as a binary response. Set Accept: text/csv or Accept: application/json to control the response content type, or rely on the job’s configured format.

curl https://auth.yourapp.com/api/users/export/export_01HX.../download \ -H "Authorization: Bearer $TOKEN" \ -H "x-tenant: your-tenant" \ -o users-export.json

Export files are stored temporarily and expire after a configured duration (default: 7 days). Download the file before the expiresAt timestamp. After expiry, you must trigger a new export.

Exported fields

The export includes:

FieldNotes
idAuris user ID
email
username
firstName
lastName
enabledtrue / false
rolesArray of role names
createdAtISO 8601 timestamp
lastLoginISO 8601 timestamp, or null if the user has never logged in
metadataFull metadata object

Password hashes are never included in exports. If you are migrating to another IdP, users will need to reset their passwords after the migration.


Console Walkthrough

The Console import/export interface is available at Settings → Import/Export.

Importing:

  1. Drag and drop a .csv or .json file onto the upload zone, or click to open the file picker.
  2. The Console shows a preview of the first 10 rows for validation before submission.
  3. After submission, a progress bar tracks processing. The bar updates every few seconds via polling.
  4. When the job finishes, a results summary shows success count, error count, and a link to the error details dialog.

Exporting:

  1. Select the export format (CSV or JSON).
  2. Click “Export Users”. The Console shows the job status.
  3. When export is complete, a “Download” button appears. Click it to save the file.
  4. Previous exports are listed with their status, creation date, and expiry date.

Required Permissions

OperationPermission
List import jobsmanage:users
Upload import filemanage:users
Get import job detailmanage:users
Trigger exportmanage:users
Download export filemanage:users