User Import & Export
Auris provides a bulk import and export system for user data. Import is useful for migrating from an existing identity provider, onboarding a batch of employees from an HR system, or seeding users in a new tenant. Export is useful for creating backups, auditing your user base, or migrating to another system.
Both operations are asynchronous. Auris processes the file in the background and exposes a job status endpoint so you can poll for completion or display a progress indicator.
Import Formats
Auris accepts two file formats for user import.
CSV Format
The first row must be a header row. Column order does not matter, but column names must match exactly.
email,username,firstName,lastName,password,roles
[email protected],alice,Alice,Rossi,TempPass123!,member
[email protected],bob,Bob,Marley,,member|billing-admin
[email protected],,Carol,White,,,Column reference:
| Column | Required | Notes |
|---|---|---|
email | Yes | Must be unique within the tenant |
username | No | Defaults to the local part of the email if omitted |
firstName | No | |
lastName | No | |
password | No | If omitted, user is created without credentials and must reset via email |
roles | No | Pipe-separated list of role names: member|admin |
JSON Format
The file must contain a JSON array of user objects. Fields match the CSV column names.
[
{
"email": "[email protected]",
"username": "alice",
"firstName": "Alice",
"lastName": "Rossi",
"password": "TempPass123!",
"roles": ["member"]
},
{
"email": "[email protected]",
"roles": ["member", "billing-admin"]
}
]Passwords provided in import files are transmitted over HTTPS and hashed server-side before storage. The plaintext password is never persisted. For production imports of real user data, prefer omitting passwords and forcing a password-reset flow instead.
Import Process
Upload the file
Submit the file via the Console drag-and-drop interface (Settings → Import/Export) or via the API:
/api/users/importRequires: manage:usersAccepts a multipart/form-data request with a file field containing a CSV or JSON file. Returns the created import job.
curl -X POST https://auth.yourapp.com/api/users/import \
-H "Authorization: Bearer $TOKEN" \
-H "x-tenant: your-tenant" \
-F "[email protected]"Response:
{
"ok": true,
"data": {
"id": "import_01HX...",
"fileName": "users.csv",
"format": "CSV",
"status": "PENDING",
"totalRows": 0,
"processedRows": 0,
"successCount": 0,
"errorCount": 0,
"createdAt": "2025-06-10T14:00:00Z"
}
}Track job progress
Poll the job detail endpoint until status is no longer PENDING or PROCESSING.
/api/users/import/[id]Requires: manage:usersReturns the current state of an import job including row counts and per-row errors.
Job statuses:
| Status | Meaning |
|---|---|
PENDING | Job is queued and has not started processing yet |
PROCESSING | Auris is actively reading and creating users |
COMPLETED | All rows processed successfully |
PARTIAL | Processing finished but some rows failed — see errors |
FAILED | The entire job failed (e.g., invalid file format, unreadable data) |
Review results
A completed or partial job response includes error details:
{
"ok": true,
"data": {
"id": "import_01HX...",
"status": "PARTIAL",
"totalRows": 150,
"processedRows": 150,
"successCount": 147,
"errorCount": 3,
"errors": [
{
"row": 12,
"email": "[email protected]",
"reason": "Email address already exists in this tenant"
},
{
"row": 67,
"reason": "Missing required field: email"
},
{
"row": 103,
"email": "bad-email",
"reason": "Invalid email address format"
}
]
}
}Import Behavior
Understanding how Auris handles edge cases during import:
Duplicate emails: If a user with the same email already exists in the tenant, the row is skipped and counted as an error. The existing user record is not modified.
Missing passwords: Users created without a password are provisioned in a disabled-credentials state. They must use the “Forgot Password” flow or receive an admin-triggered password reset email to gain access.
Role assignment: Roles listed in the import file are assigned after user creation. If a role name does not exist in the tenant, the row is marked as a partial error — the user is created, but the role assignment fails.
Keycloak sync: Each successfully imported user is created in both the Auris database and the underlying Keycloak realm. The two records are linked by keycloakId.
Transaction model: Auris processes rows individually rather than in a single transaction. A failure on row 50 does not roll back rows 1–49.
Listing Import Jobs
/api/users/importRequires: manage:usersReturns a paginated list of all import jobs for the tenant, sorted by creation date descending.
Exporting Users
User export generates a file containing all active (non-deleted) users in the tenant. The operation is asynchronous: you trigger the export, then download the file when generation is complete.
Trigger an export
/api/users/exportRequires: manage:usersStarts an export job. Accepts format in the request body: "CSV" or "JSON". Returns the export job record.
{
"format": "JSON"
}Response:
{
"ok": true,
"data": {
"id": "export_01HX...",
"format": "JSON",
"status": "PENDING",
"totalUsers": 0,
"expiresAt": "2025-06-17T14:00:00Z",
"createdAt": "2025-06-10T14:00:00Z"
}
}Poll for completion
/api/users/exportRequires: manage:usersReturns a list of all export jobs, including status and expiry.
Download the file
/api/users/export/[id]/downloadRequires: manage:usersReturns the export file as a binary response. Set Accept: text/csv or Accept: application/json to control the response content type, or rely on the job’s configured format.
curl https://auth.yourapp.com/api/users/export/export_01HX.../download \
-H "Authorization: Bearer $TOKEN" \
-H "x-tenant: your-tenant" \
-o users-export.jsonExport files are stored temporarily and expire after a configured duration (default: 7 days). Download the file before the expiresAt timestamp. After expiry, you must trigger a new export.
Exported fields
The export includes:
| Field | Notes |
|---|---|
id | Auris user ID |
email | |
username | |
firstName | |
lastName | |
enabled | true / false |
roles | Array of role names |
createdAt | ISO 8601 timestamp |
lastLogin | ISO 8601 timestamp, or null if the user has never logged in |
metadata | Full metadata object |
Password hashes are never included in exports. If you are migrating to another IdP, users will need to reset their passwords after the migration.
Console Walkthrough
The Console import/export interface is available at Settings → Import/Export.
Importing:
- Drag and drop a
.csvor.jsonfile onto the upload zone, or click to open the file picker. - The Console shows a preview of the first 10 rows for validation before submission.
- After submission, a progress bar tracks processing. The bar updates every few seconds via polling.
- When the job finishes, a results summary shows success count, error count, and a link to the error details dialog.
Exporting:
- Select the export format (CSV or JSON).
- Click “Export Users”. The Console shows the job status.
- When export is complete, a “Download” button appears. Click it to save the file.
- Previous exports are listed with their status, creation date, and expiry date.
Required Permissions
| Operation | Permission |
|---|---|
| List import jobs | manage:users |
| Upload import file | manage:users |
| Get import job detail | manage:users |
| Trigger export | manage:users |
| Download export file | manage:users |
Related Pages
- Managing Users — Individual user CRUD via API and Console
- SCIM 2.0 Provisioning — Automated ongoing sync from an external IdP
- Console: Import/Export — Full Console walkthrough with screenshots