
User Schema

Platform users with authentication, permissions, and profile information


The User schema defines the structure and properties of user objects in the Payload API. Users represent individuals with access to the platform, including authentication, permissions, and profile information.

User Object Properties

Complete reference for all properties available in the User schema

account_access
array of AccountAccess
No description
attrs
object
Custom attributes for extending the resource with additional key-value pairs. Maximum length is 255 characters when serialized.
created_at
string (date-time), Read-only
Timestamp when the resource was created. Automatically set by the system and immutable.
current
boolean, Read-only
Whether this user is the currently authenticated user making the request. Read-only field useful for UI highlighting and conditional display logic.
email
string (email)
The user's email address. Used for authentication, communication, and account identification. Must be unique across the system. Required for person-type users.
Max length: 100
Required if: type=null
email_confirmed
boolean
Whether the user's email address has been verified via confirmation link. Read-only on creation. Users must confirm their email to activate their account and access full functionality.
Read-only on: create
first_name
string
The user's first name. Required for person-type users unless full_name is provided. Used for personalization and identification throughout the system.
Max length: 100
Required if: Undocumented
full_name
string
The user's full name as a single string. Alternative to providing first_name and last_name separately. Will be automatically split into first and last name components upon creation.
Required if: Undocumented
id
string, Read-only
Unique identifier for the resource. Automatically generated upon creation and cannot be modified. (ID prefix: usr)
Pattern: ^usr_[A-Za-z0-9]+$
last_name
string
The user's last name. Required for person-type users unless full_name is provided. Combined with first_name for display purposes.
Max length: 100
Required if: Undocumented
modified_at
string (date-time), Read-only
Timestamp when the resource was last modified. Automatically updated whenever any field changes.
object
enum[string], Read-only
String representing the object type for this resource.
Values: user
otp_auth_enabled
boolean
Whether two-factor authentication (2FA) via SMS is enabled for this user. When enabled, users must verify their identity with a code sent to their phone during login. Enhances account security and may be required for certain roles.
permissions
object, Read-only
List of permission strings granted to this user based on their assigned roles. Read-only field computed from role assignments. Used for authorization checks and UI feature gating.
phone
string
The user's phone number in E.164 format (e.g., +12125551234). Required for SMS-based two-factor authentication. Partially masked when confirmed for security. Changing this number requires recent authentication and resets confirmation status.
Pattern: ^[0-9]{10}$
Max length: 16
phone_confirmed
boolean, Read-only
Whether the user's phone number has been verified. Read-only field that returns true if the phone has been confirmed via OTP verification. Required for SMS-based 2FA to function.
prod_access
boolean
Whether this user has access to the production environment. When true, the user can process real transactions and access live data. Requires appropriate permissions to grant.
roles
array of Role
Collection of all roles assigned to this user. Expanded by default to show the user's complete set of permissions and access levels.
status
string, Read-only
The current status of this user account. Possible values: "active" (fully enabled and confirmed), "invited" (created but not yet activated), "disabled" (account deactivated), or "otp_auth_pending" (awaiting 2FA verification). Read-only.
Max length: 8
test_access
boolean
Whether this user has access to the test/sandbox environment. When true, the user can interact with test data and sandbox features. Essential for safely testing integrations without affecting production.
type
string
The type of user account. Possible values: "person" (standard human user), "api" (programmatic access account), or other system types. Determines authentication methods and default permissions.
Max length: 6
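
Access review example

The following is an added example, not code from the Payload documentation: an access-review pass over User objects that flags risky combinations of the fields documented above (prod_access, otp_auth_enabled, phone_confirmed, email_confirmed, status, type). The function names, the sample records and the policy that person-type users with production access must have 2FA are assumptions made for illustration.

```python
# Added example: access-review checks over User objects, using only field names
# from the schema above. Records are constructed sample data, not API output.

def review_user(user):
    """Return a list of findings for one User object (a dict)."""
    findings = []
    is_person = user.get("type") == "person"
    otp = bool(user.get("otp_auth_enabled"))
    prod = bool(user.get("prod_access"))

    # SMS 2FA needs a confirmed phone to function (see phone_confirmed).
    if otp and not user.get("phone_confirmed"):
        findings.append("otp_auth_enabled but phone not confirmed")
    # Assumed policy: human users with production access must have 2FA on.
    if is_person and prod and not otp:
        findings.append("prod_access without 2FA")
    # Accounts that are not active should not retain production access.
    if prod and user.get("status") in ("disabled", "invited"):
        findings.append("prod_access on %s account" % user["status"])
    # Person accounts reaching live data should have a verified email.
    if is_person and prod and not user.get("email_confirmed"):
        findings.append("prod_access with unconfirmed email")
    return findings


def review_users(users):
    """Map user id -> findings, omitting users with no findings."""
    report = {}
    for user in users:
        findings = review_user(user)
        if findings:
            report[user["id"]] = findings
    return report


# Constructed sample records; ids follow the documented ^usr_[A-Za-z0-9]+$ pattern.
SAMPLE_USERS = [
    {"id": "usr_A1", "type": "person", "status": "active", "prod_access": True,
     "otp_auth_enabled": True, "phone_confirmed": True, "email_confirmed": True},
    {"id": "usr_B2", "type": "person", "status": "active", "prod_access": True,
     "otp_auth_enabled": False, "phone_confirmed": False, "email_confirmed": True},
    {"id": "usr_C3", "type": "person", "status": "disabled", "prod_access": True,
     "otp_auth_enabled": True, "phone_confirmed": False, "email_confirmed": False},
    {"id": "usr_D4", "type": "api", "status": "active", "prod_access": True,
     "otp_auth_enabled": False, "phone_confirmed": False, "email_confirmed": False},
]

if __name__ == "__main__":
    for user_id, findings in review_users(SAMPLE_USERS).items():
        print(user_id, "; ".join(findings))
```

The api-type record is not flagged because the 2FA and email rules are applied to person-type users only; tighten or extend the rules to match your own policy.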