          Query for User Information

          A connected app can query the UserInfo endpoint for information about the user associated with the connected app’s access token. Salesforce returns basic personal information about the user and important endpoints that the connected app can talk to, such as photos and accessible API endpoints. This UserInfo endpoint provides access to information only for the current user. It doesn’t give access to other users in the org.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: All Editions

          The UserInfo endpoint is a RESTful API defined by OpenID Connect. The format of the endpoint’s URL is: https://login.salesforce.com/services/oauth2/userinfo.

Note: For a sandbox, login.salesforce.com is replaced with test.salesforce.com. For an Experience Cloud site, login.salesforce.com is replaced with the site’s URL, such as MyDomainName.my.site.com/.well-known/openid-configuration. The URL must be HTTPS.

          Here’s the flow for querying the UserInfo Endpoint.

          1. The connected app sends a query to the Salesforce UserInfo endpoint. The query must contain the connected app’s access token.
          2. Salesforce responds with the user’s information.

          Query the UserInfo Endpoint

          Use these parameters to query the UserInfo endpoint. You can use the access token in an authorization request header or in a request with the oauth_token parameter.

Important: When developing OAuth integrations, always pass sensitive information in the body of a POST request or in a request header. Don't use GET parameters in the URL query string to pass sensitive information. Sensitive information includes but isn't limited to usernames, passwords, OAuth tokens, client secrets, and any personally identifiable information. For more information on security best practices, see Storing Sensitive Data in the Secure Coding Guide.
Parameter descriptions:

oauth_token
  OAuth token that a connected app uses to request access to a protected resource on behalf of the client application. Additional permissions in the form of scopes can accompany the access token.

format
  Optional. Specify the format of the returned output. Values are:
  • json
  • xml
  The client can also specify the returned format in an Accept request header using one of the following formats.
  • Accept: application/json
  • Accept: application/xml
  • Accept: application/x-www-form-urlencoded
  The request header also supports the following.
  • The */* wildcard is accepted and returns JSON.
  • A list of values, which is checked left to right. For example: application/xml,application/json,application/html,*/* returns XML.
  The format parameter takes precedence over the Accept request header.

version
  Optional. Specify a SOAP API version number or the literal string latest. If this value isn’t specified, the returned API URLs contain the literal value {version} in place of the version number. If the value is specified as latest, the most recent API version is used.

PrettyPrint
  Optional. Accepted only in a header and not as a URL parameter. Specify this parameter to optimize the returned XML or JSON output for readability rather than size. For example, use the following in a header: X-PrettyPrint:1.

callback
  Optional. Specify a valid JavaScript function name. You can use this parameter when the specified format is JSON. The output is wrapped in this function name (JSONP). For example, if a request to https://server/id/orgid/userid/ returns {"function":"name"}, a request to https://server/id/orgid/userid/?callback=baz returns baz({"function":"name"});.
  Note: JSONP is no longer returned for Identity Service requests due to strict MIME typing. Your requests must add 'format=jsonp' with the callback parameter so that the Identity Service returns JavaScript. When the Identity Service detects the JSONP format, it returns the required JavaScript type ('application/javascript').

is_salesforce_integration_user
  Optional. Specify this parameter to determine if the user has the Salesforce Integration user license.
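As an added example that is not Salesforce's code, the following Python builds a UserInfo request that follows the rules above (HTTPS only, token in the Authorization header rather than the oauth_token query parameter) and models the documented format negotiation so a client can predict which format it will get back. The Bearer scheme and the JSON fallback for an Accept header with no recognized type are assumptions.

```python
"""Added example (not Salesforce's code): build a UserInfo request that follows
the rules on this page, and model the server's documented format negotiation."""
from urllib.parse import urlsplit

# MIME types the page lists for the Accept header, mapped to a format name.
ACCEPTED = {
    "application/json": "json",
    "application/xml": "xml",
    "application/x-www-form-urlencoded": "form",
    "*/*": "json",  # the wildcard returns JSON
}


def negotiate_format(format_param, accept_header):
    """Return the format Salesforce is documented to pick.

    The format query parameter wins over the Accept header; an Accept list is
    checked left to right; */* yields JSON. Assumption (not stated on the
    page): with no usable value at all, fall back to the JSON default."""
    if format_param in ("json", "xml"):
        return format_param
    for item in (accept_header or "").split(","):
        mime = item.strip().split(";")[0].lower()  # drop any q=... parameter
        if mime in ACCEPTED:
            return ACCEPTED[mime]
    return "json"


def build_userinfo_request(base_url, access_token, fmt=None,
                           version="latest", pretty=False):
    """Return (url, headers, params) for a GET to the UserInfo endpoint.

    The token goes in the Authorization header (Bearer scheme, assumed), never
    in the oauth_token query parameter, and the base URL must be HTTPS."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("UserInfo endpoint must be an HTTPS URL")
    url = f"https://{parts.netloc}/services/oauth2/userinfo"
    headers = {"Authorization": f"Bearer {access_token}",
               "Accept": "application/json"}
    if pretty:
        headers["X-PrettyPrint"] = "1"   # header only, never a URL parameter
    params = {"version": version}        # avoids literal {version} in URLs
    if fmt:
        params["format"] = fmt
    return url, headers, params
```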

          Salesforce UserInfo Endpoint Responds

          After making a valid request, Salesforce returns the information in JSON format by default, or the format specified in the format parameter.

          The response includes values listed in the OpenID Connect Basic Client Profile, Salesforce user ID, org ID, feed, and profile URLs.

In the response, the email_verified attribute reflects whether users verify their email after one of these scenarios occurs:

• They change their email address
• They change their password, or a Salesforce admin resets their password
• They verify their identity when logging in from a new device or browser
• A Salesforce admin creates them as a new user

For example, a Salesforce admin creates the user Roberta Smith. Roberta receives a “Welcome to Salesforce” email message with a link to verify her account. After she clicks the link, the email_verified value is set to true.

          The following is a response in JSON format.

          {"sub":"https://login.salesforce.com/id/00Dx000.../005x000...",
          "user_id":"005x000...",
          "organization_id":"00Dx000...",
          "name":"yourInstance LastName",
          "email":"user1@1135222488950007.com",
          "email_verified":true,"given_name":"yourInstance","family_name":"LastName",
          "zoneinfo":"America/Los_Angeles",
          "photos":{"picture":"https://yourInstance.salesforce.com/profilephoto/005/F","thumbnail":"https://yourInstance.salesforce.com/profilephoto/005/T"},
          "profile":"https://yourInstance.salesforce.com/005x000...",
          "picture":"https://yourInstance.salesforce.com/profilephoto/005/F",
          "address":{"country":"us"},
          "urls":{"enterprise":"https://yourInstance.salesforce.com/services/Soap/c/{version}/00Dx00...",
          "partner":"https://yourInstance.salesforce.com/services/Soap/u/{version}/00Dx00...",
          "rest":"https://yourInstance.salesforce.com/services/data/v{version}/",
          "sobjects":"https://yourInstance.salesforce.com/services/data/v{version}/sobjects/",
          "search":"https://yourInstance.salesforce.com/services/data/v{version}/search/",
          "query":"https://yourInstance.salesforce.com/services/data/v{version}/query/",
          "recent":"https://yourInstance.salesforce.com/services/data/v{version}/recent/",
          "profile":"https://yourInstance.salesforce.com/005x000...",
          "feeds":"https://yourInstance.salesforce.com/services/data/v{version}/chatter/feeds",
          "groups":"https://yourInstance.salesforce.com/services/data/v{version}/chatter/groups",
          "users":"https://yourInstance.salesforce.com/services/data/v{version}/chatter/users",
          "feed_items":"https://yourInstance.salesforce.com/services/data/v{version}/chatter/feed-items"},
          "active":true,"user_type":"STANDARD","language":"en_US","locale":"en_US",
          "utcOffset":-28800000,"updated_at":"2013-12-02T18:46:42Z"}

          The following is a response in XML format.

          <?xml version="1.0" encoding="UTF-8"?>
          <user>
          <sub>https://login.salesforce.com/id/00Dx000.../005x000...</sub>
          <user_id>005x000...</user_id>
          <organization_id>00Dx000...</organization_id>
          <preferred_username>user1@1135222488950007.com</preferred_username>
          <nickname>user1.3860098879512678E12</nickname>
          <name>user1 LastName</name>
          <email>user1@1135222488950007.com</email>
          <email_verified>true</email_verified>
          <given_name>user1</given_name>
          <family_name>LastName</family_name>
          <zoneinfo>America/Los_Angeles</zoneinfo>
          <photos>
          <picture>https://yourInstance.salesforce.com/profilephoto/005/F</picture>
          <thumbnail>https://yourInstance.salesforce.com/profilephoto/005/T</thumbnail></photos>
          <profile>https://yourInstance.salesforce.com/005x000...</profile>
          <picture>https://yourInstance.salesforce.com/profilephoto/005/F</picture>
          <address>
          <country>us</country>
          </address>
          <urls>
          <enterprise>https://yourInstance.salesforce.com/services/Soap/c/{version}/00Dx0000002rIh1</enterprise>
          <metadata>https://yourInstance.salesforce.com/services/Soap/m/{version}/00Dx0000002rIh1</metadata>
          <partner>https://yourInstance.salesforce.com/services/Soap/u/{version}/00Dx0000002rIh1</partner>
          <rest>https://yourInstance.salesforce.com/services/data/v{version}/</rest>
          <sobjects>https://yourInstance.salesforce.com/services/data/v{version}/sobjects/</sobjects>
          <search>https://yourInstance.salesforce.com/services/data/v{version}/search/</search>
          <query>https://yourInstance.salesforce.com/services/data/v{version}/query/</query>
          <recent>https://yourInstance.salesforce.com/services/data/v{version}/recent/</recent>
          <profile>https://yourInstance.salesforce.com/005x000...</profile>
          <feeds>https://yourInstance.salesforce.com/services/data/v{version}/chatter/feeds</feeds>
          <groups>https://yourInstance.salesforce.com/services/data/v{version}/chatter/groups</groups>
          <users>https://yourInstance.salesforce.com/services/data/v{version}/chatter/users</users>
          <feed_items>https://yourInstance.salesforce.com/services/data/v{version}/chatter/feed-items</feed_items>
          </urls>
          <active>true</active>
          <user_type>STANDARD</user_type>
          <language>en_US</language>
          <locale>en_US</locale>
          <utcOffset>-28800000</utcOffset>
          <updated_at>2013-12-02T18:46:42.000Z</updated_at>
          </user>

Here are descriptions for the returned parameters.

sub
  The URL for the UserInfo endpoint, which is the same URL that was queried.

user_id
  User ID of the queried user.

organization_id
  ID of the queried user’s Salesforce org.

preferred_username
  Username of the queried user.

nickname
  Experience Cloud nickname of the queried user.

name
  Display name (full name) of the queried user.

email
  Email address of the queried user.

email_verified
  Indicates whether the queried user’s email was verified by clicking a link in the “Welcome to Salesforce” email.
  The email_verified value is set to true when users click a link in the email they receive after one of these scenarios occurs:
  • They change their email address
  • They change their password, or a Salesforce admin resets their password
  • They verify their identity when logging in from a new device or browser
  • A Salesforce admin creates them as a new user
  For example, a Salesforce admin creates the user Roberta Smith. Roberta receives a “Welcome to Salesforce” email message with a link to verify her account. After she clicks the link, the email_verified value is set to true.

given_name
  First name of the queried user.

family_name
  Family name of the queried user.

zoneinfo
  Time zone specified in the queried user’s settings.

photos
  Map of URLs to the queried user’s profile pictures, specified as picture, thumbnail, or profile.
  Note: Accessing these URLs requires passing an access token.

address
  Address of the queried user, which can include the user’s street, city, state, country, and ZIP code.

mobile_phone
  Mobile phone number specified in the queried user’s settings.

mobile_phone_verified
  Indicates that the queried user confirmed that the mobile phone number is valid.

urls
  Map containing various API endpoints that can be used with the queried user.
  Note: Accessing the REST endpoints requires passing an access token.
  • enterprise (SOAP)
  • metadata (SOAP)
  • partner (SOAP)
  • rest (REST)
  • sobjects (REST)
  • search (REST)
  • query (REST)
  • recent (REST)
  • profile
  • feeds (Chatter)
  • feed-items (Chatter)
  • groups (Chatter)
  • users (Chatter)
  • custom_domain. If the org doesn’t have a custom domain configured and propagated, this value is omitted.

active
  Boolean specifying whether the queried user is active.

user_type
  Type of the queried user.

language
  Language of the queried user.

locale
  Locale of the queried user.

utcOffset
  Offset from UTC of the queried user’s time zone, in milliseconds.

updated_at
  Time of the last modification of the user, in xsd datetime format, for example, 2010-06-28T20:54:09.000Z.

is_app_installed
  Value is true when the connected app is installed in the user’s org, and the user’s access token was created using an OAuth flow. If the connected app isn’t installed, the response doesn’t contain this value. When parsing the response, check for the existence and value of this property.

mobile_policy
  Specific values for managing a mobile connected app. These values are available only when the connected app is installed in the current user’s org, the app has a defined session timeout value, and the mobile PIN has a length value defined.
  • screen_lock—Length of time to wait to lock the screen after inactivity.
  • pin_length—Length of the identification number required to gain access to the mobile app.

push_service_type
  Set to apple if the connected app is registered with Apple Push Notification Service (APNS) for iOS push notifications. Set to androidGcm if it’s registered with Google Cloud Messaging (GCM) for Android push notifications.
  The response value type is an array.

custom_permissions
  When a request includes the custom_permissions scope parameter, the response includes a map containing custom permissions in the org associated with the connected app. If the connected app isn’t installed in the org or has no associated custom permissions, the response doesn’t contain a custom_permissions map.

Here’s an example request.

http://MyDomainName.my.salesforce.com/services/oauth2/authorize?response_type=token&client_id=3MVG9lKcPoNINVBKV6EgVJiF.snSDwh6_2wSS7BrOhHGEJkC_&redirect_uri=http://www.example.org/qa/security/oauth/useragent_flow_callback.jsp&scope=api%20id%20custom_permissions

Here’s the JSON block in the identity URL response.

"custom_permissions":
{
  "Email.View":true,
  "Email.Create":false,
  "Email.Delete":false
}

The following are possible responses from Salesforce to an invalid request.

Error code, followed by the request problem it indicates:

403 (forbidden), HTTPS_Required: Request sent over HTTP instead of HTTPS.
403 (forbidden), Missing_OAuth_Token: Missing access token.
403 (forbidden), Bad_OAuth_Token: Invalid access token.
403 (forbidden), Wrong_Org: Users in a different org.
404 (not found), Bad_Id: Invalid or bad user or org ID.
404 (not found), Inactive: Deactivated user or inactive org.
404 (not found), No_Access: User lacks proper access to org or information.
404 (not found), No_Site_Endpoint: Request to an invalid endpoint of a site.
404 (not found), Internal Error: No response from server.
406 (not acceptable), Invalid_Version: Invalid version.
406 (not acceptable), Invalid_Callback: Invalid callback.
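As an added example that is not Salesforce's code, this Python applies the caveats from the parameter descriptions above to a constructed response: it tests is_app_installed for presence and value rather than indexing it, treats a missing custom_permissions map as no permissions granted, substitutes the API version into a {version} URL, and refuses inactive or unverified users. The client-side organization_id comparison is an extra guard added here, not a check the page requires.

```python
"""Added example (not Salesforce's code): parse and gate on a UserInfo response
following the parameter descriptions on this page."""
import json

# Constructed sample response, trimmed to the fields inspected below.
SAMPLE_BODY = json.dumps({
    "sub": "https://login.salesforce.com/id/00Dx000.../005x000...",
    "user_id": "005x000...",
    "organization_id": "00Dx000...",
    "email": "user1@example.com",
    "email_verified": True,
    "active": True,
    "urls": {"rest": "https://yourInstance.salesforce.com/services/data/v{version}/"},
    "is_app_installed": True,
    "custom_permissions": {"Email.View": True, "Email.Create": False,
                           "Email.Delete": False},
})


def summarize_userinfo(body, api_version):
    """Extract what a connected app needs, applying the page's caveats."""
    info = json.loads(body)
    # is_app_installed is omitted when the app isn't installed, so test for
    # presence and value instead of indexing the key.
    app_installed = info.get("is_app_installed") is True
    # custom_permissions is omitted unless the scope was requested and the
    # installed app has permissions; treat absence as "none granted".
    perms = info.get("custom_permissions") or {}
    # Without a version parameter the API URLs carry the literal {version}.
    rest_url = info["urls"]["rest"].replace("{version}", api_version)
    return {
        "user_id": info["user_id"],
        "organization_id": info["organization_id"],
        "active": info.get("active") is True,
        "email_verified": info.get("email_verified") is True,
        "app_installed": app_installed,
        "granted": sorted(k for k, v in perms.items() if v is True),
        "rest_url": rest_url,
    }


def gate_user(summary, expected_org_id):
    """Refuse users the app shouldn't serve; returns True when all checks pass.

    The org comparison is an added client-side guard (assumption: the app is
    provisioned for a single org) alongside the server's own Wrong_Org error."""
    if summary["organization_id"] != expected_org_id:
        raise PermissionError("token belongs to a different org")
    if not summary["active"]:
        raise PermissionError("user is deactivated")
    if not summary["email_verified"]:
        raise PermissionError("user's email address is not verified")
    return True
```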