GET /users
Retrieve a paginated list of users with optional filtering by recipe, search, and time ordering.Query Parameters
- includeRecipeIds (string, optional): Comma-separated list of recipe IDs to filter by (e.g., “emailpassword,thirdparty”)
- limit (number, optional): Number of users to return per page. Default: 100, Max: 1000 (500 with search)
- paginationToken (string, optional): Token from previous response for pagination
- timeJoinedOrder (string, optional): Sort order by join time. Values: “ASC” (default) or “DESC”
- email (string, optional): Semicolon-separated list of emails to search for
- phone (string, optional): Semicolon-separated list of phone numbers to search for
- provider (string, optional): Semicolon-separated list of third-party provider IDs to search for
Response
Response Fields
- status (string): “OK” for success
- users (array): List of user objects (see Get User by ID for user object structure)
- nextPaginationToken (string, optional): Token to fetch the next page. Absent if this is the last page
Example Usage
List All Users
List Email/Password Users Only
List Multiple Recipe Users
Search by Email
Search Multiple Emails
Search by Phone Number
Search by Third-party Provider
Combined Search
Pagination
Sort by Join Time (Newest First)
Implementation Details
- Located in:
src/main/java/io/supertokens/webserver/api/core/UsersAPI.java:47 - This is a tenant-specific API
- Returns users within the current tenant context
- Search tags (email, phone, provider) are normalized to lowercase and trimmed
- Multiple search tags are separated by semicolons
- External user IDs are populated when user ID mapping is configured
Recipe IDs
Available recipe IDs for filtering:- emailpassword: Email and password authentication
- passwordless: Passwordless (magic link or OTP) authentication
- thirdparty: Social login (Google, Facebook, etc.)
Pagination
The pagination token is a Base64-encoded JSON object containing:- The last user’s join time
- The last user’s ID
- Sort order and other parameters
- Make initial request without
paginationToken - If response includes
nextPaginationToken, make another request with that token - Repeat until response doesn’t include
nextPaginationToken
Pagination Example
Search Behavior
Email Search
- Case-insensitive
- Searches across all email fields in user login methods
- Partial matches are not supported (must be exact email)
- Multiple emails can be searched using semicolon separator
Phone Number Search
- Exact match required
- Must be URL-encoded (e.g.,
+becomes%2B) - Searches across all phone numbers in user login methods
- Multiple phone numbers can be searched using semicolon separator
Provider Search
- Searches for users who authenticated with specific third-party providers
- Provider IDs: “google”, “facebook”, “github”, “apple”, etc.
- Case-insensitive
- Multiple providers can be searched using semicolon separator
Limits
- Default limit: 100 users per page
- Maximum limit without search: 1000 users per page
- Maximum limit with search: Determined by AuthRecipe.USER_PAGINATION_LIMIT
- Minimum limit: 1 user per page
Use Cases
Admin Dashboard User List
Find User by Email
Export All Users
Count Users by Recipe
Error Responses
Invalid Recipe ID
Invalid Time Joined Order
Invalid Limit
Invalid Pagination Token
Best Practices
- Use appropriate page sizes based on your use case (smaller for UI, larger for exports)
- Implement search on the backend rather than fetching all users
- Cache user lists when appropriate
- Use
includeRecipeIdsto filter by authentication method - Handle pagination tokens properly - don’t hardcode them
- Use
timeJoinedOrder=DESCto show newest users first
Related Endpoints
- Get User by ID - Get detailed information about a specific user
- Delete User - Delete a user