Removing user identifiers

Learn how to remove user identifiers from Cloud Identity Plane (CIP).

About this tutorial

CIP provides APIs allowing you to remove user identifiers in two ways:

  • Remove all identifiers matching the values in the request, regardless of their type (UID, e-mail, mobile)

  • Remove only matching identifiers of a specific type. This approach mitigates the risk of deleting identifiers of a different type that have the same value.

Following this tutorial, you can try it out both ways and learn the difference. Keep in mind that it’s not possible to use both options simultaneously.

Prerequisites

  • CIP up and running

  • Administrator account in CIP with the ADMIN_REMOVE_IDENTIFIERS entitlement

Remove user identifiers

  1. Authenticate to CIP as an administrator by sending a request to https://example.com/api/authn/identifierpassword (or use any of the available authentication methods).

    • Replace example.com with your actual CIP domain.

    • Set identifier and password to your own credentials.

    curl --verbose --request POST 'https://example.com/api/authn/identifierpassword' \
    --header 'Content-Type: application/json' \
    --data-raw '{
    "identifier": "YOUR_IDENTIFIER",
    "password": "t0ps3cr3t"
    }'
    

    Result

    The authorization token is returned in the response body, with status code 201. Save this token.

    < HTTP/2 201
    < date: Tue, 08 Jun 2021 12:41:01 GMT
    < content-type: application/json
    < content-length: 48
    < server: nginx
    < trace-id: 23b5a553fb95a19c
    < access-control-allow-credentials: true
    < access-control-allow-headers: *
    < access-control-allow-methods: *
    < access-control-max-age: 600
    <
    * Connection #0 to host example.com left intact
    {"token":"0d25bdba-009b-47a9-a985-554692572b1e"}* Closing connection 0
    

    More information

    You can read more about authentication options in the REST API authentication documentation.

  2. Send a request to the https://example.com/api/users/{identifier}/identifiers/remove endpoint. Provide the following data in the body:

    • To send a general identifier removal request, pass a list of identifiers in the identifiers array:

    curl --request POST \
    --url https://example.com/api/users/{identifier}/identifiers/remove \
    --header 'Authorization: Bearer 0d25bdba-009b-47a9-a985-554692572b1e' \
    --header 'Content-Type: application/json' \
    --data '{"identifiers":["user1@example.com", "1555555555"]}'
    

    Result

    Identifiers matching the provided values are removed, regardless of their type. Note that, in theory, a single value can remove multiple identifiers this way when identifiers of different types share that value.

    • To send a type-specific request, provide type-value pairs as separate objects within the typedIdentifiers array:

    curl --request POST \
    --url https://example.com/api/users/{identifier}/identifiers/remove \
    --header 'Authorization: Bearer 0d25bdba-009b-47a9-a985-554692572b1e' \
    --header 'Content-Type: application/json' \
    --data '{
    "typedIdentifiers": [
        {
        "identifierType": "email",
        "identifierValue": "user1@cloudentity.com"
        },
        {
        "identifierType": "mobile",
        "identifierValue": "15555555555"
        }
    ]
    }'
    

    Result

    Identifiers matching both the provided type and value are removed.
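
The difference between the two request modes, as an added example that is not part of the CIP documentation or code: a local Python model of the matching rules described above, usable as a pre-flight check that lists which identifiers a general request would remove beyond what the typed request removes. The function names, the "uid" type string and the sample identifiers are assumptions constructed for illustration.

```python
import json

# Constructed sample: one user whose UID and mobile share a value.
# The "uid" type string is an assumption; "email" and "mobile" are from the page.
SAMPLE = [
    {"identifierType": "uid", "identifierValue": "15555555555"},
    {"identifierType": "mobile", "identifierValue": "15555555555"},
    {"identifierType": "email", "identifierValue": "user1@example.com"},
]

def build_remove_body(identifiers=None, typed=None):
    """Build the request body; the two modes cannot be combined."""
    if bool(identifiers) == bool(typed):
        raise ValueError("pass exactly one of identifiers or typed")
    if identifiers:
        return json.dumps({"identifiers": list(identifiers)})
    return json.dumps({"typedIdentifiers": [
        {"identifierType": t, "identifierValue": v} for t, v in typed]})

def simulate_removal(stored, body):
    """Local model of the documented matching rules; returns (kept, removed)."""
    req = json.loads(body)
    if "identifiers" in req:
        values = set(req["identifiers"])
        def match(i): return i["identifierValue"] in values
    else:
        pairs = {(p["identifierType"], p["identifierValue"])
                 for p in req["typedIdentifiers"]}
        def match(i): return (i["identifierType"], i["identifierValue"]) in pairs
    removed = [i for i in stored if match(i)]
    kept = [i for i in stored if not match(i)]
    return kept, removed

def collateral(stored, typed):
    """Identifiers a general request with the same values would also remove."""
    _, typed_removed = simulate_removal(stored, build_remove_body(typed=typed))
    values = [v for _, v in typed]
    _, general_removed = simulate_removal(
        stored, build_remove_body(identifiers=values))
    return [i for i in general_removed if i not in typed_removed]

if __name__ == "__main__":
    # Intent: drop only the mobile number. The general form would also drop the UID.
    print(collateral(SAMPLE, [("mobile", "15555555555")]))
```

An empty result from collateral means the general and typed requests would remove the same identifiers for that user.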

Having tried out the identifier removal API, you might be interested in the reference API documentation for the removeIdentifiers endpoint.