Skip to main content
The users resource represents a person who accesses Marqeta-administered funds via a Marqeta card (whether physical or virtual). This endpoint enables you to create and manage users on the Marqeta platform. This resource stores user attributes such as name, address, and date of birth, as well as financial information such as balances. By default, every user automatically has a general purpose account (GPA) that is used for the funding of transfers and is therefore an account holder. Note that account balances reside at the account holder level — there are no separate account or balance objects. You can use the /users endpoint to create parent-child relationships between two users (where one user is the parent and the other is the child) or between a business and a user (where the business is the parent and the user is the child). This relationship provides reporting to the parent about how cards of children are used and enables the parent to monitor and even restrict card usage.
Note
A user can simultaneously be a child of a business and a parent of other users if the user is not configured to use a parent’s account balances and the user’s child is configured to use a parent’s account balances. For more information on account holders, see About Account Holders.

Create user

Action: POST
Endpoint: /users
This endpoint enables you to create a user. A new user’s initial status depends on the Know Your Customer (KYC) requirements of the program or associated account holder group.
Note
Use the /usertransitions endpoints to transition user resources between statuses and to view the history of a user’s status. Do not set the value of the user.active field directly. For more information on status changes, see Create User Transition.
To perform KYC verification on users, the user object must have the following fields configured:
  • first_name (legal first name only, no prefixes)
  • last_name (legal last name only, no suffixes)
  • address1 (cannot be a PO Box)
  • city
  • state
  • postal_code
  • country
  • birth_date
  • identifications
  • phone (required in some cases)
  • email (required in some cases)
Note
The identifications requirement depends on your program’s configuration. To determine if you should provide a full or abbreviated identification number, contact your Marqeta representative. KYC verification requires the full Social Security Number (SSN) or Individual Taxpayer Identification Number (ITIN) of the user.
To create a child user, you must identify the parent user or business and determine whether the child user shares an account with the parent. The parent must be an existing user or business. On the child user, set the parent_token field to the value of the parent’s token field. If either the parent or the grandparent is a business, a business_token field is added to the user. This field’s value is set to the token of either the parent or grandparent (whichever is the business). The uses_parent_account field determines whether the child shares balances with the parent (true) or whether the child balances are independent of the parent (false). If you do not specify a value for uses_parent_account, it is set to false by default (the user does not share the parent’s balance) and returned in the response body. This field cannot be updated, so you must decide upon creation whether the child user shares the parent balance. Sharing an account with a parent user affects how the child user interacts with cards as follows:
  • A child user cannot spend funds if its parent is not active.
  • An active child user can activate cards, whether the parent is active or not.

Request body

Sample request body

JSON

Response body

Sample response body

JSON

List users

Action: GET
Endpoint: /users
To return an array of all of a program’s users, send a GET request to the /users endpoint. This endpoint supports field filtering and pagination. To narrow your result set to users that match certain criteria, see the Search users endpoint. The business_token field is conditionally returned in the response (it cannot be set through the API). You can use this field in conjunction with the parent_token field to determine whether the user has a parent or grandparent that is a business:

URL query parameters

Response body

Sample response body

JSON

Retrieve user

Action: GET
Endpoint: /users/{token}
To retrieve a specific user, send a GET request to the /users/{token} endpoint. Include the user token path parameter to specify the user to return. The business_token field is conditionally returned in the response (it cannot be set through the API). You can use this field in conjunction with the parent_token field to determine whether the user has a parent or grandparent that is a business: This endpoint supports field filtering.

URL path parameters

URL query parameters

Response body

Sample response body

JSON

Update user

Action: PUT
Endpoint: /users/{token}
To update a specific user resource, send a PUT request to the /users/{token} endpoint. Include the user token path parameter to specify the user to update. To unlink a child user account from a parent account, pass a null value to the parent_token field of the child user resource.

URL path parameters

Request body

Sample request body

JSON

Response body

Sample response body

JSON

Update user password

Action: POST
Endpoint: /users/auth/changepassword
To change a user password, send a POST request to the /users/auth/changepassword endpoint and include the current_password and new_password in JSON format in the body of the request. This endpoint operates in the context of a currently logged-in user. A successful password change returns an empty response body with a response code of 204 No Content.

Request body

Sample request body

JSON

Create client access token

Action: POST
Endpoint: /users/auth/clientaccesstoken
Each time you want to display a virtual card’s sensitive data (for example, when using marqeta.js), you must first request a new, single-use client access token from the Marqeta platform by sending a POST request to the /users/auth/clientaccesstoken endpoint. Unredeemed client access tokens expire after five minutes.

Request body

Sample request body

JSON

Response body

Sample response body

JSON

Retrieve client access token

Action: GET
Endpoint: /users/auth/clientaccesstoken/{token}
To retrieve application and card information using a client access token, send a GET request to the /users/auth/clientaccesstoken/{token} endpoint.

URL path parameters

URL query parameters

Response body

Sample response body

JSON

Log in user

Action: POST
Endpoint: /users/auth/login
To log in a user and return a user access token, send a POST request to the /users/auth/login endpoint and include the user details in JSON format in the body of the request.
Tip
To check a user’s credentials without logging out the user, call the /users/auth/onetime endpoint.

Request body

Sample request body

JSON

Response body

Sample response body

JSON

Log out user

Action: POST
Endpoint: /users/auth/logout
To log out a user, send a POST request to the /users/auth/logout endpoint. A successful logout returns an empty response body with a response code of 204 No Content.

Create single-use token

Action: POST
Endpoint: /users/auth/onetime
This endpoint returns a single-use access token. This type of token authorizes a single request to access API endpoints and data associated with a particular user. A single-use access token differs from a user access token (as returned by POST /users/auth/login) only in the number of times it can be used. To return a single-use access token, send a POST request to the /users/auth/onetime endpoint. Provide one of these sets of input data:
  • Case #1 – Application token and user access token
  • Case #2 – Application token, admin access token, and user token
  • Case #3 – Application token, user’s Marqeta password, and user’s email address
In each case, provide the application token as the HTTP Basic Authentication username in the request header’s Authorization field. When applicable, provide the user access token or admin access token as the HTTP Basic Authentication password. When applicable, provide the user token or user’s Marqeta password and email address in JSON format in the request body. Before instantiating an embedded Marqeta widget, call this endpoint to obtain the single-use access token required as input (cases #1 and #2). This endpoint is also useful when you want to check a user’s credentials before performing a sensitive operation without having to log out the user (case #3).
Note
Calling this endpoint and returning a single-use access token does not invalidate the user’s current user access token.

Request body

Sample request body

Case 1: Authorization: Basic my_application_token:my_user_access_token
JSON
Case 2: Authorization: Basic my_application_token:my_admin_access_token
JSON
Case 3: Authorization: Basic my_application_token
JSON

Response body

Sample response body

JSON

Request user password reset token

Action: POST
Endpoint: /users/auth/resetpassword
Use this endpoint to generate a password reset token for a user. Send a POST request to the /users/auth/resetpassword endpoint and include the user’s email address in JSON format in the body of the request. This request generates and sends an email message containing the user_token and password_reset_token to the user’s email address. You must customize the email message with a link that passes the user_token and password_reset_token to a web page where a subsequent request updates the password. A successful request returns an empty response body with a response code of 204 No Content.

Request body

Sample request body

JSON

Reset user password

Action: POST
Endpoint: /users/auth/resetpassword/{token}
To reset the user’s password, send a POST request to the /users/auth/resetpassword/{token} endpoint that includes a password reset token generated using the POST /users/auth/resetpassword operation. Include the user_token and new_password in JSON format in the body of the request. Include the password_reset_token as a path parameter. A successful password reset returns an empty response body with a response code of 204 No Content.

URL path parameters

Request body

Sample request body

JSON

Request email verification token

Action: POST
Endpoint: /users/auth/verifyemail
Send a POST request to the /users/auth/verifyemail endpoint to request an email verification token. No input parameters are required because this operation is performed in the context of an authenticated user. This initial request generates and sends an email message containing the email verification token to the cardholder’s email address. This email message must include a link that passes the email verification token to a web page where a subsequent request verifies the email address. A successful request returns an empty response body with a response code of 204 No Content.

Verify email address

Action: POST
Endpoint: /users/auth/verifyemail/{token}
To verify a user’s email address, send a POST request to the /users/auth/verifyemail/{email_verification_token} endpoint that includes an email_verification_token generated using the POST /users/auth/verifyemail operation. Include the email_verification_token as a path parameter. A successful email verification returns an empty response body with a response code of 204 No Content.

URL path parameters

Search users

Action: POST
Endpoint: /users/lookup
To search for one or more users, send a POST request to the /users/lookup endpoint. Include in the message body any parameters by which you want to query. This endpoint supports field filtering and pagination.

URL query parameters

Request body

Sample request body

JSON

Response body

Sample response body

JSON

List user child accounts

Action: GET
Endpoint: /users/{parent_token}/children
To retrieve users who are children of a parent user or business, send a GET request to the /users/{parent_token}/children endpoint. Include the parent’s user or business token as a URL path parameter. The business_token field is conditionally returned in the response (it cannot be set through the API). You can use this field in conjunction with the parent_token field to determine whether the user has a parent or grandparent that is a business: This endpoint supports field filtering.

URL path parameters

URL query parameters

Response body

Sample response body

JSON

Retrieve user identification number

Action: GET
Endpoint: /users/{token}/ssn
To retrieve the government-issued identification number for a user, send a GET request to the /users/{token}/ssn endpoint. Include the token path parameter to specify the user whose identification number (SSN, ITIN, TIN, NIN, SIN) you wish to return. You can indicate whether to return the full number or the last four digits only.

URL path parameters

URL query parameters

Response body

Sample response body

JSON