[role="xpack"]
[[security-api-activate-user-profile]]
=== Activate user profile API
++++
Activate user profile
++++
NOTE: The user profile feature is designed only for use by {kib} and
Elastic’s {observability}, {ents}, and {elastic-sec} solutions. Individual
users and external applications should not call this API directly. Elastic reserves
the right to change or remove this feature in future releases without prior notice.
Creates or updates a user profile on behalf of another user.
[[security-api-activate-user-profile-request]]
==== {api-request-title}
`POST /_security/profile/_activate`
[[security-api-activate-user-profile-prereqs]]
==== {api-prereq-title}
* To use this API, you must have the `manage_user_profile` cluster privilege.
[[security-api-activate-user-profile-desc]]
==== {api-description-title}
The activate user profile API creates or updates a profile document for end
users with information that is extracted from the user's authentication object,
including `username`, `full_name`, `roles`, and the authentication realm.
For example, in the JWT `access_token` case, the profile user's `username` is
extracted from the JWT token claim pointed to by the `claims.principal`
setting of the JWT realm that authenticated the token.
When updating a profile document, the API enables the document if it was
disabled. Any updates do not change existing content for either the `labels` or
`data` fields.
This API is intended only for use by applications (such as {kib}) that need to
create or update profiles for end users.
IMPORTANT: The calling application must have either an `access_token`, or a
combination of `username` and `password` for the user that the profile document
is intended for.
[role="child_attributes"]
[[security-api-activate-user-profile-request-body]]
==== {api-request-body-title}
`access_token`::
(Required*, string)
The user's <>, or JWT. Both <> and
<> JWT token types are supported, and they depend on the underlying JWT realm configuration.
If you specify the `access_token` grant type, this parameter is required. It is not valid with other grant types.
include::client-authentication.asciidoc[]
`grant_type`::
(Required, string)
The type of grant.
+
.Valid values for `grant_type`
[%collapsible%open]
====
`access_token`::
In this type of grant, you must supply either an access token, that was created by the
{es} token service (see <> and <>),
or a <> (either a JWT `access_token` or a JWT `id_token`).
`password`::
In this type of grant, you must supply the `username` and `password` for the
user that you want to create the API key for.
====
`password`::
(Required*, string)
The user's password. If you specify the `password` grant type, this parameter is
required. It is not valid with other grant types.
`username`::
(Required*, string)
The username that identifies the user. If you specify the `password` grant type,
this parameter is required. It is not valid with other grant types.
*Indicates that the setting is required in some, but not all situations.
[[security-api-activate-user-profile-response-body]]
==== {api-response-body-title}
A successful activate user profile API call returns a JSON structure that contains
the profile unique ID, user information, timestamp for the operation and version
control numbers.
[[security-api-activate-user-profile-example]]
==== {api-examples-title}
[source,console]
----
POST /_security/profile/_activate
{
"grant_type": "password",
"username" : "jacknich",
"password" : "l0ng-r4nd0m-p@ssw0rd"
}
----
// TEST[setup:jacknich_user]
The API returns the following response:
[source,console-result]
----
{
"uid": "u_79HkWkwmnBH5gqFKwoxggWPjEBOur1zLPXQPEl1VBW0_0",
"enabled": true,
"last_synchronized": 1642650651037,
"user": {
"username": "jacknich",
"roles": [
"admin", "other_role1"
],
"realm_name": "native",
"full_name": "Jack Nicholson",
"email": "jacknich@example.com"
},
"labels": {},
"data": {},
"_doc": {
"_primary_term": 88,
"_seq_no": 66
}
}
----
// TESTRESPONSE[s/1642650651037/$body.last_synchronized/]
// TESTRESPONSE[s/88/$body._doc._primary_term/]
// TESTRESPONSE[s/66/$body._doc._seq_no/]