elasticsearch/docs/reference/rest-api/security/activate-user-profile.asciidoc

[role="xpack"]
[[security-api-activate-user-profile]]
=== Activate user profile API
++++
<titleabbrev>Activate user profile</titleabbrev>
++++

NOTE: The user profile feature is designed only for use by {kib} and
Elastic’s {observability}, {ents}, and {elastic-sec} solutions. Individual
users and external applications should not call this API directly. Elastic reserves
the right to change or remove this feature in future releases without prior notice.

Creates or updates a user profile on behalf of another user.

[[security-api-activate-user-profile-request]]
==== {api-request-title}

`POST /_security/profile/_activate`

[[security-api-activate-user-profile-prereqs]]
==== {api-prereq-title}

* To use this API, you must have the `manage_user_profile` cluster privilege.

[[security-api-activate-user-profile-desc]]
==== {api-description-title}

The activate user profile API creates or updates a profile document for end
users with information that is extracted from the user's authentication object,
including `username`, `full_name`, `roles`, and the authentication realm.

When updating a profile document, the API enables the document if it was
disabled. Any updates do not change existing content for either the `labels` or
`data` fields.

This API is intended only for use by applications (such as {kib}) that need to
create or update profiles for end users.

IMPORTANT: The calling application must have either an `access_token`, or a
combination of `username` and `password` for the user that the profile document
is intended for.

[role="child_attributes"]
[[security-api-activate-user-profile-request-body]]
==== {api-request-body-title}

`access_token`::
(Required*, string)
The user's access token. If you specify the `access_token` grant type, this
parameter is required. It is not valid with other grant types.

`grant_type`::
(Required, string)
The type of grant.
+
.Valid values for `grant_type`
[%collapsible%open]
====
`access_token`::
(Required*, string)
In this type of grant, you must supply an access token that was created by the
{es} token service. For more information, see
<<security-api-get-token>> and <<token-service-settings>>.

`password`::
(Required*, string)
In this type of grant, you must supply the `username` and `password` for the
user that you want to create the API key for.
====

`password`::
(Optional*, string)
The user's password. If you specify the `password` grant type, this parameter is
required. It is not valid with other grant types.

`username`::
(Optional*, string)
The username that identifies the user. If you specify the `password` grant type,
this parameter is required. It is not valid with other grant types.

*Indicates that the setting is required in some, but not all situations.

[[security-api-activate-user-profile-response-body]]
==== {api-response-body-title}

A successful activate user profile API call returns a JSON structure that contains
the profile unique ID, user information, timestamp for the operation and version
control numbers.

[[security-api-activate-user-profile-example]]
==== {api-examples-title}

[source,console]
----
POST /_security/profile/_activate
{
  "grant_type": "password",
  "username" : "jacknich",
  "password" : "l0ng-r4nd0m-p@ssw0rd"
}
----
// TEST[setup:jacknich_user]

The API returns the following response:

[source,console-result]
----
{
  "uid": "u_79HkWkwmnBH5gqFKwoxggWPjEBOur1zLPXQPEl1VBW0_0",
  "enabled": true,
  "last_synchronized": 1642650651037,
  "user": {
    "username": "jacknich",
    "roles": [
      "admin", "other_role1"
    ],
    "realm_name": "native",
    "full_name": "Jack Nicholson",
    "email": "jacknich@example.com"
  },
  "labels": {},
  "data": {},
  "_doc": {
    "_primary_term": 88,
    "_seq_no": 66
  }
}
----
// TESTRESPONSE[s/1642650651037/$body.last_synchronized/]
// TESTRESPONSE[s/88/$body._doc._primary_term/]
// TESTRESPONSE[s/66/$body._doc._seq_no/]