RE: Upgrading 1.64.1 to 1.65.0 never boots

@mqwirtnuf How's it going? Can you share your upgrade process?

Lots of options!

• Self-service password recovery — SMS or Email based forgot password flows out of the box, with hosted pages that require no custom UI. If a user's login ID is a phone number, the reset is delivered via SMS automatically.
• API-driven recovery — The full forgot password flow is triggerable via POST /api/user/forgot-password with an email, phone, or username as the login ID, giving teams complete control over the UI and recovery experience.
• Admin and support-assisted recovery — Support staff can trigger resets or force password changes directly from the admin UI, no email required.
• Admins can also remove MFA methods directly from the user record.
• MFA recovery — Recovery codes generated at MFA enrollment let users bypass a lost second factor.
• Self-service MFA configuration — Users can add, remove, and manage their own MFA methods (TOTP, SMS, email) from a hosted self-service account page without any admin involvement. Removing a method requires completing an MFA challenge first, which prevents unauthorized removal. If an admin removes a user's MFA method and the tenant or application policy is set to Required, the user will be prompted to set up MFA again on next login.
• Webhooks and event-driven recovery — FusionAuth fires events like user.login.failed and user.password.reset that your backend can listen to and act on, enabling custom recovery logic, audit trails, and downstream notifications.
• Account linking and IdP recovery — For users who log in via a social or enterprise IdP, FusionAuth can be configured to link that identity to a FusionAuth user record. If the IdP connection is the issue, the user can still go through the standard forgot password flow as long as an phone number or email is on their account, so recovery isn't solely dependent on the IdP being available.

What are account recovery options available with FusionAuth?

You want to use search parameters like those outlined in this sample script.

• use a key limited to POST on /api/user/search
• set accurateTotal on the request
• set numberOfResults to 1 on the request

In the response, look at the total field.

This will let you get exact numbers while reducing load on your instance.

How can I get an exact number of users with some attributes? I'm using elasticsearch.

Beginning in version 1.65.0, FusionAuth offers Complete Registration. Full docs here.

How this would work:

• enable a registration form for the application your users are logging into
• select certain attributes as required. If you are using a basic form, you could select 'birth date'. If you are using an advanced form, you can select whatever profile attributes you need
• set the Registration mode to Complete registration. This setting means that users cannot self-register, but can complete missing information from an existing registration.
• save the application

Now, your admin user can create a user with a minimal amount of data (perhaps just an email address).

The user will, at first login, be prompted to fill out their profile data, including all fields you've marked required.

This is not full progressive registration, but can be useful in certain circumstances.

How can I collect additional profile attributes at login after a user has been created and registered?

I'm using the hosted login pages. My admin user creates an account, but I want to collect other profile attributes from the user afterwards.

@kevin-doran This is a great question to ask FusionAuth support.

Have you opened a ticket?

Thank you for letting us know.

This is an open issue. To see when this is resolved, you can follow along with the github issue here: https://github.com/FusionAuth/fusionauth-issues/issues/3439

The cleanest way to do it is with asymmetric JWT verification plus a bounded offline grace period.** Here's the pattern.

FusionAuth signs JWTs with a private key it holds. The matching public key is published at the JWKS endpoint (/.well-known/jwks.json). Your mobile app — or any resource server — can verify a token's signature locally, with zero network calls, as long as it has that public key. You can even bundle the public key with the application and avoid the retrieving it.

That's the property that makes offline auth possible. You're not asking "is this token still good?" over the wire; you're asking "did FusionAuth sign this, and has it expired?" using math the device can do on its own.

See JWT signing configuration and the JWKS endpoint docs.

The Flow

1. First login (online, required). The user authenticates against FusionAuth via OAuth with the offline_access scope, or via the Login API with loginId + password + applicationId. You get back two things:

• A short-lived access token (signed JWT, RS256, EdDSA, or ES256)
• A long-lived refresh token (opaque, default 30 days, configurable per tenant or application)

Refresh token details are in the refresh token settings docs.

2. Cache the JWKS on the device. Fetch /.well-known/jwks.json once and store it. You'll match incoming tokens to the right key using the kid in the JWT header. For fully air-gapped scenarios, you can bundle the JWKS into the app at build time — see the air-gapping article.

3. Online operation. The app uses the access token for API calls. When it expires, the app calls the Refresh a JWT API with the refresh token to mint a new access token.

4. Offline operation. The app validates the cached access token locally:

• Find the key in the JWKS where kid matches the JWT header
• Verify the signature with that public key
• Check exp, iss, aud, and any custom claims you care about

If the token is past exp but the device is offline, allow a bounded grace period (e.g., 24 hours past expiration). After that, degrade functionality until the device reconnects and refreshes. For instance, you could allow read operations but nothing that changes data.

5. On reconnect. Refresh immediately. If the refresh token has been revoked server-side, the call will fail and the user must re-authenticate.

Token lifetime tuning

This is where you make your security/availability tradeoff explicit. FusionAuth lets you tune both lifetimes per tenant or per application:

• Access token TTL (ttl_seconds set this short for online use (5–15 minutes is typical), but if you want longer offline windows without the grace-period workaround, you can extend it. Whatever you pick is the maximum revocation lag for compromised tokens.
• Refresh token duration: default is ~30 days. Use a Sliding Window with Maximum Lifetime policy if you want active devices to keep working but inactive ones to expire automatically.
• One-Time Use refresh tokens: rotates the token value on every refresh. Strongly recommended — if a refresh token is stolen and used, the legitimate device's next refresh will fail and the theft is detected.

What FusionAuth gives you for revocation

Refresh tokens can be revoked automatically on password change, MFA enrollment, or any action that prevents login. You can also call the Revoke Refresh Tokens API directly. The catch: revocation only takes effect the next time the device tries to refresh. Already-issued access tokens remain valid until their exp.

Tradeoffs you're signing up for

Be honest with yourself about this approach. These aren't FusionAuth limitations, they're inherent to offline auth:

• Delayed revocation. A stolen device retains access until the access token expires and the offline grace period elapses. Shorter access token TTLs mean faster revocation but more refresh traffic and shorter offline windows. Pick where on that curve you want to sit.
• Clock trust. Offline exp checks rely on the device clock, which the user controls. If that matters for your threat model, store a "last known server time" on each refresh and refuse to validate tokens if the clock has moved backward.
• Stale claims. If a user's roles or permissions change, the old claims persist in the cached token until the next refresh. Acceptable for most apps, not for high-stakes authorization.
• Local credential storage. If you want users to "log in" while offline (PIN/biometric to unlock the cached session), you're storing something derivable from their credential on the device. Use the platform secure storage (iOS Keychain, Android Keystore) and a slow KDF like Argon2id for any password-derived material.
• Key rotation. If you bundle JWKS into the app, you have to ship app updates ahead of key rotations (or plan to create a bunch of keys ahead of time). If you fetch JWKS dynamically, you need a cache strategy and a fallback when the cache is stale and the network is down.
• MFA degrades offline. Push and SMS-based factors require connectivity. Offline auth typically falls back to device-bound factors (the refresh token + a local PIN/biometric), which is different than your online MFA flow. Decide whether that's acceptable.

Practical starting point

Here's an example of the configuration:

• Access token TTL: 15 minutes
• Refresh token: 30 days, sliding window, one-time use
• Offline grace period (app-enforced): 24 hours past exp
• JWKS: fetched on first launch, refreshed weekly when online, with a bundled fallback
• Mandatory online check-in: every 7 days (refuse to operate offline beyond this)

Tighten the numbers for higher-sensitivity apps, loosen them for field-work apps where availability matters more than instant revocation.

Some further reading for you:

• Building a Secure JWT
• Revoking JWTs
• Token storage best practices
• Air-gapping FusionAuth

The short version: FusionAuth gives you all the primitives:

• asymmetric signing
• JWKS
• configurable lifetimes
• refresh token revocation

The offline policy is yours to design, and the design is mostly about choosing how much revocation lag you can tolerate in exchange for how much offline runway your users need.