Self-service policy settings
A self-service policy defines which account management features are available to customers without requiring help from support or administrators. With the right settings, you can let customers handle tasks like registration, account recovery, and consent management on their own, improving experience and reducing operational load.
Changes made to a policy in current use take immediate effect in your application's self-service accounts.
Newly created self-service policies and the Default policy have every setting enabled.
Concepts
Verified identifier
An email or phone number is verified if it was used as an identifier and was successfully validated through an account activation step (OTP or magic link) or MFA enrollment.
A verified identifier:
- Is shown with a blue "verified" check icon in the Admin Console.
- Is only applicable to email or phone identifiers (not attributes in the identity store).
- Becomes verified after:
  - OTP or magic link is used during account activation.
  - OTP is used to confirm the identifier during MFA enrollment.
In username-only identity stores, verified identifiers are not available, since the account doesn't include an email or phone identifier.
Confirmed attribute
A confirmed attribute is a profile field, like an email or phone number (not used as an identifier), that has been validated through MFA enrollment.
- Typically refers to:
  - The primaryEmail (mapped under emails.primaryEmail by default)
  - The primaryPhoneNumber (mapped under phoneNumbers.primaryPhoneNumber by default)
- Becomes confirmed when:
  - A customer enrolls an OTP-based email or phone authenticator tied to that attribute.
- These can be used for actions like password recovery, even if not the identifier.
An account can have a verified email identifier and a different confirmed email attribute at the same time. In this case, the identifier takes precedence.
General settings
- Policy name: Set the internal name for your policy. This name appears in the self-service policy dropdown when assigning policies to applications and is used throughout the Admin Console.
- Description: Optionally add a description to help your team understand the purpose of the policy or how it differs from others. The description is internal-only and doesn't affect behavior.
- Policy tag: You can add one or more tags to help categorize and filter policies.
- Danger zone: Policies can be permanently deleted. This action cannot be undone.
Self-service functionality
Choose which self-service features you want to make available for customers. These features can be combined based on your brand's use case and customer experience goals.
Capabilities include:
- Self-service registration
- Account linking
- Customer invite registration
- Password and identifier recovery
- Promote passkey
- Self-service account management
- Application launcher
Learn how self-service capabilities shape your customer experience, from account creation to managing consents and MFA preferences.
Link expiry
You can define how long different types of self-service links remain valid. Each link has a lifetime value, which sets how long a customer has to complete the action after receiving the link.
- Links expire once the customer completes the associated action.
- Links do not expire upon first click. Customers can reopen the same link until it expires or the action is completed.
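The two expiry rules above, modelled as an added example (not the product's own code): a link survives repeated opens and is consumed only when the action completes or its lifetime runs out. The class, method names, token format, digest storage and the 15-minute lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def _digest(token):
    return hashlib.sha256(token.encode()).digest()


class SelfServiceLink:
    """Server-side record for one self-service link (hypothetical model)."""
    def __init__(self, lifetime_seconds, issued_at):
        self.token = secrets.token_urlsafe(32)  # value placed in the link
        self._stored = _digest(self.token)      # keep only a digest at rest
        self.expires_at = issued_at + lifetime_seconds
        self.completed = False

    def status(self, presented, now):
        """Classify a presented token. Opening a link never changes state."""
        if not hmac.compare_digest(_digest(presented), self._stored):
            return "invalid"
        if self.completed:
            return "completed"
        if now >= self.expires_at:  # assumption: the boundary counts as expired
            return "expired"
        return "valid"

    def complete(self, presented, now):
        """Finish the action. This is the only call that consumes the link."""
        if self.status(presented, now) != "valid":
            return False
        self.completed = True
        return True


def demo():
    """Constructed timeline in seconds: 15-minute lifetime, issued at t=0."""
    link = SelfServiceLink(lifetime_seconds=900, issued_at=0)
    out = [link.status(link.token, now=10),     # first click
           link.status(link.token, now=600),    # reopened: still usable
           link.status("guess", now=600),       # wrong token
           link.complete(link.token, now=610),  # action finished
           link.status(link.token, now=620)]    # consumed by completion
    late = SelfServiceLink(lifetime_seconds=900, issued_at=0)
    out += [late.status(late.token, now=900), late.complete(late.token, now=901)]
    return out

if __name__ == "__main__":
    print(demo())
```

Because a click does not consume the link, the lifetime value is the only bound on how long an unused link stays usable.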