Self-service policy settings

A self-service policy defines which account management features are available to customers without requiring help from support or administrators. With the right settings, you can let customers handle tasks like registration, account recovery, and consent management on their own, improving the customer experience and reducing operational load.

🛑

Changes made to a policy in current use take immediate effect in your application's self-service accounts.

Concepts

Verified identifier

An email or phone number is verified if ownership of that identifier has been confirmed through an account activation step or through MFA enrollment using the same email address or phone number.

A verified identifier:

  • Is shown with a blue "verified" check icon in the Admin Console.
  • Is only applicable to email or phone identifiers (not attributes in the identity store).
  • Becomes verified after:
    • An OTP or magic link is successfully used during account activation.
    • The same email address or phone number is enrolled as an MFA method during registration or self-service.

📘

When an identifier is verified through MFA enrollment, an additional activation verification step is not required. A confirmation email may still be sent to notify the customer that their account is active.

📘

In username-only identity stores, verified identifiers are not available, since the account doesn't include an email or phone identifier.

Confirmed attribute

A confirmed attribute is a profile field, like an email or phone number (not used as an identifier), that has been validated through MFA enrollment.

  • Typically refers to:
    • The primaryEmail (mapped under emails.primaryEmail by default)
    • The primaryPhoneNumber (mapped under phoneNumbers.primaryPhoneNumber by default)
  • Becomes confirmed when:
    • A customer enrolls an OTP-based email or phone authenticator tied to that attribute.
  • Can be used for actions like password recovery, even when the attribute is not the identifier.

📘

An account can have a verified email identifier and a different confirmed email attribute at the same time. In this case, the email identifier takes precedence during account recovery journeys.

General settings

  • Policy name: Set the internal name for your policy. This name appears in the self-service policy dropdown when assigning policies to applications and is used throughout the Admin Console.
  • Description: Optionally add a description to help your team understand the purpose of the policy or how it differs from others. The description is internal-only and doesn't affect behavior.
  • Policy tag: You can add one or more tags to help categorize and filter policies.
  • Danger zone: Policies can be permanently deleted. This action cannot be undone.

Self-service functionality

Choose which self-service features you want to make available for customers. These features can be combined based on your brand's use case and customer experience goals.

Capabilities include:

Learn how self-service capabilities shape your customer experience, from account creation to managing consents and MFA preferences.

Link expiry

You can define how long different types of self-service links remain valid. Each link has a lifetime value, which sets how long a customer has to complete the action after receiving the link.

  • Links expire once the customer completes the associated action.
  • Links do not expire upon first click. Customers can reopen the same link until it expires or the action is completed.
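
The two expiry rules above, sketched as a server-side check. This is an added example, not the product's implementation; the class and method names, the "account_recovery" label and the lifetime values are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class LinkRecord:
    action: str              # link type, e.g. "account_recovery" (constructed label)
    expires_at: float        # issue time + lifetime configured for this link type
    completed: bool = False  # set once the customer finishes the action


class SelfServiceLinks:
    def __init__(self, lifetimes, clock=time.time):
        self.lifetimes = lifetimes  # seconds per link type (assumed values)
        self.clock = clock          # injectable so expiry can be tested
        self.records = {}           # sha256(token) -> LinkRecord; raw token never stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).digest()

    def issue(self, action):
        token = secrets.token_urlsafe(32)
        self.records[self._key(token)] = LinkRecord(
            action, self.clock() + self.lifetimes[action])
        return token

    def status(self, token):
        """Opening a link: read-only, so reopening does not invalidate it."""
        rec = self.records.get(self._key(token))
        if rec is None:
            return "unknown"
        if rec.completed:
            return "completed"
        if self.clock() >= rec.expires_at:
            return "expired"
        return "valid"

    def complete(self, token):
        """Finishing the action: the only step that consumes the link."""
        if self.status(token) != "valid":
            return False
        self.records[self._key(token)].completed = True
        return True
```

Because a link stays usable on every reopen until it is completed or its lifetime runs out, the lifetime value is the only bound on how long a forwarded or intercepted link remains live.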