User and Group Features

Last updated: January 2026

The Agglestone Authentication and User Management Service provides powerful user and group management capabilities that let you organize your users and control access to your applications. All features are accessible through REST APIs, making it easy to build user management directly into your own applications.

User Management

Email and Username

Every user in the system must have an email address—this is required for password resets, notifications, and account recovery. But users can also have a separate, non-email username if your application model supports it. This gives you flexibility: use email addresses for login, usernames for display, or both depending on your needs.

Force Password Reset

Sometimes you need a user to change their password on their next login. Maybe it’s a new user account, or maybe you’ve detected a security issue. You can set a flag that forces password reset during the next login attempt. The user will be prompted to set a new password before they can access your application, ensuring they start with a fresh, secure password.

Individual MFA Control

Multi-factor authentication isn’t one-size-fits-all. The Agglestone Authentication and User Management Service lets you enable or disable MFA for each user individually. This means you can require MFA for administrators and high-privilege users while keeping it optional for others, or gradually roll out MFA to your user base.

If a user needs to reset their MFA (maybe they lost their device or want to switch authenticator apps), you can easily set them to reset MFA on their next login. They’ll go through the QR code setup process again, and they’re back in business.

Revoke All Sessions

When security is a concern—maybe a user’s account was compromised, or they’ve left your organization—you can immediately revoke all refresh tokens for that user. This forces them to log in again on all devices, effectively signing them out everywhere at once. It’s a powerful tool for quickly responding to security incidents.

Login History

Every login attempt is automatically tracked and recorded, giving you complete visibility into who’s accessing your application and from where. The Agglestone Authentication and User Management Service maintains a comprehensive history of all authentication events, including successful logins and failed attempts.

For each login attempt, the Agglestone Authentication and User Management Service records:

  • IP Address – Where the login originated from
  • Timestamp – Exactly when the login occurred
  • Success or Failure – Whether the authentication succeeded
  • User Information – Which user attempted to log in

This login history serves multiple purposes. It provides detailed audit trails for compliance and security investigations. You can identify unusual access patterns, detect potential security threats, and investigate incidents with complete visibility into authentication events.

The login history also powers security features like IP address restrictions for refresh tokens. When a user tries to refresh their token from a new location, the Agglestone Authentication and User Management Service checks their login history to determine if that IP address has been used for successful logins before. This adds an extra layer of security while maintaining a smooth experience for legitimate users.

Access this information through the REST APIs to build your own security dashboards, compliance reports, or monitoring tools. The complete audit trail is always available when you need it.
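The following is an added example, not code from the Agglestone service: it runs the known-IP check described above and a simple failed-login burst detector over login-history records. The records are constructed, and the field names (`user`, `ip`, `ts`, `success`) and function names are assumptions rather than the service's response schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names are assumptions for this example,
# not the service's actual response schema.
HISTORY = [
    {"user": "alice", "ip": "198.51.100.7", "ts": "2026-01-10T08:00:00", "success": True},
    {"user": "alice", "ip": "203.0.113.50", "ts": "2026-01-11T02:10:00", "success": False},
    {"user": "alice", "ip": "203.0.113.50", "ts": "2026-01-11T02:11:30", "success": False},
    {"user": "alice", "ip": "203.0.113.50", "ts": "2026-01-11T02:13:00", "success": False},
    {"user": "bob", "ip": "192.0.2.44", "ts": "2026-01-11T09:00:00", "success": True},
    {"user": "bob", "ip": "192.0.2.44", "ts": "2026-01-11T17:00:00", "success": False},
]

def known_ips(history, user):
    """IPs from which this user has logged in successfully at least once."""
    return {r["ip"] for r in history if r["user"] == user and r["success"]}

def refresh_ip_is_known(history, user, ip):
    """Known-IP check: failed attempts never make an IP 'known'."""
    return ip in known_ips(history, user)

def failed_bursts(history, threshold=3, window=timedelta(minutes=5)):
    """Return sorted (user, ip) pairs with >= threshold failures within window."""
    failures = defaultdict(list)
    for r in history:
        if not r["success"]:
            failures[(r["user"], r["ip"])].append(datetime.fromisoformat(r["ts"]))
    flagged = set()
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(refresh_ip_is_known(HISTORY, "alice", "198.51.100.7"))
    print(refresh_ip_is_known(HISTORY, "alice", "203.0.113.50"))
    print(failed_bursts(HISTORY))
```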

Group Management

Organize Users into Groups

Groups are a powerful way to organize your users and control access. Create groups that represent roles, departments, permission levels, or any other organizational structure that makes sense for your application.

Groups in JWTs

When a user is added to a group, that group automatically appears in their JWT (JSON Web Token). This means every time the user authenticates, their group memberships are included in the token, ready for your application to use.

Access Control in Your Application

Use the group information in JWTs to control access in your own application. Check which groups a user belongs to and grant or restrict access to features, data, or functionality based on their group membership. This gives you fine-grained access control without needing to make additional API calls—the information is right there in the token.

For example, you might have groups like “Administrators,” “Managers,” and “Employees.” In your application, you can check if a user has the “Administrators” group in their JWT and grant them access to admin features. Or check for the “Managers” group to allow access to management dashboards.

The groups are included as standard claims in the JWT, making them easy to access in any application that can verify and decode JWTs. No custom logic needed—just check the groups claim and make your access control decisions.
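The following is an added example, not the service's own code: it verifies a token before trusting its groups and then makes the group check described above. It assumes an HS256-signed token with a shared secret and a `groups` claim holding a list of names; the page states neither the signing algorithm nor the claim's exact layout, so adjust both to match your tokens.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims, secret):
    """Build a constructed HS256 token for the demo (stands in for the service)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url_encode(sign(f'{header}.{body}', secret))}"

def verified_claims(token, secret, now=None):
    """Return the claims dict only if algorithm, signature and expiry all pass."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: a token declaring "none" or anything else is rejected.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = sign(f"{header_b64}.{body_b64}", secret)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims

def in_group(token, secret, group, now=None):
    """True only for a verified token whose groups claim is a list containing group."""
    claims = verified_claims(token, secret, now)
    groups = claims.get("groups") if claims else None
    # Require a list: with a bare string, `in` would do substring matching.
    return isinstance(groups, list) and group in groups

if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    token = make_token({"sub": "u1", "groups": ["Managers"], "exp": time.time() + 300}, secret)
    print(in_group(token, secret, "Managers"), in_group(token, secret, "Administrators"))
```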

Want to learn more about authentication? Check out Authentication Features.