Docs Menu
Docs Home
/ /
Atlas App Services

Manage User Accounts

On this page

  • Overview
  • Delete a User
  • Manually Delete a User
  • Delete a User in the SDK
  • Delete a User with a Custom Function
  • Disable a User
  • Enable a User

You can manage your application's user accounts with the App Services UI, App Services CLI, Admin API, or Realm SDKs.

You can completely remove a user from your application, including any metadata and authentication provider identities. Deleting a user also immediately ends any sessions associated with that user.


If you don't want to delete the user's account, you can disable their account to temporarily suspend their access.

You can use the App Services UI, CLI, or Admin API to manually remove a user account.


App Services does not automatically delete any data in your linked MongoDB Atlas cluster that you have associated with a deleted user. For example, if your application allows users to create data that linked to a user by including their ID in an owner_id field, deleting the user object does not delete the user-created linked data. To remove all traces of a deleted user, you must manually delete or modify any such documents.

You can give users the option to delete their own account from a client application when you use the Realm SDKs to delete users.

You can write a custom function to delete a user. You might want to do this if your SDK does not yet support the delete users API.

Create a function similar to our example below that uses Application Authentication. You might want to incorporate error handling in the event that the function does not successfully authenticate, or it cannot delete the calling user.

For this example function, we have created values and secrets for the adminApiPublicKey and adminApiPrivateKey. We would then add the Project and Application IDs to the apiUrl.

We can then call this function from the SDK. The example function below does not take any arguments, and deletes the user who calls the function.


If your app uses Email/Password Authentication, consider that you may want to delete pending users, which involves a second endpoint:

const apiUrl = "{insert-your-project-id}/apps/{insert-your-app-id}";
exports = async function(){
// This function deletes the user who calls it. It gets this user's ID
// from the user in the function context. This is safer than accepting
// a passed-in user ID, as the user can never delete any other user's account.
const callersUserId =
async function adminLogIn() {
const username = context.values.get("adminApiPublicKey");
const apiKey = context.values.get("adminApiPrivateKey");
const response = await{
url: "",
body: {username, apiKey},
encodeBodyAsJSON: true,
const body = EJSON.parse(response.body.text());
return body.access_token;
const token = await adminLogIn();
async function deleteUser(_id) {
await context.http.delete({
url: `${apiUrl}/users/${_id}`,
headers: {"Authorization": [`Bearer ${token}`]}
return _id;
return deleteUser(callersUserId);

You can temporarily disable a user, which prevents the user from logging in and invalidates any of the user's existing access and refresh tokens. You can enable a disabled user to let them log in again.

You can enable a disabled user to let them log in again.

← Read User Metadata