SAP Customer Data Cloud Positions

accounts.setAccountInfo REST

Skip to end of metadata
Go to start of metadata



Note: This method is part of the Customer Identity and the Profile Management - IDS packages. Both packages are premium platforms that require separate activation. If neither are part of your site package, please contact your Gigya Customer Engagement Executive or contact us by filling in a support form on our site. You can also access the support page by clicking "Support" on the upper menu of Gigya's site.


This method sets account data into a user's account. The method accepts a list of optional parameters each defining a field/object in the account. The parameters that are passed in the request modify the relevant fields, and the other fields remain unchanged.


Do not use this API to create new fields within your site schema, use accounts.setSchema for consistent results. Fields created with setAccountInfo have their write permissions automatically set to serverOnly, and must be manually changed using accounts.setSchema to clientModify if you want to access these fields via client-side Web SDK calls.

The properties listed on this page apply to full accounts, note that Lite accounts only have access to a subset of these properties. For detailed information on Lite Accounts, see the Lite Registration documentation.


Request URL

Where <Data_Center> is:
  • - For the US data center.
  • - For the European data center.
  • - For the Australian data center.
  • - For the Russian data center.
  • - For the Chinese data center.

If you are not sure of your site's data center, see Finding Your Data Center.




The unique ID of the user for which to set account data. Use either this parameter or regToken .

* You are required to pass only one of the parameters either UID or regToken.


The regToken  returned from accounts.initRegistrationaccounts.register or accounts.login API calls when the registration process has not been finalized. Please note that the regToken  you receive from Gigya is valid for only one hour. Calls passing a regToken are handled as client-side calls by the server: fields with a writeAccess permission of "server only" will be inaccessible. 

** When passing regToken , the call must be made over HTTPS .

addLoginEmailsstring A comma-separated list of emails that should be added to the user's login identifiers list, and can be used for login purposes.
conflictHandlingstringHow the server handles a "login identifier exists" conflict on a new account:
  • fail - (default) returns a "login identifier exists" error.
  • saveProfileAndFail - profile data is saved before returning error "OK with error login identifier exists".
dataJSON object

An object containing custom data. Any data that you want to store regarding the user which isn't part of the profile object can be stored here.

Note that when using this parameter for users that already have custom data stored, it is not necessary to set all the fields again. Just include the fields you want to change or add. For example, the following code adds a "car" field to the user's custom data with the value "Suzuki Alto", or, if a "car" field already exists, its value is changed to "Suzuki Alto". Any other fields in the custom data objects remain unchanged.

{'car':'Suzuki Alto'}

This parameter allows disabling the account. This is only permitted when calling this method from server-side, attempting to disable an account from a client SDK will return an error.

If an account's isActive state is false, a user attempting to login will receive an 'Account is disabled' error, and if email is the site's Login Identifier, the same email can not be used to create a new account.

isLockedOutBooleanThis parameter has been deprecated. Use accounts.rba.unlock REST instead.

Indicates whether the account email(s) are verified.

*If you pass the value 'true', all unverified email addresses in the account will be flagged as verified.

Once an account has been verified it is immutable and can not be 'unverified'.

langstringThe language/locale of the current end-user. This is an incoming parameter of the setAccountInfo API and not a settable field for the user. When setting a user's Consent preferences this parameter is used and required if a consent that is being agreed to or updated has a Purpose Document defined and attaches the user consent to the correct localized consent version. You can find a list of supported language codes in Advanced Customizations and Localization.
muteWebhooksBooleanWhen set to true, no webhooks are triggered by the API call. The default value is false.
newPasswordstringThe new password to replace the old one. Use this parameter with  password . When passing the  securityQuestion  or  securityAnswer  parameters the  password  parameter is required.
Note: If this parameter is passed then the method must be called using HTTPS.
passwordstringThe old password to be changed. Use this parameter with  newPassword .
Note: If this parameter is passed then the method must be called using HTTPS.

The phone number login identifier, if the account uses Phone Number Login. The supported phone number formatting is E.164.

When using accounts.setAccountInfo, this parameter cannot be updated using client-side calls.

preferencesJSON object

A  Preferences  Object containing consent data for this user. When manually passing subscription information for a user using this method, you can change only the value of the isConsentGranted Boolean parameter and tags (only when accompanied by a status change of isConsentGranted). When setting or updating a user's Consent you must pass the lang parameter also.

Note, however, that it is not necessary to pass the lang parameter when setting preferences via the Web SDK as it is passed implicitly by the SDK.

Passing this as an array is not supported.

profileProfile objectThe user's profile information as described in the Profile object. You may add data to the predefined Gigya fields. To add your own custom profile fields, use the data object.
removeLoginEmailsstringA comma-separated list of emails to be removed from the user's login identifiers list .
requirePasswordChangeBooleanWhen set to true the server will require a password change on the next login.
secretAnswerstringA secret answer to the secret question that can be used for verification. Use this parameter with  secretQuestion C hanging the secret answer will not work without providing the existing password ( password  parameter). This field is hashed and can not be extracted.
secretQuestionstringA secret question that can be used for verification. Use this parameter with secretAnswer . Changing the secret question will not work without providing the existing password ( password  parameter).
securityOverrideBooleanThe default value is "false". When set to "true", the API call does not require the oldPassword for setting the newPassword . It also does not require a password validation when setting the secret question and answer for the first time. Only users with _sites permissions are allowed to pass this parameter. Read more about Console Administration.
subscriptionsJSON objectA Subscriptions Object containing subscription data for this user. When manually passing subscription information for a user using this method, you can change only the value of the isSubscribed and tags parameters.
rbaJSON object

Sets the specified user's rba policy. Available properties include: 

  • riskPolicy - Determines the rule set from the defined rulesSets configured in accounts.rba.setPolicy or one of the default policies.
  • riskPolicyLocked - Determines whether the user can change their own riskPolicy. If true, only an admin can change the user's riskPolicy.

If accounts.rba.setPolicy.allowOverride is set to  no , this will return an error. You can delete a previously set override by setting the accounts.rba.setPolicy REST allowOverride value to  null .

Code example:

rba: {
      "riskPolicy": "low",
      "riskPolicyLocked": true

For setting a site's RBA Policy, see Accounts RBA Policy Object.

usernamestringThe user's new username that can be used as a login identifier, if the site's Login Identifier Policy allow that.
createddateThe UTC time the account was created in ISO 8601 format, e.g. "2014-07-16T19:20:30Z". This property is set internally by Gigya and can not be edited.
regSourcestringA string representing the source of the registration. Can be used to set varying destination pages in accounts.setPolicies. For additional information, see WebSDK Configuration. This property can not be edited once it is set.
format string Determines the format of the response. The options are:
  • json (default)
  • jsonp - if the format is jsonp then you are required to define a callback method (see parameter below).
callback string This parameter is required only when the format parameter is set to jsonp (see above). In such cases this parameter should define the name of the callback method to be called in the response, along with the jsonp response data.
context string/JSON This parameter may be used to pass data through the current method and return it, unchanged, within the response.
ignoreInterruptions Boolean This may be used in some cases to suppress logic applied by the Web SDK, such as automatic opening of screens (e.g., in a registration completion scenario). This parameter may not be used with REST APIs.
httpStatusCodes Boolean The default value of this parameter is false, which means that the HTTP status code in Gigya's response is always 200 (OK), even if an error occurs. The error code and message is given within the response data (see below). If this parameter is set to true, the HTTP status code in Gigya's response would reflect an error, if one occurred.
oldPasswordBoolean Deprecated . Use the password parameter instead.

Authorization Parameters

Each REST API request must contain identification and authorization parameters.

Some REST APIs may function without these authorization parameters, however, when that occurs, these calls are treated as client-side calls and all client-side rate limits will apply. In order to not reach client-side IP rate limits that may impact your implementation when using server-to-server REST calls, it is Recommended Best Practice to always sign the request or use a secret. A non-exhaustive list of REST APIs that this may apply to are as follows:

  • accounts.login
  • socialize.login
  • accounts.notifyLogin
  • socialize.notifyLogin
  • accounts.finalizeRegistration
  • accounts.linkAccounts

Please refer to the Authorization Parameters section for details. 

Sample Requests


Response Data


In case of a data validation errors (errorCode 400006), you will receive this field as an array of error objects. Each object represents a validation error regarding one of the following fields:  username, password, secretQuestion, secretAnswer, email. For example:

validationErrors: [
      "errorCode": 400006,
      "message": "invalid password - minimum length of 6 characters is required",
      "fieldName": "password"
      "errorCode": 400006,
      "message": "wrong format",
      "fieldName": ""
UIDstringWhen using a Lite User regToken, the user's UID is returned in the response.
apiVersion integer Defines the API version that returned the response and may not always be returned.
callId string Unique identifier of the transaction, for debugging purposes.
errorCode integer The result code of the operation. Code '0' indicates success, any other number indicates failure. For a complete list of error codes, see the Error Codes table.
errorDetails string This field will appear in the response only in case of an error and will contain the exception info, if available.
errorMessage string A short textual description of an error, associated with the errorCode, for logging purposes. This field will appear in the response only in case of an error.
fullEventName string The full name of the event that triggered the response. This is an internally used parameter that is not always returned and should not be relied upon by your implementation.
time string The time of the response represented in ISO 8601 format, i.e., yyyy-mm-dd-Thh:MM:ss.SSSZ or
statusCode integer The HTTP response code of the operation. Code '200' indicates success.
This property is deprecated and only returned for backward compatibility.
statusReason string A brief explanation of the status code.
This property is deprecated and only returned for backward compatibility.


A field that does not contain data will not appear in the response.

Response Example

    "statusCode": 200,
    "errorCode": 0,
    "statusReason": "OK",
    "callId": "ddb3f8e144c84cb5b1bc5f010bddab2b",
    "time": "2015-03-22T11:42:25.943Z"


Gigya defines specific error codes and messages that are used with the Accounts API. These errors are returned with the APIs, indicating that some information is incorrect or missing. 

This section describes the errors that are related to this API, the reasons for each error, and the expected next step.

  • Unique identifier exists (error code 400003) - returned when the email or the username already exist in the accounts database when a user tries to register or to set the account info. The expected next step: call this API method again with a different identifier that does not exist in the account database.
  • Invalid loginID (error code 403042) - returned when a user tries to perform an action that requires a login identifier (username or email) and the login ID doesn't exist in our accounts database. It is also returned if the password that is passed in the API is incorrect.
  • Login identifier exists (error code 403043) - returned when email is defined as the loginIdentifier  in the accountOptions policy, and the email address received from the provider exists in the system but is associated with a different user. The expected next step: call accounts.linkAccounts to merges between the account identified by the provided UID and the account identified by the provided login credentials (loginID + password).
  • Validation errors - the validationErrors object is an array of validation errors; each validation error is made up of an  errorCode , a  message , and a fieldName . The errorCode and message specify what error occured and the fieldName specifies which field had a validation error. When an invalid field type is used, i.e. a string instead of an integer, or if a wrong format is used, i.e. an email address that is not in a correct format, an "Invalid parameter value" error is returned (error code 400006). A validation error is returned whenever there is a data validation error regarding one of the following required fields: username, password, secretQuestion, secretAnswer, email. The expected next step is: Call the API method again with the missing info.