# Create users

You can create human users and bot users.

When you create new users, you specify the following information:

- Alias, for example, an email address.
- Roles.
- Public key.
- Login providers: an internal login, plus any external identity providers, if applicable.


Additionally, you must respect the following guidelines:

- Users within a domain cannot have the same alias.
- Users with the same public key in different domains must have the same alias.


## Prerequisites

Before you create your user, you need the following:

| Prerequisite | Additional information |
|  --- | --- |
| Details of the user roles available | [Get known user roles](/products/custody/v1.34/api/reference/openapi/users/getknownuserroles)You can also use new roles, if required. |
| The following new IDs, in a standard UUID format:A user IDAn intent ID |  |
| The user's public key | This is provided to you by the user during registration. For more information, see [Register](/products/custody/v1.34/api/get-started/register). |
| If you want to configure single sign-on, details of the external provider user aliases and provider IDs. | Request details from your Ripple liaison. |


## Create a user

System change process
All new requests to change the system state follow the same process. To familiarize yourself with this process first, follow the [Request a change with an intent](/products/custody/v1.34/resources/tutorials/intent) tutorial.

To create a user, follow the steps in [Request a change with an intent](/products/custody/v1.34/resources/tutorials/intent), with a payload similar one of the following examples.

### Payload examples

The following example shows an internal login only:


```json User with internal login
"payload": {
   "id": "61aaa805-f9b8-11eb-b158-dcfb48cfb3cb",
   "alias": "op1@ripple.com",
   "publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7ItVC+y2KerttcRjPLDs8QmDVz7yI7ElQA70Sz+cLcBI6041aObPvcNqps8eTYe2jhc2Kb5qgNgoACB3SqpYIA==",
   "roles": [
      "manager"
   ],
   "loginIds": [
      {
         "id": "op1@harmonize.com",
         "providerId": "harmonize"
      }
   ],
   "lock": "Unlocked",
   "description": "A user with role manager",
   "customProperties": {},
   "type": "v0_CreateUser" 
},
```

The following example shows a user with two login options:

- Internal login.
- Azure AD external identity provider.


You can only use external identity providers that are pre-configured for your environment by Ripple.


```json User with single sign-on providers
"payload": {
   "id": "61aaa805-f9b8-11eb-b158-dcfb48cfb3cb",
   "alias": "op1@ripple.com",
   "publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7ItVC+y2KerttcRjPLDs8QmDVz7yI7ElQA70Sz+cLcBI6041aObPvcNqps8eTYe2jhc2Kb5qgNgoACB3SqpYIA==",
   "roles": [
      "manager"
   ],
   "loginIds": [
      {
         "id": "op1@company.com",
         "providerId": "harmonize"
      },
      {
         "id": "op1@company.com",
         "providerId": "azure-ad"
      }
   ],
   "lock": "Unlocked",
   "description": "A user with role manager",
   "customProperties": {},
   "type": "v0_CreateUser" 
},
```

Fields of the `payload` block to note are as follows:

| Field | Description |
|  --- | --- |
| `type` | `v0_CreateUser` |
| `id` | A new user ID in a valid UUID format. |
| `lock` | You can set this to `Locked` to create an inactive user and unlock it later. For more information, see [Update users](/products/custody/v1.34/api/environment/user/update). |
| `publicKey` | The public key belonging to the user. |
| `roles` | One or more user roles. For more information, see [User roles](/products/custody/v1.34/api/environment/user#user-roles). |
| `loginIds` | A list of login options.At a minimum, you must specify the internal login details. You can also add SSO logins if configured for your environment.This is to ensure the user can always log in, even if SSO providers become unavailable.Each login is made up of the following fields:`id`: The user alias configured for the identity provider. For:Default internal login, this is the user email address.External identity providers, must match the identity provider alias configured for you by Ripple.`providerId`: A string that identifies the provider. ForInternal login, must be `harmonize`.External identity providers, must be one of the providers configured for you by Ripple. |


The user is created when the user creation intent is successfully approved and executed.