The Kinvey instance represents a full deployment of the Kinvey platform. Based on your license and location you are using either one of the multi-tenant Kinvey instances, or a single-tenant Kinvey instance dedicated to your company.

Each instance has an instance identifier, which is used to work with Kinvey applications hosted on that instance. You can find the instance identifier for your instance from the Web Console, when you open an application environment.

User Accounts

In order to use Kinvey as an administrator or collaborator you need to have a user account. User accounts are managed on instance level.

Note that these accounts are for accessing the management functionality of Kinvey. They are completely different from the user management features available for the end users of applications hosted in Kinvey.

The standard way of creating a new user account is by registering a new user from the Kinvey Web Console. This approach utilizes the Kinvey Built-In User Management.

For single-tenant instances it is also possible to configure integration with an external identity provider. After a successful login through the external identity provider, a linked Kinvey user account is created automatically. For more information, see the External Identity Provider section.

User accounts can be given instance-level permissions or can be invited to collaborate in organizations. Various collaboration options are available on organization level.

Built-In User Management

Kinvey has a built-in user management functionality. It includes user registration, profile management, password recovery and other standard user-related functions.

Registering User Accounts

Registration of a new Kinvey account is done from the Kinvey Web Console. It is available to everyone. Depending on the instance configuration, some limitations on the registration functionality might be in place.


Kinvey provides a way to invite people to create user accounts and collaborate in Kinvey. You invite a user by specifying their email address. Kinvey then sends an invitation email to that address with a link for creating an account.


The Kinvey built-in user management functionality supports several configuration options. Those options can only be changed by an administrator. The configuration options are:

  • Require admin approval for user accounts
    Specifies whether an approval from administrators is required for new users in the instance.

  • Require email verification
    Specifies whether users need to verify their email before they can log in with their account.

  • Require two-factor authentication
    Specifies whether users are required to set up 2FA before they can log in to the instance.

  • Allowed email addresses
    Specifies domains that are allowed to register on the instance. This setting is useful on single-tenant instances if you want to limit registrations to people with email addresses in your company domain. Note that you also need to enable email verification to fully benefit from this feature, since without verification nothing confirms that the registrant controls the address.

Personal Access Tokens

Registered Kinvey users can create personal access tokens to use as an alternative to the password-authentication method when authenticating to the Management API. The token has the same permissions as the user at the time of its usage - i.e. if you grant the user a new role and use a previously created personal access token, the token will provide access that includes the new role's abilities.

To create a personal access token, navigate to Profile > Personal Access Tokens. It is recommended to give each token a descriptive name so that it is clear where it is used and what its purpose is. To provide additional security, we highly recommend adding expiration to your personal access tokens. If you try to use an already expired token, Kinvey will automatically delete it.

Make sure to copy and store the value of the generated personal access token at the time you create it, as this value is hidden and not available after that.

Tokens should be treated like passwords and they should remain a secret. When working with the API, use tokens as environment variables instead of hardcoding them into your programs.
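
The following is an added example, not code from the Kinvey documentation, showing one way to read a personal access token from an environment variable and keep it out of logs and tracebacks. The variable name KINVEY_PAT, the host name and the "Bearer" scheme are assumptions or placeholders; take the real endpoint and Authorization format from the Management API reference.

```python
import os
import urllib.request

ENV_VAR = "KINVEY_PAT"  # hypothetical variable name, not defined by Kinvey


class SecretToken:
    """Holds a token so it cannot leak through repr(), str() or logging."""

    def __init__(self, value: str):
        self._value = value

    def reveal(self) -> str:
        # The only place the raw value leaves the wrapper.
        return self._value

    def __repr__(self) -> str:
        return "SecretToken(****)"

    __str__ = __repr__


def load_token(env=os.environ) -> SecretToken:
    """Read the token from the environment; fail closed if it is absent."""
    raw = env.get(ENV_VAR, "").strip()
    if not raw:
        raise RuntimeError(f"{ENV_VAR} is not set; export it from a secret store")
    return SecretToken(raw)


def build_request(url: str, token: SecretToken, scheme: str) -> urllib.request.Request:
    """Attach the token to a single request; URL and scheme come from the caller."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send a token over a non-TLS URL")
    req = urllib.request.Request(url)
    req.add_header("Authorization", f"{scheme} {token.reveal()}")
    return req


if __name__ == "__main__":
    # Constructed sample values; host and "Bearer" scheme are placeholders.
    demo_env = {ENV_VAR: "example-token-value"}
    tok = load_token(demo_env)
    req = build_request("https://management-api.example.invalid/apps", tok, "Bearer")
    print(tok, req.get_method(), req.full_url)  # the token itself is never printed
```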

External Identity Providers

As an alternative to using the Kinvey built-in user management, you could also integrate with an external SAML/ADFS identity provider. The external identity providers can be used to access the Kinvey Web Console, CLI and Management API.

Using an external identity provider results in better security and improved convenience for the users. Users will not need to remember an additional set of credentials for Kinvey, and the actual user management (including disabling access for a user) will happen only in the identity provider (already handled by your IT team).

For more information on setting up external identity providers, please see the Single Sign-On section.

The Single Sign-On feature is only available for single-tenant instances.

Instance User Roles

The following user roles are available on instance level:

| Role name | Description | Legacy name |
|---|---|---|
| Viewer | Grants Viewer access to all organizations. | N/A |
| Collaborator | Grants Collaborator access to all organizations. | N/A |
| Developer | Grants Developer access to all organizations. | N/A |
| Administrator | Grants full access to manage the instance configuration and all organizations. | Admin |
| Kinvey Administrator | A system role used by the Kinvey Support team to manage the Kinvey instance. | Kinvey Admin |
| Kinvey Support | A system role used by Kinvey Support Team to diagnose issues and help with customer requests. | N/A |

For more information on Viewer, Collaborator and Developer access, please check organization-level roles.

Other Configuration Settings

Kinvey supports the following additional configuration settings on instance level:

  • User session timeout
    The default session time for application users. This setting can also be overridden on organization and application level.