The email address of the end user.

The password hash. For a Scrypt or PBKDF2 hash, the hash needs to be a base64 encoded string.

The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details.

The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details.

Whether to set the user's email as verified. This is a dangerous field, incorrect use may lead to users getting erroneously deduplicated into one User object. This flag should only be set if you can attest that the user owns the email address in question.

The phone number of the user. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).

Whether to set the user's phone number as verified. This is a dangerous field, this flag should only be set if you can attest that the user owns the phone number in question.

If a new user is created, this will set an identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters.

Roles to explicitly assign to this User. See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment.