diff --git a/astro/src/components/api/APIField.astro b/astro/src/components/api/APIField.astro
index 0c18a31ea0..e3818a1943 100644
--- a/astro/src/components/api/APIField.astro
+++ b/astro/src/components/api/APIField.astro
@@ -22,20 +22,23 @@ const { name, description, type, required, optional, immutable, since, defaults,
---
{/*If you put the API field inside a conditional block it can break the markdown parsing, `renderif` solves that problem */}
{/* Note: if you use a description parameter instead of a body, you'll get a single-line version */}
-{ renderif &&
}
diff --git a/astro/src/content/docs/apis/_user-request-body.mdx b/astro/src/content/docs/apis/_user-request-body.mdx
index 3982fd181f..e65789864b 100644
--- a/astro/src/content/docs/apis/_user-request-body.mdx
+++ b/astro/src/content/docs/apis/_user-request-body.mdx
@@ -25,7 +25,7 @@ You must specify either the **email** or the **username** or both for the User.
A tenant has the option to configure one or more email domains to be blocked in order to restrict email domains during user create or update.
- Setting this property equal to `true` will override the tenant configuration. See tenant.registrationConfiguration.blockedDomains in the [Tenant API](tenants).
+ Setting this property equal to `true` will override the tenant configuration. See tenant.registrationConfiguration.blockedDomains in the [Tenant API](/docs/apis/tenants).
{ props.http_method === 'POST' &&
diff --git a/astro/src/content/docs/apis/users/bulk-delete.mdx b/astro/src/content/docs/apis/users/bulk-delete.mdx
new file mode 100644
index 0000000000..f5334a45d7
--- /dev/null
+++ b/astro/src/content/docs/apis/users/bulk-delete.mdx
@@ -0,0 +1,103 @@
+---
+title: Bulk Delete Users
+description: API documentation for the FusionAuth Bulk Delete Users API.
+order: 6
+---
+import APIBlock from 'src/components/api/APIBlock.astro';
+import APIField from 'src/components/api/APIField.astro';
+import API from 'src/components/api/API.astro';
+import Aside from 'src/components/Aside.astro';
+import InlineField from 'src/components/InlineField.astro';
+import JSON from 'src/components/JSON.astro';
+import SearchPreprocessingWarning from "src/content/docs/_shared/_search-preprocessing-warning.mdx";
+import StandardDeleteResponseCodes from 'src/content/docs/apis/_standard-delete-response-codes.astro';
+import UserBulkDeleteRequestBody from 'src/content/docs/apis/_user-bulk-delete-request-body.mdx';
+import UserBulkDeleteResponseBody from 'src/content/docs/apis/_user-bulk-delete-response-body.mdx';
+import XFusionauthTenantIdHeaderScopedOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-scoped-operation.mdx';
+
+This API is used to deactivate or delete multiple users in a single request.
+
+
+
+## Request
+
+
+
+
+
+
+
+
+
+
+
+
+
+### Request Parameters
+
+
+
+ To preview the user Ids to be deleted by the request without applying the requested action set this value to `true`.
+
+
+ To Permanently delete a user from FusionAuth set this value to `true`. Once a user has been permanently deleted, the action cannot be undone. When this value is set to `false` the user is marked as inactive and the user will be unable log into FusionAuth. This action may be undone by reactivating the user.
+
+
+ The maximum number of users to delete in one call.
+
+ You may use this parameter to process deletes in batches in order to limit individual request processing time and the number of user Ids on the response.
+
+
+ The raw JSON Elasticsearch query that is used to search for Users. The userId, query, and queryString parameters are mutually exclusive, they are listed here in order of precedence.
+
+ It is necessary to use the query parameter when querying against `registrations` in order to achieve expected results, as this field is defined as a [nested datatype](https://www.elastic.co/guide/en/elasticsearch/reference/6.3/nested.html) in the Elasticsearch mapping.
+
+
+
+
+
+
+ The Elasticsearch query string that is used to search for Users to be deleted. The userId, query, and queryString parameters are mutually exclusive, they are listed here in order of precedence.
+
+
+
+
+
+
+
+
+ The Id of the User to delete. Repeat this parameter for each user to be deleted. The userId, query, and queryString parameters are mutually exclusive, they are listed here in order of precedence.
+
+
+
+
+### Using request body
+
+
+
+
+
+
+
+## Response
+
+The response for this API contains the information for the Users that were affected by the request.
+
+
+
+
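Review bot: The permanent-delete parameter description has two wording slips, `To Permanently delete` and `the user will be unable log into FusionAuth`; they should read `To permanently delete` and `unable to log into`. The same sentence appears again in delete.mdx. Because this endpoint can permanently remove every user matched by a search query, and the text says that cannot be undone, the preview parameter paragraph is a good place to recommend its use, for example `Run the request in preview mode and review the returned user Ids before repeating it with permanent deletion enabled.` The three selector paragraphs also say the parameters "are listed here in order of precedence" while naming them in a different order than they appear on the page, so the intended precedence should be stated explicitly.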
diff --git a/astro/src/content/docs/apis/users/change-password.mdx b/astro/src/content/docs/apis/users/change-password.mdx
new file mode 100644
index 0000000000..2cf871c27a
--- /dev/null
+++ b/astro/src/content/docs/apis/users/change-password.mdx
@@ -0,0 +1,193 @@
+---
+title: Change a User's Password
+description: API documentation for the FusionAuth Change a User's Password API.
+order: 17
+---
+import APIBlock from 'src/components/api/APIBlock.astro';
+import APIField from 'src/components/api/APIField.astro';
+import API from 'src/components/api/API.astro';
+import Aside from 'src/components/Aside.astro';
+import DeprecatedSince from 'src/components/api/DeprecatedSince.astro';
+import InlineField from 'src/components/InlineField.astro';
+import LoginIdField from 'src/content/docs/apis/_login-id-field.mdx';
+import LoginIdTypeField from 'src/content/docs/apis/_login-id-type-field.mdx';
+import JSON from 'src/components/JSON.astro';
+import XFusionauthTenantIdHeaderAmbiguousOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-ambiguous-operation.mdx';
+import XFusionauthTenantIdHeaderScopedOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-scoped-operation.mdx';
+import ChangePassPostResponseCodes from 'src/content/docs/apis/_change-pass-post-response-codes.astro';
+
+This API is used to change the User's password.
+
+This API may be used as the second part of the [Start Forgot Password workflow](#start-forgot-password-workflow). For example, after the User is sent an email or SMS message that contains a link to a web form that allows them to update their password you will call this API with the `changePasswordId` and their updated password. If the `changePasswordId` is valid then the User's password will be updated.
+
+This API may also be used separately from the [Start Forgot Password workflow](#start-forgot-password-workflow) by omitting the `changePasswordId` and using the `loginId` instead.
+
+By default the `changePasswordId` is valid for 10 minutes after it was generated. If a `404` is returned when using the change password Id, the workflow will need to be started again to generate a new identifier. This duration can be modified using the [Tenant API](/docs/apis/tenants) or in the admin UI.
+
+
+
+
+
+## Request
+
+This usage is generally intended to be part of an email or SMS workflow and does not require authentication. The `changePasswordId` used on this API request will have been previously generated by the [Start Forgot Password workflow](#start-forgot-password-workflow) or by using the Forgot Password workflow on the FusionAuth login page.
+
+
+### Using a change password ID
+
+
+
+
+
+#### Request Parameters
+
+
+
+ The `changePasswordId` that is used to identify the user after the [Start Forgot Password workflow](#start-forgot-password-workflow) has been initiated.
+
+ If this `changePasswordId` was sent via an email to the User by FusionAuth during User create in order to set up a new password, or as part of a Forgot Password request, then successful use of this identifier to change the User's password will implicitly complete Email Verification if not already verified and the Tenant configuration has enabled implicit email verification.
+
+
+ This value can still be provided on the URL segment as shown in the above example, but it is recommended you send this value in the request body instead using the changePasswordId field. If the value is provided in the URL segment and in the request body, the value provided in the request body will be preferred.
+
+
+
+
+
+
+#### Request Body
+
+
+
+ The `changePasswordId` that is used to identify the user after the [Start Forgot Password workflow](#start-forgot-password-workflow) has been initiated.
+
+ If this `changePasswordId` was sent via an email to the User by FusionAuth during User create in order to set up a new password, or as part of a Forgot Password request, then successful use of this identifier to change the User's password will implicitly complete Email Verification if not already verified and the Tenant configuration has enabled implicit email verification.
+
+ If the changePasswordId is provided in the URL segment and in the request body, the value provided in the request body will be preferred.
+
+
+ The User's current password. When this parameter is provided the current password will be verified to be correct.
+
+
+ The User's new password.
+
+
+ This field is marked optional because it is only required when the user has enabled two-factor authentication, and a `trustChallenge` was provided on the Two-Factor Start API request. When a user has enabled two-factor authentication this field becomes required if a `trustChallenge` was provided on the Two-Factor Start API request. When required, this value must be equal to the value provided to the Two-Factor Start API.
+
+
+ This field is marked optional, because it is only required when the user has enabled two-factor authentication. When a user has enabled two-factor authentication this field becomes required when attempting to change a password using the `changePasswordId`.
+
+
+
+
+
+This usage requires an API key and allows you to change any user's password if you have a unique login Id.
+
+
+### Using a login ID
+
+
+
+
+
+
+#### Request Body
+
+
+
+ An optional Application Id. When this value is provided, it will be used to resolve an application specific email or message template if you have configured transactional notifications such as setup password, email verification and others.
+
+ If not provided, only the tenant configuration will be used when resolving templates.
+
+
+ The User's current password. When this parameter is provided the current password will be verified to be correct.
+
+ When this value is provided it should be in place of the `changePasswordId` request parameter. If both the `changePasswordId` and `loginId` are provided on the request, the `changePasswordId` will take precedence.
+ }
+ />
+
+
+ The User's new password.
+
+
+ This field is marked optional because it is only required when the user has enabled two-factor authentication, and a `trustChallenge` was provided on the Two-Factor Start API request. When a user has enabled two-factor authentication this field becomes required if a `trustChallenge` was provided on the Two-Factor Start API request. When required, this value must be equal to the value provided to the Two-Factor Start API.
+
+
+ This field is marked optional, because it is only required when the user has enabled two-factor authentication. When a user has enabled two-factor authentication this field becomes required when attempting to change a password using the `changePasswordId`.
+
+
+
+
+
+
+
+This API will use a JWT as authentication. See [JWT Authentication](/docs/apis/authentication#jwt-authentication) for examples of how you can send the JWT to FusionAuth.
+
+A common use case for using this API with a JWT will be if you want to allow the user to change their own password. Specifically if you are attempting to perform this request in a frontend browser that cannot store an API key.
+
+Because changing a User's password will revoke all existing refresh tokens if you allow the user to change their password they will need to re-authenticate to stay logged into your application if you are utilizing JWTs and Refresh Tokens.
+
+For this reason, this API will return a `oneTimePassword` that is intended to be used programatically after a Change Password request completes to keep the user logged in and provide a better user experience. A successful login will return you a new access token (JWT) and a refresh token. This will allow you to make the change password workflow seamless to the user.
+
+
+### Using a JWT
+
+
+
+
+
+
+#### Request Body
+
+
+
+ The User's current password. This is required when using a JWT to change your password.
+
+
+ The User's new password.
+
+
+ The user's existing refresh token. If you have access to your current refresh token, it can be provided in the request body using this parameter. If the `refresh_token` cookie also exists and is present on the request it will take precedence over this parameter.
+
+ This parameter is used to determine if the `oneTimePassword` that is returned from this API will be eligible to request a refresh token when used by the Login API. If this parameter is not provided and no cookie is found on the request, a refresh token will not be provided on the Login response when using the returned `oneTimePassword`.
+
+
+ This field is marked optional because it is only required when the user has enabled two-factor authentication, and a `trustChallenge` was provided on the Two-Factor Start API request. When a user has enabled two-factor authentication this field becomes required if a `trustChallenge` was provided on the Two-Factor Start API request. When required, this value must be equal to the value provided to the Two-Factor Start API.
+
+
+ This field is marked optional, because it is only required when the user has enabled two-factor authentication. When a user has enabled two-factor authentication this field becomes required when attempting to change a password using the `changePasswordId`.
+
+
+
+
+
+## Response
+
+
+
+### Response Body
+
+This JSON response body will only be returned when using a `changePasswordId` parameter or a JWT to change the password.
+
+When calling this API with an API key no response body will be returned.
+
+
+
+ A one time password that can be used as a substitute for your `loginId` and `password` on the Login API.
+
+
+ An optional object that is returned un-modified when the forgot password request is completed. This may be useful to return the user to particular state once they complete the password change.
+
+
+
+
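Review bot: The links written as `[Start Forgot Password workflow](#start-forgot-password-workflow)` are in-page anchors, but no heading with that name is visible in this new file. Judging by index.mdx, that content now lives at `/docs/apis/users/forgot-password`, so these links would no longer resolve. They should become `[Start Forgot Password workflow](/docs/apis/users/forgot-password)`, the same kind of fix the commit applies to the Tenant API link in _user-request-body.mdx. The same problem appears in delete.mdx (`#reactivate-a-user`, presumably `/docs/apis/users/reactivate`) and in forgot-password.mdx (`#change-a-users-password`, presumably `/docs/apis/users/change-password`). Separately, the two-factor field text under "Using a login ID" and "Using a JWT" still says the field is required "when attempting to change a password using the `changePasswordId`", which looks copied from the first variant and should be confirmed for those sections.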
diff --git a/astro/src/content/docs/apis/users/create.mdx b/astro/src/content/docs/apis/users/create.mdx
new file mode 100644
index 0000000000..bd84bdde90
--- /dev/null
+++ b/astro/src/content/docs/apis/users/create.mdx
@@ -0,0 +1,40 @@
+---
+title: Create a User
+description: API documentation for the FusionAuth Create a User API.
+order: 2
+---
+import APIBlock from 'src/components/api/APIBlock.astro';
+import APIField from 'src/components/api/APIField.astro';
+import API from 'src/components/api/API.astro';
+import StandardPostResponseCodes from 'src/content/docs/apis/_standard-post-response-codes.astro';
+import UserRequestBody from 'src/content/docs/apis/_user-request-body.mdx';
+import UserResponseBody from 'src/content/docs/apis/_user-response-body.mdx';
+import XFusionauthTenantIdHeaderCreateOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-create-operation.mdx';
+
+This API is used to create a new User.
+
+## Request
+
+
+
+
+
+
+
+### Request Parameters
+
+
+
+ The Id to use for the new User. If not specified a secure random UUID will be generated.
+
+
+
+
+
+## Response
+
+The response for this API contains the User that was just created. The password, salt and other sensitive fields will not be returned on the API response.
+
+
+
+
diff --git a/astro/src/content/docs/apis/users/delete.mdx b/astro/src/content/docs/apis/users/delete.mdx
new file mode 100644
index 0000000000..d96b9683f3
--- /dev/null
+++ b/astro/src/content/docs/apis/users/delete.mdx
@@ -0,0 +1,41 @@
+---
+title: Delete a User
+description: API documentation for the FusionAuth Delete a User API.
+order: 5
+---
+import APIBlock from 'src/components/api/APIBlock.astro';
+import APIField from 'src/components/api/APIField.astro';
+import API from 'src/components/api/API.astro';
+import JSON from 'src/components/JSON.astro';
+import StandardDeleteResponseCodes from 'src/content/docs/apis/_standard-delete-response-codes.astro';
+import XFusionauthTenantIdHeaderScopedOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-scoped-operation.mdx';
+
+This API is used to delete a User. You must specify the Id of the User on the URI. You can also specify whether or not the User is soft or hard deleted. A soft delete deactivates the User. A hard delete permanently deletes a User's data.
+
+Soft deleted users are marked as inactive but not deleted from FusionAuth. Deactivated users have their data retained but they are unable to authenticate. Users who have been deactivated can be reactivated; see [Reactivate a User](#reactivate-a-user) for more.
+
+The data of a User who has been hard deleted is permanently removed from FusionAuth. The User's data cannot be restored via the FusionAuth API or the administrative user interface. If you need to restore the User's data, you must retrieve it from a database backup.
+
+## Request
+
+
+
+
+### Request Parameters
+
+
+
+ The Id of the User to delete.
+
+
+ To Permanently delete a user from FusionAuth set this value to `true`. Once a user has been permanently deleted, the action cannot be undone. When this value is set to `false` the user is marked as inactive and the user will be unable log into FusionAuth. This action may be undone by reactivating the user.
+
+
+
+
+
+## Response
+
+This API does not return a JSON response body.
+
+
diff --git a/astro/src/content/docs/apis/users/flush-search.mdx b/astro/src/content/docs/apis/users/flush-search.mdx
new file mode 100644
index 0000000000..c302fa98be
--- /dev/null
+++ b/astro/src/content/docs/apis/users/flush-search.mdx
@@ -0,0 +1,21 @@
+---
+title: Flush the Search Engine
+description: API documentation for the FusionAuth Flush the Search Engine API.
+order: 11
+---
+import API from 'src/components/api/API.astro';
+import StandardPostResponseCodes from 'src/content/docs/apis/_standard-post-response-codes.astro';
+
+This API is used to issue a flush request to the FusionAuth Search. This will cause any cached data to be written to disk. In practice it is unlikely
+ you'll find a need for this API in production unless you are performing search requests immediately following an operation that modifies the index and
+ expecting to see the results immediately.
+
+## Request
+
+
+
+## Response
+
+The response does not contain a body. It only contains one of the status codes below.
+
+
diff --git a/astro/src/content/docs/apis/users/forgot-password.mdx b/astro/src/content/docs/apis/users/forgot-password.mdx
new file mode 100644
index 0000000000..3151b3a711
--- /dev/null
+++ b/astro/src/content/docs/apis/users/forgot-password.mdx
@@ -0,0 +1,128 @@
+---
+title: Start Forgot Password Workflow
+description: API documentation for the FusionAuth Start Forgot Password Workflow API.
+order: 15
+---
+import APIBlock from 'src/components/api/APIBlock.astro';
+import APIField from 'src/components/api/APIField.astro';
+import API from 'src/components/api/API.astro';
+import Aside from 'src/components/Aside.astro';
+import DeprecatedSince from 'src/components/api/DeprecatedSince.astro';
+import InlineField from 'src/components/InlineField.astro';
+import LoginIdField from 'src/content/docs/apis/_login-id-field.mdx';
+import LoginIdTypeField from 'src/content/docs/apis/_login-id-type-field.mdx';
+import JSON from 'src/components/JSON.astro';
+import XFusionauthTenantIdHeaderAmbiguousOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-ambiguous-operation.mdx';
+import Breadcrumb from 'src/components/Breadcrumb.astro';
+
+This API is used to start the forgot password workflow for a single User.
+
+For example, on your login form you may have a button for _Forgot your password_. This would be the API you would call to initiate the request for the user. If the email configuration is complete, the user will be sent the forgot password email containing a link containing the `changePasswordId`. The provided link should take the user to a form that allows them to change their password. This form should contain a hidden field for the `changePasswordId` generated by this API.
+
+By default the `changePasswordId` is valid to be used with the [Change Password](#change-a-users-password) API for 10 minutes. If a `404` is returned when using this Id to change the password, the workflow
+will need to be started again to generate a new identifier. This duration can be modified using the Tenant API or in the FusionAuth UI.
+
+You may optionally authenticate this request with an API key to allow for some additional request parameters and the generated `changePasswordId` will be returned in the JSON body. This may be helpful if you wish to use your own email system or you have an alternative method to call the [Change Password](#change-a-users-password) API.
+
+
+
+## Request
+
+Calling this API without an API key always attempts to send a message to the user. If FusionAuth is unable to deliver a message based on the resolved identity and tenant configuration, a forgot password workflow will not be started.
+
+
+### Without an API key
+
+
+
+
+
+
+#### Request Body
+
+
+
+ The Id of the application. If valid, the email or message template configured in the Application settings will be used, if present. If not present, the template configured in the Tenant settings will be used. In either case, the corresponding Application object will be available to the template.
+
+
+
+
+ An optional object that will be returned un-modified when you complete the forgot password request using the [Change a User's Password API](#change-a-users-password). This may be useful to return the user to particular state once they complete the password change.
+
+
+
+
+
+
+### Using an API key
+
+
+
+
+
+
+#### Request Body
+
+
+
+ The Id of the application. If valid, the email or message template configured in the Application settings will be used, if present. If not present, the template configured in the Tenant settings will be used. In either case, the corresponding Application object will be available to the template.
+
+
+ The optional change password Id to be used on the [Change a User's Password](#change-a-users-password) API.
+
+ It is recommended to omit this parameter and allow FusionAuth to generate the identifier. Use this parameter only if you must supply your own value for integration into existing systems.
+
+
+
+
+ Whether or not calling this API should attempt to send the user an email using the configured Forgot Password email template. Setting this to `false` will begin the Forgot Password workflow without sending an email and only create the `changePasswordId`, this may be useful if you want to send an email outside of FusionAuth, or complete this workflow without the use of email.
+
+
+
+ Prefer using the new sendForgotPasswordMessage field.
+
+
+ Determines whether a forgot password message is sent to the user. Setting this to `true` will cause a message to be sent. Setting this to `false` will begin the Forgot Password workflow without sending a message and only create the `changePasswordId`, which may be useful if you want to send a message outside of FusionAuth, or complete this workflow without the use of email/SMS.
+
+ The template and delivery method are based on the type of the identity resolved by the request.
+
+ * FusionAuth will attempt to deliver the message via SMS when the provided login Id and type resolve to a phone number identity. This requires tenant.phoneConfiguration.forgotPasswordTemplateId to be configured, otherwise the request will fail.
+ * If the provided login Id and type resolve to an email or username identity, FusionAuth will attempt to deliver the message via email. This requires tenant.emailConfiguration.forgotPasswordEmailTemplateId to be configured, otherwise the request will fail.
+
+
+ An optional object that will be returned un-modified when you complete the forgot password request. This may be useful to return the user to particular state once they complete the password change.
+
+
+
+
+
+## Response
+
+{/*
+this 'response codes' header has extra spacing, but to fix we'd have to convert the below table into a HTML table inside an astro component, like we did with astro/src/content/docs/apis/_change-pass-response-codes.astro
+*/}
+__Response Codes__
+|Code |Description |
+| --- | --- |
+|200 |The request was successful. A JSON response body will be provided when authenticated using an API key, when the API key has been omitted from the request, no response body is provided. |
+|400 |The request was invalid and/or malformed. The response will contain an [Errors](/docs/apis/errors) JSON Object with the specific errors. |
+|401 |You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See [Authentication](/docs/apis/authentication). |
+|403 |The forgot password functionality has been disabled. This is caused by an administrator setting the Forgot Password Email Template to the option _Feature Disabled. No template selected._ in the Tenant Email configuration. See Tenants -> Email -> Template settings in the FusionAuth admin UI. |
+|404 |The User could not be found. |
+|422 |The User does not have an email address, this request cannot be completed. Before attempting the request again add an email address to the user. |
+|500 |There was an internal error. A stack trace is provided and logged in the FusionAuth log files. |
+|503 |The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.| |
+
+### Response Body
+
+
+
+ The change password Id that was generated by this API request. This identifier may be used by the [Change a User's Password](#change-a-users-password) API. This field is only returned in the JSON response body if the request was authenticated using an API key, if an API key is not used no response body is returned.
+
+
+
+
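Review bot: The response code table does not match the request section of this page. The 422 row says `The User does not have an email address`, while the message field above documents SMS delivery for phone number identities, so the row should cover both, for example `The User does not have an email address or phone number that the message can be sent to`. The 503 row ends in `.| |`, which adds an empty third cell to a two-column table; it should end in `. |`. The 404 row does not say whether it applies to the call made without an API key. If it does, a short caveat would help integrators, such as `Show the same confirmation to the end user for 200 and 404 so the form does not reveal which login Ids exist.`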
diff --git a/astro/src/content/docs/apis/users/import-refresh-tokens.mdx b/astro/src/content/docs/apis/users/import-refresh-tokens.mdx
new file mode 100644
index 0000000000..a46ba6b2df
--- /dev/null
+++ b/astro/src/content/docs/apis/users/import-refresh-tokens.mdx
@@ -0,0 +1,32 @@
+---
+title: Import Refresh Tokens
+description: API documentation for the FusionAuth Import Refresh Tokens API.
+order: 9
+---
+import API from 'src/components/api/API.astro';
+import Aside from 'src/components/Aside.astro';
+import StandardGetResponseCodes from 'src/content/docs/apis/_standard-get-response-codes.astro';
+import UsersRefreshTokensRequestBody from 'src/content/docs/apis/_users-refresh-tokens-request-body.mdx';
+import XFusionauthTenantIdHeaderCreateOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-create-operation.mdx';
+
+
+
+This API is used to import refresh tokens from an external system, this would generally be done during an initial user import or as an auxiliary step during a migration strategy.
+
+Before using this API, create the Users, Applications and User Registrations. A validation error will be returned if the user does not exist, or is not registered for the application.
+
+## Request
+
+
+
+
+
+
+
+## Response
+
+The response does not contain a body, the HTTP status code will indicate the result of the request.
+
+
diff --git a/astro/src/content/docs/apis/users/import.mdx b/astro/src/content/docs/apis/users/import.mdx
new file mode 100644
index 0000000000..e92b7b1a0f
--- /dev/null
+++ b/astro/src/content/docs/apis/users/import.mdx
@@ -0,0 +1,69 @@
+---
+title: Import Users
+description: API documentation for the FusionAuth Import Users API.
+order: 8
+---
+import API from 'src/components/api/API.astro';
+import ImportUsersRequestBody from 'src/content/docs/apis/_import-users-request-body.mdx';
+import InlineField from 'src/components/InlineField.astro';
+import JSON from 'src/components/JSON.astro';
+import RemoteCode from 'src/components/RemoteCode.astro';
+import StandardPostResponseCodes from 'src/content/docs/apis/_standard-post-response-codes.astro';
+import XFusionauthTenantIdHeaderCreateOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-create-operation.mdx';
+
+This API is used to bulk import multiple Users into FusionAuth. Each User must have at least an **email** or a **username**, and a **password** (plaintext or hash). If you don't have the User's password, you can set this field to a long random string and require the User to reset their password at their next login. This request is useful for migrating data from an existing database into FusionAuth. Additionally, you can provide an Id for each User inside the JSON User object of the request body. When using this API, the recommended batch size per request is dependent on deployment scale (note: 100,000 users per request is a reasonable batch size for a production capable deployment). After completing an import, you should [reindex the Elasticsearch database](/docs/lifecycle/manage-users/search#reindexing-elasticsearch) as well.
+
+You should not make multiple calls to this API in parallel. Multiple sequential calls to this API are fine.
+
+## Request
+
+
+
+
+
+
+
+## Response
+
+Only a status code is available on the Import API, no JSON body will be returned.
+
+
+
+
+## Password Hashes
+
+Password hashes can be imported into FusionAuth. This allows users to transparently use their old passwords while at no time exposing the plaintext password. This section contains details about importing specific password hashes.
+
+You can also learn more about hashes in the [password hashing reference](/docs/reference/password-hashes), and you can [implement your own custom hash](/docs/extend/code/password-hashes/custom-password-hashing) as well.
+
+## Encoding
+
+The standard FusionAuth password hashing schemes require the password hash to be a base64 encoded string. If your password hashes are encoded in a different format, they will need to either be converted and imported as base64, or you can create a custom plugin using an alternative encoding. You can see an example of converting below.
+
+It is recommended to use a base64 encoded string, but if importing hashes from a legacy system that uses base16, base32, or another encoding, import the hash in the same format the plugin produces.
+
+
+
+## Bcrypt
+
+When importing a bcrypt hash, you may have a value such as:
+
+`$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy`
+
+This single string represents the bcrypt version, factor, salt and hash.
+
+The number before the final `$` is the factor, the 22 characters after the final `$` is the salt and the last 31 characters are the hash.
+
+For the above bcrypt hash, `10` is the factor and should be placed in the factor field. `N9qo8uLOickgx2ZMRZoMye` is the salt and should be placed in the salt field. `IjZAgcfl7p92ldGxad68LJZdL17lhWy` is the hash value and should be placed in the password field.
+
+## MD5
+
+When importing an MD5 password hash, you may not have a salt. If this is the case, use the empty string, `''`, as the salt. You may still use the salted MD5 plugin provided by FusionAuth.
+
+MD5 is commonly stored in hexadecimal format, such as `25d55ad283aa400af464c76d713c07ad`. The FusionAuth Import Users API requires imported password hashes to be base64 encoded. Convert any hexadecimal values to base64 before importing, or the import will not work.
+
+Here is an example ruby script to convert hexadecimal values to base64 encoded:
+
+
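Review bot: The MD5 section tells readers to import unsalted hashes with `''` as the salt but says nothing about how weak those hashes remain after import. A reader migrating a legacy database would benefit from one added sentence, for example `Unsalted MD5 is fast to brute force; treat it as a migration aid only and plan to move these users to a stronger hashing scheme, for instance by rehashing on their next successful login.` If the tenant configuration offers a rehash-on-login setting, linking to it here would make the advice actionable. The guidance in the opening paragraph to set a "long random string" when the password is unknown could likewise say that the value should come from a cryptographically secure generator and be unique per user.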
diff --git a/astro/src/content/docs/apis/users/index.mdx b/astro/src/content/docs/apis/users/index.mdx
new file mode 100644
index 0000000000..96eaac8bb3
--- /dev/null
+++ b/astro/src/content/docs/apis/users/index.mdx
@@ -0,0 +1,26 @@
+---
+title: User API
+description: Learn how to integrate with the FusionAuth User API. This documentation provides a comprehensive reference for managing users.
+order: 1
+---
+
+This page contains all of the APIs for managing users.
+
+| Operation | Method | Endpoint |
+|---|---|---|
+| [Create a User](/docs/apis/users/create) | `POST` | `/api/user` |
+| [Retrieve a User](/docs/apis/users/retrieve) | `GET` | `/api/user` |
+| [Update a User](/docs/apis/users/update) | `PUT` | `/api/user/{userId}` |
+| [Delete a User](/docs/apis/users/delete) | `DELETE` | `/api/user/{userId}` |
+| [Bulk Delete Users](/docs/apis/users/bulk-delete) | `DELETE` | `/api/user/bulk` |
+| [Reactivate a User](/docs/apis/users/reactivate) | `PUT` | `/api/user/{userId}?reactivate=true` |
+| [Import Users](/docs/apis/users/import) | `POST` | `/api/user/import` |
+| [Import Refresh Tokens](/docs/apis/users/import-refresh-tokens) | `POST` | `/api/user/refresh-token/import` |
+| [Search for Users](/docs/apis/users/search) | `GET` / `POST` | `/api/user/search` |
+| [Flush the Search Engine](/docs/apis/users/flush-search) | `PUT` | `/api/user/search` |
+| [Retrieve Recent Logins](/docs/apis/users/recent-logins) | `GET` | `/api/user/recent-login` |
+| [Verify a User's Email](/docs/apis/users/verify-email) | `POST` | `/api/user/verify-email` |
+| [Resend Verification Email](/docs/apis/users/resend-verification) | `PUT` | `/api/user/verify-email` |
+| [Start Forgot Password Workflow](/docs/apis/users/forgot-password) | `POST` | `/api/user/forgot-password` |
+| [Validate a Password Change](/docs/apis/users/validate-password-change) | `GET` | `/api/user/change-password` |
+| [Change a User's Password](/docs/apis/users/change-password) | `POST` | `/api/user/change-password` |
diff --git a/astro/src/content/docs/apis/users/reactivate.mdx b/astro/src/content/docs/apis/users/reactivate.mdx
new file mode 100644
index 0000000000..d5f739bd26
--- /dev/null
+++ b/astro/src/content/docs/apis/users/reactivate.mdx
@@ -0,0 +1,35 @@
+---
+title: Reactivate a User
+description: API documentation for the FusionAuth Reactivate a User API.
+order: 7
+---
+import APIBlock from 'src/components/api/APIBlock.astro';
+import APIField from 'src/components/api/APIField.astro';
+import API from 'src/components/api/API.astro';
+import StandardPutResponseCodes from 'src/content/docs/apis/_standard-put-response-codes.astro';
+import UserResponseBody from 'src/content/docs/apis/_user-response-body.mdx';
+import XFusionauthTenantIdHeaderScopedOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-scoped-operation.mdx';
+
+This API is used to reactivate an inactive Users. You must specify the Id of the User on the URI.
+
+## Request
+
+
+
+### Request Parameters
+
+
+
+ The Id of the User to reactivate.
+
+
+
+
+
+## Response
+
+The response for this API contains the information for the User that was reactivated.
+
+
+
+
diff --git a/astro/src/content/docs/apis/users/recent-logins.mdx b/astro/src/content/docs/apis/users/recent-logins.mdx
new file mode 100644
index 0000000000..f007bd1a6a
--- /dev/null
+++ b/astro/src/content/docs/apis/users/recent-logins.mdx
@@ -0,0 +1,106 @@
+---
+title: Retrieve Recent Logins
+description: API documentation for the FusionAuth Retrieve Recent Logins API.
+order: 12
+---
+import APIBlock from 'src/components/api/APIBlock.astro';
+import APIField from 'src/components/api/APIField.astro';
+import API from 'src/components/api/API.astro';
+import Aside from 'src/components/Aside.astro';
+import JSON from 'src/components/JSON.astro';
+import EnterprisePlanBlurbApi from 'src/content/docs/_shared/_enterprise-plan-blurb-api.astro';
+import StandardGetResponseCodes from 'src/content/docs/apis/_standard-get-response-codes.astro';
+
+
+
+This API is used to retrieve recent logins.
+
+## Request
+
+
+
+### Request Parameters
+
+
+
+ This parameter indicates the maximum amount of logins to return for a single request.
+
+
+ This parameter provides the offset into the result set. Generally speaking if you wish to paginate the results, you will increment this parameter on subsequent API request by the size of the `limit` parameter.
+
+
+ This parameter will narrow the results to only logins for a particular user. When this parameter is omitted, the most recent logins for all of FusionAuth will be returned.
+
+
+
+## Response
+
+The response will contain recent logins containing no more than the value set by the `limit` parameter. By design, this API does not return the total number of results and only lets paginate through the results from newest to oldest.
+
+
+
+### Response Body
+
+
+
+ A list of recent logins.
+
+
+ The unique Id of the application that is represented by this login record.
+
+
+ The name of the application at the time this record was created.
+
+
+ The [instant](/docs/reference/data-types#instants) this login occurred.
+
+
+ The IP address if provided during the login request.
+
+
+ The city where the login request originated.
+
+
+
+
+
+ The country where the login request originated.
+
+
+
+
+
+ The latitude where the login request originated.
+
+
+
+
+
+ The longitude where the login request originated.
+
+
+
+
+
+ The geographic location where the login request originated.
+
+
+
+
+
+ The zipcode where the login request originated.
+
+
+
+
+
+ The User's email address or username at the time of the login request.
+
+
+ The unique Id of the user that is represented by this login record.
+
+
+
+
diff --git a/astro/src/content/docs/apis/users/resend-verification.mdx b/astro/src/content/docs/apis/users/resend-verification.mdx
new file mode 100644
index 0000000000..f8790a7852
--- /dev/null
+++ b/astro/src/content/docs/apis/users/resend-verification.mdx
@@ -0,0 +1,86 @@
+---
+title: Resend Verification Email
+description: API documentation for the FusionAuth Resend Verification Email API.
+order: 14
+---
+import APIBlock from 'src/components/api/APIBlock.astro';
+import APIField from 'src/components/api/APIField.astro';
+import API from 'src/components/api/API.astro';
+import InlineField from 'src/components/InlineField.astro';
+import JSON from 'src/components/JSON.astro';
+import PremiumPlanBlurbApi from 'src/content/docs/_shared/_premium-plan-blurb-api.astro';
+import StandardPutResponseCodes from 'src/content/docs/apis/_standard-put-response-codes.astro';
+import XFusionauthTenantIdHeaderAmbiguousOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-ambiguous-operation.mdx';
+
+This API is used to resend the verification email to a User. This API is useful if the User has deleted the email, or the verification Id has expired. By default, the verification Id will expire after 24 hours. You can modify this duration in the Tenant settings.
+
+## Request
+
+
+### Without an API key
+
+
+
+
+#### Request Parameters
+
+
+
+ The Id of the application. If valid, the email or message template configured in the Application settings will be used, if present. If not present, the template configured in the Tenant settings will be used. In either case, the corresponding Application object will be available to the template.
+
+
+ The email address used to uniquely identify the User.
+
+
+
+
+
+
+### Using an API key
+
+
+
+
+#### Request Parameters
+
+
+
+ The Id of the application. If valid, the email or message template configured in the Application settings will be used, if present. If not present, the template configured in the Tenant settings will be used. In either case, the corresponding Application object will be available to the template.
+
+
+ The email address used to uniquely identify the User.
+
+
+ If you would only like to generate a new verificationId and return it in the JSON body without FusionAuth attempting to send the User an email
+ set this optional parameter to `false`.
+
+ This may be useful if you need to integrate the Email Verification process using a third party messaging service.
+
+
+
+
+
+## Response
+
+When authenticated using an API key a response body will be provided. If an API key was not used to authenticate the request no body is returned.
+
+
+
+### Response Body
+
+
+
+ The email verification Id that was generated by this API request. This identifier may be used by the [Verify a User's Email](#verify-a-users-email) API.
+ This field is only returned in the JSON response body if the request was authenticated using an API key, if an API key is not used no response body is returned.
+
+
+ Depending on your tenant configuration, this may be returned. The verification One Time Code is used with the gated Email Verification workflow. The user enters this code to verify their email.
+
+
+
+
+
+
+
+
+
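Review bot: The link `[Verify a User's Email](#verify-a-users-email)` in the Response Body section points at an in-page anchor, but this new page has no heading of that name, so the link will not resolve. Since each operation now has its own page, it should read `[Verify a User's Email](/docs/apis/users/verify-email)`, which matches the path listed in `index.mdx`. The same defect appears in `validate-password-change.mdx`, where `#change-a-users-password` and `#start-forgot-password-workflow` should become `/docs/apis/users/change-password` and `/docs/apis/users/forgot-password`.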
diff --git a/astro/src/content/docs/apis/users/retrieve.mdx b/astro/src/content/docs/apis/users/retrieve.mdx
new file mode 100644
index 0000000000..ea51fe5b1e
--- /dev/null
+++ b/astro/src/content/docs/apis/users/retrieve.mdx
@@ -0,0 +1,130 @@
+---
+title: Retrieve a User
+description: API documentation for the FusionAuth Retrieve a User API.
+order: 3
+---
+import APIBlock from 'src/components/api/APIBlock.astro';
+import APIField from 'src/components/api/APIField.astro';
+import API from 'src/components/api/API.astro';
+import LoginIdField from 'src/content/docs/apis/_login-id-field.mdx';
+import LoginIdTypeField from 'src/content/docs/apis/_login-id-type-field.mdx';
+import StandardGetResponseCodes from 'src/content/docs/apis/_standard-get-response-codes.astro';
+import UserResponseBody from 'src/content/docs/apis/_user-response-body.mdx';
+import XFusionauthTenantIdHeaderAmbiguousOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-ambiguous-operation.mdx';
+import XFusionauthTenantIdHeaderScopedOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-scoped-operation.mdx';
+
+This API is used to retrieve the information about a single User. You can use the User's Id, username or email address to retrieve the User. The Id is specified on the URI and the username or email are specified as URL parameters.
+
+## Request
+
+
+### By user ID
+
+
+
+#### Request Parameters
+
+
+
+ The unique Id of the User to retrieve.
+
+
+
+
+
+
+### By login ID
+
+
+
+#### Request Parameters
+
+
+
+ The unique Id of the User to retrieve. The loginId can be either the email or username.
+
+
+
+
+
+
+### By login ID and type
+
+
+
+#### Request Parameters
+
+
+
+
+
+
+
+
+
+### By email
+
+
+
+#### Request Parameters
+
+
+
+ The email of the User to retrieve.
+
+
+
+
+
+
+### By username
+
+
+
+#### Request Parameters
+
+
+
+ The username of the User to retrieve.
+
+
+
+
+
+
+### By change password ID
+
+
+
+#### Request Parameters
+
+
+
+ The change password Id associated with the user when the Forgot Password workflow has been started.
+
+
+
+
+
+
+### By verification ID
+
+
+
+#### Request Parameters
+
+
+
+ The verification Id associated with the user when the Email or Phone number verification process has been started.
+
+
+
+
+
+## Response
+
+The response for this API contains the User.
+
+
+
+
diff --git a/astro/src/content/docs/apis/users/search.mdx b/astro/src/content/docs/apis/users/search.mdx
new file mode 100644
index 0000000000..6a7a5828ab
--- /dev/null
+++ b/astro/src/content/docs/apis/users/search.mdx
@@ -0,0 +1,96 @@
+---
+title: Search for Users
+description: API documentation for the FusionAuth Search for Users API.
+order: 10
+---
+import API from 'src/components/api/API.astro';
+import Aside from 'src/components/Aside.astro';
+import JSON from 'src/components/JSON.astro';
+import StandardGetResponseCodes from 'src/content/docs/apis/_standard-get-response-codes.astro';
+import UserSearchRequestBodyDatabaseExamples from 'src/content/docs/apis/_user-search-request-body-database-examples.mdx';
+import UserSearchRequestBodyElasticsearchExamples from 'src/content/docs/apis/_user-search-request-body-elasticsearch-examples.mdx';
+import UserSearchRequestParameters from 'src/content/docs/apis/_user-search-request-parameters.mdx';
+import UsersResponseBody from 'src/content/docs/apis/_users-response-body.mdx';
+import XFusionauthTenantIdHeaderScopedOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-scoped-operation.mdx';
+
+This API is used to search for Users.
+This API may be called using the `GET` or `POST` HTTP methods, examples of each are provided below.
+The `POST` method is provided to allow for a richer request object without worrying about exceeding the maximum length of a URL.
+Calling this API with either the `GET` or `POST` HTTP method will provide the same search results given the same query parameters.
+
+## Request
+
+Which search query parameters are available and how they behave depends on the search engine type. Read more about [the different types of search engines](/docs/get-started/core-concepts/users#user-search).
+
+## Database Search Engine
+
+This is a good choice for [smaller installs, embedded scenarios, or other places where the additional capability of Elasticsearch is not required](/docs/get-started/core-concepts/users#database-search-engine).
+
+
+
+
+
+
+
+
+
+
+### Request Parameters
+
+
+
+
+
+
+
+
+
+### Request Body
+
+
+
+#### Request Body Examples
+
+
+
+## Elasticsearch Search Engine
+
+The Elasticsearch engine has [advanced querying capabilities and better performance](/docs/get-started/core-concepts/users#elasticsearch-search-engine). You can also review the [Elasticsearch search guide](/docs/lifecycle/manage-users/search/user-search-with-elasticsearch) for more examples.
+
+
+
+
+
+
+
+
+
+
+
+### Request Parameters
+
+
+
+
+
+
+
+
+
+### Request Body
+
+
+
+#### Request Body Examples
+
+
+
+## Response
+
+The response contains the User objects that were found as part of the lookup or search. Both the database and Elasticsearch search engines return the response in the same format.
+
+
+
+
diff --git a/astro/src/content/docs/apis/users/update.mdx b/astro/src/content/docs/apis/users/update.mdx
new file mode 100644
index 0000000000..84cfc0fca5
--- /dev/null
+++ b/astro/src/content/docs/apis/users/update.mdx
@@ -0,0 +1,41 @@
+---
+title: Update a User
+description: API documentation for the FusionAuth Update a User API.
+order: 4
+---
+import APIBlock from 'src/components/api/APIBlock.astro';
+import APIField from 'src/components/api/APIField.astro';
+import API from 'src/components/api/API.astro';
+import GenericUpdateExplanationFragment from 'src/content/docs/apis/_generic-update-explanation-fragment.mdx';
+import StandardPutResponseCodes from 'src/content/docs/apis/_standard-put-response-codes.astro';
+import UserRequestBody from 'src/content/docs/apis/_user-request-body.mdx';
+import UserResponseBody from 'src/content/docs/apis/_user-response-body.mdx';
+import XFusionauthTenantIdHeaderScopedOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-scoped-operation.mdx';
+
+
+
+If you specify a new password for the User, it will be encrypted and stored. However, if you do not provide a new password, the User's old password will be preserved. This is the only field that is merged during an update using the `PUT` method.
+
+## Request
+
+
+
+### Request Parameters
+
+
+
+ The Id of the User to update.
+
+
+
+
+
+
+
+## Response
+
+The response for this API contains the User that was updated. The password hash and other sensitive fields are never returned on the API response.
+
+
+
+
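Review bot: The opening paragraph says a new password "will be encrypted and stored", while the Response section of the same page refers to the "password hash". The two terms are not interchangeable for a reader assessing how credentials are stored, because encryption implies the value can be recovered with a key. I would change the sentence to `If you specify a new password for the User, it will be hashed and stored.`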
diff --git a/astro/src/content/docs/apis/users/validate-password-change.mdx b/astro/src/content/docs/apis/users/validate-password-change.mdx
new file mode 100644
index 0000000000..8abc3bca64
--- /dev/null
+++ b/astro/src/content/docs/apis/users/validate-password-change.mdx
@@ -0,0 +1,103 @@
+---
+title: Validate a password change
+description: API documentation for the FusionAuth Validate a password change API.
+order: 16
+---
+import APIBlock from 'src/components/api/APIBlock.astro';
+import APIField from 'src/components/api/APIField.astro';
+import API from 'src/components/api/API.astro';
+import Aside from 'src/components/Aside.astro';
+import LoginIdField from 'src/content/docs/apis/_login-id-field.mdx';
+import LoginIdTypeField from 'src/content/docs/apis/_login-id-type-field.mdx';
+import LoginMetadataDevice from 'src/content/docs/apis/_login-metadata-device.mdx';
+import JSON from 'src/components/JSON.astro';
+import XFusionauthTenantIdHeaderScopedOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-scoped-operation.mdx';
+import ChangePassGetResponseCodes from 'src/content/docs/apis/_change-pass-get-response-codes.astro';
+
+## Request
+
+This API is used to validate whether a request to [change a user's password](#change-a-users-password) will require MFA (via a `trustToken`). There are 3 ways to call the endpoint:
+1. Validate a `changePasswordId` without authentication
+2. Validate user password change using a JWT
+3. Validate user password change using a `loginId` with API key
+
+The first case will also verify that a `changePasswordId` is valid. This usage is generally intended to be part of an email or SMS workflow and does not require authentication. The `changePasswordId` used on this API request will have been previously generated by the [Start Forgot Password API](#start-forgot-password-workflow) or by using the Forgot Password workflow on the FusionAuth login page. Use this API to validate the `changePasswordId` before requesting a password change.
+
+
+### Using a change password ID
+
+
+
+
+#### Request Parameters
+
+
+
+ The `changePasswordId` that is used to identify the user after the [Start Forgot Password workflow](#start-forgot-password-workflow) has been initiated.
+
+
+ The IP address of the end-user that is changing their password. If this value is omitted FusionAuth will attempt to obtain the IP address of
+ the client, the value will be that of the `X-Forwarded-For` header if provided or the last proxy that sent the request. This value may be used by an MFA requirement lambda to determine if multi-factor authentication should be required.
+
+
+
+
+
+
+
+The "Validate user password change using a JWT or `loginId`" cases are used to verify whether MFA is required to change a user's password based solely on the user's JWT or `loginId`. It does not validate a specific `changePasswordId` and is instead meant to validate whether MFA is required before [changing the user's password](#change-a-users-password) using a JWT or `loginId`.
+
+
+### Using a JWT
+
+
+
+
+#### Request Parameters
+
+
+
+ The IP address of the end-user that is changing their password. If this value is omitted FusionAuth will attempt to obtain the IP address of
+ the client, the value will be that of the `X-Forwarded-For` header if provided or the last proxy that sent the request. This value may be used by an MFA requirement lambda to determine if multi-factor authentication should be required.
+
+
+
+
+
+
+### Using a login ID
+
+
+
+
+#### Request Parameters
+
+
+
+
+
+ The IP address of the end-user that is changing their password. If this value is omitted FusionAuth will attempt to obtain the IP address of
+ the client, the value will be that of the `X-Forwarded-For` header if provided or the last proxy that sent the request. This value may be used by an MFA requirement lambda to determine if multi-factor authentication should be required.
+
+
+
+
+
+
+
+## Response
+
+This JSON response body will only be returned when a validation error occurs.
+
+A successful response will not contain a response body.
+
+
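Review bot: The three IP address parameter descriptions say the value falls back to the `X-Forwarded-For` header and may be used by an MFA requirement lambda, but none of them says that the parameter and the header are both supplied by the caller. A reader writing such a lambda could take the address as a trusted signal when deciding whether MFA is required. I would add one sentence to each description, for example `Unless a proxy you control sets or overwrites this header, treat the value as client-supplied and do not rely on it alone to decide that MFA is not required.`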
diff --git a/astro/src/content/docs/apis/users/verify-email.mdx b/astro/src/content/docs/apis/users/verify-email.mdx
new file mode 100644
index 0000000000..585f0d3afb
--- /dev/null
+++ b/astro/src/content/docs/apis/users/verify-email.mdx
@@ -0,0 +1,82 @@
+---
+title: Verify a User's Email
+description: API documentation for the FusionAuth Verify a User's Email API.
+order: 13
+---
+import APIBlock from 'src/components/api/APIBlock.astro';
+import APIField from 'src/components/api/APIField.astro';
+import API from 'src/components/api/API.astro';
+import Aside from 'src/components/Aside.astro';
+import DeprecatedSince from 'src/components/api/DeprecatedSince.astro';
+import InlineField from 'src/components/InlineField.astro';
+import StandardPutResponseCodes from 'src/content/docs/apis/_standard-put-response-codes.astro';
+import XFusionauthTenantIdHeaderScopedOperation from 'src/content/docs/apis/_x-fusionauth-tenant-id-header-scoped-operation.mdx';
+import Breadcrumb from 'src/components/Breadcrumb.astro';
+
+This API is used to mark a User's email as verified. This is usually called after the User receives the verification email after they register and they click the link in the email. To verify a User's phone number identity, see the [Identity Verify API](/docs/apis/identity-verify).
+
+## Request
+
+
+### Using a verification ID
+
+
+
+
+
+#### Request Parameters
+
+
+
+ The verification Id generated by FusionAuth used to verify the User's registration is valid by ensuring they have access to the provided email address.
+
+
+ This value can still be provided on the URL segment as shown in the above example, but it is recommended you send this value in the request body instead using the verificationId field. If the value is provided in the URL segment and in the request body, the value provided in the request body will be preferred.
+
+
+
+
+#### Request Body
+
+
+
+ The short code used to verify the User's account is valid by ensuring they have access to the provided email address. This field is required when the email verification strategy on the Tenant is set to `Form field`.
+
+
+ The verification Id generated by FusionAuth used to verify the User's account is valid by ensuring they have access to the provided email address.
+
+ When using the `Form field` strategy for Email verification, this value is used along with the `oneTimeCode` as a pair to verify the email address.
+
+ If the verificationId is provided in the URL segment and in the request body, the value provided in the request body will be preferred.
+
+
+
+
+
+
+
+This API can be used to mark a user as verified without requiring the user to actually complete a verification process.
+
+
+### Administratively
+
+
+
+
+#### Request Body
+
+
+
+ The unique Id of the user to mark verified.
+
+
+
+## Response
+
+The response does not contain a body. It only contains one of the status codes below.
+
+
+ The verify email functionality has been disabled. See Tenants -> Email -> Email verification settings in the FusionAuth admin UI.
+