Impersonate a User

Impersonation lets you log into the app as a specific user to troubleshoot issues, verify configurations, or reproduce bugs. All impersonation sessions are fully logged and time-limited.

Starting an Impersonation Session

  1. Navigate to the account detail page.
  2. Click the Members tab.
  3. Find the user you want to impersonate and click the Impersonate button on their row.
  4. A confirmation dialog appears with the user's name and a reminder that the session lasts 20 minutes and all actions are logged.
  5. Click OK to confirm. A new browser tab opens with the app dashboard, logged in as the target user.

During Impersonation

While impersonating a user, a red banner appears at the top of every page in the app, showing that you are impersonating someone. The banner displays the user's name and email.

You can perform any action the user would normally be able to — view templates, edit settings, etc. All actions you take are attributed to the target user but logged in the admin audit trail.

Session Limits

  • Sessions expire automatically after 20 minutes.
  • Only one impersonation session can be active per admin at a time. Starting a new session automatically ends the previous one.
  • The session uses a JWT token scoped to the target user and account.

Ending a Session

There are three ways to end an impersonation session:

  • Wait for expiry — the session ends automatically after 20 minutes.
  • Close the tab — the session data is cleared from session storage.
  • End from the overview dashboard — any admin can end any active session using the End button in the Active Impersonation Sessions table on the admin overview page.

Security Considerations

  • Every impersonation start and end is logged in the immutable admin audit trail.
  • Impersonation tokens are signed JWTs with a 20-minute TTL — they cannot be extended.
  • The admin subdomain and app subdomain are separate origins, so the impersonation token is passed via a secure URL parameter and stored in session storage (not persistent).
  • Superadmin access is required to impersonate anyone.

Related Articles

  • Admin Overview Dashboard
  • Use Member Quick Actions
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.