> ## Documentation Index
> Fetch the complete documentation index at: https://docs.livingsecurity.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Template Variables

> Complete reference for the {{ token }} variables you can use in playbook notifications, nudges, scorecard emails, and report-ready messages.

Template variables let you personalize playbook notifications, nudges, scorecard emails, and report messages without writing separate copy for every recipient. The platform resolves each `{{ token }}` against directory data, the run context, and the triggering event before the message is delivered.

## Syntax

All template variables use **Mustache-style double braces**:

```text theme={null}
Hi {{ recipient.firstName }}, your training is due {{ training.dueDate }}.
```

* Whitespace inside the braces is optional. `{{recipient.firstName}}`, `{{ recipient.firstName }}`, and `{{  recipient.firstName  }}` all resolve identically.
* Tokens are **case-sensitive** and use **dot-notation** for nested fields (`recipient.firstName`, not `recipient.first_name`).
* Tokens use the canonical names below, but most accept short aliases for backward compatibility (see [Aliases](#aliases)).

<Warning>
  **Unresolved tokens are rendered literally.** If you type `{{ recipient.firsName }}` (typo) or reference a variable the template doesn't support, the recipient will see the raw `{{ recipient.firsName }}` text in their inbox. Always preview a message before sending and validate any tokens you add.
</Warning>

## Universal recipient variables

These tokens are available in **every** template (welcome emails, training notifications, nudges, scorecards, reports, and playbook-step messages).

| Token                       | Description                                                | Sample value                                 |
| --------------------------- | ---------------------------------------------------------- | -------------------------------------------- |
| `recipient.firstName`       | The recipient's first name.                                | `Jane`                                       |
| `recipient.fullName`        | The recipient's full display name.                         | `Jane Doe`                                   |
| `recipient.email`           | The recipient's primary email address.                     | `jane.doe@example.com`                       |
| `organization.name`         | The customer's organization name.                          | `Acme Corporation`                           |
| `system.loginUrl`           | The platform sign-in URL.                                  | `https://app.livingsecurity.ai`              |
| `system.engageUrl`          | The Engage learner app URL.                                | `https://engage.livingsecurity.ai`           |
| `system.engageScorecardUrl` | Direct link to the employee's scorecard in the Engage app. | `https://engage.livingsecurity.ai/scorecard` |

## Playbook step variables

When you author a playbook **Send Nudge**, **Send Notification**, or **Webhook** step, the recipient's full directory record is available under the `user` namespace. These tokens work in subject lines, email bodies, Slack/Teams messages, and webhook body templates.

| Token                         | Description                                                                                 | Sample value                      |
| ----------------------------- | ------------------------------------------------------------------------------------------- | --------------------------------- |
| `user.firstName`              | First name from the directory.                                                              | `Jane`                            |
| `user.lastName`               | Last name from the directory.                                                               | `Doe`                             |
| `user.displayName`            | Full display name.                                                                          | `Jane Doe`                        |
| `user.email`                  | Primary email.                                                                              | `jane.doe@example.com`            |
| `user.department`             | Department from the identity provider.                                                      | `Engineering`                     |
| `user.jobTitle`               | Job title from the identity provider.                                                       | `Software Engineer`               |
| `user.managerEmail`           | Manager's primary email.                                                                    | `boss@example.com`                |
| `user.hrManagerEmail`         | HR manager's primary email.                                                                 | `hr@example.com`                  |
| `user.phone`                  | Phone number from the directory.                                                            | `+1-555-0100`                     |
| `user.custom.<attribute_key>` | Any custom attribute defined for your org (SCIM `customAttributes` or local custom fields). | `user.custom.lms_id` → `EMP-4821` |

<Note>
  **Custom attributes** are configured per organization. The key after `user.custom.` must exactly match the attribute key shown in **Settings → People → Custom Attributes**.
</Note>

### Risk and signal variables (playbook steps only)

If your playbook step references a risk or signal token, the platform automatically enriches the recipient's context with their current HRI data before sending. No extra configuration required.

| Token                  | Description                                                                | Sample value                         |
| ---------------------- | -------------------------------------------------------------------------- | ------------------------------------ |
| `risk.overallScore`    | Overall HRI score (0–1000, higher = safer).                                | `742`                                |
| `risk.riskLevel`       | Derived risk category: `low`, `moderate`, `high`, `very_high`, `critical`. | `moderate`                           |
| `risk.behaviorScore`   | Behavior component score (0–400).                                          | `310`                                |
| `risk.threatScore`     | Threat component score (0–200).                                            | `145`                                |
| `risk.identityScore`   | Identity component score (0–400).                                          | `287`                                |
| `signals.<signal_key>` | Count of a specific normalized signal for the recipient.                   | `signals.training_overdue_30d` → `1` |

### Run context (advanced)

For webhook step body templates and branch expressions, the playbook run itself is addressable:

| Token                  | Description                                               |
| ---------------------- | --------------------------------------------------------- |
| `participant.id`       | The current run participant ID.                           |
| `participant.userId`   | The participant's user ID.                                |
| `run.id`               | The playbook run ID.                                      |
| `step.id`              | The current step ID.                                      |
| `step.name`            | The current step name.                                    |
| `input.<key>`          | Any input parameter passed when the playbook run started. |
| `steps.<stepId>.<key>` | Any output value produced by a previous step.             |

## Per-template extras

Some platform-managed templates expose **additional** tokens specific to their purpose. Expand the template you're editing to see its extra variables.

<AccordionGroup>
  <Accordion title="Welcome email (WELCOME_EMAIL)">
    In addition to the [universal recipient variables](#universal-recipient-variables):

    | Token                       | Description                                    | Sample value       |
    | --------------------------- | ---------------------------------------------- | ------------------ |
    | `organization.supportEmail` | The customer or partner support email address. | `support@acme.com` |
  </Accordion>

  <Accordion title="User invite email (USER_INVITE)">
    In addition to the [universal recipient variables](#universal-recipient-variables):

    | Token                       | Description                                               | Sample value                    |
    | --------------------------- | --------------------------------------------------------- | ------------------------------- |
    | `organization.supportEmail` | The customer or partner support email address.            | `support@acme.com`              |
    | `invite.loginUrl`           | The sign-in URL the invite recipient should use.          | `https://app.livingsecurity.ai` |
    | `invite.role`               | The role granted by the invitation.                       | `OWNER`                         |
    | `invite.expiresAt`          | The date or time when the invite expires, when available. | `June 30, 2026`                 |
    | `inviter.fullName`          | The full display name of the person sending the invite.   | `Alex Morgan`                   |
    | `inviter.email`             | The email address of the person sending the invite.       | `alex.morgan@example.com`       |
  </Accordion>

  <Accordion title="Employee invite email (EMPLOYEE_INVITE)">
    In addition to the [universal recipient variables](#universal-recipient-variables):

    | Token                       | Description                                               | Sample value                    |
    | --------------------------- | --------------------------------------------------------- | ------------------------------- |
    | `organization.supportEmail` | The customer or partner support email address.            | `support@acme.com`              |
    | `invite.loginUrl`           | The sign-in URL the invite recipient should use.          | `https://app.livingsecurity.ai` |
    | `invite.role`               | The role granted by the invitation.                       | `LEARNER`                       |
    | `invite.expiresAt`          | The date or time when the invite expires, when available. | `June 30, 2026`                 |
    | `inviter.fullName`          | The full display name of the person sending the invite.   | `Alex Morgan`                   |
    | `inviter.email`             | The email address of the person sending the invite.       | `alex.morgan@example.com`       |
  </Accordion>

  <Accordion title="Training assigned notification (TRAINING_ASSIGNED)">
    In addition to the [universal recipient variables](#universal-recipient-variables):

    | Token              | Description                         | Sample value            |
    | ------------------ | ----------------------------------- | ----------------------- |
    | `training.title`   | The assigned training module title. | `Phishing Fundamentals` |
    | `training.dueDate` | The assignment due date.            | `May 15, 2026`          |
  </Accordion>

  <Accordion title="Training reminder notification (TRAINING_REMINDER)">
    In addition to the [universal recipient variables](#universal-recipient-variables):

    | Token              | Description                         | Sample value            |
    | ------------------ | ----------------------------------- | ----------------------- |
    | `training.title`   | The assigned training module title. | `Phishing Fundamentals` |
    | `training.dueDate` | The assignment due date.            | `May 15, 2026`          |
  </Accordion>

  <Accordion title="Point-in-time training nudge (POINT_IN_TIME_TRAINING_NUDGE)">
    In addition to the [universal recipient variables](#universal-recipient-variables):

    | Token                  | Description                                                                   | Sample value          |
    | ---------------------- | ----------------------------------------------------------------------------- | --------------------- |
    | `sender.name`          | Display name of the security team / sender for the message.                   | `Security Team`       |
    | `recipient.department` | The recipient's department.                                                   | `Engineering`         |
    | `recipient.jobTitle`   | The recipient's job title.                                                    | `Software Engineer`   |
    | `risk.hriScore`        | The recipient's Human Risk Index score.                                       | `256`                 |
    | `risk.level`           | The recipient's risk level label.                                             | `Somewhat Risky`      |
    | `risk.topFactor`       | The recipient's primary HRI risk factor (behavior / threat / identity).       | `Multiple DLP events` |
    | `risk.identityScore`   | The recipient's HRI identity-pillar score (0-400).                            | `128`                 |
    | `risk.behaviorScore`   | The recipient's HRI behavior-pillar score (0-400).                            | `150`                 |
    | `risk.threatScore`     | The recipient's HRI threat-pillar score (0-200).                              | `92`                  |
    | `risk.overallScore`    | Alias for `risk.hriScore`. The recipient's overall Human Risk Index (0-1000). | `256`                 |
  </Accordion>

  <Accordion title="Manager scorecard notification (MANAGER_SCORECARD_NOTIFICATION)">
    In addition to the [universal recipient variables](#universal-recipient-variables):

    | Token                   | Description                                     | Sample value                                        |
    | ----------------------- | ----------------------------------------------- | --------------------------------------------------- |
    | `scorecard.score`       | The rendered scorecard score for the recipient. | `742`                                               |
    | `scorecard.snapshotUrl` | A link to view the scorecard.                   | `https://app.livingsecurity.com/scorecards/preview` |
  </Accordion>

  <Accordion title="Employee scorecard notification (EMPLOYEE_SCORECARD_NOTIFICATION)">
    Uses the [universal recipient variables](#universal-recipient-variables) only, including `system.engageUrl` and `system.engageScorecardUrl` for Engage deep links.
  </Accordion>

  <Accordion title="Report ready notification (REPORT_READY)">
    In addition to the [universal recipient variables](#universal-recipient-variables):

    | Token            | Description                                       | Sample value                                          |
    | ---------------- | ------------------------------------------------- | ----------------------------------------------------- |
    | `report.name`    | The report display name.                          | `Monthly Human Risk Report`                           |
    | `report.summary` | A short generated summary of the report contents. | `Your human risk score improved by 12% this month.`   |
    | `report.url`     | A link to view the report.                        | `https://app.livingsecurity.com/reports/monthly-risk` |
  </Accordion>

  <Accordion title="Achievement issued notification (ACHIEVEMENT_ISSUED)">
    The certificate/badge delivery email sent when an achievement is issued. This template supports a focused variable set (not the full universal list):

    | Token                        | Description                                                                                                | Sample value                                    |
    | ---------------------------- | ---------------------------------------------------------------------------------------------------------- | ----------------------------------------------- |
    | `recipient.fullName`         | The credential recipient's display name.                                                                   | `Jane Doe`                                      |
    | `recipient.firstName`        | First token of the recipient's display name.                                                               | `Jane`                                          |
    | `organization.name`          | The issuing organization's display name (email-wrapper branding). Empty when branding resolution degrades. | `Acme Corp`                                     |
    | `achievement.issuedAt`       | Issue date formatted for the recipient's locale. Empty until issued.                                       | `July 5, 2026`                                  |
    | `achievement.expiresAt`      | Expiry date formatted for the recipient's locale. Empty when the credential never expires.                 | `July 5, 2027`                                  |
    | `achievement.name`           | The issued certificate or badge display name.                                                              | `2026 Security Awareness Certified`             |
    | `achievement.verifyUrl`      | Public verification link for the credential.                                                               | `https://api.livingsecurity.ai/verify/c/…`      |
    | `achievement.claimUrl`       | Tokenized claim/download link. Empty when no claim token could be minted.                                  | `https://api.livingsecurity.ai/claim/c?token=…` |
    | `achievement.badgeUrl`       | CDN URL of the rendered badge PNG. Empty until the badge is rendered.                                      | `https://cdn.livingsecurity.ai/badge.png`       |
    | `achievement.badgeImageHtml` | Pre-built badge `<img>` block. Empty when the badge artifact is not ready.                                 | *(HTML block)*                                  |
    | `achievement.claimCtaHtml`   | Pre-built claim/download call-to-action. Empty when no claim link exists.                                  | *(HTML block)*                                  |

    <Note>
      Prefer `achievement.badgeImageHtml` and `achievement.claimCtaHtml` over hand-built `<img>`/`<a>` blocks: they render as empty strings when the badge or claim link is unavailable, so your template degrades cleanly instead of shipping a broken image or dead link.
    </Note>
  </Accordion>
</AccordionGroup>

## Aliases

To stay backward compatible with older content, several tokens accept short or legacy aliases. The platform automatically canonicalizes them at render time, so all variants below resolve to the same value.

| Canonical token             | Accepted aliases                                                                                          |
| --------------------------- | --------------------------------------------------------------------------------------------------------- |
| `recipient.firstName`       | `first_name`, `member.firstName`, `user.firstName`                                                        |
| `recipient.fullName`        | `full_name`, `member.fullName`, `user.fullName`, `recipient_name`                                         |
| `recipient.email`           | `member.email`, `user.email`                                                                              |
| `recipient.department`      | `department`, `member.department`, `user.department`                                                      |
| `recipient.jobTitle`        | `job_title`, `member.jobTitle`, `user.jobTitle`                                                           |
| `organization.name`         | `organization_name`, `org_name`                                                                           |
| `system.loginUrl`           | `system.login_url`, `invite_link` outside `USER_INVITE` templates                                         |
| `system.engageUrl`          | `system.engage_url`                                                                                       |
| `system.engageScorecardUrl` | `system.engage_scorecard_url`                                                                             |
| `invite.loginUrl`           | `invite_link`, `system.loginUrl`, `system.login_url` within `USER_INVITE` and `EMPLOYEE_INVITE` templates |
| `sender.name`               | `sender_name`                                                                                             |
| `risk.hriScore`             | `hri_score`, `risk.overallScore`                                                                          |
| `risk.level`                | `risk_level`                                                                                              |
| `risk.topFactor`            | `top_risk_factor`                                                                                         |
| `risk.identityScore`        | `identity_score`                                                                                          |
| `risk.behaviorScore`        | `behavior_score`                                                                                          |
| `risk.threatScore`          | `threat_score`                                                                                            |
| `report.name`               | `report_name`                                                                                             |
| `report.summary`            | `report_summary`                                                                                          |
| `report.url`                | `report_url`                                                                                              |
| `achievement.name`          | `achievement_name`                                                                                        |

<Tip>
  Prefer the **canonical** dot-notation form (`recipient.firstName`) in new content. Aliases exist for older templates and may be retired in a future release.
</Tip>

## Examples

### Training assignment notification

```text theme={null}
Subject: New training assigned — due {{ training.dueDate }}

Hi {{ recipient.firstName }},

{{ organization.name }} has assigned you a new course: **{{ training.title }}**.
Please complete it by **{{ training.dueDate }}**.

Sign in: {{ system.loginUrl }}
```

### Point-in-time nudge after a risky behavior

```text theme={null}
Hey {{ user.firstName }},

A quick heads-up from the {{ sender.name }}: based on your recent activity,
your HRI score is currently **{{ risk.hriScore }} ({{ risk.level }})**.
The top factor driving this is: {{ risk.topFactor }}.

Spend two minutes on a refresher: {{ system.loginUrl }}
```

### Scorecard email to a people-manager

```text theme={null}
Subject: Your team's scorecard is ready

{{ recipient.firstName }}, your team scored **{{ scorecard.score }}** this period.

View the full breakdown: {{ scorecard.snapshotUrl }}
```

### Webhook step body using custom attributes

```json theme={null}
{
  "userId": "{{ user.custom.lms_id }}",
  "email": "{{ user.email }}",
  "department": "{{ user.department }}",
  "assignedBy": "{{ user.managerEmail }}"
}
```

## Where to use these

<CardGroup cols={2}>
  <Card title="Creating Nudges" icon="bell" href="/features/toolkit/content-studio/nudges/creating-nudges">
    Author nudge templates in Content Studio.
  </Card>

  <Card title="Editing Playbooks" icon="pencil" href="/features/actions/playbooks/editing-playbooks">
    Configure notification, nudge, and webhook steps inside a playbook.
  </Card>

  <Card title="Creating Playbooks" icon="plus" href="/features/actions/playbooks/creating-playbooks">
    Build a new playbook from scratch.
  </Card>

  <Card title="Glossary" icon="book" href="/reference/glossary">
    Definitions for HRI, signals, cohorts, and other terms used above.
  </Card>
</CardGroup>
