open-vault/website/source/docs/auth/userpass.html.md

---
layout: "docs"
page_title: "Userpass - Auth Methods"
sidebar_title: "Username &amp; Password"
sidebar_current: "docs-auth-userpass"
description: |-
  The "userpass" auth method allows users to authenticate with Vault using a username and password.
---

# Userpass Auth Method

The `userpass` auth method allows users to authenticate with Vault using
a username and password combination.

The username/password combinations are configured directly to the auth
method using the `users/` path. This method cannot read usernames and
passwords from an external source.

The method lowercases all submitted usernames, e.g. `Mary` and `mary` are the
same entry.

## Authentication

### Via the CLI

```text
$ vault login -method=userpass \
    username=mitchellh \
    password=foo
```

### Via the API

```shell
$ curl \
    --request POST \
    --data '{"password": "foo"}' \
    http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh
```

The response will contain the token at `auth.client_token`:

```json
{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "auth": {
    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
    "policies": [
      "admins"
    ],
    "metadata": {
      "username": "mitchellh"
    },
    "lease_duration": 0,
    "renewable": false
  }
}
```

## Configuration

Auth methods must be configured in advance before users or machines can
authenticate. These steps are usually completed by an operator or configuration
management tool.

1. Enable the userpass auth method:

    ```text
    $ vault auth enable userpass
    ```

1. Configure it with users that are allowed to authenticate:

    ```text
    $ vault write auth/userpass/users/mitchellh \
        password=foo \
        policies=admins
    ```

    This creates a new user "mitchellh" with the password "foo" that will be
    associated with the "admins" policy. This is the only configuration
    necessary.

## API

The Userpass auth method has a full HTTP API. Please see the [Userpass auth
method API](/api/auth/userpass/index.html) for more details.
website: doc userpass 2015-04-19 22:21:35 +00:00			`---`
			`layout: "docs"`
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`page_title: "Userpass - Auth Methods"`
New Docs Website (#5535) * conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads 2018-10-19 15:40:11 +00:00			`sidebar_title: "Username & Password"`
website: doc userpass 2015-04-19 22:21:35 +00:00			`sidebar_current: "docs-auth-userpass"`
			`description: \|-`
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`The "userpass" auth method allows users to authenticate with Vault using a username and password.`
website: doc userpass 2015-04-19 22:21:35 +00:00			`---`

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`# Userpass Auth Method`
website: doc userpass 2015-04-19 22:21:35 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			The `userpass` auth method allows users to authenticate with Vault using
website: doc userpass 2015-04-19 22:21:35 +00:00			`a username and password combination.`

			`The username/password combinations are configured directly to the auth`
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			method using the `users/` path. This method cannot read usernames and
website: doc userpass 2015-04-19 22:21:35 +00:00			`passwords from an external source.`

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			The method lowercases all submitted usernames, e.g. `Mary` and `mary` are the
Add note about lowercasing usernames to userpass docs 2017-06-08 13:41:01 +00:00			`same entry.`

website: doc userpass 2015-04-19 22:21:35 +00:00			`## Authentication`

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`### Via the CLI`
website: doc userpass 2015-04-19 22:21:35 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			```text
			`$ vault login -method=userpass \`
Make the usernames match in all examples in userpass 2018-08-28 22:33:00 +00:00			`username=mitchellh \`
			`password=foo`
website: doc userpass 2015-04-19 22:21:35 +00:00			```

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`### Via the API`
Added more info about the userpass auth backend API endpoint 2015-05-08 09:45:21 +00:00
Cleanup userpass docs 2015-05-08 15:49:58 +00:00			```shell
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`$ curl \`
			`--request POST \`
			`--data '{"password": "foo"}' \`
Drop vault.rocks (#4186) 2018-03-23 15:41:51 +00:00			`http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh`
Added more info about the userpass auth backend API endpoint 2015-05-08 09:45:21 +00:00			```

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			The response will contain the token at `auth.client_token`:
Cleanup userpass docs 2015-05-08 15:49:58 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			```json
Cleanup userpass docs 2015-05-08 15:49:58 +00:00			`{`
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`"lease_id": "",`
			`"renewable": false,`
			`"lease_duration": 0,`
			`"data": null,`
			`"auth": {`
			`"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",`
			`"policies": [`
Don't allow root from authentication backends either. We've disabled this in the token store, but it makes no sense to have that disabled but have it enabled elsewhere. It's the same issue across all, so simply remove the ability altogether. 2016-08-08 21:32:37 +00:00			`"admins"`
Cleanup userpass docs 2015-05-08 15:49:58 +00:00			`],`
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`"metadata": {`
			`"username": "mitchellh"`
Cleanup userpass docs 2015-05-08 15:49:58 +00:00			`},`
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`"lease_duration": 0,`
			`"renewable": false`
Cleanup userpass docs 2015-05-08 15:49:58 +00:00			`}`
			`}`
Added more info about the userpass auth backend API endpoint 2015-05-08 09:45:21 +00:00			```
website: doc userpass 2015-04-19 22:21:35 +00:00
			`## Configuration`

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`Auth methods must be configured in advance before users or machines can`
			`authenticate. These steps are usually completed by an operator or configuration`
			`management tool.`
Add instructions for enabling the auth first 2015-05-07 17:41:23 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`1. Enable the userpass auth method:`
Add instructions for enabling the auth first 2015-05-07 17:41:23 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			```text
			`$ vault auth enable userpass`
			```
Add instructions for enabling the auth first 2015-05-07 17:41:23 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`1. Configure it with users that are allowed to authenticate:`
website: doc userpass 2015-04-19 22:21:35 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			```text
			`$ vault write auth/userpass/users/mitchellh \`
			`password=foo \`
			`policies=admins`
			```
website: doc userpass 2015-04-19 22:21:35 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`This creates a new user "mitchellh" with the password "foo" that will be`
			`associated with the "admins" policy. This is the only configuration`
			`necessary.`
Added API documentation for userpass backend 2016-03-16 02:19:31 +00:00
			`## API`

Make the usernames match in all examples in userpass 2018-08-28 22:33:00 +00:00			`The Userpass auth method has a full HTTP API. Please see the [Userpass auth`
			`method API](/api/auth/userpass/index.html) for more details.`