open-vault/website/content/docs/auth/userpass.mdx

---
layout: docs
page_title: Userpass - Auth Methods
description: >-
  The "userpass" auth method allows users to authenticate with Vault using a
  username and password.
---

# Userpass Auth Method

The `userpass` auth method allows users to authenticate with Vault using
a username and password combination.

The username/password combinations are configured directly to the auth
method using the `users/` path. This method cannot read usernames and
passwords from an external source.

The method lowercases all submitted usernames, e.g. `Mary` and `mary` are the
same entry.

## Authentication

### Via the CLI

```shell-session
$ vault login -method=userpass \
    username=mitchellh \
    password=foo
```

### Via the API

```shell-session
$ curl \
    --request POST \
    --data '{"password": "foo"}' \
    http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh
```

The response will contain the token at `auth.client_token`:

```json
{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "auth": {
    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
    "policies": ["admins"],
    "metadata": {
      "username": "mitchellh"
    },
    "lease_duration": 0,
    "renewable": false
  }
}
```

## Configuration

Auth methods must be configured in advance before users or machines can
authenticate. These steps are usually completed by an operator or configuration
management tool.

1. Enable the userpass auth method:

   ```shell-session
   $ vault auth enable userpass
   ```
   
   This enables the userpass auth method at `auth/userpass`. To enable it at a different path, use the `-path` flag:
   
   ```shell-session
   $ vault auth enable -path=<path> userpass
   ```

1. Configure it with users that are allowed to authenticate:

   ```shell-session
   $ vault write auth/<userpass:path>/users/mitchellh \
       password=foo \
       policies=admins
   ```

   This creates a new user "mitchellh" with the password "foo" that will be
   associated with the "admins" policy. This is the only configuration
   necessary.


## API

The Userpass auth method has a full HTTP API. Please see the [Userpass auth
method API](/vault/api-docs/auth/userpass) for more details.
website: doc userpass 2015-04-19 22:21:35 +00:00			`---`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`layout: docs`
			`page_title: Userpass - Auth Methods`
			`description: >-`
			`The "userpass" auth method allows users to authenticate with Vault using a`
			`username and password.`
website: doc userpass 2015-04-19 22:21:35 +00:00			`---`

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`# Userpass Auth Method`
website: doc userpass 2015-04-19 22:21:35 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			The `userpass` auth method allows users to authenticate with Vault using
website: doc userpass 2015-04-19 22:21:35 +00:00			`a username and password combination.`

			`The username/password combinations are configured directly to the auth`
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			method using the `users/` path. This method cannot read usernames and
website: doc userpass 2015-04-19 22:21:35 +00:00			`passwords from an external source.`

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			The method lowercases all submitted usernames, e.g. `Mary` and `mary` are the
Add note about lowercasing usernames to userpass docs 2017-06-08 13:41:01 +00:00			`same entry.`

website: doc userpass 2015-04-19 22:21:35 +00:00			`## Authentication`

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`### Via the CLI`
website: doc userpass 2015-04-19 22:21:35 +00:00
🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`$ vault login -method=userpass \`
Make the usernames match in all examples in userpass 2018-08-28 22:33:00 +00:00			`username=mitchellh \`
			`password=foo`
website: doc userpass 2015-04-19 22:21:35 +00:00			```

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`### Via the API`
Added more info about the userpass auth backend API endpoint 2015-05-08 09:45:21 +00:00
🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`$ curl \`
			`--request POST \`
			`--data '{"password": "foo"}' \`
Drop vault.rocks (#4186) 2018-03-23 15:41:51 +00:00			`http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh`
Added more info about the userpass auth backend API endpoint 2015-05-08 09:45:21 +00:00			```

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			The response will contain the token at `auth.client_token`:
Cleanup userpass docs 2015-05-08 15:49:58 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			```json
Cleanup userpass docs 2015-05-08 15:49:58 +00:00			`{`
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`"lease_id": "",`
			`"renewable": false,`
			`"lease_duration": 0,`
			`"data": null,`
			`"auth": {`
			`"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`"policies": ["admins"],`
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`"metadata": {`
			`"username": "mitchellh"`
Cleanup userpass docs 2015-05-08 15:49:58 +00:00			`},`
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`"lease_duration": 0,`
			`"renewable": false`
Cleanup userpass docs 2015-05-08 15:49:58 +00:00			`}`
			`}`
Added more info about the userpass auth backend API endpoint 2015-05-08 09:45:21 +00:00			```
website: doc userpass 2015-04-19 22:21:35 +00:00
			`## Configuration`

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`Auth methods must be configured in advance before users or machines can`
			`authenticate. These steps are usually completed by an operator or configuration`
			`management tool.`
Add instructions for enabling the auth first 2015-05-07 17:41:23 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`1. Enable the userpass auth method:`
Add instructions for enabling the auth first 2015-05-07 17:41:23 +00:00
Update userpass.mdx (#20121) * Update userpass.mdx vault write auth/userpass/users/mitchellh password=foo policies=admins in the path "userpass" is actually a path, if custom path is defined, custom path need to used, instead of userpass. * Add extra description --------- Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> 2023-04-17 16:52:13 +00:00			```shell-session
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`$ vault auth enable userpass`
			```
Update userpass.mdx (#20121) * Update userpass.mdx vault write auth/userpass/users/mitchellh password=foo policies=admins in the path "userpass" is actually a path, if custom path is defined, custom path need to used, instead of userpass. * Add extra description --------- Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> 2023-04-17 16:52:13 +00:00
			This enables the userpass auth method at `auth/userpass`. To enable it at a different path, use the `-path` flag:

			```shell-session
			`$ vault auth enable -path=<path> userpass`
			```
Add instructions for enabling the auth first 2015-05-07 17:41:23 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`1. Configure it with users that are allowed to authenticate:`
website: doc userpass 2015-04-19 22:21:35 +00:00
Update userpass.mdx (#20121) * Update userpass.mdx vault write auth/userpass/users/mitchellh password=foo policies=admins in the path "userpass" is actually a path, if custom path is defined, custom path need to used, instead of userpass. * Add extra description --------- Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> 2023-04-17 16:52:13 +00:00			```shell-session
			`$ vault write auth/<userpass:path>/users/mitchellh \`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`password=foo \`
			`policies=admins`
			```
website: doc userpass 2015-04-19 22:21:35 +00:00
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`This creates a new user "mitchellh" with the password "foo" that will be`
			`associated with the "admins" policy. This is the only configuration`
			`necessary.`
Added API documentation for userpass backend 2016-03-16 02:19:31 +00:00
Update userpass.mdx (#20121) * Update userpass.mdx vault write auth/userpass/users/mitchellh password=foo policies=admins in the path "userpass" is actually a path, if custom path is defined, custom path need to used, instead of userpass. * Add extra description --------- Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> 2023-04-17 16:52:13 +00:00
Added API documentation for userpass backend 2016-03-16 02:19:31 +00:00			`## API`

Make the usernames match in all examples in userpass 2018-08-28 22:33:00 +00:00			`The Userpass auth method has a full HTTP API. Please see the [Userpass auth`
docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			`method API](/vault/api-docs/auth/userpass) for more details.`