open-vault/website/source/docs/auth/userpass.html.md

---
layout: "docs"
page_title: "Auth Backend: Username & Password"
sidebar_current: "docs-auth-userpass"
description: |-
  The "userpass" auth backend allows users to authenticate with Vault using a username and password.
---

# Auth Backend: Username & Password

Name: `userpass`

The "userpass" auth backend allows users to authenticate with Vault using
a username and password combination.

The username/password combinations are configured directly to the auth
backend using the `users/` path. This backend cannot read usernames and
passwords from an external source.

The backend lowercases all submitted usernames, e.g. `Mary` and `mary` are the
same entry.

## Authentication

#### Via the CLI

```
$ vault auth -method=userpass \
    username=foo \
    password=bar
```

#### Via the API

The endpoint for the login is `auth/userpass/login/<username>`.

The password should be sent in the POST body encoded as JSON.

```shell
$ curl $VAULT_ADDR/v1/auth/userpass/login/mitchellh \
    -d '{ "password": "foo" }'
```

The response will be in JSON. For example:

```javascript
{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "auth": {
    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
    "policies": [
      "admins"
    ],
    "metadata": {
      "username": "mitchellh"
    },
    "lease_duration": 0,
    "renewable": false
  }
}
```

## Configuration

First, you must enable the username/password auth backend:

```
$ vault auth-enable userpass
Successfully enabled 'userpass' at 'userpass'!
```

Now when you run `vault auth -methods`, the username/password backend is
available:

```
Path       Type      Description
token/     token     token based credentials
userpass/  userpass
```

To use the "userpass" auth backend, an operator must configure it with
users that are allowed to authenticate. An example is shown below.
Use `vault path-help` for more details.

```
$ vault write auth/userpass/users/mitchellh \
    password=foo \
    policies=admins
...
```

The above creates a new user "mitchellh" with the password "foo" that
will be associated with the "admins" policy. This is the only configuration
necessary.

## API

The Username & Password authentication backend has a full HTTP API. Please see the
[Userpass auth backend API](/api/auth/userpass/index.html) for more
details.
website: doc userpass 2015-04-19 22:21:35 +00:00			`---`
			`layout: "docs"`
			`page_title: "Auth Backend: Username & Password"`
			`sidebar_current: "docs-auth-userpass"`
			`description: \|-`
			`The "userpass" auth backend allows users to authenticate with Vault using a username and password.`
			`---`

			`# Auth Backend: Username & Password`

			Name: `userpass`

			`The "userpass" auth backend allows users to authenticate with Vault using`
			`a username and password combination.`

			`The username/password combinations are configured directly to the auth`
			backend using the `users/` path. This backend cannot read usernames and
			`passwords from an external source.`

Add note about lowercasing usernames to userpass docs 2017-06-08 13:41:01 +00:00			The backend lowercases all submitted usernames, e.g. `Mary` and `mary` are the
			`same entry.`

website: doc userpass 2015-04-19 22:21:35 +00:00			`## Authentication`

			`#### Via the CLI`

			```
			`$ vault auth -method=userpass \`
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`username=foo \`
			`password=bar`
website: doc userpass 2015-04-19 22:21:35 +00:00			```

			`#### Via the API`

Cleanup userpass docs 2015-05-08 15:49:58 +00:00			The endpoint for the login is `auth/userpass/login/<username>`.
Added more info about the userpass auth backend API endpoint 2015-05-08 09:45:21 +00:00
Cleanup userpass docs 2015-05-08 15:49:58 +00:00			`The password should be sent in the POST body encoded as JSON.`
Added more info about the userpass auth backend API endpoint 2015-05-08 09:45:21 +00:00
Cleanup userpass docs 2015-05-08 15:49:58 +00:00			```shell
			`$ curl $VAULT_ADDR/v1/auth/userpass/login/mitchellh \`
docs: Fix examples of auth via JSON For both userpass and LDAP 2015-06-04 14:38:08 +00:00			`-d '{ "password": "foo" }'`
Added more info about the userpass auth backend API endpoint 2015-05-08 09:45:21 +00:00			```

Cleanup userpass docs 2015-05-08 15:49:58 +00:00			`The response will be in JSON. For example:`

			```javascript
			`{`
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`"lease_id": "",`
			`"renewable": false,`
			`"lease_duration": 0,`
			`"data": null,`
			`"auth": {`
			`"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",`
			`"policies": [`
Don't allow root from authentication backends either. We've disabled this in the token store, but it makes no sense to have that disabled but have it enabled elsewhere. It's the same issue across all, so simply remove the ability altogether. 2016-08-08 21:32:37 +00:00			`"admins"`
Cleanup userpass docs 2015-05-08 15:49:58 +00:00			`],`
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`"metadata": {`
			`"username": "mitchellh"`
Cleanup userpass docs 2015-05-08 15:49:58 +00:00			`},`
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`"lease_duration": 0,`
			`"renewable": false`
Cleanup userpass docs 2015-05-08 15:49:58 +00:00			`}`
			`}`
Added more info about the userpass auth backend API endpoint 2015-05-08 09:45:21 +00:00			```
website: doc userpass 2015-04-19 22:21:35 +00:00
			`## Configuration`

Add instructions for enabling the auth first 2015-05-07 17:41:23 +00:00			`First, you must enable the username/password auth backend:`

			```
			`$ vault auth-enable userpass`
			`Successfully enabled 'userpass' at 'userpass'!`
			```

			Now when you run `vault auth -methods`, the username/password backend is
			`available:`

			```
			`Path Type Description`
			`token/ token token based credentials`
			`userpass/ userpass`
			```

website: doc userpass 2015-04-19 22:21:35 +00:00			`To use the "userpass" auth backend, an operator must configure it with`
website: address minor doc typos 2015-04-28 18:32:04 +00:00			`users that are allowed to authenticate. An example is shown below.`
website: fixing lots of references to vault help 2015-07-13 10:12:09 +00:00			Use `vault path-help` for more details.
website: doc userpass 2015-04-19 22:21:35 +00:00
			```
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`$ vault write auth/userpass/users/mitchellh \`
			`password=foo \`
Don't allow root from authentication backends either. We've disabled this in the token store, but it makes no sense to have that disabled but have it enabled elsewhere. It's the same issue across all, so simply remove the ability altogether. 2016-08-08 21:32:37 +00:00			`policies=admins`
website: doc userpass 2015-04-19 22:21:35 +00:00			`...`
			```

			`The above creates a new user "mitchellh" with the password "foo" that`
Don't allow root from authentication backends either. We've disabled this in the token store, but it makes no sense to have that disabled but have it enabled elsewhere. It's the same issue across all, so simply remove the ability altogether. 2016-08-08 21:32:37 +00:00			`will be associated with the "admins" policy. This is the only configuration`
website: doc userpass 2015-04-19 22:21:35 +00:00			`necessary.`
Added API documentation for userpass backend 2016-03-16 02:19:31 +00:00
			`## API`

API Docs updates (#3101) 2017-08-08 16:28:17 +00:00			`The Username & Password authentication backend has a full HTTP API. Please see the`
			`[Userpass auth backend API](/api/auth/userpass/index.html) for more`
			`details.`
Added user listing endpoint to userpass docs 2016-09-30 19:47:33 +00:00