open-vault/website/source/api/auth/userpass/index.html.md

---
layout: "api"
page_title: "Userpass - Auth Methods - HTTP API"
sidebar_title: "Username & Password"
sidebar_current: "api-http-auth-userpass"
description: |-
  This is the API documentation for the Vault username and password
  auth method.
---

# Userpass Auth Method (HTTP API)

This is the API documentation for the Vault Username & Password auth method. For
general information about the usage and operation of the Username and Password method, please
see the [Vault Userpass method documentation](/docs/auth/userpass.html).

This documentation assumes the Username & Password method is mounted at the `/auth/userpass`
path in Vault. Since it is possible to enable auth methods at any location,
please update your API calls accordingly.

## Create/Update User

Create a new user or update an existing user. This path honors the distinction between the `create` and `update` capabilities inside ACL policies.

| Method   | Path                         | Produces               |
| :------- | :--------------------------- | :--------------------- |
| `POST`    | `/auth/userpass/users/:username`   | `204 (empty body)`     |

### Parameters

- `username` `(string: <required>)` – The username for the user.
- `password` `(string: <required>)` - The password for the user. Only required
  when creating the user.
- `policies` `(string: "")` – Comma-separated list of policies. If set to empty
  string, only the `default` policy will be applicable to the user.
- `ttl` `(string: "")` - The lease duration which decides login expiration.
- `max_ttl` `(string: "")` - Maximum duration after which login should expire.
- `bound_cidrs` `(string: "", or list: [])` – If set, restricts usage of the
  login and token to client IPs falling within the range of the specified
  CIDR(s).

### Sample Payload

```json
{
  "password": "superSecretPassword",
  "policies": "admin,default",
  "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"]
}
```

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
```

## Read User

Reads the properties of an existing username.

| Method   | Path                         | Produces               |
| :------- | :--------------------------- | :--------------------- |
| `GET`    | `/auth/userpass/users/:username`   | `200 application/json`     |

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
```

### Sample Response

```json
{
  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "max_ttl": 0,
    "policies": "default,dev",
    "ttl": 0
  },
  "warnings": null
}
```

## Delete User

This endpoint deletes the user from the method.

| Method   | Path                         | Produces               |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/auth/userpass/users/:username` | `204 (empty body)`     |

### Parameters

- `username` `(string: <required>)` - The username for the user.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
```

## Update Password on User

Update password for an existing user.

| Method   | Path                         | Produces               |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/auth/userpass/users/:username/password` | `204 (empty body)`     |

### Parameters

- `username` `(string: <required>)` – The username for the user.
- `password` `(string: <required>)` - The password for the user.

### Sample Payload

```json
{
  "password": "superSecretPassword2",
}
```

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh/password
```

## Update Policies on User

Update policies for an existing user.

| Method   | Path                         | Produces               |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/auth/userpass/users/:username/policies` | `204 (empty body)`     |

### Parameters

- `username` `(string: <required>)` – The username for the user.
- `policies` `(string: "")` – Comma-separated list of policies. If set to empty

### Sample Payload

```json
{
  "policies": "policy1,policy2",
}
```

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh/policies
```

## List Users

List available userpass users.

| Method   | Path                         | Produces               |
| :------- | :--------------------------- | :--------------------- |
| `LIST`   | `/auth/userpass/users`          | `200 application/json` |

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST
    http://127.0.0.1:8200/v1/auth/userpass/users
```

### Sample Response

```json
{
  "data": {
    "keys": [
      "mitchellh",
      "armon"
    ]
  }
}
```

## Login

Login with the username and password.

| Method   | Path                         | Produces               |
| :------- | :--------------------------- | :--------------------- |
| `POST` | `/auth/userpass/login/:username` | `200 application/json`     |

### Parameters

- `username` `(string: <required>)` – The username for the user.
- `password` `(string: <required>)` - The password for the user.

### Sample Payload

```json
{
  "password": "superSecretPassword2",
}
```

### Sample Request

```
$ curl \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh
```

### Sample Response

```json
{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "warnings": null,
  "auth": {
    "client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
    "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
    "policies": ["default"],
    "metadata": {
      "username": "mitchellh"
    },
    "lease_duration": 7200,
    "renewable": true
  }
}
```
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
+								---
 								layout: "api"
-												Standardize on "auth method"

This removes all references I could find to:

- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend

in favor of the unified:

- auth method

											
										
										
											2017-09-13 01:48:52 +00:00
+								page_title: "Userpass - Auth Methods - HTTP API"
-												New Docs Website (#5535)

* conversion stage 1

* correct image paths

* add sidebar title to frontmatter

* docs/concepts and docs/internals

* configuration docs and multi-level nav corrections

* commands docs, index file corrections, small item nav correction

* secrets converted

* auth

* add enterprise and agent docs

* add extra dividers

* secret section, wip

* correct sidebar nav title in front matter for apu section, start working on api items

* auth and backend, a couple directory structure fixes

* remove old docs

* intro side nav converted

* reset sidebar styles, add hashi-global-styles

* basic styling for nav sidebar

* folder collapse functionality

* patch up border length on last list item

* wip restructure for content component

* taking middleman hacking to the extreme, but its working

* small css fix

* add new mega nav

* fix a small mistake from the rebase

* fix a content resolution issue with middleman

* title a couple missing docs pages

* update deps, remove temporary markup

* community page

* footer to layout, community page css adjustments

* wip downloads page

* deps updated, downloads page ready

* fix community page

* homepage progress

* add components, adjust spacing

* docs and api landing pages

* a bunch of fixes, add docs and api landing pages

* update deps, add deploy scripts

* add readme note

* update deploy command

* overview page, index title

* Update doc fields

Note this still requires the link fields to be populated -- this is solely related to copy on the description fields

* Update api_basic_categories.yml

Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.

* Add bottom hero, adjust CSS, responsive friendly

* Add mega nav title

* homepage adjustments, asset boosts

* small fixes

* docs page styling fixes

* meganav title

* some category link corrections

* Update API categories page

updated to reflect the second level headings for api categories

* Update docs_detailed_categories.yml

Updated to represent the existing docs structure

* Update docs_detailed_categories.yml

* docs page data fix, extra operator page remove

* api data fix

* fix makefile

* update deps, add product subnav to docs and api landing pages

* Rearrange non-hands-on guides to _docs_

Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.

* WIP Redirects for guides to docs

* content and component updates

* font weight hotfix, redirects

* fix guides and intro sidenavs

* fix some redirects

* small style tweaks

* Redirects to learn and internally to docs

* Remove redirect to `/vault`

* Remove `.html` from destination on redirects

* fix incorrect index redirect

* final touchups

* address feedback from michell for makefile and product downloads

											
										
										
											2018-10-19 15:40:11 +00:00
+								sidebar_title: "Username & Password"
 								sidebar_current: "api-http-auth-userpass"
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
+								description: |-
 								  This is the API documentation for the Vault username and password
-												Standardize on "auth method"

This removes all references I could find to:

- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend

in favor of the unified:

- auth method

											
										
										
											2017-09-13 01:48:52 +00:00
+								  auth method.
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
+								---
-												Standardize on "auth method"

This removes all references I could find to:

- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend

in favor of the unified:

- auth method

											
										
										
											2017-09-13 01:48:52 +00:00
+								# Userpass Auth Method (HTTP API)
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
-												Standardize on "auth method"

This removes all references I could find to:

- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend

in favor of the unified:

- auth method

											
										
										
											2017-09-13 01:48:52 +00:00
+								This is the API documentation for the Vault Username & Password auth method. For
 								general information about the usage and operation of the Username and Password method, please
 								see the [Vault Userpass method documentation](/docs/auth/userpass.html).
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
-												Standardize on "auth method"

This removes all references I could find to:

- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend

in favor of the unified:

- auth method

											
										
										
											2017-09-13 01:48:52 +00:00
+								This documentation assumes the Username & Password method is mounted at the `/auth/userpass`
-												More naming cleanup

											
										
										
											2017-09-21 21:14:40 +00:00
+								path in Vault. Since it is possible to enable auth methods at any location,
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
+								please update your API calls accordingly.
 								## Create/Update User
 								Create a new user or update an existing user. This path honors the distinction between the `create` and `update` capabilities inside ACL policies.
 								| Method   | Path                         | Produces               |
 								| :------- | :--------------------------- | :--------------------- |
 								| `POST`    | `/auth/userpass/users/:username`   | `204 (empty body)`     |
 								### Parameters
 								- `username` `(string: <required>)` – The username for the user.
-												Standardize on "auth method"

This removes all references I could find to:

- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend

in favor of the unified:

- auth method

											
										
										
											2017-09-13 01:48:52 +00:00
+								- `password` `(string: <required>)` - The password for the user. Only required
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
+								  when creating the user.
 								- `policies` `(string: "")` – Comma-separated list of policies. If set to empty
 								  string, only the `default` policy will be applicable to the user.
 								- `ttl` `(string: "")` - The lease duration which decides login expiration.
 								- `max_ttl` `(string: "")` - Maximum duration after which login should expire.
-												add userpass note on bound cidrs (#4610)


											
										
										
											2018-05-25 18:35:09 +00:00
+								- `bound_cidrs` `(string: "", or list: [])` – If set, restricts usage of the
 								  login and token to client IPs falling within the range of the specified
 								  CIDR(s).
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
 								### Sample Payload
 								```json
 								{
 								  "password": "superSecretPassword",
-												add userpass note on bound cidrs (#4610)


											
										
										
											2018-05-25 18:35:09 +00:00
+								  "policies": "admin,default",
 								  "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"]
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
+								}
 								```
 								### Sample Request
 								```
 								$ curl \
 								    --header "X-Vault-Token: ..." \
 								    --request POST \
 								    --data @payload.json \
-												Drop vault.rocks (#4186)


											
										
										
											2018-03-23 15:41:51 +00:00
+								    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
+								```
 								## Read User
 								Reads the properties of an existing username.
 								| Method   | Path                         | Produces               |
 								| :------- | :--------------------------- | :--------------------- |
 								| `GET`    | `/auth/userpass/users/:username`   | `200 application/json`     |
 								### Sample Request
 								```
 								$ curl \
 								    --header "X-Vault-Token: ..." \
-												Drop vault.rocks (#4186)


											
										
										
											2018-03-23 15:41:51 +00:00
+								    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
+								```
 								### Sample Response
 								```json
 								{
 								  "request_id": "812229d7-a82e-0b20-c35b-81ce8c1b9fa6",
 								  "lease_id": "",
 								  "lease_duration": 0,
 								  "renewable": false,
 								  "data": {
 								    "max_ttl": 0,
 								    "policies": "default,dev",
 								    "ttl": 0
 								  },
 								  "warnings": null
 								}
 								```
 								## Delete User
-												Standardize on "auth method"

This removes all references I could find to:

- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend

in favor of the unified:

- auth method

											
										
										
											2017-09-13 01:48:52 +00:00
+								This endpoint deletes the user from the method.
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
 								| Method   | Path                         | Produces               |
 								| :------- | :--------------------------- | :--------------------- |
 								| `DELETE` | `/auth/userpass/users/:username` | `204 (empty body)`     |
 								### Parameters
 								- `username` `(string: <required>)` - The username for the user.
 								### Sample Request
 								```
 								$ curl \
 								    --header "X-Vault-Token: ..." \
 								    --request DELETE \
-												Drop vault.rocks (#4186)


											
										
										
											2018-03-23 15:41:51 +00:00
+								    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
+								```
 								## Update Password on User
 								Update password for an existing user.
 								| Method   | Path                         | Produces               |
 								| :------- | :--------------------------- | :--------------------- |
 								| `POST` | `/auth/userpass/users/:username/password` | `204 (empty body)`     |
 								### Parameters
 								- `username` `(string: <required>)` – The username for the user.
 								- `password` `(string: <required>)` - The password for the user.
 								### Sample Payload
 								```json
 								{
 								  "password": "superSecretPassword2",
 								}
 								```
 								### Sample Request
 								```
 								$ curl \
 								    --header "X-Vault-Token: ..." \
 								    --request POST \
 								    --data @payload.json \
-												Drop vault.rocks (#4186)


											
										
										
											2018-03-23 15:41:51 +00:00
+								    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh/password
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
+								```
 								## Update Policies on User
 								Update policies for an existing user.
 								| Method   | Path                         | Produces               |
 								| :------- | :--------------------------- | :--------------------- |
 								| `POST` | `/auth/userpass/users/:username/policies` | `204 (empty body)`     |
 								### Parameters
 								- `username` `(string: <required>)` – The username for the user.
 								- `policies` `(string: "")` – Comma-separated list of policies. If set to empty
 								### Sample Payload
 								```json
 								{
 								  "policies": "policy1,policy2",
 								}
 								```
 								### Sample Request
 								```
 								$ curl \
 								    --header "X-Vault-Token: ..." \
 								    --request POST \
 								    --data @payload.json \
-												Drop vault.rocks (#4186)


											
										
										
											2018-03-23 15:41:51 +00:00
+								    http://127.0.0.1:8200/v1/auth/userpass/users/mitchellh/policies
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
+								```
 								## List Users
 								List available userpass users.
 								| Method   | Path                         | Produces               |
 								| :------- | :--------------------------- | :--------------------- |
 								| `LIST`   | `/auth/userpass/users`          | `200 application/json` |
 								### Sample Request
 								```
 								$ curl \
 								    --header "X-Vault-Token: ..." \
 								    --request LIST
-												Drop vault.rocks (#4186)


											
										
										
											2018-03-23 15:41:51 +00:00
+								    http://127.0.0.1:8200/v1/auth/userpass/users
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
+								```
 								### Sample Response
 								```json
 								{
 								  "data": {
 								    "keys": [
 								      "mitchellh",
 								      "armon"
 								    ]
 								  }
 								}
 								```
 								## Login
 								Login with the username and password.
 								| Method   | Path                         | Produces               |
 								| :------- | :--------------------------- | :--------------------- |
 								| `POST` | `/auth/userpass/login/:username` | `200 application/json`     |
 								### Parameters
 								- `username` `(string: <required>)` – The username for the user.
 								- `password` `(string: <required>)` - The password for the user.
 								### Sample Payload
 								```json
 								{
 								  "password": "superSecretPassword2",
 								}
 								```
 								### Sample Request
 								```
 								$ curl \
 								    --request POST \
 								    --data @payload.json \
-												Drop vault.rocks (#4186)


											
										
										
											2018-03-23 15:41:51 +00:00
+								    http://127.0.0.1:8200/v1/auth/userpass/login/mitchellh
-												API Docs updates (#3101)


											
										
										
											2017-08-08 16:28:17 +00:00
+								```
 								### Sample Response
 								```json
 								{
 								  "lease_id": "",
 								  "renewable": false,
 								  "lease_duration": 0,
 								  "data": null,
 								  "warnings": null,
 								  "auth": {
 								    "client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
 								    "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
 								    "policies": ["default"],
 								    "metadata": {
 								      "username": "mitchellh"
 								    },
 								    "lease_duration": 7200,
 								    "renewable": true
 								  }
 								}
-												Standardize on "auth method"

This removes all references I could find to:

- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend

in favor of the unified:

- auth method

											
										
										
											2017-09-13 01:48:52 +00:00
+								```