---
layout: docs
page_title: auth enable - Command
description: |-
  The "auth enable" command enables an auth method at a given path. If an auth
  method already exists at the given path, an error is returned. After the auth
  method is enabled, it usually needs configuration.
---

# auth enable

The `auth enable` command enables an auth method at a given path. If an auth
method already exists at the given path, an error is returned. After the auth
method is enabled, it usually needs configuration. The configuration varies by
auth method.

An auth method is responsible for authenticating users or machines and assigning
them policies and a token with which they can access Vault. Authentication is
usually mapped to policy. Please see the
[policies concepts](/docs/concepts/policies) page for more information.

## Examples

Enable the auth method "userpass" at "userpass/":

```shell-session
$ vault auth enable userpass
Success! Enabled the userpass auth method at: userpass/
```

Create a user:

```shell-session
$ vault write auth/userpass/users/sethvargo password=secret
Success! Data written to: auth/userpass/users/sethvargo
```

For more information on the specific configuration options and paths, please see
the [auth method](/docs/auth) documentation.

## Usage

The following flags are available in addition to the [standard set of
flags](/docs/commands) included on all commands.

- `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd
  by audit devices in the request data object. Note that multiple keys may be
  specified by providing this option multiple times, each time with 1 key.
  An example of this is provided in the [tune section](/docs/commands/auth/tune).

- `-audit-non-hmac-response-keys` `(string: "")` - Key that will not be HMAC'd
  by audit devices in the response data object. Note that multiple keys may be
  specified by providing this option multiple times, each time with 1 key.

- `-default-lease-ttl` `(duration: "")` - The default lease TTL for this auth
  method. If unspecified, this defaults to the Vault server's globally
  configured default lease TTL, or a previously configured value for the auth
  method. Uses [duration format strings](/docs/concepts/duration-format).

- `-passthrough-request-headers` `(string: "")` - Request header values that will
  be sent to the auth method. Note that multiple keys may be
  specified by providing this option multiple times, each time with 1 key.

- `-allowed-response-headers` `(string: "")` - Response header values that the auth
  method will be allowed to set. Note that multiple keys may be
  specified by providing this option multiple times, each time with 1 key.

- `-description` `(string: "")` - Human-friendly description for the purpose of
  this auth method.

- `-listing-visibility` `(string: "")` - The flag to toggle whether to show the
  mount in the UI-specific listing endpoint. Valid values are `"unauth"` or
  `"hidden"`, with the default `""` being equivalent to `"hidden"`.

- `-local` `(bool: false)` - Mark the auth method as local-only. Local auth
  methods are not replicated nor removed by replication.

- `-max-lease-ttl` `(string: "")` - The maximum lease duration, specified as a
  string duration like "5s" or "30m".

- `-path` `(string: "")` - Place where the auth method will be accessible. This
  must be unique across all auth methods. This defaults to the "type" of the
  auth method. The auth method will be accessible at `/auth/`.

- `-seal-wrap` `(bool: false)` - Enable seal wrapping for the mount, causing
  values stored by the mount to be wrapped by the seal's encryption capability.

- `-token-type` `(string: "")` - Specifies the type of tokens that should be
  returned by the auth method.
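
To review mounts that were enabled with these flags, the following added example (not part of the Vault documentation or code base) checks a mount listing for non-HMAC'd audit keys with sensitive-looking names, `unauth` listing visibility, and long maximum TTLs. The sample JSON is constructed and assumed to follow the shape of `vault auth list -format=json`; the name hints and the TTL threshold are hypothetical policy values.

```python
import json

# Constructed sample, shaped like `vault auth list -format=json` output
# (assumed field names: they mirror the flags documented above).
SAMPLE = """
{
  "userpass/": {
    "type": "userpass",
    "config": {
      "default_lease_ttl": 0,
      "max_lease_ttl": 2764800,
      "listing_visibility": "unauth",
      "audit_non_hmac_request_keys": ["password", "username"]
    }
  },
  "approle/": {
    "type": "approle",
    "config": {"default_lease_ttl": 3600, "max_lease_ttl": 14400,
               "listing_visibility": "hidden"}
  }
}
"""

# Hypothetical policy values, chosen for this example only.
SENSITIVE_HINTS = ("password", "secret", "token", "key")
MAX_TTL_SECONDS = 24 * 3600


def audit_auth_mounts(raw_json):
    """Return sorted (path, finding) tuples for settings worth reviewing."""
    findings = []
    for path, mount in json.loads(raw_json).items():
        cfg = mount.get("config") or {}
        for field in ("audit_non_hmac_request_keys", "audit_non_hmac_response_keys"):
            for key in cfg.get(field) or []:
                if any(hint in key.lower() for hint in SENSITIVE_HINTS):
                    findings.append((path, f"{field}: '{key}' is logged without HMAC"))
        if cfg.get("listing_visibility") == "unauth":
            findings.append((path, "listing_visibility=unauth: mount shown in unauthenticated UI listing"))
        if (cfg.get("max_lease_ttl") or 0) > MAX_TTL_SECONDS:
            findings.append((path, f"max_lease_ttl {cfg['max_lease_ttl']}s exceeds {MAX_TTL_SECONDS}s"))
    return sorted(findings)


if __name__ == "__main__":
    for path, finding in audit_auth_mounts(SAMPLE):
        print(f"{path}: {finding}")
```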