---
layout: "docs"
page_title: "Auth Backend: Username & Password"
sidebar_current: "docs-auth-userpass"
description: |-
  The "userpass" auth backend allows users to authenticate with Vault using a username and password.
---

# Auth Backend: Username & Password

Name: `userpass`

The "userpass" auth backend allows users to authenticate with Vault using
a username and password combination.

The username/password combinations are configured directly in the auth
backend using the `users/` path. This backend cannot read usernames and
passwords from an external source.

## Authentication

#### Via the CLI

```
$ vault auth -method=userpass \
    username=foo \
    password=bar
```

#### Via the API

The endpoint for the login is `auth/userpass/login/<username>`.

The password should be sent in the POST body encoded as JSON.

```shell
$ curl $VAULT_ADDR/v1/auth/userpass/login/mitchellh \
    -d '{ "password": "foo" }'
```

The response will be in JSON. For example:

```javascript
{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "auth": {
    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
    "policies": [
      "root"
    ],
    "metadata": {
      "username": "mitchellh"
    },
    "lease_duration": 0,
    "renewable": false
  }
}
```

## Configuration

First, you must enable the username/password auth backend:

```
$ vault auth-enable userpass
Successfully enabled 'userpass' at 'userpass'!
```

Now when you run `vault auth -methods`, the username/password backend is
available:

```
Path       Type      Description
token/     token     token based credentials
userpass/  userpass
```

To use the "userpass" auth backend, an operator must configure it with
users that are allowed to authenticate. An example is shown below.
Use `vault path-help` for more details.

```
$ vault write auth/userpass/users/mitchellh \
    password=foo \
    policies=root
...
```

The above creates a new user "mitchellh" with the password "foo" that
will be associated with the "root" policy. This is the only configuration
necessary.

## API

### /auth/userpass/users/[username]

#### POST

Description
Create a new user or update an existing user. This path honors the distinction between the `create` and `update` capabilities inside ACL policies.
Method
POST
URL
`/auth/userpass/users/<username>`
Parameters
  • `username` (required): Username for this user.
  • `password` (required): Password for this user.
  • `policies` (optional): Comma-separated list of policies. If set to empty string, only the `default` policy will be applicable to the user.
  • `ttl` (optional): The lease duration which decides login expiration.
  • `max_ttl` (optional): Maximum duration after which login should expire.
Returns
`204` response code.

### /auth/userpass/users/[username]/password

#### POST

Description
Update the password for an existing user.
Method
POST
URL
`/auth/userpass/users/<username>/password`
Parameters
  • `username` (required): Username for this user.
  • `password` (required): Password for this user.
Returns
`204` response code.

### /auth/userpass/users/[username]/policies

#### POST

Description
Update the policies associated with an existing user.
Method
POST
URL
`/auth/userpass/users/<username>/policies`
Parameters
  • `username` (required): Username for this user.
  • `policies` (optional): Comma-separated list of policies. If this field is not supplied, the policies will be unchanged. If set to empty string, only the `default` policy will be applicable to the user.
Returns
`204` response code.

### /auth/userpass/login/[username]

#### POST

Description
Log in with the username and password.
Method
POST
URL
`/auth/userpass/login/<username>`
Parameters
  • `username` (required): Username for this user.
  • `password` (required): Password for this user.
Returns
```javascript
{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "warnings": null,
  "auth": {
    "client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
    "accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
    "policies": ["default"],
    "metadata": {
      "username": "vishal"
    },
    "lease_duration": 7200,
    "renewable": true
  }
}
```
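
A client-side sketch of the login call documented above, added here as an example (it is not Vault's own code): it builds the POST to `auth/userpass/login/[username]` with the password only in the JSON body, then checks the returned `auth` block for the `root` policy or a zero `lease_duration`. The function names and the `vault.example.com` address are assumptions; the sample data are the `auth` blocks of the two responses shown on this page.

```python
import json
import urllib.parse
import urllib.request


def build_login_request(vault_addr, username, password):
    """POST for auth/userpass/login/<username>; the password travels only in the JSON body."""
    # Percent-encode the username so it cannot add path segments to the URL.
    user = urllib.parse.quote(username, safe="")
    url = f"{vault_addr.rstrip('/')}/v1/auth/userpass/login/{user}"
    body = json.dumps({"password": password}).encode()
    return urllib.request.Request(
        url, data=body, method="POST", headers={"Content-Type": "application/json"})


def review_auth(response):
    """Return (client_token, findings) for a parsed login response."""
    auth = response.get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise ValueError("login response has no auth.client_token")
    findings = []
    if "root" in (auth.get("policies") or []):
        findings.append("token carries the root policy")
    if not auth.get("lease_duration"):
        findings.append("lease_duration is 0, so the response states no expiry")
    return token, findings


def login(vault_addr, username, password, timeout=10):
    """Perform the login against a live server and review the result."""
    req = build_login_request(vault_addr, username, password)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return review_auth(json.load(resp))


# Constructed samples: the "auth" blocks of the two responses shown on this page.
SAMPLE_ROOT = {"auth": {"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
                        "policies": ["root"], "metadata": {"username": "mitchellh"},
                        "lease_duration": 0, "renewable": False}}
SAMPLE_DEFAULT = {"auth": {"client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
                           "policies": ["default"], "metadata": {"username": "vishal"},
                           "lease_duration": 7200, "renewable": True}}

if __name__ == "__main__":
    req = build_login_request("https://vault.example.com:8200", "mitchellh", "foo")
    print(req.get_method(), req.full_url)
    for sample in (SAMPLE_ROOT, SAMPLE_DEFAULT):
        token, findings = review_auth(sample)
        print(token[:8] + "...", findings or "no findings")
```

`login()` is the only function that touches the network; the other two can be exercised against saved responses.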