ArangoDB v3.13 is under development and not released yet. This documentation is not final and potentially incomplete.

HTTP interface for authentication

You can gain access to a protected ArangoDB server via HTTP authentication using a username and password, or a JSON Web Tokens (JWT) generated from the user credentials or the JWT secret of the deployment

Client authentication can be achieved by using the Authorization HTTP header in client requests. ArangoDB supports authentication via HTTP Basic or JWT.

Authentication is turned on by default for all internal database APIs but turned off for custom Foxx apps. To toggle authentication for incoming requests to the internal database APIs, use the --server.authentication startup option. This option is turned on by default so authentication is required for the database APIs.

Requests using the HTTP OPTIONS method are answered by ArangoDB in any case, even if no authentication data is sent by the client or if the authentication data is wrong. This is required for handling CORS preflight requests (see Cross Origin Resource Sharing requests). The response to an HTTP OPTIONS request is generic and doesn’t expose any private data.

There is an additional option to control authentication for custom Foxx apps. The --server.authentication-system-only startup option controls whether authentication is required only for requests to the internal database APIs and the admin interface. It is turned on by default, meaning that other APIs (this includes custom Foxx apps) do not require authentication.

The default values allow exposing a public custom Foxx API built with ArangoDB to the outside world without the need for HTTP authentication, but still protecting the usage of the internal database APIs (i.e. /_api/, /_admin/) with HTTP authentication.

If the server is started with the --server.authentication-system-only option set to false, all incoming requests need HTTP authentication if the server is configured to require HTTP authentication (i.e. --server.authentication true). Setting the option to true makes the server require authentication only for requests to the internal database APIs and allows unauthenticated requests to all other URLs.

Here is a short summary:

  • --server.authentication true --server.authentication-system-only true: This requires authentication for all requests to the internal database APIs but not custom Foxx apps. This is the default setting.
  • --server.authentication true --server.authentication-system-only false: This requires authentication for all requests (including custom Foxx apps).
  • --server.authentication false: Authentication is disabled for all requests.

Whenever authentication is required and the client has not yet authenticated, ArangoDB returns HTTP 401 (Unauthorized). It also sends the Www-Authenticate response header, indicating that the client should prompt the user for username and password if supported. If the client is a browser, then sending back this header normally triggers the display of the browser-side HTTP authentication dialog. As showing the browser HTTP authentication dialog is undesired in AJAX requests, ArangoDB can be told to not send the Www-Authenticate header back to the client. Whenever a client sends the X-Omit-Www-Authenticate HTTP header (with an arbitrary value) to the server, ArangoDB only sends status code 401, but no Www-Authenticate header. This allows clients to implement credentials handling and bypassing the browser’s built-in dialog.

HTTP Basic Authentication

ArangoDB supports basic authentication with a user name and password. The name and the password of an ArangoDB user account need to be separated by a colon and the entire string needs to be Base64-encoded. The resulting value can be used in the Authorization header of an HTTP request, indicating that the authorization scheme is Basic.

For example, if the name is user and the password pass, the temporary string that needs to be encoded is user:pass. The Base64-encoded value is dXNlcjpwYXNz (e.g. using the btoa() JavaScript function in a browser). The HTTP request header to authenticate is a follows:

Authorization: Basic dXNlcjpwYXNz

If you use a tool like cURL, you can manually specify this header as follows:

curl -H 'Authorization: Basic dXNlcjpwYXNz' ...

However, cURL can also take care of the authentication and specifically the encoding of the credentials for you:

curl -u user:pass ...
Encoding credentials using the Base64 scheme does not encrypt them. Base64-encoded strings can easily be decoded. Be careful not to expose the encoded credentials by accident. It is recommended to secure connections with ArangoDB servers using TLS for encryption in transit.

You can also authenticate with Access tokens. Use the access token as the password. You can omit the user name in this case:

curl -u:the_access_token

If you specify the user name, it must match the name encoded in the token.

Bearer Token Authentication

ArangoDB uses a standard JWT-based authentication method. To authenticate via JWT, you must first obtain a JWT token with a signature generated via HMAC with SHA-256. The secret may either be set using --server.jwt-secret or it is randomly generated on server startup.

For more information on JWT please consult RFC7519 and jwt.io .

JWT user tokens

To authenticate with a specific user account, you need to supply a JWT token containing the preferred_username field with the username. You can either let ArangoDB generate this token for you via an API call or you can generate it yourself (only if you know the JWT secret).

ArangoDB offers a RESTful API to generate user tokens for you if you know the username and password. To do so, send a POST request to this endpoint:

/_open/auth

The request body needs to contain the username and password JSON-encoded like so:

{
  "username": "root",
  "password": "rootPassword"
}

You can also use Access tokens for creating JWTs. Provide the access token as the password. You can omit the username:

{
  "password": "theAccessToken"
}

If you specify the user name, it must match the name encoded in the token.

On success, the endpoint returns a **200 OK** and an answer containing
the JWT in a JSON-encoded object like so:

```json
{ "jwt": "eyJhbGciOiJIUzI1NiI..x6EfI" }

This JWT should then be used within the Authorization HTTP header in subsequent requests:

Authorization: Bearer eyJhbGciOiJIUzI1NiI..x6EfI
The JWT token expires after one hour by default and needs to be updated. You can configure the token lifetime via the --server.session-timeout startup option.

You can find the expiration date of the JWT token in the exp field, encoded as Unix timestamp in seconds. Please note that all JWT tokens must contain the iss field with string value arangodb. As an example the decoded JWT body would look like this:

{
  "exp": 1540381557,
  "iat": 1537789.55727901,
  "iss": "arangodb",
  "preferred_username": "root"
}

Create a JWT session token

POST /_open/auth

Obtain a JSON Web Token (JWT) from the credentials of an ArangoDB user account or a user’s access token. You can use the JWT in the Authorization HTTP header as a Bearer token to authenticate requests.

The lifetime for the token is controlled by the --server.session-timeout startup option.

Request Body application/json object
  • The password of the ArangoDB user or an access token.

  • The name of an ArangoDB user.

    It is optional if you specify an access token in password but required if you use the user’s password.

Responses
    • Response Body application/json object
    • The encoded JWT session token.

  • An HTTP 400 Bad Request status code is returned if the request misses required attributes or if it is otherwise malformed.

  • An HTTP 401 Unauthorized status code is returned if the user credentials are incorrect.

  • An HTTP 404 Not Found status code is returned if the server has authentication disabled and the endpoint is thus not available.

JWT superuser tokens

To access specific internal APIs as well as Agency and DB-Server instances a token generated via POST /_open/auth is not good enough. For these special APIs, you need to generate a special JWT token which grants superuser access. Note that using superuser access for normal database operations is not advised.

It is only possible to generate this JWT token with the knowledge of the JWT secret.

For your convenience it is possible to generate this token via the ArangoDB starter CLI.

Should you wish to generate the JWT token yourself with a tool of your choice, you need to include the correct body. The body must contain the iss field with string value arangodb and the server_id field with an arbitrary string identifier:

{
  "exp": 1537900279,
  "iat": 1537800279,
  "iss": "arangodb",
  "server_id": "myclient"
}

For example to generate a token via the jwtgen tool  (note the lifetime of one hour):

jwtgen -s <my-secret> -e 3600 -v -a "HS256" -c 'iss=arangodb' -c 'server_id=myclient'
curl -v -H "Authorization: bearer $(jwtgen -s <my-secret> -e 3600 -a "HS256" -c 'iss=arangodb' -c 'server_id=myclient')" http://<database-ip>:8529/_api/version

Access tokens

Access tokens act like passwords in authentication. Unlike normal credentials comprised of a username and a password, you can create multiple access tokens for a single user account. This is akin to having multiple passwords. You can set a desired expiration date for each access token (typically a few weeks or months) and individually revoke tokens on the server-side if necessary. You can use every access tokens for a different purpose, like different services that access ArangoDB using the same account, for fine-grained access control without having to change the password if you want to revoke access for one of the services.

You can use access tokens instead of the password to generate JWT session tokens (recommended) or use them directly as password in HTTP Basic Authentication (for backwards compatibility).

You need to create any user accounts first that you want to add access tokens to, see Create a user.

Create an access token

POST /_api/token/{user}

Create a new access token for the given user.

The response includes the actual access token string that you need to store in a secure manner. It is only shown once.

The user account you authenticate with needs to have administrate access to the _system database if you want to create an access token for a different user. You can always create an access token for yourself, regardless of database access levels.

Path Parameters
  • The name of the user.

Query Parameters
    HTTP Headers
      Request Body application/json object
      • A name for the access token to make identification easier, like a short description.

      • A Unix timestamp in seconds to set the expiration date and time.

      Responses
      • Is returned if the user data can be replaced by the server.

          Response Body application/json object
        • Whether the access token is valid based on the expiration date and time (valid_until).

        • A Unix timestamp in seconds with the creation date and time of the access token.

        • The beginning and end of the access token string, showing the version and the last few hexadecimal digits for identification, like v1...54227d.

        • A unique identifier. It is only needed for calling the endpoint for revoking an access token.

        • The name for the access token you specified to make identification easier.

        • The actual access token string. Store it in a secure manner. This is the only time it is shown to you.

        • A Unix timestamp in seconds with the configured expiration date and time.

      • The JSON representation is malformed or mandatory data is missing from the request.

          Response Body application/json object
        • The HTTP response status code.

        • A flag indicating that an error occurred.

        • A descriptive error message.

        • ArangoDB error number for the error that occurred.

      • The request is not authenticated correctly (e.g. wrong credentials, inactive user account).

          Response Body application/json object
        • The HTTP response status code.

        • A flag indicating that an error occurred.

        • A descriptive error message.

        • ArangoDB error number for the error that occurred.

      • The user’s access level for the _system database is too low. It needs to be Administrate to manage access tokens for other users.

          Response Body application/json object
        • The HTTP response status code.

        • A flag indicating that an error occurred.

        • A descriptive error message.

        • ArangoDB error number for the error that occurred.

      • The user specified in the path does not exist.

          Response Body application/json object
        • The HTTP response status code.

        • A flag indicating that an error occurred.

        • A descriptive error message.

        • ArangoDB error number for the error that occurred.

      • Duplicate access token name.

          Response Body application/json object
        • The HTTP response status code.

        • A flag indicating that an error occurred.

        • A descriptive error message.

        • ArangoDB error number for the error that occurred.

      Create an access token for the root user:

      curl -X POST --header 'accept: application/json' --data-binary @- --dump - 'http://localhost:8529/_api/token/root' <<'EOF'
      {
        "name": "Token for Service A",
        "valid_until": 1782864000
      }
      EOF
      Show output

      List all access tokens

      GET /_api/token/{user}

      List the access tokens for a given user.

      This only returns the access token metadata. The actual access token strings are only shown when creating tokens.

      The user account you authenticate with needs to have administrate access to the _system database if you want to list the access tokens for a different user. You can always list your own access tokens, regardless of database access levels.

      Path Parameters
      • The name of the user.

      Query Parameters
        HTTP Headers
          Responses
          • The metadata of the user’s access tokens.

              Response Body application/json object
            • A list with information about the user’s access tokens.

              • Whether the access token is valid based on the expiration date and time (valid_until).

              • A Unix timestamp in seconds with the creation date and time of the access token.

              • The beginning and end of the access token string, showing the version and the last few hexadecimal digits for identification, like v1...54227d.

              • A unique identifier. It is only needed for calling the endpoint for revoking an access token.

              • The name for the access token you specified to make identification easier.

              • A Unix timestamp in seconds with the configured expiration date and time.

          • The request is not authenticated correctly (e.g. wrong credentials, inactive user account).

              Response Body application/json object
            • The HTTP response status code.

            • A flag indicating that an error occurred.

            • A descriptive error message.

            • ArangoDB error number for the error that occurred.

          • The user’s access level for the _system database is too low. It needs to be Administrate to manage access tokens for other users.

              Response Body application/json object
            • The HTTP response status code.

            • A flag indicating that an error occurred.

            • A descriptive error message.

            • ArangoDB error number for the error that occurred.

          • The user specified in the path does not exist.

              Response Body application/json object
            • The HTTP response status code.

            • A flag indicating that an error occurred.

            • A descriptive error message.

            • ArangoDB error number for the error that occurred.

          List the access tokens of the root user:

          curl --header 'accept: application/json' --dump - 'http://localhost:8529/_api/token/root'
          Show output

          Delete an access token

          DELETE /_api/token/{user}/{token-id}

          Delete an access token with the specified identifier for the given user.

          The user account you authenticate with needs to have administrate access to the _system database if you want to delete an access token for a different user. You can always delete your own access tokens, regardless of database access levels.

          Path Parameters
          • The name of the user.

          • The identifier of the access token.

          Query Parameters
            HTTP Headers
              Responses
              • The request is valid and the access token has been deleted if it existed. However, the request also succeeds if the specified user doesn’t have an access token with the given identifier.

                  Response Body application/json
                  The response does not have a body.
              • The request is not authenticated correctly (e.g. wrong credentials, inactive user account).

                  Response Body application/json object
                • The HTTP response status code.

                • A flag indicating that an error occurred.

                • A descriptive error message.

                • ArangoDB error number for the error that occurred.

              • The user’s access level for the _system database is too low. It needs to be Administrate to manage access tokens for other users.

                  Response Body application/json object
                • The HTTP response status code.

                • A flag indicating that an error occurred.

                • A descriptive error message.

                • ArangoDB error number for the error that occurred.

              • The user specified in the path does not exist.

                  Response Body application/json object
                • The HTTP response status code.

                • A flag indicating that an error occurred.

                • A descriptive error message.

                • ArangoDB error number for the error that occurred.

              Delete an access tokens of the root user:

              curl -X DELETE --header 'accept: application/json' --dump - 'http://localhost:8529/_api/token/root/1'
              Show output

              Hot-reload JWT secrets

              In the ArangoGraph Insights Platform, authentication secrets are managed and therefore this feature isn’t available.

              To reload the JWT secrets of a local arangod process without a restart, you may use the following RESTful API. A POST request reloads the secret, a GET request may be used to load information about the currently used secrets.

              Get information about the loaded JWT secrets

              GET /_db/{database-name}/_admin/server/jwt

              Get information about the currently loaded secrets.

              To utilize the API a superuser JWT token is necessary, otherwise the response will be HTTP 403 Forbidden.

              Path Parameters
              • The name of a database. Which database you use doesn’t matter as long as the user account you authenticate with has at least read access to this database. If the --server.harden startup option is enabled, administrate access to the _system database is required.

              Query Parameters
                HTTP Headers
                  Responses
                    • Response Body application/json object
                      The reply with the JWT secrets information.
                    • the HTTP status code - 200 in this case

                    • boolean flag to indicate whether an error occurred (false in this case)

                    • The result object.

                      • An object with the SHA-256 hash of the active secret.

                      • An array of objects with the SHA-256 hashes of the passive secrets.

                        Can be empty.

                  • if the request was not authenticated as a user with sufficient rights

                  Hot-reload the JWT secret(s) from disk

                  POST /_admin/server/jwt

                  Sending a request without payload to this endpoint reloads the JWT secret(s) from disk. Only the files specified via the arangod startup option --server.jwt-secret-keyfile or --server.jwt-secret-folder are used. It is not possible to change the locations where files are loaded from without restarting the process.

                  To utilize the API a superuser JWT token is necessary, otherwise the response will be HTTP 403 Forbidden.

                  Responses
                    • Response Body application/json object
                      The reply with the JWT secrets information.
                    • the HTTP status code - 200 in this case

                    • boolean flag to indicate whether an error occurred (false in this case)

                    • The result object.

                      • An object with the SHA-256 hash of the active secret.

                      • An array of objects with the SHA-256 hashes of the passive secrets.

                        Can be empty.

                  • if the request was not authenticated as a user with sufficient rights

                  Example result:

                  {
                    "error": false,
                    "code": 200,
                    "result": {
                      "active": {
                        "sha256": "c6c1021286dfe870b7050f9e704df93c7f1de3c89dbdadc3fb30394bebd81e97"
                      },
                      "passive": [
                        {
                          "sha256": "6d2fe32dc4249ef7e7359c6d874fffbbf335e832e49a2681236e1b686af78794"
                        },
                        {
                          "sha256": "448a28491967ea4f7599f454af261a685153c27a7d5748456022565947820fb9"
                        },
                        {
                          "sha256": "6745d49264bdfc2e89d4333fe88f0fce94615fdbdb8990e95b5fda0583336da8"
                        }
                      ]
                    }
                  }