[role="xpack"] [[security-api-put-user]] === Create or update users API ++++ Create or update users ++++ Adds and updates users in the native realm. These users are commonly referred to as _native users_. [[security-api-put-user-request]] ==== {api-request-title} `POST /_security/user/` + `PUT /_security/user/` [[security-api-put-user-prereqs]] ==== {api-prereq-title} * To use this API, you must have at least the `manage_security` cluster privilege. [[security-api-put-user-desc]] ==== {api-description-title} When updating a user, you can update everything but its `username` and `password`. To change a user's password, use the <>. For more information about the native realm, see {stack-ov}/realms.html[Realms] and <>. [[security-api-put-user-path-params]] ==== {api-path-parms-title} `username`:: (Required, string) An identifier for the user. + -- [[username-validation]] NOTE: Usernames must be at least 1 and no more than 1024 characters. They can contain alphanumeric characters (`a-z`, `A-Z`, `0-9`), spaces, punctuation, and printable symbols in the https://en.wikipedia.org/wiki/Basic_Latin_(Unicode_block)[Basic Latin (ASCII) block]. Leading or trailing whitespace is not allowed. -- [[security-api-put-user-query-params]] ==== {api-query-parms-title} `refresh`:: (string) One of `true`, `false`, or `wait_for`. These values have the same meaning as in the <>, but the default value for this API (Put User) is `true`. [[security-api-put-user-request-body]] ==== {api-request-body-title} The following parameters can be specified in the body of a POST or PUT request: `enabled`:: (boolean) Specifies whether the user is enabled. The default value is `true`. `email`:: (string) The email of the user. `full_name`:: (string) The full name of the user. `metadata`:: (object) Arbitrary metadata that you want to associate with the user. `password`:: (string) The user's password. Passwords must be at least 6 characters long. + When adding a user, one of `password` or `password_hash` is required. When updating an existing user, the password is optional, so that other fields on the user (such as their roles) may be updated without modifying the user's password. `password_hash`:: (string) A _hash_ of the user's password. This must be produced using the same hashing algorithm as has been configured for password storage. For more details, see the explanation of the `xpack.security.authc.password_hashing.algorithm` setting in <>. + Using this parameter allows the client to pre-hash the password for performance and/or confidentiality reasons. + The `password` parameter and the `password_hash` parameter cannot be used in the same request. `roles`:: (Required, list) A set of roles the user has. The roles determine the user's access permissions. To create a user without any roles, specify an empty list: `[]`. [[security-api-put-user-example]] ==== {api-examples-title} The following example creates a user `jacknich`: [source,console] -------------------------------------------------- POST /_security/user/jacknich { "password" : "j@rV1s", "roles" : [ "admin", "other_role1" ], "full_name" : "Jack Nicholson", "email" : "jacknich@example.com", "metadata" : { "intelligence" : 7 } } -------------------------------------------------- A successful call returns a JSON structure that shows whether the user has been created or updated. [source,console-result] -------------------------------------------------- { "created": true <1> } -------------------------------------------------- <1> When an existing user is updated, `created` is set to false. After you add a user, requests from that user can be authenticated. For example: [source,shell] -------------------------------------------------- curl -u jacknich:j@rV1s http://localhost:9200/_cluster/health -------------------------------------------------- // NOTCONSOLE