EventStoreDB supports authentication based on usernames and passwords out of the box. The Enterprise version also supports LDAP as the authentication source.
Authentication is applied to all HTTP endpoints, except a few read-only (GET) endpoints and static web content.
EventStoreDB provides two default users, $admin and $ops.
$admin has full access to everything in EventStoreDB. It can read and write to protected streams, which is any stream whose name starts with $, such as $projections-master. Protected streams are usually system streams; for example, $projections-master manages some of the projections' state. The $admin user can also run operational commands, such as scavenges and shutdowns, on EventStoreDB.
The $ops user can do everything that $admin can do except manage users and read from system streams (except for
New users created in EventStoreDB are standard non-authenticated users. Non-authenticated users are allowed GET access to the /gossip endpoint. POST access to the /gossip endpoint is only allowed on the internal HTTP service.
By default, any user can read any non-protected stream unless an ACL on that stream prevents it.
You can also use the trusted intermediary header for externalized authentication that allows you to integrate almost any authentication system with EventStoreDB. Read more about the trusted intermediary header.
Disable HTTP authentication
It is possible to disable authentication on all protected HTTP endpoints by setting the DisableFirstLevelHttpAuthorization setting to true. The setting is false by default. When enabled, the setting forces EventStoreDB to use the supplied credentials only to check stream access using ACLs.
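The following is an added example, not EventStoreDB's own authorization code, that models the rules this page describes: protected streams are those starting with $, $admin has full access, $ops has everything except user management and reading system streams, ordinary and unauthenticated users are limited to non-protected streams subject to ACLs, a few endpoints such as GET /gossip need no credentials, and DisableFirstLevelHttpAuthorization drops the role-based first level so that only the ACL is consulted. The names Acl, Settings, default_acl, check_stream_access, check_operation and unauthenticated_http_allowed, the default ACLs on protected streams, and the "/web/" prefix standing in for static content are assumptions made for this example.

```python
# Illustrative model of the access rules this page describes. Added example
# code, not EventStoreDB's own implementation: Acl, Settings, default_acl,
# check_stream_access, check_operation, unauthenticated_http_allowed and the
# "/web/" prefix for static content are assumptions for this example.
from dataclasses import dataclass
from typing import Dict, Optional, Set

ADMIN = "$admin"
OPS = "$ops"


def is_protected(stream: str) -> bool:
    """Protected (system) streams are those whose name starts with '$'."""
    return stream.startswith("$")


@dataclass
class Acl:
    """Simplified per-stream ACL: None means the operation is not restricted."""
    read: Optional[Set[str]] = None
    write: Optional[Set[str]] = None

    def allows(self, op: str, user: Optional[str]) -> bool:
        allowed = self.read if op == "read" else self.write
        # $admin always passes an ACL check in this model.
        return user == ADMIN or allowed is None or user in allowed


@dataclass
class Settings:
    # Mirrors the DisableFirstLevelHttpAuthorization option described above.
    disable_first_level_http_authorization: bool = False


def default_acl(stream: str) -> Acl:
    """Constructed defaults for the model: protected streams are readable only by
    $admin and writable by $admin and $ops; other streams are open by default."""
    if is_protected(stream):
        return Acl(read={ADMIN}, write={ADMIN, OPS})
    return Acl()


def check_stream_access(user: Optional[str], op: str, stream: str,
                        acls: Dict[str, Acl],
                        settings: Optional[Settings] = None) -> bool:
    """Decide whether `user` (None = not authenticated) may `op` ('read' or
    'write') `stream`. First level: role rules for $admin, $ops and everyone
    else, which can only deny. Second level: the stream's ACL. With the first
    level disabled, the credentials are used only for the ACL check."""
    settings = settings or Settings()
    if not settings.disable_first_level_http_authorization:
        if user == OPS and op == "read" and is_protected(stream):
            # $ops cannot read system streams (the page notes a few exceptions
            # that this model leaves out).
            return False
        if user not in (ADMIN, OPS) and is_protected(stream):
            # Ordinary and unauthenticated users never reach protected streams.
            return False
    return acls.get(stream, default_acl(stream)).allows(op, user)


def check_operation(user: Optional[str], operation: str) -> bool:
    """Operational commands: $admin does everything; $ops everything except
    user management; nobody else may run them."""
    if user == ADMIN:
        return True
    if user == OPS:
        return operation != "manage_users"
    return False


def unauthenticated_http_allowed(method: str, path: str,
                                 internal_service: bool = False) -> bool:
    """Requests that succeed without credentials: GET on /gossip and on static
    web content, plus POST /gossip only on the internal HTTP service."""
    if method == "GET" and (path == "/gossip" or path.startswith("/web/")):
        return True
    if method == "POST" and path == "/gossip":
        return internal_service
    return False


if __name__ == "__main__":
    # Constructed sample ACL table: a stream readable only by alice.
    acls = {"orders-1": Acl(read={"alice"})}
    print(check_stream_access(OPS, "read", "$projections-master", acls))   # False
    print(check_stream_access("bob", "read", "orders-1", acls))            # False
    lax = Settings(disable_first_level_http_authorization=True)
    print(check_stream_access(OPS, "read", "$projections-master",
                              {"$projections-master": Acl(read={OPS})}, lax))  # True
```

The last call shows the practical effect of DisableFirstLevelHttpAuthorization: once the role-based level is off, an ACL entry alone is enough to let $ops read a system stream that the first level would otherwise have refused, so ACLs on protected streams deserve review before that setting is turned on.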