Skip to main content
Version: 0.7.5

Authentication and authorization

Skytable supports token-based authentication as an authentication scheme, with more on the way in future releases. In this document, we explore how you can set up authentication on your Skytable instance.

Token-based authentication

Token-based authentication is just like password-based authentication with the exception that the password is generated by the server, and is cryptographically strong. All login operations are resistant to brute-force search attacks. Read more here.

Permission model

There are three kinds of users:

  • Superuser: These users have access to everything
  • Standard user: These users have access to all tables and keyspaces, but don't have access to the actions exclusive to the superusers. For example, the following actions cannot be performed by standard users:
    • auth deluser
    • auth adduser
  • Anonymous user: This is the default account type you're logged into when you connect to an instance that has authn/authz enabled. This is a very limited account and only has access to the following:
    • auth claim
    • auth login

Currently, there can only be one superuser, which is the root account and any number of standard users.

Enabling authn

  1. Set an origin key using your preferred mode of configuration. The origin key is a 40-character long ASCII string. The simplest way to generate a secure origin key is by using OpenSSL:

    openssl rand -hex 20
  2. Now launch a skysh instance and connect to your instance

  3. First claim the root account using your origin key:

    auth claim <origin-key>

    The server will respond with the root token. Keep this safe; the root user can only be claimed once!

  4. Now create other users. These users are standard users.

    auth adduser <username>

    The server will again respond with a token for the given user

  5. You can now login using the token:

    auth login <username> <token>

See the complete documentation for the auth action here


The password produced has 54 characters, is cryptographically strong and hence is extremely secure. The password has the following alphabet (character set):


Every login operation initiates an expensive verification operation that is based on bcrypt; this makes logins resistant to brute-force attacks. Also, just like any password storage system, plaintext passwords are never stored by the server.

Restoring tokens

Yeah, no matter how well we safeguard our passwords, we tend to lose them. So, don't worry if you did lose any of your tokens. Here are two simple ways to restore your tokens:

  1. You have your root password: First log into your root account and then run:
    auth restore <username>
    for the users who have lost their passwords
  2. You have lost your root password: That's okay! See which situation matches yours:
    1. You still have your origin key: Simply run:
      auth restore <origin key> root
      You can also run:
      auth restore <origin key> <username>
      to restore other tokens using the origin key although it's easier to just log into the root account and then restore other accounts
    2. You have lost your origin key: That's fine too, as long you have shell access to the node on which your instance is running. Simply create a new origin key and update your configuration. Then follow the above step (2(i)) and you're good to go.

      This however means that you'll have to shut down your instance