Placeholder Default Image

xAuth v2.6.x
Authentication plugin for bukkit powered servers


xAuth is a second-factor authentication plugin that can be used to secure player accounts on your server. As the plugin has been enhanced over time, the direction and main purpose have expanded to new possibilities. Let's say you run a community page. With xAuth, players can authenticate using their forum accounts or using a web-driven account management system. It is also possible to get the credentials from a foreign database.

Important Notice

Before upgrading please read xAuth Documentation (external link). I have added documenation to my Confluence instance that will be updated over time. Permissions Node changed! If you get "command is restricted" you most likely did not check the release log.

Further Instructions can be found there.


The basic idea of this protection plugin is allowing players to register an account based on their player name and a supplied password and optionally their email-address. When a registered player connects to the server, that player will be prompted to authenticate his or herself by logging in. If and only if a valid password is supplied, they will regain full control of their account until their session expires.

Permissions (READ ME)

This plugin has the ability to block almost any action (including command execution) for guests and registered xauth players. It also does not use negated permissions in order to not interfere with existing plugins. Permissions are "allowed" or "restricted".

In order to restrict certain actions executed by registered xauth players you need to restrict them since xauth players are trusted. This is different from guests since the default for guests is always "restrict" if not set since a guest is an unknown state. Guest nodes can also only be set via configuration and have the last say even if you might have the right to execute any command.

Please keep in mind in order to block admin commands you need to restrict them via xauth.restrict.player.command.xauth.* or add each command to a group.

This might be confusing at first but has its cons since you always can see if a permission is restricted or allowed via permission node and not via bullet point. More details can be found on page Permission-System


  • Before registering/logging in, players can't:
    • Chat, execute commands, interact with objects (like levers or chests), move or pickup items
    • Break or place blocks
    • Receive or give damage, be targeted (followed) by hostile mobs
  • Inventory and location protection
  • Command TabCompletion including Configuration Node Browser!
  • In-depth setting and message configuration
  • Persistent login session through server restarts
  • Player name filter and password complexity configuration
  • Kick non-logged in (but registered) players after a configureable amount of time
  • Fine graded Permission System that also allows you to block interactions or commands
  • Permissions support (PermissionsEx, Bukkit, GroupManager)
  • Kick or temporarily lockout the IP address of a player who fials to log in after a configureable amount of tries
  • Custom, highly secure password hashing
  • Authenticate yourself with /login <password>
  • H2 / mySQL Database storage supported
  • Authentication over URL (AuthURL) allows for connection to forum or website databases
  • Auto-Updater (thanks to Gravity)


Checkout the News & Upcoming-Changes page for details.


The Wiki is located on github.
Please visit the http://bukkit.luricos.de/ress/icons/github_16.png Github Project-Page and click on Wiki


All credits goes to CypherX from bukkit forums who created this plugin. Thanks for your work and long time support!

The old bukkit-thread can be found here

You must login to post a comment. Don't have an account? Register to get one!

  • Avatar of luricos luricos May 20, 2015 at 09:27 UTC - 1 like

    @xion87: Go

    Thanks. I will have a look at it.

    @MasterMithrandir: Go

    There is a Tool available for that but not yet integrated into xAuth. Adding this request to roadmap.

    @xSeeron: Go

    I dont have an import ready for LoginSecurity yet.

    @Camaroz1: Go

    Extending xAuth Documentation is on my todo list

    @RaycusMX: Go

    I need to look into that. Could be a bug. Can you please open a ticket?

    @xSeeron: Go

    account limits is currently bugged. I will rework this feature when profiles are fully implemented.

  • Avatar of MasterMithrandir MasterMithrandir May 18, 2015 at 16:06 UTC - 0 likes

    Authme Reloaded sql Database converter?

    Servidor Español: mithrandir.craft.vg

  • Avatar of Camaroz1 Camaroz1 May 10, 2015 at 07:47 UTC - 0 likes

    any tutorial for Xenforo Integration?

    Indie Game VN: http://igvn.org/

  • Avatar of xSeeron xSeeron May 04, 2015 at 16:58 UTC - 0 likes

    Hi i have problem with Account-limits my confin is this http://prntscr.com/71gw88

  • Avatar of CrazzyNava CrazzyNava Apr 27, 2015 at 13:49 UTC - 0 likes

    @xSeeron: Go

    Sorry for the question, but, Why you will change your LoginSecurity?

  • Avatar of xSeeron xSeeron Apr 19, 2015 at 10:28 UTC - 0 likes

    If i have a Loginsecurity DB i can import to xAuth?

  • Avatar of LizardFreak7 LizardFreak7 Apr 18, 2015 at 20:43 UTC - 1 like

    Thank you for updating the plugin! You should post your plugin on spigot.

    Last edited Apr 19, 2015 by LizardFreak7
  • Avatar of xion87 xion87 Apr 09, 2015 at 11:11 UTC - 0 likes

    can you add capitalization checker? Because i dont want user log with different name, Scenario example:

    • user Teta register on the server
    • the same user is a tard and login with teta instead Teta
    • user file get messed because player folder got 2 uuid with the same name and confuse some plugins
      xAuth must act like this:
    • user Teta register on the server
    • the same user is a tard and login with teta instead Teta
    • xAuth say "you cant login with this name, you need to use name Teta" with a kick
    Last edited Apr 09, 2015 by xion87
  • Avatar of RaycusMX RaycusMX Apr 07, 2015 at 07:20 UTC - 0 likes

    I have a problem about login spawning. I set xauth global spawning location in a certain world (not main world), and set the world to default spawning world. Players spawn at that location before login, but after registering and logging in, they are teleported to the main world. That really makes me confused. What should I do to correct it?

    Last edited Apr 07, 2015 by RaycusMX
  • Avatar of Dimatert9 Dimatert9 Apr 02, 2015 at 20:29 UTC - 0 likes

    Pls add AuthMe Reloaded import support


Date created
Jan 23, 2012
Last update
Mar 19, 2015
Development stage
  • enUS
GNU General Public License version 3 (GPLv3)
Curse link
Recent files



Optional dependency