
xAuth v2.4.x
Authentication plugin for bukkit powered servers


xAuth is a second-factor authentication plugin that can be used to secure player accounts on your server. As the plugin has been enhanced over time, the direction and main purpose have expanded to new possibilities. Let's say you run a community page. With xAuth, players can authenticate using their forum accounts or using a web-driven account management system. It is also possible to get the credentials from a foreign database.

News and Updates

Please check out News and upcoming changes for news and update notices.


The basic idea of this protection plugin is to let players register an account based on their player name and a supplied password, and optionally their email address. When a registered player connects to the server, that player will be prompted to authenticate by logging in. If and only if a valid password is supplied, they will regain full control of their account until their session expires.

Permissions (READ ME)

This plugin can block almost any action (including command execution) for guests and registered xAuth players. It does not use negated permissions, so that it does not interfere with existing plugins. Permissions are either "allowed" or "restricted".

Registered xAuth players are trusted, so to keep them from performing certain actions you must restrict those actions explicitly. Guests are different: a guest is an unknown state, so the default for guests is always "restrict" if nothing is set. Guest nodes can only be set via the configuration, and they have the last say even if you might otherwise have the right to execute any command.

Please keep in mind that in order to block admin commands you need to restrict them via xauth.restrict.player.command.xauth.* or add each command to a group.

This might be confusing at first, but it has its advantages: you can always see whether a permission is restricted or allowed from the permission node itself rather than from a bullet point. More details can be found on the Permission-System page.


  • Before registering/logging in, players can't:
    • Chat, execute commands, interact with objects (like levers or chests), move or pickup items
    • Break or place blocks
    • Receive or give damage, be targeted (followed) by hostile mobs
  • Inventory and location protection
  • In-depth setting and message configuration
  • Persistent login session through server restarts
  • Player name filter and password complexity configuration
  • Kick non-logged-in (but registered) players after a configurable amount of time
  • Fine-grained permission system that also allows you to block interactions or commands
  • Permissions support (PermissionsEx, Bukkit, GroupManager)
  • Kick or temporarily lock out the IP address of a player who fails to log in after a configurable number of tries
  • Custom, highly secure password hashing
  • Authenticate yourself with /login <password>
  • H2 / MySQL database storage supported
  • Authentication over URL (AuthURL) allows for connection to forum or website databases
  • Auto-Updater (thanks to Gravity)


Check out the News & Upcoming-Changes page for details.


The Wiki is located on GitHub.
Please visit the GitHub project page and click on Wiki.


All credit goes to CypherX from the Bukkit forums, who created this plugin. Thanks for your work and long-time support!

The old bukkit-thread can be found here


  • LizardFreak7 Feb 22, 2015 at 04:24 UTC - 1 like

    Luricos, when will my issue on the jira be fixed?

    Last edited Feb 22, 2015 by LizardFreak7
  • CompeteToDefeat Feb 04, 2015 at 22:34 UTC - 0 likes

    @harrykennedy If you're using bungee this is not really what you're going to want, at least not by itself. If you do use this or even AuthMe Reloaded on its own you'll have to disable any bungee commands you don't want people to be able to use. I'd suggest AuthMe Reloaded and AuthMe Bridge. There's also a bridge for XAuth; however, since AuthMe Reloaded is still being actively updated it's a better option IMO. Also if you have multiple lobbies (or any server somebody could initially land on) each will need the authentication plugin installed. If a player could potentially land on more than one server use a shared MySQL database for all of them so once they register on one they won't need to on any others. That's the setup I used and it worked flawlessly for multiple lobbies and without me having to disable any of the bungee commands.


  • Megasuper1232 Jan 03, 2015 at 08:49 UTC - 1 like

    luricos update to 1.7.2

  • harrykennedy Nov 28, 2014 at 16:31 UTC - 0 likes

    OK, I have it working but players can do /server without logging in

  • harrykennedy Nov 26, 2014 at 20:08 UTC - 0 likes

    It won't work. It is there, but when I do /plugins it is red. Is it outdated? If so, please update it.

  • TheEnKrypt Nov 26, 2014 at 15:43 UTC - 0 likes

    I had an entire rant planned in my mind, but that's obviously not going to help either party so I shall keep my problem description as civil as possible.

    Admin commands are available to non-ops by default to anyone who's logged in. So basically, once I've logged in, I can change anyone else's password and your plugin won't complain about it. But you obviously already know about this since you've mentioned above how you implemented this "feature" so that compatibility with some plugins is preserved.

    That is all well and good but I'm not using any sort of extra permissions plugin. In fact my server is pretty low end with very few plugins. Your plugin had been very useful in the past so I decided to use it here.

    Now I can't make my server public in fear of users misusing your so called "feature". I'm sure I'm not the only user being faced with this serious problem. So here's a few things you could do to solve it for us:

    1. Give us a version with this obvious security hole fixed.

    2. Write an example permissions.yml file that does not use any external permissions plugin that restricts admin commands to non ops.

    3. Tell us about a different plugin that has the same functionality minus your "feature".

    I've been breaking my head over what seems to be a pointless issue over and over for a week now. Ignore my rudeness, please. I'm just extremely annoyed at this point.

  • oOBartekOo Nov 14, 2014 at 19:06 UTC - 0 likes

    Hello I wanted to ask luricos Lord when will xauth updated on UUID 1.7.10? If I did have any errors in the text I'm sorry I'm Polish :)

  • luricos Nov 03, 2014 at 00:26 UTC - 0 likes

    @Avasam:

    It seems I need to fix the configuration command, since it seems that non-existing nodes will result in not being able to set them. Since guest.restrict.block.place is a boolean node and not a nested one, it will return that error.

    You can try to edit the config and add minecart as a subnode of block.place (watch out for correct space indent (4 spaces, no tabs)).

    If the output of a restriction node is false then it's not restricted, meaning you can move. So a result false from restrict means "yes, it's allowed". If a restriction node returns true, it's set to not allow, meaning restricted = true.

    Guest nodes are kind of special and it seems I need to work on that, since it seems that a specific check for playername move of the debugging output will result in restrict = false whereas player move check is restricted, and that's what is checked inside the move event. This is not very clear here and I need to fix that.

    But for the moment just remember that a guest node has no player name checking. It will only check for the event name and action. That means if a player named bob is a guest and wants to place a block then only "guest.restrict.block.place.rail" is checked since we do not trust playernames. Name checking only works for logged in players using the /login command. Even if the debug output will give you another output for the complete node.

    The debug output simply does not respect guest restrictions right now.

    If guest.restrict.player.command.login returns true then you should not be able to use that command since it's restricted.

  • Avasam Oct 31, 2014 at 04:57 UTC - 0 likes

    /xauth config guest.restrict.block.place.minecart false : "This configuration node does not exist!"

    Also, I get these but still can't move around/place blocks etc. (if guest.restricted returns false I should be able to do it, right?)

    30.10 23:46:47 [Server] INFO Event: 'PlayerMoveEvent', Section: 'player', Action: 'move'
    30.10 23:46:47 [Server] INFO [HQ Guest] ConfigNode: 'guest.restrict.player.move.player.avasam', result: false

    30.10 23:54:59 [Server] INFO Event: 'PlayerInteractEvent', Section: 'player', Action: 'interact'
    30.10 23:54:59 [Server] INFO [HQ Guest] ConfigNode: 'guest.restrict.player.interact.doublestep', result: false

    I tried using the commands '/xauth config guest.restrict.player.interact true' and '/xauth config guest.restrict.player.move true' but it still returns false for some reason.

    (Oh and letting guests place minecarts as a temp fix is exactly what I'm trying to do. But I'm stuck with a more fundamental problem)

    Edit: Meanwhile, this is the node I'm looking for (once I get the whole thing working): guest.restrict.player.interact.rails

    Edit 2: It seems that 'result: true' means I CAN do it. (wrong) but still, 'guest.restrict.player.command.login' is the only guest node that will ever return 'true' no matter what I tried. (xauth nodes are also working properly)

    Last edited Nov 07, 2014 by Avasam
  • luricos Oct 29, 2014 at 23:46 UTC - 0 likes

    @Avasam:

    Okay, so this is actually a problem related to the implementation. I do not know enough about Spigot or Cauldron so I cannot say if the cart placement can be done without using a fakeplayer. Seems the author of railcraft decided to use the fakeplayer to be compatible with MCPC+.

    I'm afraid you need to contact the author. If you want you can give him my contact details or link him to my github repo so he can write me a message. Maybe we can sort this out.

    From what I can tell the problem is related to that specific check if the cart can actually be placed. He does that with a fakeplayer which will not be able to place since that fakeplayer does not authenticate with xauth. You could however allow minecart item placement for guests but be aware that any guest could place them too.

    I would however use this only as a temporary solution. Use the xauth debug mode to check what node is used when you try to place a minecart. This can be done as a logged in user since you only have to replace xauth. with guest. The nodes are built in the exact same way.

    Check out http://dev.bukkit.org/bukkit-plugins/xauth/pages/permission-system/ for how to enable the permission debug option. You will find a handy cheat sheet there too.

    If I remember correctly the node requested would be guest.restrict.block.place.<block id or name>

    So xauth config guest.restrict.block.place.328 false or xauth config guest.restrict.block.place.minecart false should allow placing this block.

    Last edited Oct 29, 2014 by luricos


Date created
Jan 23, 2012
Last update
Oct 22, 2013
GNU General Public License version 3 (GPLv3)