Placeholder Default Image

xAuth v2.6.x
Authentication plugin for bukkit powered servers


xAuth is a second-factor authentication plugin that can be used to secure player accounts on your server. As the plugin has been enhanced over time, the direction and main purpose have expanded to new possibilities. Let's say you run a community page. With xAuth, players can authenticate using their forum accounts or using a web-driven account management system. It is also possible to get the credentials from a foreign database.

Important Notice

Before upgrading please read xAuth Documentation (external link). I have added documenation to my Confluence instance that will be updated over time. Permissions Node changed! If you get "command is restricted" you most likely did not check the release log.

Further Instructions can be found there.


The basic idea of this protection plugin is allowing players to register an account based on their player name and a supplied password and optionally their email-address. When a registered player connects to the server, that player will be prompted to authenticate his or herself by logging in. If and only if a valid password is supplied, they will regain full control of their account until their session expires.

Permissions (READ ME)

This plugin has the ability to block almost any action (including command execution) for guests and registered xauth players. It also does not use negated permissions in order to not interfere with existing plugins. Permissions are "allowed" or "restricted".

In order to restrict certain actions executed by registered xauth players you need to restrict them since xauth players are trusted. This is different from guests since the default for guests is always "restrict" if not set since a guest is an unknown state. Guest nodes can also only be set via configuration and have the last say even if you might have the right to execute any command.

Please keep in mind in order to block admin commands you need to restrict them via xauth.restrict.player.command.xauth.* or add each command to a group.

This might be confusing at first but has its cons since you always can see if a permission is restricted or allowed via permission node and not via bullet point. More details can be found on page Permission-System


  • Before registering/logging in, players can't:
    • Chat, execute commands, interact with objects (like levers or chests), move or pickup items
    • Break or place blocks
    • Receive or give damage, be targeted (followed) by hostile mobs
  • Inventory and location protection
  • Command TabCompletion including Configuration Node Browser!
  • In-depth setting and message configuration
  • Persistent login session through server restarts
  • Player name filter and password complexity configuration
  • Kick non-logged in (but registered) players after a configureable amount of time
  • Fine graded Permission System that also allows you to block interactions or commands
  • Permissions support (PermissionsEx, Bukkit, GroupManager)
  • Kick or temporarily lockout the IP address of a player who fials to log in after a configureable amount of tries
  • Custom, highly secure password hashing
  • Authenticate yourself with /login <password>
  • H2 / mySQL Database storage supported
  • Authentication over URL (AuthURL) allows for connection to forum or website databases
  • Auto-Updater (thanks to Gravity)


Checkout the News & Upcoming-Changes page for details.


The Wiki is located on github.
Please visit the http://bukkit.luricos.de/ress/icons/github_16.png Github Project-Page and click on Wiki


All credits goes to CypherX from bukkit forums who created this plugin. Thanks for your work and long time support!

The old bukkit-thread can be found here

You must login to post a comment. Don't have an account? Register to get one!

  • Avatar of games647 games647 Sep 14, 2016 at 15:50 UTC - 0 likes

    @luricos: Go

    It's been months. Still no new update

    FastLogin Auto login cracked accounts if the player has a paid account
    ScoreboardStats Fast custom scoreboard + compatibility with other scoreboard plugins
    ChangeSkin Change your ingame skin
    LagMonitor Analyze your server performance
    Minecraft Database

  • Avatar of LueLusten LueLusten Sep 05, 2016 at 10:52 UTC - 0 likes

    @luricos: Go

    Any news on a update, I have a auth plugin but I still looking around for one, yours says the user can register and set up via a website, this is what I want then users login via the game no register in game so I can manage my user base online without a problem.

  • Avatar of luricos luricos Jul 10, 2016 at 22:23 UTC - 0 likes

    im currently updating my development environment and will bring out a compatible version.

  • Avatar of rakion99 rakion99 Jun 10, 2016 at 04:45 UTC - 0 likes

    almost everyone is now in java 8 and this was/is the best auth plugin for bukkit/spigot, u.u i tried by myself to fix the permission issue in java 8 but i failed :C but is normal because i only know the basic of java, authme cause lag spikes and lag when a player join, but back in time when i was using xauth all was smoth and fast :D i dont want to this plugin die in the shadows like a lot of great plugins, anyways great work on keeping xauth alive

    Last edited Jun 16, 2016 by rakion99


  • Avatar of XxDawnsusxX XxDawnsusxX May 20, 2016 at 01:50 UTC - 0 likes

    @games647: Go

    Unfortunately that doesn't seem to work, apparently only working for Java Versions under 7.

  • Avatar of XxDawnsusxX XxDawnsusxX Apr 10, 2016 at 14:12 UTC - 0 likes

    What are the permissions to add so players can register/login?

  • Avatar of olool1 olool1 Mar 04, 2016 at 12:24 UTC - 0 likes

    @luricos: Go

    Hi! Is there any plugin update to 1.8/1.9 minecraft?

  • Avatar of luricos luricos Jan 31, 2016 at 18:44 UTC - 0 likes

    @Gnacik: Go

    ím working on a remote java app where you can do all sorts of this stuff outside of minecraft. Also password recovery is on my list yes.

  • Avatar of Gnacik Gnacik Jan 31, 2016 at 14:16 UTC - 0 likes

    I have in pex that nodes, and its working :

        - -xauth.allow.player.command.xauth.*
        - xauth.restrict.player.command.xauth.*
        - xauth.allow.*

    make sure that you are using java7

    Luricos: maybe you have in plans some email based system to password recover ? Its important feature which is missing. Players alwyas forget passwords, loose pass, or give to other players (and that other one is changing it) and its always problem to check who is real account owner. So password recovery feature will be really nice :)




Date created
Jan 23, 2012
Last update
Mar 19, 2015
Development stage
  • enUS
GNU General Public License version 3 (GPLv3)
Curse link
Reverse relationships
Recent files



Optional dependency