1---
2layout: "docs"
3page_title: "login - Command"
4sidebar_title: "<code>login</code>"
5sidebar_current: "docs-commands-login"
6description: |-
7  The "login" command authenticates users or machines to Vault using the
8  provided arguments. A successful authentication results in a Vault token -
9  conceptually similar to a session token on a website.
10---
11
12# login
13
14The `login` command authenticates users or machines to Vault using the provided
15arguments. A successful authentication results in a Vault token - conceptually
16similar to a session token on a website. By default, this token is cached on the
17local machine for future requests.
18
19The `-method` flag allows using other auth methods, such as userpass,
20github, or cert. For these, additional "K=V" pairs may be required.  For more
21information about the list of configuration parameters available for a given
22auth method, use the "vault auth help TYPE". You can also use "vault
23auth list" to see the list of enabled auth methods.
24
25If an auth method is enabled at a non-standard path, the `-method`
26flag still refers to the canonical type, but the `-path` flag refers to the
27enabled path.
28
29If the authentication is requested with response wrapping (via `-wrap-ttl`),
30the returned token is automatically unwrapped unless:
31
32  - The `-token-only` flag is used, in which case this command will output
33    the wrapping token.
34
35  - The `-no-store` flag is used, in which case this command will output the
36    details of the wrapping token.
37
38## Examples
39
40By default, login uses a "token" method:
41
42```text
43$ vault login s.3jnbMAKl1i4YS3QoKdbHzGXq
44Success! You are now authenticated. The token information displayed below
45is already stored in the token helper. You do NOT need to run "vault login"
46again. Future Vault requests will automatically use this token.
47
48Key                  Value
49---                  -----
50token                s.3jnbMAKl1i4YS3QoKdbHzGXq
51token_accessor       7Uod1Rm0ejUAz77Oh7SxpAM0
52token_duration       767h59m49s
53token_renewable      true
54token_policies       ["admin" "default"]
55identity_policies    []
56policies             ["admin" "default"]
57```
58
59To login with a different method, use `-method`:
60
61```text
62$ vault login -method=userpass username=my-username
63Password (will be hidden):
64Success! You are now authenticated. The token information below is already
65stored in the token helper. You do NOT need to run "vault login" again. Future
66requests will use this token automatically.
67
68Key                    Value
69---                    -----
70token                  s.2y4SU3Sk46dK3p2Y8q2jSBwL
71token_accessor         8J125x9SZyB76MI9uF2jSJZf
72token_duration         768h
73token_renewable        true
74token_policies         ["default"]
75identity_policies      []
76policies               ["default"]
77token_meta_username    my-username
78```
79
80~> Notice that the command option (`-method=userpass`) precedes the command
81argument (`username=my-username`).
82
83If a github auth method was enabled at the path "github-prod":
84
85```text
86$ vault login -method=github -path=github-prod
87Success! You are now authenticated. The token information below is already
88stored in the token helper. You do NOT need to run "vault login" again. Future
89requests will use this token automatically.
90
91Key                    Value
92---                    -----
93token                  s.2f3c5L1MHtnqbuNCbx90utmC
94token_accessor         JLUIXJ6ltUftTt2UYRl2lTAC
95token_duration         768h
96token_renewable        true
97token_policies         ["default"]
98identity_policies      []
99policies               ["default"]
100token_meta_org         hashicorp
101token_meta_username    my-username
102```
103
104## Usage
105
106The following flags are available in addition to the [standard set of
107flags](/docs/commands/index.html) included on all commands.
108
109### Output Options
110
111- `-field` `(string: "")` - Print only the field with the given name. Specifying
112  this option will take precedence over other formatting directives. The result
113  will not have a trailing newline making it ideal for piping to other processes.
114
115- `-format` `(string: "table")` - Print the output in the given format. Valid
116  formats are "table", "json", or "yaml". This can also be specified via the
117  `VAULT_FORMAT` environment variable.
118
119### Command Options
120
121- `-method` `(string "token")` - Type of authentication to use such as
122  "userpass" or "ldap". Note this corresponds to the TYPE, not the enabled path.
123  Use -path to specify the path where the authentication is enabled.
124
125- `-no-print` `(bool: false)` - Do not display the token. The token will be
126  still be stored to the configured token helper. The default is false.
127
128- `-no-store` `(bool: false)` - Do not persist the token to the token helper
129  (usually the local filesystem) after authentication for use in future
130  requests. The token will only be displayed in the command output.
131
132- `-path` `(string: "")` - Remote path in Vault where the auth method
133  is enabled. This defaults to the TYPE of method (e.g. userpass -> userpass/).
134
135- `-token-only` `(bool: false)` - Output only the token with no verification.
136  This flag is a shortcut for "-field=token -no-store". Setting those
137  flags to other values will have no affect.
138