1--- 2layout: "docs" 3page_title: "login - Command" 4sidebar_title: "<code>login</code>" 5sidebar_current: "docs-commands-login" 6description: |- 7 The "login" command authenticates users or machines to Vault using the 8 provided arguments. A successful authentication results in a Vault token - 9 conceptually similar to a session token on a website. 10--- 11 12# login 13 14The `login` command authenticates users or machines to Vault using the provided 15arguments. A successful authentication results in a Vault token - conceptually 16similar to a session token on a website. By default, this token is cached on the 17local machine for future requests. 18 19The `-method` flag allows using other auth methods, such as userpass, 20github, or cert. For these, additional "K=V" pairs may be required. For more 21information about the list of configuration parameters available for a given 22auth method, use the "vault auth help TYPE". You can also use "vault 23auth list" to see the list of enabled auth methods. 24 25If an auth method is enabled at a non-standard path, the `-method` 26flag still refers to the canonical type, but the `-path` flag refers to the 27enabled path. 28 29If the authentication is requested with response wrapping (via `-wrap-ttl`), 30the returned token is automatically unwrapped unless: 31 32 - The `-token-only` flag is used, in which case this command will output 33 the wrapping token. 34 35 - The `-no-store` flag is used, in which case this command will output the 36 details of the wrapping token. 37 38## Examples 39 40By default, login uses a "token" method: 41 42```text 43$ vault login s.3jnbMAKl1i4YS3QoKdbHzGXq 44Success! You are now authenticated. The token information displayed below 45is already stored in the token helper. You do NOT need to run "vault login" 46again. Future Vault requests will automatically use this token. 47 48Key Value 49--- ----- 50token s.3jnbMAKl1i4YS3QoKdbHzGXq 51token_accessor 7Uod1Rm0ejUAz77Oh7SxpAM0 52token_duration 767h59m49s 53token_renewable true 54token_policies ["admin" "default"] 55identity_policies [] 56policies ["admin" "default"] 57``` 58 59To login with a different method, use `-method`: 60 61```text 62$ vault login -method=userpass username=my-username 63Password (will be hidden): 64Success! You are now authenticated. The token information below is already 65stored in the token helper. You do NOT need to run "vault login" again. Future 66requests will use this token automatically. 67 68Key Value 69--- ----- 70token s.2y4SU3Sk46dK3p2Y8q2jSBwL 71token_accessor 8J125x9SZyB76MI9uF2jSJZf 72token_duration 768h 73token_renewable true 74token_policies ["default"] 75identity_policies [] 76policies ["default"] 77token_meta_username my-username 78``` 79 80~> Notice that the command option (`-method=userpass`) precedes the command 81argument (`username=my-username`). 82 83If a github auth method was enabled at the path "github-prod": 84 85```text 86$ vault login -method=github -path=github-prod 87Success! You are now authenticated. The token information below is already 88stored in the token helper. You do NOT need to run "vault login" again. Future 89requests will use this token automatically. 90 91Key Value 92--- ----- 93token s.2f3c5L1MHtnqbuNCbx90utmC 94token_accessor JLUIXJ6ltUftTt2UYRl2lTAC 95token_duration 768h 96token_renewable true 97token_policies ["default"] 98identity_policies [] 99policies ["default"] 100token_meta_org hashicorp 101token_meta_username my-username 102``` 103 104## Usage 105 106The following flags are available in addition to the [standard set of 107flags](/docs/commands/index.html) included on all commands. 108 109### Output Options 110 111- `-field` `(string: "")` - Print only the field with the given name. Specifying 112 this option will take precedence over other formatting directives. The result 113 will not have a trailing newline making it ideal for piping to other processes. 114 115- `-format` `(string: "table")` - Print the output in the given format. Valid 116 formats are "table", "json", or "yaml". This can also be specified via the 117 `VAULT_FORMAT` environment variable. 118 119### Command Options 120 121- `-method` `(string "token")` - Type of authentication to use such as 122 "userpass" or "ldap". Note this corresponds to the TYPE, not the enabled path. 123 Use -path to specify the path where the authentication is enabled. 124 125- `-no-print` `(bool: false)` - Do not display the token. The token will be 126 still be stored to the configured token helper. The default is false. 127 128- `-no-store` `(bool: false)` - Do not persist the token to the token helper 129 (usually the local filesystem) after authentication for use in future 130 requests. The token will only be displayed in the command output. 131 132- `-path` `(string: "")` - Remote path in Vault where the auth method 133 is enabled. This defaults to the TYPE of method (e.g. userpass -> userpass/). 134 135- `-token-only` `(bool: false)` - Output only the token with no verification. 136 This flag is a shortcut for "-field=token -no-store". Setting those 137 flags to other values will have no affect. 138