---
title: Set up internal Kapacitor authorizations
description: Use user-based authorizations stored and managed in Kapacitor to authenticate requests to the Kapacitor HTTP API.
url: https://docs.influxdata.com/kapacitor/v1/administration/auth/kapacitor-auth/
estimated_tokens: 2060
product: Kapacitor
version: v1
---

# Set up internal Kapacitor authorizations

Use user-based authorizations and permissions stored in Kapacitor to authenticate requests to the Kapacitor HTTP API.

## Use Kapacitor authorizations

1. Create an **admin** user:
    
    1. Set the following in the `[auth]` configuration group in your `kapacitor.conf`:
        
        -   **enabled**: true
        -   **bcrypt**: *an integer greater than or equal to 4*
        -   **meta-\***: *empty string or false*
        
        ```toml
        [auth]
          enabled = true
          cache-expiration = "1h"
          bcrypt-cost = 4
          meta-addr = ""
          meta-username = ""
          meta-password = ""
          meta-use-tls = false
          meta-ca = ""
          meta-cert = ""
          meta-key = ""
          meta-insecure-skip-verify = false
        ```
        
        Or use environment variables to set these configuration options:
        
        ```sh
        export KAPACITOR_AUTH_ENABLED=true
        export KAPACITOR_AUTH_BCRYPT=4
        ```
        
    2. Start `kapacitord` using the updated configuration:
        
        ```sh
        kapactord -config /path/to/kapacitor.conf
        ```
        
    3. Use the `/users` endpoint of the Kapacitor HTTP API to create a new admin user. In the request body, provide a JSON object with the following fields:
        
        -   **name**: *admin username*
        -   **password**: *admin password*
        -   **type**: `"admin"`
        
        ```sh
        curl --request POST 'http://localhost:9092/kapacitor/v1/users' \
          --data '{
            "name": "exampleUsername",
            "password": "examplePassword",
            "type":"admin"
        }'
        ```
        
2. Stop the `kapacitord` service.
    
3. Set `[http].auth-enabled` to `true` in your `kapacitor.conf`:
    
    ```toml
    [http]
      #...
      auth-enabled = true
      #...
    ```
    
    Or use the `KAPACITOR_HTTP_AUTH_ENABLED` environment variable:
    
    ```sh
    export KAPACITOR_HTTP_AUTH_ENABLED=true
    ```
    
4. Restart `kapacitord` with the updated configuration.
    
    ```sh
    kapacitord -config /path/to/kapacitor.conf
    ```
    
5. *(Optional)* Create additional users with user-specific permissions. For more information, see:
    
    -   [Kapacitor HTTP API – Create a user](/kapacitor/v1/working/api/#create-a-user)
    -   [Kapacitor user types and permissions](/kapacitor/v1/reference/user-types-permissions)

## Authenticate with the Kapacitor CLI

To authenticate with Kapacitor when using the [`kapacitor` CLI](/kapacitor/v1/working/cli_client/), provide your username and password as part of the Kapacitor `-url`:

```sh
# Syntax
kapacitor -url http://<username>:<password>@localhost:9092

# Example
kapacitor -url http://admin:Pa5sw0Rd@localhost:9092
```

## Authenticate with the Kapacitor API

To authenticate directly with the Kapacitor API, use **basic authentication** to provide your username and password.

```sh
# Syntax
curl --request GET http://localhost:9092/kapacitor/v1/tasks \
  -u "<username>:<password>" 

# Example
curl --request GET http://localhost:9092/kapacitor/v1/tasks \
  -u "johndoe:Pa5sw0Rd" 
```

#### Related

-   [Kapacitor HTTP API – Manage users](/kapacitor/v1/working/api/#users)
-   [Kapacitor user types and permissions](/kapacitor/v1/reference/user-types-permissions/)