unleash.unleash/website/docs/using-unleash/deploy/securing-unleash.md

---
title: Securing Unleash
---

**If you are still using Unleash v3 you need to follow the [securing-unleash-v3](./securing-unleash-v3)**

> This guide is only relevant if you are using Unleash Open-Source. The Enterprise edition does already ship with multiple SSO options, such as SAML 2.0, OpenID Connect.

Unleash Open-Source v4 comes with username/password authentication out of the box. In addition Unleash v4 also comes with API token support, to make it easy to handle access tokens for Client SDKs and programmatic access to the Unleash APIs.

### Password requirements {#password-requirements}

Unleash requires a strong password.

- minimum 10 characters long
- contains at least one uppercase letter
- contains at least one number
- contains at least one special character (symbol)

### Implementing Custom Authentication {#implementing-custom-authentication}

If you do not wish to use the built-in username/password authentication you can add a customAuthHandler

To secure the Admin API, you have to tell Unleash that you are using a custom admin authentication and implement your authentication logic as a preHook.

```javascript
const unleash = require('unleash-server');
const myCustomAdminAuth = require('./auth-hook');

unleash
  .start({
    databaseUrl: 'postgres://unleash_user:password@localhost:5432/unleash',
    authentication: {
      type: 'custom',
      customAuthHandler: myCustomAdminAuth,
    },
  })
  .then((unleash) => {
    console.log(
      `Unleash started on http://localhost:${unleash.app.get('port')}`,
    );
  });
```

Additionally, you can trigger the admin interface to prompt the user to sign in by configuring your middleware to return a `401` status on protected routes. The response body must contain a `message` and a `path` used to redirect the user to the proper login route.

```json
{
  "message": "You must be logged in to use Unleash",
  "path": "/custom/login"
}
```

Examples of custom authentication hooks:

- [securing-google-auth](https://github.com/Unleash/unleash-examples/tree/main/v4/securing-google-auth)
- [securing-basic-auth](https://github.com/Unleash/unleash-examples/tree/main/v4/securing-basic-auth)
- [securing-keycloak-auth](https://github.com/Unleash/unleash-examples/tree/main/v4/securing-keycloak-auth)
- [securing-azure-auth](https://github.com/Unleash/unleash-examples/tree/main/v4/securing-azure-auth)
chore(documentation): Added Docusaurus with a website fixes #355 2018-11-20 20:34:42 +01:00			`---`
			`title: Securing Unleash`
			`---`

feat: update docs to match v4. Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com> 2021-05-18 11:19:33 +02:00			`If you are still using Unleash v3 you need to follow the [securing-unleash-v3](./securing-unleash-v3)`
chore: more docs 2021-02-26 07:49:31 +01:00
Create Signup page for users from Invite link (#2052) * refactor: user creation screen cleanup * feat: deprecation notice for google sso * fix: docs openid typo * user invite hook mock 2022-09-14 11:42:20 +02:00			`> This guide is only relevant if you are using Unleash Open-Source. The Enterprise edition does already ship with multiple SSO options, such as SAML 2.0, OpenID Connect.`
Implement authentication support for Unleash UI. Closes: #261, #233, #232, #231 2017-11-16 16:45:01 +01:00
chore: document password requirements 2021-08-05 14:00:30 +02:00			`Unleash Open-Source v4 comes with username/password authentication out of the box. In addition Unleash v4 also comes with API token support, to make it easy to handle access tokens for Client SDKs and programmatic access to the Unleash APIs.`

			`### Password requirements {#password-requirements}`

			`Unleash requires a strong password.`

			`- minimum 10 characters long`
			`- contains at least one uppercase letter`
			`- contains at least one number`
			`- contains at least one special character (symbol)`
chore: Fix formatting all the things 2018-11-22 11:20:28 +01:00
Docusaurusv2 (#864) feat: Upgraded to Docusaurus v2 closes: #771 2021-06-04 11:17:15 +02:00			`### Implementing Custom Authentication {#implementing-custom-authentication}`
Document how to secure Unleash. closes: #233 2018-01-04 15:48:48 +01:00
chore: document password requirements 2021-08-05 14:00:30 +02:00			`If you do not wish to use the built-in username/password authentication you can add a customAuthHandler`
chore: Fix formatting all the things 2018-11-22 11:20:28 +01:00
feat: move secrets to settings (#577) * feat: move secrets to settings * feat: Add better support for detailed db options. Added db field in options to allow better control of db-options. Especially important to allow special chars in database password which might lead to an invaid url when defined as a database-url. * fix: integrate logger with knex logger * fix: remove secret option from all examples * fix: more options.js unit tests * fix: added settings-store e2e tests 2020-04-13 22:38:46 +02:00			`To secure the Admin API, you have to tell Unleash that you are using a custom admin authentication and implement your authentication logic as a preHook.`
Document how to secure Unleash. closes: #233 2018-01-04 15:48:48 +01:00
			```javascript
			`const unleash = require('unleash-server');`
			`const myCustomAdminAuth = require('./auth-hook');`

chore: Fix formatting all the things 2018-11-22 11:20:28 +01:00			`unleash`
			`.start({`
docs: update documentation and dev server use of passord (#3564) ## About the changes Update `passord` documentation with `password`. Note this was not a typo but just Norwegian: https://dictionary.cambridge.org/dictionary/english-norwegian/password ```shell grep passord * -R -l \| grep -v .git \| grep -v dist \| grep -v v3 \| xargs sed -i 's/passord/password/g' ``` The script above avoids updating v3 because of legacy reasons Related to #1265 2023-04-19 13:29:18 +02:00			`databaseUrl: 'postgres://unleash_user:password@localhost:5432/unleash',`
feat: update docs to match v4. Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com> 2021-05-18 11:19:33 +02:00			`authentication: {`
			`type: 'custom',`
			`customAuthHandler: myCustomAdminAuth,`
			`},`
chore: Fix formatting all the things 2018-11-22 11:20:28 +01:00			`})`
chore: document password requirements 2021-08-05 14:00:30 +02:00			`.then((unleash) => {`
chore: Fix formatting all the things 2018-11-22 11:20:28 +01:00			`console.log(`
			`Unleash started on http://localhost:${unleash.app.get('port')}`,
			`);`
			`});`
Document how to secure Unleash. closes: #233 2018-01-04 15:48:48 +01:00			```

chore: Fix formatting all the things 2018-11-22 11:20:28 +01:00			Additionally, you can trigger the admin interface to prompt the user to sign in by configuring your middleware to return a `401` status on protected routes. The response body must contain a `message` and a `path` used to redirect the user to the proper login route.
Add example and documentation around triggering login modal #234 2018-01-20 20:35:54 +01:00
			```json
			`{`
chore: Fix formatting all the things 2018-11-22 11:20:28 +01:00			`"message": "You must be logged in to use Unleash",`
			`"path": "/custom/login"`
Add example and documentation around triggering login modal #234 2018-01-20 20:35:54 +01:00			`}`
			```

Fix typos in documentation 2019-03-05 09:26:34 +01:00			`Examples of custom authentication hooks:`
chore: Fix formatting all the things 2018-11-22 11:20:28 +01:00
feat: update docs to match v4. Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com> 2021-05-18 11:19:33 +02:00			`- [securing-google-auth](https://github.com/Unleash/unleash-examples/tree/main/v4/securing-google-auth)`
			`- [securing-basic-auth](https://github.com/Unleash/unleash-examples/tree/main/v4/securing-basic-auth)`
			`- [securing-keycloak-auth](https://github.com/Unleash/unleash-examples/tree/main/v4/securing-keycloak-auth)`
Add azure example to the documentation page (#2641) ## About the changes Noticed there is missing link to the azure sso implementation example. 2022-12-09 11:49:38 +01:00			`- [securing-azure-auth](https://github.com/Unleash/unleash-examples/tree/main/v4/securing-azure-auth)`