
Authentication Mechanisms

On this page

  • Overview
  • Specify an Authentication Mechanism
  • Mechanisms
  • Default
  • SCRAM-SHA-256
  • SCRAM-SHA-1
  • MONGODB-CR
  • MONGODB-AWS
  • X.509

In this guide, you can learn how to authenticate with MongoDB using each authentication mechanism available in the MongoDB Community Edition. Authentication mechanisms are processes by which the driver and server confirm identity and establish trust to ensure security.

The mechanisms that you can use with the latest version of MongoDB Community Edition are as follows:

To authenticate using Kerberos or LDAP, see the Enterprise Authentication Mechanisms guide. For more information on establishing a connection to your MongoDB cluster, read our Connection Guide.

You can specify your authentication mechanism and credentials when connecting to MongoDB using either of the following:

  • A connection string
  • A MongoCredential factory method

A connection string (also known as a connection URI) specifies how to connect and authenticate to your MongoDB cluster.

To authenticate using a connection string, include your settings in your connection string and pass it to the MongoClients.create() method to instantiate your MongoClient.

Alternatively, you can use the MongoCredential class to specify your authentication details. The MongoCredential class contains static factory methods that construct instances containing your authentication mechanism and credentials. When you use the MongoCredential helper class, you need to use the MongoClientSettings.Builder class to configure your connection settings when constructing your MongoClient.

For more information on these classes and methods, refer to the following API documentation:

The default authentication mechanism setting uses one of the following authentication mechanisms depending on what your MongoDB server supports:

  1. SCRAM-SHA-256
  2. SCRAM-SHA-1
  3. MONGODB-CR

Server versions 3.6 and earlier use MONGODB-CR as the default mechanism. Newer versions of the server use one of the mechanisms for which they advertise support.

The following code snippets show how to specify the authentication mechanism, using the following placeholders:

  • username - your MongoDB username.
  • password - your MongoDB user's password.
  • hostname - network address of your MongoDB server, accessible by your client.
  • port - port number of your MongoDB server.
  • authenticationDb - MongoDB database that contains your user's authentication data. If you omit this parameter, the driver uses the default value admin.


For more information on the challenge-response (CR) and salted challenge-response authentication mechanisms (SCRAM) that MongoDB supports, see the SCRAM section of the server manual.

Note: SCRAM-SHA-256 is the default authentication method for MongoDB starting in MongoDB 4.0.

SCRAM-SHA-256 is a salted challenge-response authentication mechanism (SCRAM) that uses your username and password, hashed with the SHA-256 algorithm, to authenticate your user.

The following code snippets show how to specify the authentication mechanism, using the following placeholders:

  • username - your MongoDB username.
  • password - your MongoDB user's password.
  • hostname - network address of your MongoDB server, accessible by your client.
  • port - port number of your MongoDB server.
  • authenticationDb - MongoDB database that contains your user's authentication data. If you omit this parameter, the driver uses the default value admin.


Note: SCRAM-SHA-1 is the default authentication method for MongoDB versions 3.0, 3.2, 3.4, and 3.6.

SCRAM-SHA-1 is a salted challenge-response mechanism (SCRAM) that uses your username and password, hashed with the SHA-1 algorithm, to authenticate your user.

The following code snippets show how to specify the authentication mechanism, using the following placeholders:

  • username - your MongoDB username.
  • password - your MongoDB user's password.
  • hostname - network address of your MongoDB server, accessible by your client.
  • port - port number of your MongoDB server.
  • authenticationDb - MongoDB database that contains your user's authentication data. If you omit this parameter, the driver uses the default value admin.


MONGODB-CR is a challenge-response authentication mechanism that uses your username and password to authenticate your user. This authentication mechanism was deprecated starting in MongoDB 3.6 and is no longer supported as of MongoDB 4.0.

You cannot specify this method explicitly; refer to the fallback provided by the default authentication mechanism to connect using MONGODB-CR.
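The Default, SCRAM-SHA-256 and SCRAM-SHA-1 sections above, shown in both the connection-string and MongoCredential forms. This is an added example, not code from the original page; the class name, host, user and the MONGODB_PASSWORD variable are assumptions, and it expects the MongoDB Java sync driver on the classpath. The `pinnedMechanism` helper reports whether a connection string names a mechanism or leaves the choice to the default selection.

```java
import com.mongodb.AuthenticationMechanism;
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import java.util.Collections;

public class ScramAuthExample {
    // Placeholder values (assumptions, not from the page).
    static final String USER = "appUser", AUTH_DB = "admin", HOST = "db.example.com";
    static final int PORT = 27017;

    // Connection-string form. authMechanism pins SCRAM-SHA-256; without it the
    // driver uses the default mechanism selection described above.
    static String scramSha256Uri(String urlEncodedPassword) {
        return "mongodb://" + USER + ":" + urlEncodedPassword + "@" + HOST + ":" + PORT
                + "/?authSource=" + AUTH_DB + "&authMechanism=SCRAM-SHA-256";
    }

    // MongoCredential form: the credential is attached through MongoClientSettings.Builder.
    static MongoClientSettings settingsFor(MongoCredential credential) {
        return MongoClientSettings.builder()
                .applyToClusterSettings(b ->
                        b.hosts(Collections.singletonList(new ServerAddress(HOST, PORT))))
                .credential(credential)
                .build();
    }

    // Mechanism a connection string pins, or null when it relies on the default.
    static AuthenticationMechanism pinnedMechanism(String uri) {
        MongoCredential c = new ConnectionString(uri).getCredential();
        return c == null ? null : c.getAuthenticationMechanism();
    }

    public static void main(String[] args) {
        String secret = System.getenv("MONGODB_PASSWORD"); // variable name is an assumption
        char[] password = (secret == null ? "constructed-password" : secret).toCharArray();
        MongoCredential byDefault = MongoCredential.createCredential(USER, AUTH_DB, password);
        MongoCredential sha256 = MongoCredential.createScramSha256Credential(USER, AUTH_DB, password);
        MongoCredential sha1 = MongoCredential.createScramSha1Credential(USER, AUTH_DB, password);
        System.out.println(byDefault.getMechanism() + " " + sha256.getMechanism() + " " + sha1.getMechanism());
        System.out.println(pinnedMechanism(scramSha256Uri("constructed-password")));
        // Pass the settings to MongoClients.create() to build the client.
        try (MongoClient client = MongoClients.create(settingsFor(sha256))) {
            System.out.println(client.getDatabase(AUTH_DB).getName());
        }
    }
}
```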

Note: The MONGODB-AWS authentication mechanism is only available in MongoDB versions 4.4 and later.

The MONGODB-AWS authentication mechanism uses your Amazon Web Services Identity and Access Management (AWS IAM) credentials to authenticate your user.

The following code snippets show how to specify the authentication mechanism, using the following placeholders:

  • username - value of your AWS_ACCESS_KEY_ID.
  • password - value of your AWS_SECRET_ACCESS_KEY.
  • hostname - network address of your MongoDB server, accessible by your client.
  • port - port number of your MongoDB server.
  • authenticationDb - MongoDB database that contains your user's authentication data. If you omit this parameter, the driver uses the default value admin.
  • awsSessionToken - (optional) value of your AWS_SESSION_TOKEN.


The X.509 authentication mechanism uses TLS with X.509 certificates to authenticate your user, identified by the relative distinguished names (RDNs) of your client certificate. When you specify the X.509 authentication mechanism, the server authenticates the connection using the subject name of the client certificate.

The following code snippets show how to specify the authentication mechanism, using the following placeholders:

  • hostname - network address of your MongoDB server, accessible by your client.
  • port - port number of your MongoDB server.
  • authenticationDb - MongoDB database that contains your user's authentication data. If you omit this parameter, the driver uses the default value admin.


For additional information on configuring your application to use certificates as well as TLS/SSL options, see our TLS/SSL guide.
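The MONGODB-AWS and X.509 sections above, as an added example that is not code from the original page: the AWS credential carries the optional session token as a mechanism property, and the X.509 credential has no password, so the settings enable TLS for the client certificate to be presented. The class name and host are assumptions; the example reads the AWS values from the environment variables named on the page and expects the MongoDB Java sync driver on the classpath.

```java
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import java.util.Collections;

public class AwsAndX509AuthExample {
    static final String HOST = "db.example.com"; // placeholder host (assumption)
    static final int PORT = 27017;

    // Connection-string equivalents, using the page's placeholders:
    //   mongodb://<username>:<password>@<hostname>:<port>/?authSource=<authenticationDb>
    //       &authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:<awsSessionToken>
    //   mongodb://<hostname>:<port>/?authSource=<authenticationDb>&authMechanism=MONGODB-X509&tls=true

    // MONGODB-AWS: access key ID as the user name, secret access key as the
    // password, and the session token (when present) as a mechanism property.
    static MongoCredential awsCredential(String accessKeyId, String secretKey, String sessionToken) {
        MongoCredential c = MongoCredential.createAwsCredential(accessKeyId, secretKey.toCharArray());
        return sessionToken == null ? c : c.withMechanismProperty("AWS_SESSION_TOKEN", sessionToken);
    }

    // X.509: no password; the server authenticates the subject of the client
    // certificate, which the JVM supplies from its key store during the TLS handshake.
    static MongoCredential x509Credential() {
        return MongoCredential.createMongoX509Credential();
    }

    static MongoClientSettings settingsFor(MongoCredential credential, boolean tls) {
        return MongoClientSettings.builder()
                .applyToClusterSettings(b ->
                        b.hosts(Collections.singletonList(new ServerAddress(HOST, PORT))))
                .applyToSslSettings(b -> b.enabled(tls))
                .credential(credential)
                .build();
    }

    public static void main(String[] args) {
        String id = System.getenv("AWS_ACCESS_KEY_ID");
        String key = System.getenv("AWS_SECRET_ACCESS_KEY");
        if (id != null && key != null) {
            MongoCredential aws = awsCredential(id, key, System.getenv("AWS_SESSION_TOKEN"));
            System.out.println(aws.getMechanism()); // print the mechanism only, never the secret
        }
        try (MongoClient client = MongoClients.create(settingsFor(x509Credential(), true))) {
            System.out.println(client.getDatabase("admin").getName());
        }
    }
}
```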

© 2021 MongoDB, Inc.
