
User Management


This section provides instructions on how to create, update and delete users with mongoRealmAuthenticator.

It also shows how to manage permissions with mongoAclAuthorizer.

mongoRealmAuthenticator uses the collection /users by default.

Before running the example requests

The following examples assume RESTHeart is running on localhost with the default configuration: the database restheart is bound to / and the user admin exists with the default password secret.

User document

With the default configuration, a user is represented as follows:

    {
      "_id": "username",
      "roles": [ "list", "of", "roles" ],
      "password": "secret"
    }

mongoRealmAuthenticator can be configured to use different properties for the username, roles and password. Check mongoRealmAuthenticator for more information.

Get existing users

GET /users HTTP/1.1

    [
      {
        "_id": "admin",
        "roles": [ "admin" ],
        "_etag": {
          "$oid": "5d2edb155883c050065d6a8a"
        }
      }
    ]

The password property is never returned by GET requests, whether the user document is fetched individually or as part of the collection.

For security reasons, it is not possible to use the filter query parameter on the password field: a filter such as a regular expression would otherwise let a caller recover the stored value one character at a time. The following request is forbidden and results in an error: GET /users?filter={"password":{"$regex":"^a.*"}}

Create a user

POST /users HTTP/1.1

    {
      "_id": "foo",
      "roles": [ "user" ],
      "password": "secret"
    }

The password is automatically hashed with bcrypt by RESTHeart before the document is stored; the clear-text value is never written to the database. The same applies when the password is changed with PATCH.

Update a user

PATCH /users/foo HTTP/1.1

    {
      "password": "betterSecret"
    }

Delete a user

DELETE /users/foo HTTP/1.1

Create an ACL document

POST /acl HTTP/1.1

    {
      "predicate": "path-prefix[/inventory] and method[GET]",
      "roles": [ "user" ],
      "priority": 1
    }

This permission allows users with the role user to send GET requests to /inventory and to any path below it; no other method is granted. Check the Format of permission section for more information on ACL permissions.
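The following script is an added example and is not part of RESTHeart or of its documentation. It drives the user and ACL requests shown above with the Python standard library, checks that the password is not returned by GET, and includes a client-side guard that refuses to send a filter touching the password field (the server rejects such filters anyway; the guard shows what to look for, including filters nested inside $and/$or). It assumes RESTHeart on http://localhost:8080 with the default configuration (admin/secret, users in /users, permissions in /acl); the user name foo, the ACL document _id user-can-read-inventory and the expected status codes in the comments are this example's own choices.

```python
# Added example, not RESTHeart's own code. Assumes a default RESTHeart on
# localhost:8080 (admin/secret); names like "user-can-read-inventory" are
# chosen here for illustration.
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8080"   # assumption: default RESTHeart listener
ADMIN = ("admin", "secret")          # default admin credentials from the page


def basic_auth_header(username, password):
    """HTTP Basic credentials for the Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def user_document(username, roles, password):
    """User document in the default property layout (_id, roles, password)."""
    if not username or not roles:
        raise ValueError("a username and at least one role are required")
    return {"_id": username, "roles": list(roles), "password": password}


def acl_document(acl_id, predicate, roles, priority=1):
    """ACL document: which roles may send requests matching the predicate."""
    return {"_id": acl_id, "predicate": predicate, "roles": list(roles), "priority": priority}


def filter_touches_field(flt, field):
    """True if a MongoDB filter references `field` at any nesting depth
    (plain keys, $and/$or/$nor arrays, $not operators). A client should never
    send such a filter against /users: a $regex on the password would turn
    the endpoint into a character-by-character oracle on the stored credential,
    which is why RESTHeart refuses it server-side."""
    if isinstance(flt, dict):
        return any(k == field or filter_touches_field(v, field) for k, v in flt.items())
    if isinstance(flt, list):
        return any(filter_touches_field(v, field) for v in flt)
    return False


def call(method, path, body=None, auth=ADMIN):
    """One request; returns (status, parsed JSON or None). 4xx/5xx raise HTTPError."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", basic_auth_header(*auth))
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def status_of(method, path, body=None, auth=ADMIN):
    """Like call() but returns the status code of error responses instead of raising."""
    try:
        return call(method, path, body, auth)[0]
    except urllib.error.HTTPError as err:
        return err.code


def user_lifecycle(username="foo"):
    """Create, inspect, update and delete a user, grant its role read access to
    /inventory through an ACL document, then clean up. Returns the observed
    results so the caller can compare them with the expectations in the comments."""
    seen = {}
    seen["create"] = status_of("POST", "/users", user_document(username, ["user"], "secret"))  # 201
    _, doc = call("GET", f"/users/{username}")
    seen["password_hidden"] = "password" not in doc                                            # True
    flt = {"password": {"$regex": "^a.*"}}
    assert filter_touches_field(flt, "password")   # a guarded client would stop here
    seen["password_filter"] = status_of("GET", "/users?filter=" + urllib.parse.quote(json.dumps(flt)))  # an error, never 200
    seen["update"] = status_of("PATCH", f"/users/{username}", {"password": "betterSecret"})    # 200
    acl = acl_document("user-can-read-inventory", "path-prefix[/inventory] and method[GET]", ["user"])
    seen["acl"] = status_of("POST", "/acl", acl)                                                # 201
    # If the ACL cache is enabled in the configuration, the new permission may
    # only take effect once the cache entry expires.
    creds = (username, "betterSecret")
    seen["user_get_inventory"] = status_of("GET", "/inventory", auth=creds)                     # not 403
    seen["user_post_inventory"] = status_of("POST", "/inventory", {"sku": "x"}, auth=creds)     # 403
    seen["delete_acl"] = status_of("DELETE", "/acl/user-can-read-inventory")                    # 204
    seen["delete_user"] = status_of("DELETE", f"/users/{username}")                             # 204
    return seen


if __name__ == "__main__":
    for step, result in user_lifecycle().items():
        print(f"{step:20s} {result}")
```

The document builders and the filter guard are pure functions and can be unit-tested without a server; only user_lifecycle() talks to RESTHeart. DELETE works without an If-Match header because the default etag policy for documents is optional; if your configuration requires it, pass the _etag returned by the GET.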

Watch Managing users with practical examples