A newer version of this documentation is available.

View Latest


Authentication is a process that securely identifies who is accessing the system.

Only Couchbase administrators and applications can authenticate with Couchbase Server:

Authentication for Couchbase administrators

Two types of Couchbase administrators can authenticate with Couchbase Server using their passwords: one full administrator and one read-only administrator.

The full Couchbase administrator can connect to Couchbase Server at all times.
Full Couchbase administrator

The full (built-in) Couchbase administrator is configured during installation. This administrator can configure one read-only Couchbase administrator and access all Couchbase Server functions, including the ability to enable LDAP and configure additional LDAP administrators.

Passwords for full Couchbase administrators must follow security best practices. See Couchbase passwords for more details.

Read-only Couchbase administrator

The read-only administrator is optional and can be set by the full Couchbase administrator at any time using the Couchbase Web Console. This administrator can view certain activities without having ability to edit.

Passwords for read-only administrators follow the same security best practices. See Couchbase passwords for more details.

To set up credentials for the read-only Couchbase administrator, open the Couchbase Web Console and go to Settings  Account Management to enter the administrator’s credentials.

admin read only
Resetting the administrative password

The administrative password can be reset using the password reset tool: cbreset_password

Authentication for applications

Applications authenticate themselves with buckets using the SASL password.

Authentication at the bucket level takes place over the CRAM-MD5 protocol and involves a single challenge-and-response cycle initiated by Couchbase Server.

In the challenge sequence, the server sends a string in the format of a Message ID (email header value including angle brackets). The Message ID includes an arbitrary string of random digits, a timestamp, and the server’s fully qualified domain name.

Access control is configured using the Couchbase Web Console at Data Buckets  Create New Data Bucket and is set for two ports:

admin access control
Standard port

This is TCP port 11211, which requires SASL authentication. Enter the password that complies with the best practices rules.

Dedicated port

This port supports ASCII protocol and doesn’t need authentication. You only need to enter the port number.