

Authentication strategies allow users to identify themselves to Keystone. This can be used to restrict access to the AdminUI, and to configure access controls.


const { Keystone } = require('@keystonejs/keystone');
const { PasswordAuthStrategy } = require('@keystonejs/auth-password');

const keystone = new Keystone({ /* ... */ });

const authStrategy = keystone.createAuthStrategy({
  type: PasswordAuthStrategy,
  list: 'User',
  config: { /* ... */ },
  hooks: { /* ... */ },
  plugins: [ /* ... */ ],
});

You then provide authStrategy to apps that facilitate login (typically the Admin UI):

const { AdminUIApp } = require('@keystonejs/app-admin-ui');
module.exports = {
  apps: [new AdminUIApp({ authStrategy })],
};


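| Option  | Type         | Default    | Description                                                              |
| ------- | ------------ | ---------- | ------------------------------------------------------------------------ |
| type    | AuthStrategy | (required) | A valid authentication strategy.                                         |
| list    | String       | (required) | The list that contains an authenticated item, for example a user.        |
| config  | Object       | {}         | Strategy-specific config options.                                        |
| hooks   | Object       | {}         | Authentication mutation hooks. See the hooks API docs for details.       |
| plugins | Array        | []         | An array of plugins that can modify the authentication strategy config.  |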

Note: Different authentication strategies may have additional config options. See the documentation for individual authentication strategies for more details.


A valid authentication strategy.


Authentication strategies need to authenticate an item in a Keystone list (typically a User). The authenticated item will be provided to access control functions.

This list should have the { auth: true } access control set. See the Access control API docs for more details.


An array of functions that modify option values. Plugin functions receive (options, { keystone }), where options is the object passed to createAuthStrategy (e.g. { type, list, config, hooks, plugins }), and keystone is the keystone object. They should return a valid options value. Plugin functions are executed in the order provided in the list, with the output options of one being passed as input to the next. The output of the final plugin is used to construct the authentication strategy.

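// Plugin: adds an afterAuth hook while keeping every other option unchanged.
const logAuth = ({ hooks, ...options }) => {
  return {
    ...options,
    hooks: {
      afterAuth: () => console.log('A user logged in!'),
      // Hooks already supplied are spread last, so an existing afterAuth takes precedence.
      ...hooks,
    },
  };
};

const authStrategy = keystone.createAuthStrategy({
  type: PasswordAuthStrategy,
  list: 'User',
  plugins: [logAuth],
});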

This provides a method for packaging features that can be applied to multiple lists.
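
The hand-off rule above matters when several plugins touch the same hook: a plugin that replaces hooks discards whatever earlier plugins registered, which can silently drop a login audit hook. The following is an added example, not code from the Keystone docs or code base; applyPlugins (a model of the pipeline as described above), replaceAfterAuth, chainAfterAuth, simulateLogin and the argument passed to the hook are assumptions made for illustration.

```javascript
// Model of the plugin pipeline described above (assumption, not Keystone source):
// plugins run in list order and each receives the previous plugin's output.
const applyPlugins = (options, keystone) =>
  (options.plugins || []).reduce((opts, plugin) => plugin(opts, { keystone }), options);

// Hypothetical plugin factory that REPLACES hooks: earlier afterAuth hooks are lost.
const replaceAfterAuth = fn => options => ({ ...options, hooks: { afterAuth: fn } });

// Hypothetical plugin factory that CHAINS: the existing afterAuth still runs first.
const chainAfterAuth = fn => ({ hooks = {}, ...options }) => ({
  ...options,
  hooks: {
    ...hooks,
    afterAuth: async (...args) => {
      if (hooks.afterAuth) await hooks.afterAuth(...args);
      await fn(...args);
    },
  },
});

// Builds options with a base hook plus two plugins made by `makePlugin`,
// resolves them through the pipeline, fires afterAuth once, and returns
// the names of the hooks that actually ran, in order.
const simulateLogin = async makePlugin => {
  const events = [];
  const resolved = applyPlugins(
    {
      type: 'PasswordAuthStrategy', // placeholder string; real code passes the class
      list: 'User',
      hooks: { afterAuth: () => events.push('base') },
      plugins: [
        makePlugin(() => events.push('audit')),
        makePlugin(() => events.push('notify')),
      ],
    },
    {} // stand-in for the keystone object
  );
  await resolved.hooks.afterAuth({ listKey: 'User' }); // constructed hook argument
  return events;
};

// Print both outcomes when run directly.
simulateLogin(replaceAfterAuth).then(e => console.log('replace:', e));
simulateLogin(chainAfterAuth).then(e => console.log('chain:  ', e));
```

With the replacing factory only the last plugin's hook runs; with the chaining factory the base hook and both plugin hooks run in list order.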
