# SASL Authentication

SASL authentication uses usernames and passwords to authenticate your Kafka clients. By default, Kafka clients communicating with WarpStream Agents use `PLAINTEXT`, meaning that all data is sent in plain text (unencrypted). This includes the SASL usernames and passwords.

When using SASL, it is recommended to [configure TLS encryption for your WarpStream cluster](https://docs.warpstream.com/warpstream/kafka/protect-data-in-motion-with-tls-encryption#configure-tls-encryption-for-a-warpstream-cluster).

The WarpStream Agents support both `SASL/PLAIN` and `SASL/SCRAM-SHA-512` for communication.

## Configure WarpStream Agents

Set the `requireSASLAuthentication` flag or `WARPSTREAM_REQUIRE_SASL_AUTHENTICATION=true` environment variable on the Agents.

Once authentication is enabled on the Agents, they will enforce that all Apache Kafka clients that connect to them authenticate themselves via SASL. Improperly authenticated clients will be unable to connect.

## Creating Credentials

In order to connect an Apache Kafka client to the authenticated WarpStream Agent, you'll need to create a set of credentials. You can do that by navigating to the ["Clusters" section of the WarpStream Console](https://console.warpstream.com/virtual_clusters) and then clicking "Credentials" within the Virtual Cluster that you want to create a set of credentials for.

<figure><img src="https://77315434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjB7FxO8ty4EXO4HsQP4E%2Fuploads%2Fgit-blob-fd08eec116c02352aabe377beca630f461f3c012%2FScreenshot%202024-12-13%20at%2010.40.39%E2%80%AFAM.png?alt=media" alt=""><figcaption><p>Click "Credentials"</p></figcaption></figure>

Once you're on the credentials view, you can create a new set of SASL credentials by clicking the "Create Credentials" button.

<figure><img src="https://77315434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjB7FxO8ty4EXO4HsQP4E%2Fuploads%2Fgit-blob-607c8a2acbd88bf1527d29c22678848ace649fd2%2FScreenshot%202024-12-13%20at%2010.40.42%E2%80%AFAM.png?alt=media" alt=""><figcaption><p>Click "Create Credentials"</p></figcaption></figure>

Enter the name that you want the credential to have, check "super user" if desired, and click "Create Credentials".

<figure><img src="https://77315434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjB7FxO8ty4EXO4HsQP4E%2Fuploads%2Fgit-blob-d0d8e9311e06bf9cfc6db8d346d3986aa85b75c8%2FScreenshot%202024-12-13%20at%2010.40.58%E2%80%AFAM.png?alt=media" alt="" width="375"><figcaption><p>Enter a name and click Create Credentials</p></figcaption></figure>

Once you're done creating the credentials, the admin console will show you the username and password one time. Store these values somewhere safe, as you'll never be able to view them again. WarpStream does not store them in plaintext, so we cannot retrieve them for you.

<figure><img src="https://77315434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjB7FxO8ty4EXO4HsQP4E%2Fuploads%2Fgit-blob-3c18f1b2c800a0b9855011fb13483c84449dc862%2FScreenshot%202024-12-13%20at%2010.41.04%E2%80%AFAM.png?alt=media" alt=""><figcaption><p>Save your credentials somewhere safe!</p></figcaption></figure>

In the case that you lose your credentials, you can create a new set of credentials in the admin console following the same steps as above, up to a limit of 100 credentials. This limit can be increased to 1000 credentials upon request.

## Configure Kafka clients

To configure SASL in your Kafka clients, review the documentation for the client library you use. Every Kafka client configures SASL differently, and those configurations may change from version to version.

We recommend using the [Confluent Platform documentation](https://docs.confluent.io/platform/current/security/authentication/sasl/plain/overview.html#configure-ak-clients) to learn how to configure Java-based clients for SASL.

## Limiting Allowed SASL Mechanisms

Configure the `-enabledSASLMechanisms` flag or `WARPSTREAM_ENABLED_SASL_MECHANISMS` environment variable to a comma-delimited list of allowed SASL mechanisms. If this flag / environment variable is not set, all SASL mechanisms are allowed. If it is set, only the specified mechanisms are allowed.

For example: `WARPSTREAM_ENABLED_SASL_MECHANISMS=PLAIN,SCRAM-SHA-512` means that both `SASL/PLAIN` and `SASL/SCRAM-SHA-512` are allowed, but `WARPSTREAM_ENABLED_SASL_MECHANISMS=PLAIN` means that only `PLAIN` is allowed.

Supported values: `PLAIN`, `SCRAM-SHA-512`.
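
What each supported mechanism puts on the wire, as an added example that is not WarpStream code: it builds the SASL/PLAIN message per RFC 4616 and the SCRAM-SHA-512 client messages per the RFC 5802 flow, then verifies the proof as a server would. The credentials, nonces, salt and function names are constructed for illustration, and SASLprep normalization is omitted.

```python
import base64
import hashlib
import hmac

# Assumptions: constructed credentials, no SASLprep, username without "," or "=".

def plain_initial_response(username, password):
    """SASL/PLAIN (RFC 4616): authzid NUL authcid NUL passwd, password sent as-is."""
    return b"\x00" + username.encode() + b"\x00" + password.encode()

def client_key_for(password, salt, iterations):
    """SCRAM ClientKey = HMAC(PBKDF2(password, salt, i), "Client Key")."""
    salted = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return hmac.new(salted, b"Client Key", hashlib.sha512).digest()

def scram_client_messages(username, password, client_nonce, server_first):
    """Return (client-first, client-final) for a given server-first message."""
    bare = f"n={username},r={client_nonce}"
    attrs = dict(item.split("=", 1) for item in server_first.split(","))
    if not attrs["r"].startswith(client_nonce):
        raise ValueError("server nonce does not extend the client nonce")
    client_key = client_key_for(password, base64.b64decode(attrs["s"]), int(attrs["i"]))
    stored_key = hashlib.sha512(client_key).digest()
    final_no_proof = f"c=biws,r={attrs['r']}"  # biws = base64("n,,"): no channel binding
    auth_message = f"{bare},{server_first},{final_no_proof}".encode()
    signature = hmac.new(stored_key, auth_message, hashlib.sha512).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, signature))
    return "n,," + bare, f"{final_no_proof},p={base64.b64encode(proof).decode()}"

def server_verify(stored_key, client_first, server_first, client_final):
    """Server-side check: needs only StoredKey, never the password."""
    final_no_proof, proof_b64 = client_final.rsplit(",p=", 1)
    auth_message = f"{client_first[3:]},{server_first},{final_no_proof}".encode()
    signature = hmac.new(stored_key, auth_message, hashlib.sha512).digest()
    client_key = bytes(a ^ b for a, b in zip(base64.b64decode(proof_b64), signature))
    return hmac.compare_digest(hashlib.sha512(client_key).digest(), stored_key)

if __name__ == "__main__":
    user, secret, salt = "demo-user", "demo-secret", b"constructed-salt"
    server_first = f"r=cnonce123snonce456,s={base64.b64encode(salt).decode()},i=4096"
    first, final = scram_client_messages(user, secret, "cnonce123", server_first)
    stored = hashlib.sha512(client_key_for(secret, salt, 4096)).digest()
    print("PLAIN :", plain_initial_response(user, secret))
    print("SCRAM :", first, "|", final)
    print("server accepts proof:", server_verify(stored, first, server_first, final))
```

With `PLAIN` the password itself is in the message, so on a `PLAINTEXT` listener it is readable in transit; with `SCRAM-SHA-512` only a proof is sent, although record data is still unencrypted without TLS.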


