Manage users and credentials for your Aiven services. Each service can have multiple users with different credentials and access levels.
List service users
Retrieve all users for a service.
GET /v1/project/{project}/service/{service_name}/user
Request example
curl -X GET "https://api.aiven.io/v1/project/my-project/service/pg-demo/user" \
  -H "Authorization: aivenv1 YOUR_TOKEN"
Response
List of service user objects
User type: primary, regular, or admin
User password (only returned for newly created users)
Client certificate for certificate-based authentication
Client key for certificate-based authentication
Response example
{
  "users": [
    {
      "username": "avnadmin",
      "type": "primary"
    },
    {
      "username": "app_user",
      "type": "regular"
    }
  ]
}
Create service user
Create a new user for a service.
POST /v1/project/{project}/service/{service_name}/user
Request body
Username (3-63 characters, alphanumeric and underscores)
Authentication method: caching_sha2_password (MySQL) or scram-sha-256 (PostgreSQL)
Request example
curl -X POST "https://api.aiven.io/v1/project/my-project/service/pg-demo/user" \
  -H "Authorization: aivenv1 YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "app_user"
  }'
Response
The newly created user object with generated password
The password is only returned once during user creation. Store it securely immediately.
Response example
{
  "user": {
    "username": "app_user",
    "type": "regular",
    "password": "GENERATED_PASSWORD_HERE"
  }
}
Reset user password
Reset the password for a service user.
PUT /v1/project/{project}/service/{service_name}/user/{username}
Request body
The operation field must be reset-credentials
Request example
curl -X PUT "https://api.aiven.io/v1/project/my-project/service/pg-demo/user/app_user" \
  -H "Authorization: aivenv1 YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operation": "reset-credentials"
  }'
Response
User object with new password
Response example
{
  "user": {
    "username": "app_user",
    "type": "regular",
    "password": "NEW_GENERATED_PASSWORD"
  }
}
Delete service user
Delete a user from a service.
DELETE /v1/project/{project}/service/{service_name}/user/{username}
You cannot delete the primary service user (typically avnadmin). Before deleting any other user, ensure no applications are still using it.
Request example
curl -X DELETE "https://api.aiven.io/v1/project/my-project/service/pg-demo/user/app_user" \
  -H "Authorization: aivenv1 YOUR_TOKEN"
Response
Returns 200 OK with an empty response body on success.
Get service connection info
Retrieve connection information for a service including host, port, and credentials.
GET /v1/project/{project}/service/{service_name}/connection_info
Request example
curl -X GET "https://api.aiven.io/v1/project/my-project/service/pg-demo/connection_info" \
  -H "Authorization: aivenv1 YOUR_TOKEN"
Response
Default database name (for database services)
CA certificate for TLS connections
Response example
{
  "host": "pg-demo-project.aivencloud.com",
  "port": 12345,
  "user": "avnadmin",
  "password": "REDACTED",
  "database": "defaultdb",
  "uri": "postgres://avnadmin:REDACTED@pg-demo-project.aivencloud.com:12345/defaultdb?sslmode=require",
  "ca_cert": "-----BEGIN CERTIFICATE-----\n..."
}
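The create and reset responses return the password only once, and the connection info response repeats it both as a field and inside the uri. The following is an added example, not part of the Aiven documentation or client code: it stores the one-time password in an owner-only file and produces a redacted copy of any response for logging. The function names, the `.secret` file suffix and the `***` mask are assumptions made for illustration.

```python
import os
from urllib.parse import urlsplit, urlunsplit

MASK = "***"
# Secret field names visible in the response examples on this page; extend the
# set with the client-key field name your service type returns.
SECRET_KEYS = {"password"}


def save_password_once(response: dict, directory: str) -> str:
    """Write the one-time password of a create/reset response to a private file.

    O_EXCL makes the call fail instead of overwriting (or following a symlink
    to) an existing file; mode 0600 keeps the secret owner-readable only.
    """
    user = response["user"]
    if "password" not in user:
        raise ValueError("no password in response; it is only returned once")
    path = os.path.join(directory, f"{user['username']}.secret")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(user["password"])
    return path


def _mask_uri(uri: str) -> str:
    """Mask the password in scheme://user:password@host:port/path?query."""
    parts = urlsplit(uri)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    user, colon, _password = userinfo.partition(":")
    if not (at and colon):
        return uri  # no embedded password
    return urlunsplit(parts._replace(netloc=f"{user}:{MASK}@{hostport}"))


def redact(obj):
    """Return a deep copy of an API response that is safe to log."""
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    if not isinstance(obj, dict):
        return obj
    clean = {}
    for key, value in obj.items():
        if key in SECRET_KEYS:
            clean[key] = MASK
        elif key == "uri" and isinstance(value, str):
            clean[key] = _mask_uri(value)
        else:
            clean[key] = redact(value)
    return clean
```

Log only the output of `redact()`, and pass the raw response to `save_password_once()` exactly once, directly after the create or reset call.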
Kafka user ACL management
For Apache Kafka services, you can manage user ACLs (Access Control Lists) to control topic access.
Create Kafka ACL
POST /v1/project/{project}/service/{service_name}/acl
Request body
Topic name or pattern (use * for all topics)
Permission level: read, write, readwrite, or admin
Request example
curl -X POST "https://api.aiven.io/v1/project/my-project/service/kafka-prod/acl" \
  -H "Authorization: aivenv1 YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "app_user",
    "topic": "events.*",
    "permission": "readwrite"
  }'
List Kafka ACLs
GET /v1/project/{project}/service/{service_name}/acl
Request example
curl -X GET "https://api.aiven.io/v1/project/my-project/service/kafka-prod/acl" \
  -H "Authorization: aivenv1 YOUR_TOKEN"