Authentication System
Jellyfin Server provides two primary authentication methods:
- User Authentication - Username/password authentication that creates a session with an access token
- API Key Authentication - Persistent tokens for programmatic access without user credentials
How Authentication Works
Jellyfin uses a token-based authentication system. After successful authentication, you receive an access token that must be included in subsequent API requests.
Authentication Flow
- Authenticate using username/password or API key
- Receive an access token in the response
- Include the token in the Authorization header or query parameter for subsequent requests
- Token remains valid until explicitly logged out or revoked
User Authentication
Authenticate by Username
Authenticate a user with their username and password to create a new session.
Request:
- The username of the user account
- The plain text password for the user
- Client information in MediaBrowser format: MediaBrowser Client="AppName", Device="DeviceName", DeviceId="unique-id", Version="1.0.0"
Response:
- User information object
- Session information
- Access token for authenticated requests
- Server ID
Response Example
Using Access Tokens
Once authenticated, include the access token in all subsequent requests using one of these methods:
Method 1: Authorization Header (Recommended)
Method 2: Query Parameter
Method 3: Legacy Headers (if enabled)
Legacy authorization methods (X-Emby-Token, X-MediaBrowser-Token, api_key parameter) may be disabled in server configuration. Use the standard Authorization header for best compatibility.
Token Management
Logout
End the current session and invalidate the access token.
The request must include the token to be invalidated.
Response: 204 No Content
Get Current User
Retrieve information about the authenticated user.
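The flow described above (authenticate, attach the token to later requests, then log out), as an added Python example that is not Jellyfin's own client code: it builds and parses the MediaBrowser Authorization header from the Authenticate by Username section and drives the steps through an injected `send` transport so it runs without a server. The endpoint paths and the "Username"/"Pw" body fields are assumptions about the Jellyfin API and are not shown on this page.

```python
import re
from typing import Callable, Dict, Optional

# Added example, not Jellyfin's own client code. The header layout follows the
# MediaBrowser format shown above; the endpoint paths and the JSON body field
# names "Username"/"Pw" are assumptions about the Jellyfin API, not from this page.
_PAIR = re.compile(r'(\w+)="([^"]*)"')

def build_auth_header(client: str, device: str, device_id: str,
                      version: str, token: Optional[str] = None) -> str:
    """Return e.g. MediaBrowser Client="App", Device="Dev", DeviceId="id", Version="1.0"
    with Token="..." appended once a session exists. A double quote inside a value
    is rejected: the format has no escaping rule, so it would corrupt the header."""
    fields = {"Client": client, "Device": device, "DeviceId": device_id,
              "Version": version}
    if token is not None:
        fields["Token"] = token
    for name, value in fields.items():
        if '"' in value or "\n" in value:
            raise ValueError(f"illegal character in {name}")
    return "MediaBrowser " + ", ".join(f'{k}="{v}"' for k, v in fields.items())

def parse_auth_header(value: str) -> Dict[str, str]:
    """Split a MediaBrowser Authorization value into its key/value pairs.
    Any other scheme (Bearer, or a legacy token style) yields {}, so a caller
    can refuse it, as a server with legacy methods disabled would."""
    scheme, _, rest = value.partition(" ")
    if scheme != "MediaBrowser":
        return {}
    return dict(_PAIR.findall(rest))

def login_fetch_me_logout(send: Callable[..., dict], username: str,
                          password: str) -> dict:
    """Walk the flow above: authenticate, reuse the token, then invalidate it.
    `send(method, path, headers, body)` is an injected HTTP transport (assumed
    interface) so the flow runs without a server; use HTTPS for the real one."""
    ident = dict(client="ExampleApp", device="Laptop", device_id="dev-0001",
                 version="1.0.0")
    # Step 1: credentials in the body, client info in the header, no token yet
    login = send("POST", "/Users/AuthenticateByName",
                 {"Authorization": build_auth_header(**ident)},
                 {"Username": username, "Pw": password})
    token = login["AccessToken"]
    # Step 2: every later request carries the same header plus Token="..."
    authed = {"Authorization": build_auth_header(**ident, token=token)}
    me = send("GET", "/Users/Me", authed, None)
    # Step 3: logout invalidates the token that was presented (204 No Content)
    send("POST", "/Sessions/Logout", authed, None)
    return {"token": token, "user": me.get("Name")}
```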
API Key Authentication
API keys provide persistent authentication without requiring user credentials. They are ideal for:
- Server-to-server communication
- Long-running background services
- Administrative automation
- Third-party integrations
Using API Keys
API keys can be used the same way as user access tokens:
API Key vs User Token
| Feature | User Token | API Key |
|---|---|---|
| Duration | Session-based (until logout) | Persistent (until manually revoked) |
| Permissions | User’s permissions | Administrator privileges |
| Use Case | User-facing applications | Server automation, integrations |
| Creation | Login endpoint | Admin panel or API |
| Device Info | Required on authentication | Not required |
Authentication Policies
Jellyfin implements several authorization policies that control access to different endpoints:
- RequiresElevation - Requires administrator privileges
- IgnoreParentalControl - Bypasses parental control restrictions
- LocalAccessOrRequiresElevation - Allows local network access or requires admin
- FirstTimeSetup - Only accessible during initial setup
- AnonymousLanAccess - Allows anonymous access from local network
Error Responses
401 Unauthorized
Returned when authentication fails or the token is invalid.
403 Forbidden
Returned when the user lacks the required permissions.
404 Not Found
Returned when the user doesn’t exist.
Security Best Practices
- Use HTTPS - Always use HTTPS in production to protect tokens in transit
- Secure Storage - Store tokens securely (encrypted storage, secure cookies, environment variables)
- Token Rotation - Implement token refresh mechanisms for long-lived applications
- Least Privilege - Use user tokens with appropriate permissions instead of API keys when possible
- Revoke Unused Tokens - Regularly audit and revoke unused API keys and sessions
- Client Information - Always provide accurate client information in the Authorization header
Next Steps
API Keys
Create and manage persistent API keys
User Management
Manage user accounts and permissions