RabbitMQ has pluggable support for various SASL authentication mechanisms. There are three such mechanisms built into the server: PLAIN, AMQPLAIN, and RABBIT-CR-DEMO, and one - EXTERNAL - available as a plugin. You can also implement your own authentication mechanism by implementing the rabbit_auth_mechanism behaviour in a plugin. See the plugin development guide for more information on general plugin development.

A separate guide covers authentication and authorisation backends in RabbitMQ and how they are configured. There's also a guide on passwords.

Built-in Mechanisms

The built-in mechanisms are:

SASL PLAIN authentication. This is enabled by default in the RabbitMQ server and clients, and is the default for most other clients.
Non-standard version of PLAIN retained for backwards compatibility. This is enabled by default in the RabbitMQ server.
Authentication happens using an out-of-band mechanism such as x509 certificate peer verification, client IP address range, or similar. Such mechanisms are usually provided by RabbitMQ plugins.
Non-standard mechanism which demonstrates challenge-response authentication. This mechanism has security equivalent to PLAIN, and is not enabled by default in the RabbitMQ server.

Server configuration

The configuration variable auth_mechanisms in the rabbit application determines which of the installed mechanisms are offered to connecting clients. This variable should be a list of atoms corresponding to mechanism names, for example ['PLAIN', 'AMQPLAIN'] by default. The server-side list is not considered to be in any particular order. See the configuration file documentation.

Client configuration


The Java client does not use the package by default since this can be unpredictable on non-Oracle JDKs and is missing entirely on Android. There is a RabbitMQ-specific SASL implementation, configured by the SaslConfig interface. A class DefaultSaslConfig is provided to make SASL configuration more convenient in the common case. A class JDKSaslConfig is provided to act as a bridge to

See ConnectionFactory.getSaslConfig() and ConnectionFactory.setSaslConfig(SaslConfig)


The Erlang client provides its own SASL mechanism implementations in the amqp_auth_mechanisms module. The #amqp_params{} record can be provided with a list of authentication functions in preference order for network connections.


The .Net client provides its own SASL mechanism implementations based on the AuthMechanism and AuthMechanismFactory interfaces. The ConnectionFactory.AuthMechanisms property is a list of authentication mechanism factories in preference order.

Authentication Failures

Per AMQP 0-9-1 spec, authentication failures should result in the server closing TCP connection immediately. However, with RabbitMQ clients can opt in to receive a more specific notification using the authentication failure notification extension to AMQP 0-9-1.

Getting Help and Providing Feedback

If you have questions about the contents of this guide or any other topic related to RabbitMQ, don't hesitate to ask them on the RabbitMQ mailing list.

Help Us Improve the Docs <3

If you'd like to contribute an improvement to the site, its source is available on GitHub. Simply fork the repository and submit a pull request. Thank you!