
User Management

listmonk supports multiple authentication methods and user management features. Users are managed through the Settings → Users dashboard in the admin interface.
Starting from recent versions, listmonk has moved away from config file-based credentials to database-managed users with role-based access control.

Initial Setup

On first launch, listmonk will prompt you to create a Super Admin user:
  1. Access Setup Page: navigate to http://localhost:9000/admin and you’ll see the first-time setup page.
  2. Create Super Admin. Enter:
     • Email address
     • Username
     • Password (minimum 8 characters)
     • Confirm password
  3. Login: after creation, you’ll be automatically logged in and redirected to the dashboard.

Environment Variables for Setup

You can pre-configure the Super Admin credentials using environment variables:
LISTMONK_ADMIN_USER=myadmin LISTMONK_ADMIN_PASSWORD=mypassword ./listmonk --install

User Types

listmonk supports two types of users:
  • User: regular users who log in through the web interface. They support password and OIDC authentication.
  • API: API-only users for programmatic access. They use username/password for HTTP Basic Authentication.

Role-Based Access Control

Users are assigned roles that define their permissions:
  • User Role (object): defines what a user can do in the admin interface (view, create, edit campaigns, manage subscribers, etc.).
  • List Role (object): defines which mailing lists a user can access. Can be restricted to specific lists.
The default Super Admin role (ID: 1) has all permissions and cannot be deleted.

Password Authentication

Standard username/password authentication for web interface users.

Password Requirements

  • Minimum length: 8 characters
  • No maximum length limit
  • No special character requirements (but recommended)

Password Reset

Users can reset their password through the login page:
  1. Click Forgot Password: on the login page, click the “Forgot Password” link.
  2. Enter Email: enter the email address associated with your account.
  3. Check Email: you’ll receive a password reset link (valid for 30 minutes).
  4. Set New Password: click the link and enter your new password.
Password reset emails are sent using the configured SMTP settings.

OIDC Authentication

listmonk supports OpenID Connect (OIDC) for single sign-on with external identity providers. The settings are:

security.oidc.enabled (boolean, default: false)
  Enable OIDC authentication.

security.oidc.provider_url (string, required)
  OIDC provider’s discovery URL. Examples:
    • Google: https://accounts.google.com
    • Azure AD: https://login.microsoftonline.com/{tenant-id}/v2.0
    • Keycloak: https://keycloak.example.com/realms/{realm}

security.oidc.provider_name (string, default: "")
  Optional display name for the OIDC provider shown on the login page. If empty, listmonk will attempt to derive it from the provider URL.

security.oidc.client_id (string, required)
  OAuth 2.0 client ID from your OIDC provider.

security.oidc.client_secret (string, required)
  OAuth 2.0 client secret from your OIDC provider.

security.oidc.auto_create_users (boolean, default: false)
  Automatically create users on first OIDC login. When enabled, any user who can authenticate with your OIDC provider will get access to listmonk.

security.oidc.default_user_role_id (integer, default: null)
  Default user role ID assigned to auto-created users. Required if auto_create_users is enabled.

security.oidc.default_list_role_id (integer, default: null)
  Default list role ID assigned to auto-created users. Optional. If not set, users get access to all lists.

OIDC Configuration Example

{
  "enabled": true,
  "provider_url": "https://accounts.google.com",
  "provider_name": "Google",
  "client_id": "your-client-id.apps.googleusercontent.com",
  "client_secret": "your-client-secret",
  "auto_create_users": true,
  "default_user_role_id": 2,
  "default_list_role_id": null
}
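The settings above have a few interactions worth checking before enabling OIDC: auto_create_users needs default_user_role_id, leaving default_list_role_id unset grants every auto-created user access to all lists, and role ID 1 is the Super Admin role. The following is an added example, not listmonk's own code, that validates such a configuration in Python. It uses the page's JSON example as its input (copied here as a constructed dictionary), derives the standard OIDC discovery document location (/.well-known/openid-configuration, the usual convention; how listmonk itself resolves it is not stated on this page), and builds the callback URI from the /auth/oidc/callback path given in the setup guide.

```python
from urllib.parse import urlsplit

# Constructed copy of the page's example configuration (keys without the
# "security.oidc." prefix, as in the JSON example above).
EXAMPLE_CONFIG = {
    "enabled": True,
    "provider_url": "https://accounts.google.com",
    "provider_name": "Google",
    "client_id": "your-client-id.apps.googleusercontent.com",
    "client_secret": "your-client-secret",
    "auto_create_users": True,
    "default_user_role_id": 2,
    "default_list_role_id": None,
}

SUPER_ADMIN_ROLE_ID = 1  # the built-in role with all permissions


def discovery_url(provider_url: str) -> str:
    """Standard OIDC discovery document location derived from the provider URL."""
    return provider_url.rstrip("/") + "/.well-known/openid-configuration"


def redirect_uri(root_url: str) -> str:
    """The callback to register at the identity provider for a given listmonk root URL."""
    return root_url.rstrip("/") + "/auth/oidc/callback"


def check_oidc_config(cfg: dict) -> list:
    """Return a list of problems (errors and risky-but-valid settings) for an OIDC config."""
    findings = []
    if not cfg.get("enabled"):
        return findings  # OIDC off, nothing to validate
    parts = urlsplit(cfg.get("provider_url") or "")
    if parts.scheme != "https" or not parts.hostname:
        findings.append("error: provider_url must be an https:// URL")
    for key in ("client_id", "client_secret"):
        if not cfg.get(key):
            findings.append(f"error: {key} is required when OIDC is enabled")
    if cfg.get("auto_create_users"):
        role = cfg.get("default_user_role_id")
        if role is None:
            findings.append("error: auto_create_users requires default_user_role_id")
        elif role == SUPER_ADMIN_ROLE_ID:
            findings.append("warning: default_user_role_id is the Super Admin role; "
                            "every account at the identity provider would get full permissions")
        if cfg.get("default_list_role_id") is None:
            findings.append("warning: default_list_role_id is unset; auto-created users "
                            "get access to all lists")
    return findings


if __name__ == "__main__":
    print(discovery_url(EXAMPLE_CONFIG["provider_url"]))
    print(redirect_uri("https://your-listmonk-domain.com"))
    for finding in check_oidc_config(EXAMPLE_CONFIG):
        print(finding)
```

Run against the page's own example, the checker reports only the list-role warning: the configuration is valid, but every Google account that can sign in gets role 2 and sees all lists, which is the trade-off the auto_create_users description points out.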

Supported OIDC Providers

listmonk has been tested with:
  • Google
  • Microsoft Azure AD / Entra ID
  • Keycloak
  • Auth0
  • Authentik
  • GitHub (via OIDC)
Any standard OIDC-compliant provider should work.

OIDC Setup Guide

Google:
  1. Create OAuth 2.0 Client:
     1. Go to Google Cloud Console
     2. Navigate to APIs & Services → Credentials
     3. Create OAuth 2.0 Client ID (Web application)
  2. Configure Redirect URI: add https://your-listmonk-domain.com/auth/oidc/callback
  3. Get Credentials: note the Client ID and Client Secret
  4. Configure listmonk, in Settings → Security → OIDC:
     • Provider URL: https://accounts.google.com
     • Client ID and Secret from step 3

Azure AD:
  1. Register Application:
     1. Go to Azure Portal
     2. Navigate to Azure Active Directory → App registrations
     3. New registration
  2. Configure Redirect URI: add https://your-listmonk-domain.com/auth/oidc/callback
  3. Create Client Secret: under Certificates & secrets, create a new client secret
  4. Configure listmonk:
     • Provider URL: https://login.microsoftonline.com/{tenant-id}/v2.0
     • Client ID: Application (client) ID
     • Client Secret: Value from step 3

Two-Factor Authentication (TOTP)

listmonk supports TOTP (Time-based One-Time Password) for additional security.
2FA is configured per user and is optional. Each user can enable it for their own account.

Enabling 2FA

  1. Access Profile Settings: click your username in the admin interface → Profile
  2. Generate TOTP Secret: click “Enable Two-Factor Authentication”
  3. Scan QR Code: use an authenticator app (Google Authenticator, Authy, 1Password, etc.) to scan the QR code
  4. Verify Code: enter the 6-digit code from your authenticator app to confirm

2FA Login Flow

  1. Enter username and password on the login page
  2. If 2FA is enabled, you’ll be redirected to the 2FA verification page
  3. Enter the current 6-digit code from your authenticator app
  4. Upon successful verification, you’ll be logged in
If you lose access to your authenticator app, you’ll need a database administrator to disable 2FA for your account.

API Authentication

API users authenticate using HTTP Basic Authentication.

Creating an API User

  1. Navigate to Users: go to Settings → Users in the admin interface
  2. Create New User: click “New User” and select Type: “API”
  3. Set Credentials:
     • Username: API identifier
     • Password: API secret (minimum 8 characters)
     • Role: Assign appropriate permissions
  4. Save: the username and password will be used for API authentication

Using API Credentials

curl -u username:password \
  https://listmonk.example.com/api/lists
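What curl -u sends is an Authorization header carrying base64("username:password"); base64 is reversible, so the API secret travels in the clear on every request unless the connection is HTTPS. The following added Python example (not listmonk code) builds that header the way a client does, decodes and validates it the way a server does, and compares credentials in constant time. The username, password and hostname are constructed for the example; a real server would compare the password against a stored hash rather than a plaintext value.

```python
import base64
import hmac
import urllib.request
from typing import Optional, Tuple

# Constructed credentials for the demonstration: an API user's username and its
# password (minimum 8 characters), as created under Settings → Users.
API_USER = "reports-bot"
API_SECRET = "correct-horse-battery"


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value curl -u sends: base64 of "username:password".
    base64 is an encoding, not encryption, which is why the API must be served over HTTPS."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth_header(value: str) -> Optional[Tuple[str, str]]:
    """Server-side decode of an Authorization header; None for anything not well-formed Basic."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None  # RFC 7617 requires the colon separator
    return username, password


def credentials_match(username: str, password: str, expected_user: str, expected_password: str) -> bool:
    """Constant-time comparison of both fields, so response timing does not reveal which one was wrong.
    Illustrative only: a real server compares against a stored password hash, not a plaintext secret."""
    user_ok = hmac.compare_digest(username.encode("utf-8"), expected_user.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and pass_ok


def build_request(base_url: str, path: str, username: str, password: str) -> urllib.request.Request:
    """Equivalent of the curl call above as a urllib request (built, not sent)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    req.add_header("Authorization", basic_auth_header(username, password))
    req.add_header("Accept", "application/json")
    return req


if __name__ == "__main__":
    header = basic_auth_header(API_USER, API_SECRET)
    print(header)                          # what goes over the wire
    print(parse_basic_auth_header(header))  # what any observer of plain HTTP would recover
    req = build_request("https://listmonk.example.com", "/api/lists", API_USER, API_SECRET)
    print(req.full_url, req.get_header("Authorization"))
```

Because the decoded header is the secret itself, an API user's password deserves the same handling as any other long-lived credential: a dedicated account per integration (as the best practices below recommend), a role limited to the lists and actions that integration needs, and rotation when the consuming system is retired.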

Session Management

listmonk uses secure session cookies for web authentication.

Session Behavior

  • Sessions are stored in the PostgreSQL database
  • Session cookies are HTTP-only and use SameSite=Lax
  • Sessions persist across browser restarts
  • Logout clears the session from both browser and database

Session Security

  • All session cookies are marked as secure when accessed over HTTPS
  • CSRF protection using nonce tokens for OIDC flows
  • Session timeout is managed by the underlying session library
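The cookie attributes listed above (HttpOnly, SameSite=Lax, Secure over HTTPS) are easy to confirm from the outside by inspecting the Set-Cookie header a deployment returns after login, for instance behind a reverse proxy that might strip or rewrite them. This added Python example (not part of listmonk) audits a Set-Cookie header with the standard library's http.cookies parser; the two headers it checks are constructed, with a made-up cookie name and value.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers: one with the attributes the page describes for an
# HTTPS deployment, one missing all of them. Cookie name and value are made up.
HARDENED_SET_COOKIE = "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"
WEAK_SET_COOKIE = "session=abc123; Path=/"


def audit_session_cookie(set_cookie: str, over_https: bool = True) -> list:
    """Check a Set-Cookie header for HttpOnly, Secure (when served over HTTPS) and
    SameSite=Lax/Strict. Returns a list of findings; empty means the cookie is fine."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    findings = []
    for name, morsel in jar.items():
        # Flags parse to True when present and to "" when absent.
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly, cookie is readable by page scripts")
        if over_https and not morsel["secure"]:
            findings.append(f"{name}: missing Secure, cookie would also be sent over plain HTTP")
        samesite = (morsel["samesite"] or "").lower()
        if samesite not in ("lax", "strict"):
            findings.append(f"{name}: SameSite should be Lax or Strict, got {morsel['samesite'] or 'unset'}")
    return findings


if __name__ == "__main__":
    for header in (HARDENED_SET_COOKIE, WEAK_SET_COOKIE):
        print(header)
        print("  findings:", audit_session_cookie(header) or "none")
```

Pass over_https=False only for a local, non-TLS test instance: on a production deployment a session cookie without Secure is a finding even if the page itself was served over HTTPS.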

Legacy Credentials

If you have admin_username and admin_password in your config.toml file, remove them immediately and create users through the UI.
Legacy config-based credentials:
  • Are deprecated and show a warning banner
  • Should be migrated to database users
  • Will be removed in future versions
To migrate:
  1. Create a new user through Settings → Users
  2. Assign the Super Admin role
  3. Test the new credentials
  4. Remove admin_username and admin_password from config.toml
  5. Restart listmonk
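Step 4 of the migration is the one worth verifying, since a forgotten admin_password in config.toml is a static credential sitting on disk. The following added Python example (not listmonk code) scans a config.toml for active admin_username and admin_password lines, reporting the section each was found in and ignoring commented-out lines. The sample configuration is constructed, and its [app] placement of the legacy keys is an assumption; the scanner is line-oriented rather than a full TOML parser, which is enough for these two flat keys.

```python
import re

LEGACY_KEYS = ("admin_username", "admin_password")

# Constructed config.toml fragment for the demonstration. Placing the legacy keys
# under [app] is an assumption about the old layout.
SAMPLE_CONFIG = """\
[app]
address = "localhost:9000"
admin_username = "listmonk"
admin_password = "listmonk"

[db]
host = "localhost"
# admin_username = "commented out, so not active"
"""

_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_ASSIGN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=")


def find_legacy_credentials(toml_text: str) -> list:
    """Return 'section.key' for every active legacy credential assignment.
    Comment lines and section headers are handled; not a full TOML parser."""
    section, hits = "", []
    for line in toml_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        header = _SECTION.match(line)
        if header:
            section = header.group(1).strip()
            continue
        assign = _ASSIGN.match(line)
        if assign and assign.group(1) in LEGACY_KEYS:
            hits.append(f"{section}.{assign.group(1)}" if section else assign.group(1))
    return hits


if __name__ == "__main__":
    for hit in find_legacy_credentials(SAMPLE_CONFIG):
        print("legacy credential still set:", hit)
```

Run it against the real config.toml after step 4; an empty result means the restart in step 5 will bring listmonk up without the deprecation banner.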

Security Best Practices

Use Strong Passwords

Require passwords of at least 12 characters with mixed case, numbers, and symbols.

Enable 2FA

Require all admin users to enable two-factor authentication.

Use OIDC

Centralize authentication with your organization’s identity provider.

Limit Permissions

Create custom roles with minimal required permissions for each user.

Separate API Users

Use dedicated API users for programmatic access, not personal accounts.

Regular Audits

Periodically review active users and remove unused accounts.
