Get Password Hash of user from DB or API

oliwel · 2025-10-20T12:08:38.908Z

Hi, I want to onboard a legacy application to our SSO but I have no option to interact with Zitadel directly, I am able to use and inject the bcrypted hashes from Zitadel but I am unable to locate them in the database or API 🙁 Can anybody point me to the right location? DB would be preferred... TIA Oliver

A

Ask Inkeep•10/20/25, 12:08 PM

Hi @oliwel, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

A

Ask Inkeep•10/20/25, 12:09 PM

Answer

Based on the available sources, I can help you locate password hashes in ZITADEL:

Database Location

In a running ZITADEL instance, password hashes are stored in the

users

users

users

users table (1) . This table holds the password hash for each human user .

API Access

You can retrieve password hashes using the

/admin/v1/export

/admin/v1/export

/admin/v1/export

/admin/v1/export endpoint . Here's an example of how to export data including password hashes:

curl -L '<https://auth-stg.dungeonfog.com/admin/v1/export'> \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <token>' \
-d '{
  "orgIds": [
    "332024601481607370"
  ],
  "excludedOrgIds": [
    "string"
  ],
  "withPasswords": true,
  "withOtp": true,
  "responseOutput": true,
  "localOutput": {
    "path": "string"
  },
  "s3Output": {
    "path": "string",
    "endpoint": "string",
    "accessKeyId": "string",
    "secretAccessKey": "string",
    "ssl": true,
    "bucket": "string"
  },
  "timeout": "30m"
}' >> zitadel.output

curl -L '<https://auth-stg.dungeonfog.com/admin/v1/export'> \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <token>' \
-d '{
  "orgIds": [
    "332024601481607370"
  ],
  "excludedOrgIds": [
    "string"
  ],
  "withPasswords": true,
  "withOtp": true,
  "responseOutput": true,
  "localOutput": {
    "path": "string"
  },
  "s3Output": {
    "path": "string",
    "endpoint": "string",
    "accessKeyId": "string",
    "secretAccessKey": "string",
    "ssl": true,
    "bucket": "string"
  },
  "timeout": "30m"
}' >> zitadel.output

curl -L '<https://auth-stg.dungeonfog.com/admin/v1/export'> \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <token>' \
-d '{
  "orgIds": [
    "332024601481607370"
  ],
  "excludedOrgIds": [
    "string"
  ],
  "withPasswords": true,
  "withOtp": true,
  "responseOutput": true,
  "localOutput": {
    "path": "string"
  },
  "s3Output": {
    "path": "string",
    "endpoint": "string",
    "accessKeyId": "string",
    "secretAccessKey": "string",
    "ssl": true,
    "bucket": "string"
  },
  "timeout": "30m"
}' >> zitadel.output

curl -L '<https://auth-stg.dungeonfog.com/admin/v1/export'> \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <token>' \
-d '{
  "orgIds": [
    "332024601481607370"
  ],
  "excludedOrgIds": [
    "string"
  ],
  "withPasswords": true,
  "withOtp": true,
  "responseOutput": true,
  "localOutput": {
    "path": "string"
  },
  "s3Output": {
    "path": "string",
    "endpoint": "string",
    "accessKeyId": "string",
    "secretAccessKey": "string",
    "ssl": true,
    "bucket": "string"
  },
  "timeout": "30m"
}' >> zitadel.output

The export will return user data including the hashed password in this format:

{"userName":"dfogtest+premium@gmail.com", "profile":{"firstName":"dfogtest+premium", "lastName":"@DungeonFog", "nickName":"DFogTestPremium", "displayName":"DFogTestPremium", "preferredLanguage":"und"}, "email":{"email":"dfogtest+premium@gmail.com", "isEmailVerified":true}, "hashedPassword":{"value":"$2b$10$vENOnWo4/CNFkUcQOybkZuqz9i/qpLIAb3EEOYXQOjePN3P6xW2Sq"}}

{"userName":"dfogtest+premium@gmail.com", "profile":{"firstName":"dfogtest+premium", "lastName":"@DungeonFog", "nickName":"DFogTestPremium", "displayName":"DFogTestPremium", "preferredLanguage":"und"}, "email":{"email":"dfogtest+premium@gmail.com", "isEmailVerified":true}, "hashedPassword":{"value":"$2b$10$vENOnWo4/CNFkUcQOybkZuqz9i/qpLIAb3EEOYXQOjePN3P6xW2Sq"}}

{"userName":"dfogtest+premium@gmail.com", "profile":{"firstName":"dfogtest+premium", "lastName":"@DungeonFog", "nickName":"DFogTestPremium", "displayName":"DFogTestPremium", "preferredLanguage":"und"}, "email":{"email":"dfogtest+premium@gmail.com", "isEmailVerified":true}, "hashedPassword":{"value":"$2b$10$vENOnWo4/CNFkUcQOybkZuqz9i/qpLIAb3EEOYXQOjePN3P6xW2Sq"}}

{"userName":"dfogtest+premium@gmail.com", "profile":{"firstName":"dfogtest+premium", "lastName":"@DungeonFog", "nickName":"DFogTestPremium", "displayName":"DFogTestPremium", "preferredLanguage":"und"}, "email":{"email":"dfogtest+premium@gmail.com", "isEmailVerified":true}, "hashedPassword":{"value":"$2b$10$vENOnWo4/CNFkUcQOybkZuqz9i/qpLIAb3EEOYXQOjePN3P6xW2Sq"}}

Important Note

ZITADEL hashes and stores passwords internally and never exposes them in an SSO flow (2) . For password-based SSO scenarios where you need to send user ID and password via GET or POST, this approach is not possible with ZITADEL .

A

Ask Inkeep•10/20/25, 12:09 PM

To learn more, see the sources I considered:

[1] Discord message from @larzous on 2025-09-08
[2] password based SSO

A

Ask Inkeep•10/20/25, 12:09 PM

Feel free to tag @Ask Inkeep with additional questions.

O

oliwelOP•10/20/25, 12:27 PM

@Ask Inkeep The auth.users table is empty and the projections.users* do not hold any passwords. Where exactly should I look

A

Ask Inkeep•10/20/25, 12:27 PM

Thanks for the follow-up, @oliwel. I'll get back to you soon.

A

Ask Inkeep•10/20/25, 12:27 PM

Answer

I wasn't able to find a direct answer about specific database table locations for password hashes, here are some relevant sources:

Migrate from Auth0 to ZITADEL (Including Password Hashes) : This shows the import format for password hashes but doesn't specify the storage location.
Create a new human user : Documents the API for creating users but doesn't reveal database schema details.

The available sources don't contain specific information about the exact database tables where ZITADEL stores password hashes. You might want to click the "Ask for help" button to tag a team member who can provide the specific database schema information you need.

A

Ask Inkeep•10/20/25, 12:27 PM

A

Ask Inkeep•10/20/25, 12:27 PM

Feel free to tag @Ask Inkeep with additional questions.

AAsk Inkeep Empty message

A

Ask InkeepAPP•10/20/25, 1:06 PM

Got it. Tagging @Rajat for additional help.

M

Matías•10/20/25, 6:06 PM

Hey @oliwel, I just replied in this thread:
https://discord.com/channels/927474939156643850/1414568271390179379/1429892191848763424

M

Matías•10/20/25, 6:07 PM

But we can follow the conversation here if needed, please let me konw if you have any follow up questions.