oliwel
oliwel2d ago

Get Password Hash of user from DB or API

Hi, I want to onboard a legacy application to our SSO but I have no option to interact with Zitadel directly, I am able to use and inject the bcrypted hashes from Zitadel but I am unable to locate them in the database or API 🙁 Can anybody point me to the right location? DB would be preferred... TIA Oliver
4 Replies
Ask Inkeep
Ask Inkeep2d ago
Hi @oliwel, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question. Answer Based on the available sources, I can help you locate password hashes in ZITADEL: Database Location In a running ZITADEL instance, password hashes are stored in the users table (1) . This table holds the password hash for each human user . API Access You can retrieve password hashes using the /admin/v1/export endpoint . Here's an example of how to export data including password hashes: 
curl -L '<https://auth-stg.dungeonfog.com/admin/v1/export'> \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <token>' \
-d '{
  "orgIds": [
    "332024601481607370"
  ],
  "excludedOrgIds": [
    "string"
  ],
  "withPasswords": true,
  "withOtp": true,
  "responseOutput": true,
  "localOutput": {
    "path": "string"
  },
  "s3Output": {
    "path": "string",
    "endpoint": "string",
    "accessKeyId": "string",
    "secretAccessKey": "string",
    "ssl": true,
    "bucket": "string"
  },
  "timeout": "30m"
}' >> zitadel.output
curl -L '<https://auth-stg.dungeonfog.com/admin/v1/export'> \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <token>' \
-d '{
  "orgIds": [
    "332024601481607370"
  ],
  "excludedOrgIds": [
    "string"
  ],
  "withPasswords": true,
  "withOtp": true,
  "responseOutput": true,
  "localOutput": {
    "path": "string"
  },
  "s3Output": {
    "path": "string",
    "endpoint": "string",
    "accessKeyId": "string",
    "secretAccessKey": "string",
    "ssl": true,
    "bucket": "string"
  },
  "timeout": "30m"
}' >> zitadel.output
The export will return user data including the hashed password in this format: 
{"userName":"dfogtest+premium@gmail.com", "profile":{"firstName":"dfogtest+premium", "lastName":"@DungeonFog", "nickName":"DFogTestPremium", "displayName":"DFogTestPremium", "preferredLanguage":"und"}, "email":{"email":"dfogtest+premium@gmail.com", "isEmailVerified":true}, "hashedPassword":{"value":"$2b$10$vENOnWo4/CNFkUcQOybkZuqz9i/qpLIAb3EEOYXQOjePN3P6xW2Sq"}}
{"userName":"dfogtest+premium@gmail.com", "profile":{"firstName":"dfogtest+premium", "lastName":"@DungeonFog", "nickName":"DFogTestPremium", "displayName":"DFogTestPremium", "preferredLanguage":"und"}, "email":{"email":"dfogtest+premium@gmail.com", "isEmailVerified":true}, "hashedPassword":{"value":"$2b$10$vENOnWo4/CNFkUcQOybkZuqz9i/qpLIAb3EEOYXQOjePN3P6xW2Sq"}}
Important Note ZITADEL hashes and stores passwords internally and never exposes them in an SSO flow (2) . For password-based SSO scenarios where you need to send user ID and password via GET or POST, this approach is not possible with ZITADEL . ​ To learn more, see the sources I considered: [1] Discord message from @larzous on 2025-09-08 [2] password based SSO ​ Feel free to tag @Ask Inkeep with additional questions.
oliwel
oliwelOP2d ago
@Ask Inkeep The auth.users table is empty and the projections.users* do not hold any passwords. Where exactly should I look
Ask Inkeep
Ask Inkeep2d ago
Thanks for the follow-up, @oliwel. I'll get back to you soon. Answer I wasn't able to find a direct answer about specific database table locations for password hashes, here are some relevant sources: 1. Migrate from Auth0 to ZITADEL (Including Password Hashes) : This shows the import format for password hashes but doesn't specify the storage location. 2. Create a new human user : Documents the API for creating users but doesn't reveal database schema details. The available sources don't contain specific information about the exact database tables where ZITADEL stores password hashes. You might want to click the "Ask for help" button to tag a team member who can provide the specific database schema information you need. Feel free to tag @Ask Inkeep with additional questions. Got it. Tagging @Rajat for additional help.
Matías
Matías2d ago
Hey @oliwel, I just replied in this thread: https://discord.com/channels/927474939156643850/1414568271390179379/1429892191848763424 But we can follow the conversation here if needed, please let me konw if you have any follow up questions.

Did you find this page helpful?