Перейти к содержимому
Mineforgian

AuthMeReloaded

The best authentication plugin for the Bukkit/Spigot API!

65K загрузок36 подписчиковGPL-3.0-onlybukkitbungeecordfoliapaperspigotvelocity

Обновлён 7 мая 2026 г. · опубликован 29 июня 2024 г.

AuthMeReloaded

"The best authentication plugin for the Bukkit modding API!"

Description

Prevent username stealing on your server!
Use it to secure your Offline mode server or to increase your Online mode server's protection!

AuthMeReloaded disallows players who aren't authenticated to do actions like placing blocks, moving,
typing commands or using the inventory. It can also kick players with uncommonly long or short player names or kick players from banned countries.

With the Session Login feature, you don't have to execute the authentication command every time you connect to the server! Each command and every feature can be enabled or disabled from our well-structured configuration file.

You can also create your own translation file and, if you want, you can share it with us! :)

Features:

  • Dedicated builds for Spigot Legacy (1.16–1.19), Spigot 1.21 (1.20–1.21), Paper 1.21+, and Folia 1.21+
  • Native proxy plugins for BungeeCord and Velocity
  • E-Mail Recovery System!
  • Username spoofing protection.
  • Countries Whitelist/Blacklist! (country codes)
  • Built-in AntiBot System!
  • ForceLogin Feature: Admins can login with all account via console command!
  • Avoid the "Logged in from another location" message!
  • Two-factor (2FA) support!
  • Session Login!
  • Messages served in each player's own Minecraft client language, with server-language fallback
  • Editable translations and messages!
  • MySQL, MariaDB, PostgreSQL and SQLite Backend support!
  • Supported password encryption algorithms: SHA256, ARGON2, BCRYPT, PBKDF2, PBKDF2BASE64 — full list
  • Supports hashes from external systems for zero-downtime migration (XFBCRYPT, MYBB, PHPBB, JOOMLA, WORDPRESS, WBB3/WBB4, IPB3, and more)
  • Custom MySQL tables/columns names (useful with forum databases)
  • Cached database queries!
  • Fully compatible with Citizens2, CombatTag, CombatTagPlus!
  • Graphical login/register dialogs, with optional Paper/Folia pre-join dialogs
  • Restricted users (associate a username with an IP)
  • Protect player's inventory until correct authentication (requires PacketEvents)
  • Premium bypass: Mojang-account holders skip password auth (requires PacketEvents)
  • Saves the quit location of the player
  • Ender pearls thrown before authentication are returned to the player on login
  • Separate timeouts for login and registration
  • Email address confirmation required before saving on /email add and /email change
  • Automatic database backup
  • Available languages: translations
  • Account importers for Auth+, LibreLogin, LimboAuth, nLogin, OpeNLogin, tiAuth — and built-in SQLite ↔ MySQL/MariaDB/PostgreSQL migration.

Configuration

How to configure AuthMe

Dialog UI

AuthMe can display graphical login/register dialogs instead of chat-based prompts.

  • settings.registration.dialog.postJoin.enable enables the post-join dialog flow.
  • settings.registration.dialog.preJoin.enable enables the pre-join dialog flow on Paper/Folia.
  • Both options are independent: you can enable either one, both, or neither.
  • Pre-join dialogs currently require modern dialog-capable server versions such as Paper/Folia 1.21.11+.
  • Verified premium players skip the pre-join dialog entirely when premium bypass is enabled.

Premium bypass

AuthMe can let players with a legitimate Mojang account skip password authentication entirely. Identity is verified via a cryptographic handshake with Mojang's session server during the Minecraft login phase — no password prompt is ever shown.

  • Enable with settings.enablePremium: true in config.yml.
  • Players opt in with /premium and out with /freemium (must be logged in). Admins can enrol or remove players with /authme premium <player> / /authme freemium <player>.
  • Direct-connection (offline-mode, no proxy): requires PacketEvents 2.x. Without it, premium bypass is disabled at startup (fail-closed).
  • Behind an online-mode proxy (Velocity / BungeeCord): the proxy authenticates with Mojang and forwards the verified UUID — no PacketEvents needed on the backend. Set Hooks.bungeecord: true on the backend.
  • Behind an offline-mode proxy: install authme-velocity or authme-bungee on the proxy; premium players are authenticated per-player by the proxy and the verified UUID is forwarded to the backend.
  • Full documentation: docs/premium.md

Commands

Command list and usage

Permissions

How To

Links and Contacts

  • Support:

  • Dev resources:

      <repositories>
          <repository>
              <id>codemc-repo</id>
              <url>https://repo.codemc.org/repository/maven-public/</url>
          </repository>
      </repositories>
    
      <dependencies>
          <dependency>
              <groupId>fr.xephi</groupId>
              <artifactId>authme-core</artifactId>
              <version>6.0.0-SNAPSHOT</version>
              <scope>provided</scope>
          </dependency>
      </dependencies>
    
  • Statistics: Graph

Requirements

Compiling requirements:
  • JDK 17+ for authme-core, authme-tools, and authme-spigot-legacy
  • JDK 21+ for the full multi-module build (authme-bungee, authme-spigot-1.21, authme-paper-common, authme-paper, authme-folia, authme-velocity)
  • Maven (3.8.8+)
  • Git/GitHub (Optional)
How to compile the project:
  • Clone the project with Git/GitHub
  • Execute command mvn clean package
  • With JDK 17, Maven builds only the Java 17-compatible modules
  • With JDK 21+, Maven builds the full reactor
  • Build and tooling command reference: docs/build.md
Running requirements:
  • Use the jar matching your server platform/version:
  • Java 17+: AuthMe-*-Spigot-Legacy.jar — Spigot 1.16.x – 1.19.x
  • Java 21+: AuthMe-*-Spigot-1.21.jar — Spigot 1.20.x – 1.21.x
  • Java 21+: AuthMe-*-Paper.jar — Paper 1.21+
  • Java 21+: AuthMe-*-Folia.jar — Folia 1.21+
  • Java 21+: AuthMe-*-Bungee.jar — BungeeCord / Waterfall proxy (1.19 API)
  • Java 21+: AuthMe-*-Velocity.jar — Velocity 3.4+ proxy
  • PacketEvents 2.x (optional plugin; required for inventory protection, tab-complete blocking, and premium bypass in direct-connection mode)

Credits

Contributors:

Team members: developers, translators

Credits for the old version of the plugin: d4rkwarriors, fabe1337, Whoami2 and pomo4ka

Thanks also to: AS1LV3RN1NJA, Hoeze and eprimex

GeoIP License:

This product uses data from the GeoLite API created by MaxMind, available at https://www.maxmind.com

Центр версий

14 версий
  • Релиз158 КБ
  • Релиз155 КБ
  • Релиз1.1 МБ
  • Релиз1.0 МБ
  • Релиз1.1 МБ
  • Релиз1.1 МБ
  • Бета153 КБ
  • Бета156 КБ
  • Бета958 КБ
  • Бета985 КБ
  • Бета983 КБ
  • Бета962 КБ
  • Релиз923 КБ
  • Релиз14.4 МБ

Ченджлог

6.0.0Релиз26.1.1, 26.1.2, 26.2 · 7 мая 2026 г.

AuthMe 6.0.0

AuthMe 6.0.0 is a major overhaul focused on modern server compatibility, a cleaner authentication experience, and broader plugin ecosystem support. This is the first stable release of the 6.x line.

Highlights

Dedicated builds for every platform

AuthMe now ships as separate, purpose-built jars for each server platform: Spigot 1.16–1.19, Spigot 1.20–1.21+, Paper 1.21+ (1.21.11+ recommended for Dialog), and Folia 1.21+. Install the jar that matches your server — no further configuration needed to get the right behaviour for your platform.

Native proxy plugins for BungeeCord and Velocity

Two dedicated proxy plugins are now available, one for BungeeCord and one for Velocity. They handle authentication state synchronisation between the proxy and backend servers automatically, replacing the previous approach that relied solely on backend-side configuration. See the proxy configuration guide for setup instructions.

Dialog-based login and registration

On Spigot 1.21.6+ and Paper / Folia 1.21.11+, players are presented with a graphical dialog to log in or register — displayed right as they connect, before they even fully join the server. The dialog is shown in the player's own language.

Several quality-of-life improvements ship with the dialog system:

  • Email recovery in post-join dialogs — players with a recovery email can trigger password recovery directly from the dialog
  • "Let player in" recovery option — a new setting allows players to partially join the server to complete account recovery rather than being held at the connection screen
  • Customisable body description — the body text of login/register dialogs is configurable per server
  • Separate forgot-password dialog — the forgot-password flow has its own dedicated UI for both pre-join and post-join contexts
  • Register field validation — pre-join registration dialogs validate fields (password length, email format, etc.) before submission
  • Kick-on-cancel option — a new setting controls whether players are kicked if they dismiss the pre-join dialog

Premium bypass with cryptographic Mojang verification

Players with a legitimate Mojang account can skip password authentication entirely. AuthMe verifies their identity via a full cryptographic handshake with Mojang's session server — no password prompt, no dialog box. This closes the spoofing vector that existed when relying solely on username matching.

Three verification modes are supported automatically depending on your setup: direct offline-mode (requires PacketEvents), online-mode proxy (UUID forwarded by the proxy), and offline-mode proxy with the AuthMe proxy plugin. Premium player lists are synchronised automatically and sent in chunks for large servers.

See the premium bypass guide for full setup instructions.

Messages in the player's own language

AuthMe serves each player messages in their Minecraft client language, including login/register prompts, help output, and dialogs. When a player's locale is not available it falls back to the server's configured default. See the translations reference for the full list of supported languages. New in this release: Tatar and Spanish translations.

Eight new account importers

The converter system now covers a wide range of authentication plugins. You can migrate accounts from:

  • Auth+, LibreLogin, LimboAuth, nLogin (including SQLite auto-detection), OpeNLogin, tiAuth

All importers reuse the AuthMe connection pool and apply consistent UUID handling. See the converters guide for usage.

New server spawn priority

A new server value is available for the spawn priority setting. The spawn location is determined by the configured server spawn point with an optional radius so players don't stack on the same block. Falls back to the default spawn location if none is available.

Email confirmation on change

/email add and /email change now require the player to confirm the new address before it is saved, preventing typos from locking players out of account recovery.

Separate login and registration timeouts

The single timeout setting has been split into two independent values: loginTimeout and registerTimeout. Existing configurations are migrated automatically — no action required. Full details are in the configuration reference.

New hash algorithm: PBKDF2BASE64

A new PBKDF2BASE64 hash algorithm is now supported. See the hash algorithms reference for details.

Ender pearls returned on login

Ender pearls thrown before authentication are held and returned to the player's inventory on successful login rather than being lost. Configurable via settings.restrictions.cancelThrownEnderPearlOnJoin.


Breaking changes

Java 17 is now the minimum required version for spigot-legacy. Servers still running Java 8 or Java 11 must upgrade before installing this release.

Java 21 is now the minimum required version for other platforms (Spigot 1.21, Paper, Folia).

PacketEvents replaces ProtocolLib for inventory protection, tab-complete blocking, and premium bypass in direct-connection mode. Install PacketEvents 2.x if you use any of these features — ProtocolLib is no longer used for this purpose.


Bug fixes

  • Quit location is now correctly saved on disconnect
  • Walk and fly speed are properly reset on auto-login via premium, session, or proxy
  • Admin force-login commands correctly dismiss any open dialog for the target player
  • Proxy auto-login works correctly when the target player is already online
  • Email format is validated before any processing is attempted
  • Email recovery UI is only shown when the email sending system is properly configured
  • TOTP QR codes are generated with a default margin
  • BungeeCord plugin messaging channel is correctly registered on startup
  • Brigadier command registration handles @ characters and awaits proper type resolution
  • Converters correctly insert and update player UUIDs
  • Spawn location Y coordinate is correctly selected in server spawn mode

Additional resources

6.0.0Релиз26.1.1, 26.1.2, 26.2 · 7 мая 2026 г.

AuthMe 6.0.0

AuthMe 6.0.0 is a major overhaul focused on modern server compatibility, a cleaner authentication experience, and broader plugin ecosystem support. This is the first stable release of the 6.x line.

Highlights

Dedicated builds for every platform

AuthMe now ships as separate, purpose-built jars for each server platform: Spigot 1.16–1.19, Spigot 1.20–1.21+, Paper 1.21+ (1.21.11+ recommended for Dialog), and Folia 1.21+. Install the jar that matches your server — no further configuration needed to get the right behaviour for your platform.

Native proxy plugins for BungeeCord and Velocity

Two dedicated proxy plugins are now available, one for BungeeCord and one for Velocity. They handle authentication state synchronisation between the proxy and backend servers automatically, replacing the previous approach that relied solely on backend-side configuration. See the proxy configuration guide for setup instructions.

Dialog-based login and registration

On Spigot 1.21.6+ and Paper / Folia 1.21.11+, players are presented with a graphical dialog to log in or register — displayed right as they connect, before they even fully join the server. The dialog is shown in the player's own language.

Several quality-of-life improvements ship with the dialog system:

  • Email recovery in post-join dialogs — players with a recovery email can trigger password recovery directly from the dialog
  • "Let player in" recovery option — a new setting allows players to partially join the server to complete account recovery rather than being held at the connection screen
  • Customisable body description — the body text of login/register dialogs is configurable per server
  • Separate forgot-password dialog — the forgot-password flow has its own dedicated UI for both pre-join and post-join contexts
  • Register field validation — pre-join registration dialogs validate fields (password length, email format, etc.) before submission
  • Kick-on-cancel option — a new setting controls whether players are kicked if they dismiss the pre-join dialog

Premium bypass with cryptographic Mojang verification

Players with a legitimate Mojang account can skip password authentication entirely. AuthMe verifies their identity via a full cryptographic handshake with Mojang's session server — no password prompt, no dialog box. This closes the spoofing vector that existed when relying solely on username matching.

Three verification modes are supported automatically depending on your setup: direct offline-mode (requires PacketEvents), online-mode proxy (UUID forwarded by the proxy), and offline-mode proxy with the AuthMe proxy plugin. Premium player lists are synchronised automatically and sent in chunks for large servers.

See the premium bypass guide for full setup instructions.

Messages in the player's own language

AuthMe serves each player messages in their Minecraft client language, including login/register prompts, help output, and dialogs. When a player's locale is not available it falls back to the server's configured default. See the translations reference for the full list of supported languages. New in this release: Tatar and Spanish translations.

Eight new account importers

The converter system now covers a wide range of authentication plugins. You can migrate accounts from:

  • Auth+, LibreLogin, LimboAuth, nLogin (including SQLite auto-detection), OpeNLogin, tiAuth

All importers reuse the AuthMe connection pool and apply consistent UUID handling. See the converters guide for usage.

New server spawn priority

A new server value is available for the spawn priority setting. The spawn location is determined by the configured server spawn point with an optional radius so players don't stack on the same block. Falls back to the default spawn location if none is available.

Email confirmation on change

/email add and /email change now require the player to confirm the new address before it is saved, preventing typos from locking players out of account recovery.

Separate login and registration timeouts

The single timeout setting has been split into two independent values: loginTimeout and registerTimeout. Existing configurations are migrated automatically — no action required. Full details are in the configuration reference.

New hash algorithm: PBKDF2BASE64

A new PBKDF2BASE64 hash algorithm is now supported. See the hash algorithms reference for details.

Ender pearls returned on login

Ender pearls thrown before authentication are held and returned to the player's inventory on successful login rather than being lost. Configurable via settings.restrictions.cancelThrownEnderPearlOnJoin.


Breaking changes

Java 17 is now the minimum required version for spigot-legacy. Servers still running Java 8 or Java 11 must upgrade before installing this release.

Java 21 is now the minimum required version for other platforms (Spigot 1.21, Paper, Folia).

PacketEvents replaces ProtocolLib for inventory protection, tab-complete blocking, and premium bypass in direct-connection mode. Install PacketEvents 2.x if you use any of these features — ProtocolLib is no longer used for this purpose.


Bug fixes

  • Quit location is now correctly saved on disconnect
  • Walk and fly speed are properly reset on auto-login via premium, session, or proxy
  • Admin force-login commands correctly dismiss any open dialog for the target player
  • Proxy auto-login works correctly when the target player is already online
  • Email format is validated before any processing is attempted
  • Email recovery UI is only shown when the email sending system is properly configured
  • TOTP QR codes are generated with a default margin
  • BungeeCord plugin messaging channel is correctly registered on startup
  • Brigadier command registration handles @ characters and awaits proper type resolution
  • Converters correctly insert and update player UUIDs
  • Spawn location Y coordinate is correctly selected in server spawn mode

Additional resources

6.0.0Релиз26.1.1, 26.1.2, 26.2 · 7 мая 2026 г.

AuthMe 6.0.0

AuthMe 6.0.0 is a major overhaul focused on modern server compatibility, a cleaner authentication experience, and broader plugin ecosystem support. This is the first stable release of the 6.x line.

Highlights

Dedicated builds for every platform

AuthMe now ships as separate, purpose-built jars for each server platform: Spigot 1.16–1.19, Spigot 1.20–1.21+, Paper 1.21+ (1.21.11+ recommended for Dialog), and Folia 1.21+. Install the jar that matches your server — no further configuration needed to get the right behaviour for your platform.

Native proxy plugins for BungeeCord and Velocity

Two dedicated proxy plugins are now available, one for BungeeCord and one for Velocity. They handle authentication state synchronisation between the proxy and backend servers automatically, replacing the previous approach that relied solely on backend-side configuration. See the proxy configuration guide for setup instructions.

Dialog-based login and registration

On Spigot 1.21.6+ and Paper / Folia 1.21.11+, players are presented with a graphical dialog to log in or register — displayed right as they connect, before they even fully join the server. The dialog is shown in the player's own language.

Several quality-of-life improvements ship with the dialog system:

  • Email recovery in post-join dialogs — players with a recovery email can trigger password recovery directly from the dialog
  • "Let player in" recovery option — a new setting allows players to partially join the server to complete account recovery rather than being held at the connection screen
  • Customisable body description — the body text of login/register dialogs is configurable per server
  • Separate forgot-password dialog — the forgot-password flow has its own dedicated UI for both pre-join and post-join contexts
  • Register field validation — pre-join registration dialogs validate fields (password length, email format, etc.) before submission
  • Kick-on-cancel option — a new setting controls whether players are kicked if they dismiss the pre-join dialog

Premium bypass with cryptographic Mojang verification

Players with a legitimate Mojang account can skip password authentication entirely. AuthMe verifies their identity via a full cryptographic handshake with Mojang's session server — no password prompt, no dialog box. This closes the spoofing vector that existed when relying solely on username matching.

Three verification modes are supported automatically depending on your setup: direct offline-mode (requires PacketEvents), online-mode proxy (UUID forwarded by the proxy), and offline-mode proxy with the AuthMe proxy plugin. Premium player lists are synchronised automatically and sent in chunks for large servers.

See the premium bypass guide for full setup instructions.

Messages in the player's own language

AuthMe serves each player messages in their Minecraft client language, including login/register prompts, help output, and dialogs. When a player's locale is not available it falls back to the server's configured default. See the translations reference for the full list of supported languages. New in this release: Tatar and Spanish translations.

Eight new account importers

The converter system now covers a wide range of authentication plugins. You can migrate accounts from:

  • Auth+, LibreLogin, LimboAuth, nLogin (including SQLite auto-detection), OpeNLogin, tiAuth

All importers reuse the AuthMe connection pool and apply consistent UUID handling. See the converters guide for usage.

New server spawn priority

A new server value is available for the spawn priority setting. The spawn location is determined by the configured server spawn point with an optional radius so players don't stack on the same block. Falls back to the default spawn location if none is available.

Email confirmation on change

/email add and /email change now require the player to confirm the new address before it is saved, preventing typos from locking players out of account recovery.

Separate login and registration timeouts

The single timeout setting has been split into two independent values: loginTimeout and registerTimeout. Existing configurations are migrated automatically — no action required. Full details are in the configuration reference.

New hash algorithm: PBKDF2BASE64

A new PBKDF2BASE64 hash algorithm is now supported. See the hash algorithms reference for details.

Ender pearls returned on login

Ender pearls thrown before authentication are held and returned to the player's inventory on successful login rather than being lost. Configurable via settings.restrictions.cancelThrownEnderPearlOnJoin.


Breaking changes

Java 17 is now the minimum required version for spigot-legacy. Servers still running Java 8 or Java 11 must upgrade before installing this release.

Java 21 is now the minimum required version for other platforms (Spigot 1.21, Paper, Folia).

PacketEvents replaces ProtocolLib for inventory protection, tab-complete blocking, and premium bypass in direct-connection mode. Install PacketEvents 2.x if you use any of these features — ProtocolLib is no longer used for this purpose.


Bug fixes

  • Quit location is now correctly saved on disconnect
  • Walk and fly speed are properly reset on auto-login via premium, session, or proxy
  • Admin force-login commands correctly dismiss any open dialog for the target player
  • Proxy auto-login works correctly when the target player is already online
  • Email format is validated before any processing is attempted
  • Email recovery UI is only shown when the email sending system is properly configured
  • TOTP QR codes are generated with a default margin
  • BungeeCord plugin messaging channel is correctly registered on startup
  • Brigadier command registration handles @ characters and awaits proper type resolution
  • Converters correctly insert and update player UUIDs
  • Spawn location Y coordinate is correctly selected in server spawn mode

Additional resources

6.0.0Релиз1.21.3, 1.21.4, 1.21.5 · 7 мая 2026 г.

AuthMe 6.0.0

AuthMe 6.0.0 is a major overhaul focused on modern server compatibility, a cleaner authentication experience, and broader plugin ecosystem support. This is the first stable release of the 6.x line.

Highlights

Dedicated builds for every platform

AuthMe now ships as separate, purpose-built jars for each server platform: Spigot 1.16–1.19, Spigot 1.20–1.21+, Paper 1.21+ (1.21.11+ recommended for Dialog), and Folia 1.21+. Install the jar that matches your server — no further configuration needed to get the right behaviour for your platform.

Native proxy plugins for BungeeCord and Velocity

Two dedicated proxy plugins are now available, one for BungeeCord and one for Velocity. They handle authentication state synchronisation between the proxy and backend servers automatically, replacing the previous approach that relied solely on backend-side configuration. See the proxy configuration guide for setup instructions.

Dialog-based login and registration

On Spigot 1.21.6+ and Paper / Folia 1.21.11+, players are presented with a graphical dialog to log in or register — displayed right as they connect, before they even fully join the server. The dialog is shown in the player's own language.

Several quality-of-life improvements ship with the dialog system:

  • Email recovery in post-join dialogs — players with a recovery email can trigger password recovery directly from the dialog
  • "Let player in" recovery option — a new setting allows players to partially join the server to complete account recovery rather than being held at the connection screen
  • Customisable body description — the body text of login/register dialogs is configurable per server
  • Separate forgot-password dialog — the forgot-password flow has its own dedicated UI for both pre-join and post-join contexts
  • Register field validation — pre-join registration dialogs validate fields (password length, email format, etc.) before submission
  • Kick-on-cancel option — a new setting controls whether players are kicked if they dismiss the pre-join dialog

Premium bypass with cryptographic Mojang verification

Players with a legitimate Mojang account can skip password authentication entirely. AuthMe verifies their identity via a full cryptographic handshake with Mojang's session server — no password prompt, no dialog box. This closes the spoofing vector that existed when relying solely on username matching.

Three verification modes are supported automatically depending on your setup: direct offline-mode (requires PacketEvents), online-mode proxy (UUID forwarded by the proxy), and offline-mode proxy with the AuthMe proxy plugin. Premium player lists are synchronised automatically and sent in chunks for large servers.

See the premium bypass guide for full setup instructions.

Messages in the player's own language

AuthMe serves each player messages in their Minecraft client language, including login/register prompts, help output, and dialogs. When a player's locale is not available it falls back to the server's configured default. See the translations reference for the full list of supported languages. New in this release: Tatar and Spanish translations.

Eight new account importers

The converter system now covers a wide range of authentication plugins. You can migrate accounts from:

  • Auth+, LibreLogin, LimboAuth, nLogin (including SQLite auto-detection), OpeNLogin, tiAuth

All importers reuse the AuthMe connection pool and apply consistent UUID handling. See the converters guide for usage.

New server spawn priority

A new server value is available for the spawn priority setting. The spawn location is determined by the configured server spawn point with an optional radius so players don't stack on the same block. Falls back to the default spawn location if none is available.

Email confirmation on change

/email add and /email change now require the player to confirm the new address before it is saved, preventing typos from locking players out of account recovery.

Separate login and registration timeouts

The single timeout setting has been split into two independent values: loginTimeout and registerTimeout. Existing configurations are migrated automatically — no action required. Full details are in the configuration reference.

New hash algorithm: PBKDF2BASE64

A new PBKDF2BASE64 hash algorithm is now supported. See the hash algorithms reference for details.

Ender pearls returned on login

Ender pearls thrown before authentication are held and returned to the player's inventory on successful login rather than being lost. Configurable via settings.restrictions.cancelThrownEnderPearlOnJoin.


Breaking changes

Java 17 is now the minimum required version for spigot-legacy. Servers still running Java 8 or Java 11 must upgrade before installing this release.

Java 21 is now the minimum required version for other platforms (Spigot 1.21, Paper, Folia).

PacketEvents replaces ProtocolLib for inventory protection, tab-complete blocking, and premium bypass in direct-connection mode. Install PacketEvents 2.x if you use any of these features — ProtocolLib is no longer used for this purpose.


Bug fixes

  • Quit location is now correctly saved on disconnect
  • Walk and fly speed are properly reset on auto-login via premium, session, or proxy
  • Admin force-login commands correctly dismiss any open dialog for the target player
  • Proxy auto-login works correctly when the target player is already online
  • Email format is validated before any processing is attempted
  • Email recovery UI is only shown when the email sending system is properly configured
  • TOTP QR codes are generated with a default margin
  • BungeeCord plugin messaging channel is correctly registered on startup
  • Brigadier command registration handles @ characters and awaits proper type resolution
  • Converters correctly insert and update player UUIDs
  • Spawn location Y coordinate is correctly selected in server spawn mode

Additional resources

6.0.0Релиз26.1.1, 26.1.2, 26.2 · 7 мая 2026 г.

AuthMe 6.0.0

AuthMe 6.0.0 is a major overhaul focused on modern server compatibility, a cleaner authentication experience, and broader plugin ecosystem support. This is the first stable release of the 6.x line.

Highlights

Dedicated builds for every platform

AuthMe now ships as separate, purpose-built jars for each server platform: Spigot 1.16–1.19, Spigot 1.20–1.21+, Paper 1.21+ (1.21.11+ recommended for Dialog), and Folia 1.21+. Install the jar that matches your server — no further configuration needed to get the right behaviour for your platform.

Native proxy plugins for BungeeCord and Velocity

Two dedicated proxy plugins are now available, one for BungeeCord and one for Velocity. They handle authentication state synchronisation between the proxy and backend servers automatically, replacing the previous approach that relied solely on backend-side configuration. See the proxy configuration guide for setup instructions.

Dialog-based login and registration

On Spigot 1.21.6+ and Paper / Folia 1.21.11+, players are presented with a graphical dialog to log in or register — displayed right as they connect, before they even fully join the server. The dialog is shown in the player's own language.

Several quality-of-life improvements ship with the dialog system:

  • Email recovery in post-join dialogs — players with a recovery email can trigger password recovery directly from the dialog
  • "Let player in" recovery option — a new setting allows players to partially join the server to complete account recovery rather than being held at the connection screen
  • Customisable body description — the body text of login/register dialogs is configurable per server
  • Separate forgot-password dialog — the forgot-password flow has its own dedicated UI for both pre-join and post-join contexts
  • Register field validation — pre-join registration dialogs validate fields (password length, email format, etc.) before submission
  • Kick-on-cancel option — a new setting controls whether players are kicked if they dismiss the pre-join dialog

Premium bypass with cryptographic Mojang verification

Players with a legitimate Mojang account can skip password authentication entirely. AuthMe verifies their identity via a full cryptographic handshake with Mojang's session server — no password prompt, no dialog box. This closes the spoofing vector that existed when relying solely on username matching.

Three verification modes are supported automatically depending on your setup: direct offline-mode (requires PacketEvents), online-mode proxy (UUID forwarded by the proxy), and offline-mode proxy with the AuthMe proxy plugin. Premium player lists are synchronised automatically and sent in chunks for large servers.

See the premium bypass guide for full setup instructions.

Messages in the player's own language

AuthMe serves each player messages in their Minecraft client language, including login/register prompts, help output, and dialogs. When a player's locale is not available it falls back to the server's configured default. See the translations reference for the full list of supported languages. New in this release: Tatar and Spanish translations.

Eight new account importers

The converter system now covers a wide range of authentication plugins. You can migrate accounts from:

  • Auth+, LibreLogin, LimboAuth, nLogin (including SQLite auto-detection), OpeNLogin, tiAuth

All importers reuse the AuthMe connection pool and apply consistent UUID handling. See the converters guide for usage.

New server spawn priority

A new server value is available for the spawn priority setting. The spawn location is determined by the configured server spawn point with an optional radius so players don't stack on the same block. Falls back to the default spawn location if none is available.

Email confirmation on change

/email add and /email change now require the player to confirm the new address before it is saved, preventing typos from locking players out of account recovery.

Separate login and registration timeouts

The single timeout setting has been split into two independent values: loginTimeout and registerTimeout. Existing configurations are migrated automatically — no action required. Full details are in the configuration reference.

New hash algorithm: PBKDF2BASE64

A new PBKDF2BASE64 hash algorithm is now supported. See the hash algorithms reference for details.

Ender pearls returned on login

Ender pearls thrown before authentication are held and returned to the player's inventory on successful login rather than being lost. Configurable via settings.restrictions.cancelThrownEnderPearlOnJoin.


Breaking changes

Java 17 is now the minimum required version for spigot-legacy. Servers still running Java 8 or Java 11 must upgrade before installing this release.

Java 21 is now the minimum required version for other platforms (Spigot 1.21, Paper, Folia).

PacketEvents replaces ProtocolLib for inventory protection, tab-complete blocking, and premium bypass in direct-connection mode. Install PacketEvents 2.x if you use any of these features — ProtocolLib is no longer used for this purpose.


Bug fixes

  • Quit location is now correctly saved on disconnect
  • Walk and fly speed are properly reset on auto-login via premium, session, or proxy
  • Admin force-login commands correctly dismiss any open dialog for the target player
  • Proxy auto-login works correctly when the target player is already online
  • Email format is validated before any processing is attempted
  • Email recovery UI is only shown when the email sending system is properly configured
  • TOTP QR codes are generated with a default margin
  • BungeeCord plugin messaging channel is correctly registered on startup
  • Brigadier command registration handles @ characters and awaits proper type resolution
  • Converters correctly insert and update player UUIDs
  • Spawn location Y coordinate is correctly selected in server spawn mode

Additional resources

6.0.0Релиз26.1.1, 26.1.2, 26.2 · 7 мая 2026 г.

AuthMe 6.0.0

AuthMe 6.0.0 is a major overhaul focused on modern server compatibility, a cleaner authentication experience, and broader plugin ecosystem support. This is the first stable release of the 6.x line.

Highlights

Dedicated builds for every platform

AuthMe now ships as separate, purpose-built jars for each server platform: Spigot 1.16–1.19, Spigot 1.20–1.21+, Paper 1.21+ (1.21.11+ recommended for Dialog), and Folia 1.21+. Install the jar that matches your server — no further configuration needed to get the right behaviour for your platform.

Native proxy plugins for BungeeCord and Velocity

Two dedicated proxy plugins are now available, one for BungeeCord and one for Velocity. They handle authentication state synchronisation between the proxy and backend servers automatically, replacing the previous approach that relied solely on backend-side configuration. See the proxy configuration guide for setup instructions.

Dialog-based login and registration

On Spigot 1.21.6+ and Paper / Folia 1.21.11+, players are presented with a graphical dialog to log in or register — displayed right as they connect, before they even fully join the server. The dialog is shown in the player's own language.

Several quality-of-life improvements ship with the dialog system:

  • Email recovery in post-join dialogs — players with a recovery email can trigger password recovery directly from the dialog
  • "Let player in" recovery option — a new setting allows players to partially join the server to complete account recovery rather than being held at the connection screen
  • Customisable body description — the body text of login/register dialogs is configurable per server
  • Separate forgot-password dialog — the forgot-password flow has its own dedicated UI for both pre-join and post-join contexts
  • Register field validation — pre-join registration dialogs validate fields (password length, email format, etc.) before submission
  • Kick-on-cancel option — a new setting controls whether players are kicked if they dismiss the pre-join dialog

Premium bypass with cryptographic Mojang verification

Players with a legitimate Mojang account can skip password authentication entirely. AuthMe verifies their identity via a full cryptographic handshake with Mojang's session server — no password prompt, no dialog box. This closes the spoofing vector that existed when relying solely on username matching.

Three verification modes are supported automatically depending on your setup: direct offline-mode (requires PacketEvents), online-mode proxy (UUID forwarded by the proxy), and offline-mode proxy with the AuthMe proxy plugin. Premium player lists are synchronised automatically and sent in chunks for large servers.

See the premium bypass guide for full setup instructions.

Messages in the player's own language

AuthMe serves each player messages in their Minecraft client language, including login/register prompts, help output, and dialogs. When a player's locale is not available it falls back to the server's configured default. See the translations reference for the full list of supported languages. New in this release: Tatar and Spanish translations.

Eight new account importers

The converter system now covers a wide range of authentication plugins. You can migrate accounts from:

  • Auth+, LibreLogin, LimboAuth, nLogin (including SQLite auto-detection), OpeNLogin, tiAuth

All importers reuse the AuthMe connection pool and apply consistent UUID handling. See the converters guide for usage.

New server spawn priority

A new server value is available for the spawn priority setting. The spawn location is determined by the configured server spawn point with an optional radius so players don't stack on the same block. Falls back to the default spawn location if none is available.

Email confirmation on change

/email add and /email change now require the player to confirm the new address before it is saved, preventing typos from locking players out of account recovery.

Separate login and registration timeouts

The single timeout setting has been split into two independent values: loginTimeout and registerTimeout. Existing configurations are migrated automatically — no action required. Full details are in the configuration reference.

New hash algorithm: PBKDF2BASE64

A new PBKDF2BASE64 hash algorithm is now supported. See the hash algorithms reference for details.

Ender pearls returned on login

Ender pearls thrown before authentication are held and returned to the player's inventory on successful login rather than being lost. Configurable via settings.restrictions.cancelThrownEnderPearlOnJoin.


Breaking changes

Java 17 is now the minimum required version for spigot-legacy. Servers still running Java 8 or Java 11 must upgrade before installing this release.

Java 21 is now the minimum required version for other platforms (Spigot 1.21, Paper, Folia).

PacketEvents replaces ProtocolLib for inventory protection, tab-complete blocking, and premium bypass in direct-connection mode. Install PacketEvents 2.x if you use any of these features — ProtocolLib is no longer used for this purpose.


Bug fixes

  • Quit location is now correctly saved on disconnect
  • Walk and fly speed are properly reset on auto-login via premium, session, or proxy
  • Admin force-login commands correctly dismiss any open dialog for the target player
  • Proxy auto-login works correctly when the target player is already online
  • Email format is validated before any processing is attempted
  • Email recovery UI is only shown when the email sending system is properly configured
  • TOTP QR codes are generated with a default margin
  • BungeeCord plugin messaging channel is correctly registered on startup
  • Brigadier command registration handles @ characters and awaits proper type resolution
  • Converters correctly insert and update player UUIDs
  • Spawn location Y coordinate is correctly selected in server spawn mode

Additional resources

6.0.0-R1Бета26.1, 26.1.1, 26.1.2 · 26 апреля 2026 г.

AuthMe 6.0.0-R1 - Release Candidate

This update brings a smoother, more modern AuthMe experience for both server owners and players. The focus of this release is simple: better support for modern server setups, a cleaner login flow, and more flexibility for server customization.

Highlights

Dedicated builds for every platform

AuthMe now ships as separate, purpose-built jars for each server platform: Spigot 1.16–1.19, Spigot 1.20–1.21, Paper 1.21+, and Folia 1.21+. Install the jar that matches your server — no further configuration needed to get the right behaviour for your platform.

Native proxy plugins for BungeeCord and Velocity

Two new dedicated proxy plugins are now available, one for BungeeCord and one for Velocity. They handle authentication state synchronisation between the proxy and your backend servers automatically, replacing the previous approach that relied solely on backend-side configuration. See the proxy configuration guide for setup instructions.

Dialog-based login and registration

On Spigot 1.21.6+ and Paper / Folia 1.21.11+, players are presented with a graphical dialog to log in or register — displayed right as they connect, before they even fully join the server. The dialog is shown in the server's configured language.

Messages in the player's own language

AuthMe can now automatically serve each player messages in their Minecraft client language. When a player's locale is not available, it falls back cleanly to the server's configured default. See the translations reference for the full list of supported languages.

Separate login and registration timeouts

The single timeout setting has been split into two independent values: loginTimeout and registerTimeout. Existing configurations are migrated automatically — no action required. Full details are in the configuration reference.

New hash algorithm and Auth+ account importer

A new PBKDF2BASE64 hash algorithm is now supported. An importer for accounts from the Auth+ plugin is also included. See the hash algorithms reference and the converters guide for details.

Ender pearls returned on login

Ender pearls thrown before authentication are held and returned to the player's inventory on successful login, rather than being lost. This behaviour is configurable via settings.restrictions.cancelThrownEnderPearlOnJoin.

Breaking changes

Java 17 is now the minimum required version. Servers still running Java 8 or Java 11 must upgrade before installing this release.

PacketEvents replaces ProtocolLib for inventory protection and tab-complete blocking. If you used those features with ProtocolLib, install PacketEvents as an optional dependency instead — ProtocolLib is no longer used for this purpose.

Additional resources

6.0.0-R1Бета26.1, 26.1.1, 26.1.2 · 25 апреля 2026 г.

AuthMe 6.0.0-R1 - Release Candidate

This update brings a smoother, more modern AuthMe experience for both server owners and players. The focus of this release is simple: better support for modern server setups, a cleaner login flow, and more flexibility for server customization.

Highlights

Dedicated builds for every platform

AuthMe now ships as separate, purpose-built jars for each server platform: Spigot 1.16–1.19, Spigot 1.20–1.21, Paper 1.21+, and Folia 1.21+. Install the jar that matches your server — no further configuration needed to get the right behaviour for your platform.

Native proxy plugins for BungeeCord and Velocity

Two new dedicated proxy plugins are now available, one for BungeeCord and one for Velocity. They handle authentication state synchronisation between the proxy and your backend servers automatically, replacing the previous approach that relied solely on backend-side configuration. See the proxy configuration guide for setup instructions.

Dialog-based login and registration

On Spigot 1.21.6+ and Paper / Folia 1.21.11+, players are presented with a graphical dialog to log in or register — displayed right as they connect, before they even fully join the server. The dialog is shown in the server's configured language.

Messages in the player's own language

AuthMe can now automatically serve each player messages in their Minecraft client language. When a player's locale is not available, it falls back cleanly to the server's configured default. See the translations reference for the full list of supported languages.

Separate login and registration timeouts

The single timeout setting has been split into two independent values: loginTimeout and registerTimeout. Existing configurations are migrated automatically — no action required. Full details are in the configuration reference.

New hash algorithm and Auth+ account importer

A new PBKDF2BASE64 hash algorithm is now supported. An importer for accounts from the Auth+ plugin is also included. See the hash algorithms reference and the converters guide for details.

Ender pearls returned on login

Ender pearls thrown before authentication are held and returned to the player's inventory on successful login, rather than being lost. This behaviour is configurable via settings.restrictions.cancelThrownEnderPearlOnJoin.

Breaking changes

Java 17 is now the minimum required version. Servers still running Java 8 or Java 11 must upgrade before installing this release.

PacketEvents replaces ProtocolLib for inventory protection and tab-complete blocking. If you used those features with ProtocolLib, install PacketEvents as an optional dependency instead — ProtocolLib is no longer used for this purpose.

Additional resources

Комментарии

Загружаем…