# Password Authentication

> Configure email and password authentication with the Session API.

This guide walks you through configuring email and password authentication for your application using the Prelude Session Management API.

## Prerequisites

Before you start, make sure you have:

* A Prelude account with access to the Session API
* An **Application ID** (`appID`) — see [Applications](/session/documentation/applications)
* Your **Management API key** for backend calls

## Set up password authentication

Configure password authentication for your application using the Management API from your backend.

<Steps>
  <Step title="Create a password configuration">
    ```bash
    curl -X POST https://api.prelude.dev/v2/session/apps/${APP_ID}/config/login/password \
      -H "Authorization: Bearer ${MANAGEMENT_API_KEY}" \
      -H "Content-Type: application/json" \
      -d '{
        "enabled": true,
        "rate_limit_login_ip": {
          "ttl": 600000000000,
          "limit": 10
        },
        "rate_limit_login_identifier": {
          "ttl": 600000000000,
          "limit": 10
        },
        "password_compliancy": {
          "min_length": 8,
          "max_length": 128,
          "uppercase": 1,
          "lowercase": 1,
          "numbers": 1,
          "symbols": 1
        }
      }'
    ```

    | Field                         | Description                                                                                    |
    | ----------------------------- | ---------------------------------------------------------------------------------------------- |
    | `hash_method`                 | The hashing algorithm for passwords. Default `argon2id`.                                       |
    | `rate_limit_login_ip`         | Rate limit per IP address. `ttl` is in nanoseconds (600000000000 = 10 minutes).                |
    | `rate_limit_login_identifier` | Rate limit per identifier (e.g. email). Same format as above.                                  |
    | `password_compliancy`         | Password requirements your users must meet. Adjust these values to match your security policy. |
  </Step>

  <Step title="Create a user with an email identifier">
    Create a user with an email identifier:

    ```bash
    curl -X POST https://api.prelude.dev/v2/session/apps/${APP_ID}/users \
      -H "Authorization: Bearer ${MANAGEMENT_API_KEY}" \
      -H "Content-Type: application/json" \
      -d '{
        "identifiers": [
          {
            "type": "email_address",
            "value": "user@example.com"
          }
        ]
      }'
    ```
  </Step>

  <Step title="Set the user's password">
    Set a password for the newly created user:

    ```bash
    curl -X PUT https://api.prelude.dev/v2/session/apps/${APP_ID}/users/${USER_ID}/password \
      -H "Authorization: Bearer ${MANAGEMENT_API_KEY}" \
      -H "Content-Type: application/json" \
      -d '{
        "password": "Prelude123*"
      }'
    ```
  </Step>
</Steps>
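
A local pre-check for steps 1 and 3, added here as an example and not taken from Prelude's documentation or SDKs: it converts a rate-limit window in minutes to the nanosecond `ttl` the configuration expects, and tests a candidate password against the `password_compliancy` values shown above before the `PUT` is sent. It assumes each character-class value is a minimum count and that a symbol is any byte that is not an ASCII letter or digit; `minutes_to_ns`, `count_kept` and `check_password` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example: local helpers only, no call to the Prelude API is made.
# Assumptions: class values are minimum counts; a "symbol" is any byte that
# is not an ASCII letter or digit; length is measured in bytes.

# Policy values copied from the password_compliancy object in step 1.
MIN_LENGTH=8
MAX_LENGTH=128
MIN_UPPER=1
MIN_LOWER=1
MIN_NUMBERS=1
MIN_SYMBOLS=1

# Convert minutes to nanoseconds, the unit of the rate-limit "ttl" fields.
minutes_to_ns() {
  echo $(( $1 * 60 * 1000000000 ))
}

# Count the bytes of $1 that belong to the tr character set $2.
count_kept() {
  printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c | tr -d ' '
}

# Print one line per policy violation; return 1 if there is any, else 0.
check_password() {
  local pw="$1" failed=0 len upper lower digits symbols
  len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
  upper=$(count_kept "$pw" 'A-Z')
  lower=$(count_kept "$pw" 'a-z')
  digits=$(count_kept "$pw" '0-9')
  symbols=$(( len - upper - lower - digits ))
  [ "$len" -ge "$MIN_LENGTH" ] || { echo "shorter than $MIN_LENGTH"; failed=1; }
  [ "$len" -le "$MAX_LENGTH" ] || { echo "longer than $MAX_LENGTH"; failed=1; }
  [ "$upper" -ge "$MIN_UPPER" ] || { echo "needs $MIN_UPPER uppercase"; failed=1; }
  [ "$lower" -ge "$MIN_LOWER" ] || { echo "needs $MIN_LOWER lowercase"; failed=1; }
  [ "$digits" -ge "$MIN_NUMBERS" ] || { echo "needs $MIN_NUMBERS number(s)"; failed=1; }
  [ "$symbols" -ge "$MIN_SYMBOLS" ] || { echo "needs $MIN_SYMBOLS symbol(s)"; failed=1; }
  return "$failed"
}

# Example run: the 10-minute window from step 1 and the sample password from step 3.
echo "ttl for 10 minutes: $(minutes_to_ns 10)"
check_password 'Prelude123*' && echo "sample password meets the policy"
```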

## What's next?

Now that your backend is configured, integrate the frontend using the [Web Integration](/session/documentation/frontend-sdks/web/password) guide and log in the newly created user.
