> ## Documentation Index
> Fetch the complete documentation index at: https://docs.risingwave.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CREATE USER

> Use the `CREATE USER` command to create a new user account in RisingWave.

## Syntax for creating a new user

```sql theme={null}
CREATE USER user_name [ [ WITH ] system_permission [ ... ][PASSWORD { password | NULL }] ];
```

If you do not want password authentication for the user, omit the PASSWORD option.

Below are the options for system permissions.

| Option       | Description                                                                                                                 |
| :----------- | :-------------------------------------------------------------------------------------------------------------------------- |
| SUPERUSER    | Grants the user superuser permission. A superuser can override all access restrictions. NOSUPERUSER is the default value.   |
| NOSUPERUSER  | Denies the user superuser permission. A superuser can override all access restrictions. NOSUPERUSER is the default value.   |
| CREATEDB     | Grants the user the permission to create databases. NOCREATEDB is the default value.                                        |
| NOCREATEDB   | Denies the user the permission to create databases. NOCREATEDB is the default value.                                        |
| CREATEUSER   | Grants the user the permission to create new users and/or alter and drop existing users. NOCREATEUSER is the default value. |
| NOCREATEUSER | Denies the user the ability to create new users and/or alter and drop existing users. NOCREATEUSER is the default value.    |

<Note>
  The user name `rwadmin` is reserved for cloud control plane operations and cannot be used when creating new users.
</Note>

## Syntax for creating a user with OAuth authentication

In addition, you can create a user with OAuth authentication. The syntax is as follows:

```sql theme={null}
CREATE USER user_name WITH oauth (
  jwks_url = 'xxx.com',
  issuer = 'risingwave',
  other_params_should_match = 'xxx',
);

```

The `jwks_url` and `issuer` parameters are mandatory. On the other hand, `other_params_should_match` is an optional parameter that will be validated against `jwt.claims`. Please ensure that all keys in the options are in **lowercase**.

<Note>
  `kid` and `alg` are required in the header of JWT, and `kid` is also required in the JWKs returned by the JWKS server. All parameters set in user creation (except `jwks_url`) will be checked in the claims of JWT. Any mismatch will deny the login process.
</Note>

### OAuth audience validation

<Note>
  Added in v2.7.0.
</Note>

When using OAuth authentication, the JWT payload must contain an `aud` (audience) claim with the value `urn:risingwave:cluster:your_cluster_id`, where `your_cluster_id` is the ID of your RisingWave cluster. This ensures that tokens are only accepted by the intended cluster.

To get your cluster ID, use the [`rw_cluster_id()`](/sql/functions/sys-info#rw-cluster-id) function:

```sql theme={null}
SELECT rw_cluster_id();
```

The JWT payload should include the audience claim in the following format:

```json theme={null}
{
  "aud": "urn:risingwave:cluster:your_cluster_id",
  "iss": "your-issuer",
  "exp": 1234567890,
  ...
}
```

## Examples

### Create a user account and switch to it

The following statement creates a user account with the name "user1" and password 'pAssword12345'.

```sql theme={null}
CREATE USER user1
    WITH PASSWORD 'pAssword12345';
```

<Tip>
  You can connect to RisingWave with the newly created user account.
</Tip>

To switch to the new user account:

Quit current connection.

```bash theme={null}
\q
```

Connect and log in with the new account.

```bash theme={null}
psql -h localhost -p 4566 -d dev -U user1

```

Enter the password to log in.

<Note>
  Names and unquoted identifiers are case-insensitive. Therefore, you must double-quote any of these fields for them to be case-sensitive. See also [Identifiers](/sql/identifiers).
</Note>

### Create a user with OAuth authentication

Here is an example of creating a new user `test` with OAuth authentication.

Connect and log in with the root account.

```bash theme={null}
psql -h localhost -p 4566 -d dev -U root
```

Create a new user test with OAuth authentication in psql.

```sql theme={null}
CREATE USER test WITH oauth (
  jwks_url = 'xxx.com',  // required
  issuer = 'risingwave',  // required
  other_params_should_match = 'xxx',  // optional, will be checked against jwt.claims
);
```

Connect and log in with the new account.

```bash theme={null}
-- The password here is actually OAuth token, and will be passed with plaintext.
psql -h localhost -p 4566 -d dev -U test
```
