How to Set Up Login Security (AuthMe / LibreLogin)
Guide to securing your Minecraft server with login authentication using AuthMe Reloaded or LibreLogin. Covers installation, configuration, password policies, sessions, email recovery, and MySQL backend.
Login security plugins add a registration and authentication layer on top of Minecraft's normal connection flow. When a player joins, they must type /register or /login before they can move, chat, or interact with anything. This prevents unauthorized access to accounts and is essential for servers running in offline mode or behind a BungeeCord/Velocity proxy. This guide covers both AuthMe Reloaded (the veteran choice) and LibreLogin (the modern alternative), from installation through production configuration.
When do you need login security?
The short answer: when your server runs in offline mode (online-mode=false in server.properties). In offline mode, the server does not verify player UUIDs against Mojang's servers, which means anyone can join with any username. Without authentication, a griefer could log in as "AdminPlayer" and inherit that player's inventory, permissions, and builds.
There are two common scenarios for offline mode:
- Cracked servers: intentionally allowing players without purchased Minecraft accounts. These servers must have login security, period.
- Proxy networks: BungeeCord and Velocity require backend servers to run in offline mode so the proxy can forward connections. The proxy handles Mojang authentication, and a login plugin adds a second layer of security to prevent players from connecting directly to backend servers and bypassing the proxy.
If your server runs in online-mode=true without a proxy, you generally do not need a login plugin. Mojang's authentication already verifies every connection. Adding one is still possible (as extra security against session token theft), but it is not standard practice.
AuthMe Reloaded vs LibreLogin
| Feature | AuthMe Reloaded | LibreLogin |
|---|---|---|
| Server type | Spigot, Paper (single server) | Velocity, BungeeCord, Paper |
| Proxy support | Via AuthMeBungee addon | Native (designed for proxies) |
| Password hashing | BCrypt, SHA-256, others | BCrypt, Argon2 |
| Database | SQLite, MySQL, PostgreSQL | SQLite, MySQL, PostgreSQL |
| 2FA support | Via addon | Built-in TOTP |
| Active development | Maintenance mode (stable) | Active |
| Migration tools | N/A | Can import AuthMe databases |
| Price | Free | Free |
AuthMe Reloaded has been the standard for over a decade. It is stable, well-documented, and handles single-server setups perfectly. LibreLogin is the newer project, built specifically for Velocity-based networks with modern password hashing and native proxy integration. If you are setting up a new network in 2026, LibreLogin is the stronger choice. For single Paper servers, AuthMe still works flawlessly.
Installing AuthMe Reloaded
- Download AuthMe.jar from the SpigotMC page or the GitHub releases.
- Place it in the plugins/ folder of your Paper or Spigot server.
- Restart the server. AuthMe generates plugins/AuthMe/config.yml and a SQLite database.
- The plugin immediately starts requiring /register and /login from all players.
Essential configuration
Open plugins/AuthMe/config.yml and adjust these settings:
Password requirements
```yaml
settings:
  security:
    minPasswordLength: 8
    maxPasswordLength: 30
    unsafePasswords:
      - "12345678"
      - "password"
      - "minecraft"
```
Set a minimum length of at least 8 characters. The unsafe passwords list blocks common weak passwords. Players who try to register with one of these get a denial message.
Session management
```yaml
settings:
  sessions:
    enabled: true
    timeout: 60  # minutes before session expires
    sessionExpireOnIpChange: true
```
Sessions let returning players skip /login if they reconnect within the timeout window from the same IP address. This reduces friction for players with unstable connections without compromising security. If their IP changes, the session invalidates and they must authenticate again.
Spawn teleportation
```yaml
settings:
  teleportUnAuthedToSpawn: true
  forceSpawnLocOnJoin:
    enabled: true
```
This teleports unauthenticated players to a designated spawn room where they cannot interact with anything. Without this, players appear at their last location and could be killed by mobs or fall damage before they have a chance to type /login.
Restricting unauthenticated players
```yaml
settings:
  restrictions:
    allowMovement: false
    allowedMovementRadius: 0
    allowCommands:
      - "/login"
      - "/register"
      - "/l"
      - "/reg"
    allowChat: false
```
This locks down unauthenticated players completely. They cannot move, chat, or run any commands except the login/register ones. This is critical: without these restrictions, someone could walk around, read signs, see builds, or even pick up items before logging in.
Email recovery
AuthMe supports email-based password recovery. Players register their email with /email add <email> <email>, and if they forget their password, they use /email recover <email> to receive a recovery code. This requires SMTP configuration:
```yaml
Email:
  mailSMTP: smtp.gmail.com
  mailPort: 465
  mailAccount: "<your-email-address>"
  mailPassword: "app-password-here"
  useTls: true
```
Use an app-specific password for Gmail, not your actual account password. For production servers, consider a transactional email service like Mailgun or SendGrid for better deliverability.
Installing LibreLogin (Velocity networks)
If you run a Velocity proxy, LibreLogin installs on the proxy itself, not on individual backend servers:
- Download the Velocity build of LibreLogin from Modrinth or GitHub.
- Place it in the Velocity plugins/ folder.
- Restart Velocity. LibreLogin creates its config in plugins/librelogin/.
- Configure a limbo server: a lightweight backend server where unauthenticated players wait. This can be a NanoLimbo instance or a stripped-down Paper server with no world.
LibreLogin routes unauthenticated players to the limbo server automatically. Once they /login or /register, the plugin transfers them to the lobby or last-connected server. This architecture keeps unauthenticated players completely isolated from actual game servers.
MySQL backend for multi-server networks
Both AuthMe and LibreLogin default to SQLite, which stores data in a local file. On single servers this is fine. On networks with multiple backend servers, you need a shared database so that registration and session data persist across servers.
```yaml
# AuthMe MySQL config
DataSource:
  backend: MYSQL
  mySQLHost: 127.0.0.1
  mySQLPort: 3306
  mySQLDatabase: authme
  mySQLUsername: authme_user
  mySQLPassword: "strong-password"
  mySQLTablename: authme
```
Create the database and user beforehand with appropriate permissions (SELECT, INSERT, UPDATE, DELETE on the authme database). The plugin creates the required tables on first run.
Captcha and brute force protection
AuthMe includes a captcha system that triggers after multiple failed login attempts:
```yaml
Security:
  captcha:
    useCaptcha: true
    maxLoginTry: 5
    captchaLength: 5
```
After five failed /login attempts, the player must type a random captcha code before trying again. This prevents automated brute-force attacks against player accounts. LibreLogin handles this with rate limiting and configurable attempt thresholds.
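To watch the same threshold from the operator's side, the added example below (not AuthMe code) counts failed logins per player against maxLoginTry and, going one step beyond the per-player counter, also counts how many different accounts fail from a single address. The log line format, the reset on successful login, and the MAX_ACCOUNTS_PER_IP threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

MAX_LOGIN_TRY = 5        # maxLoginTry from the captcha config above
MAX_ACCOUNTS_PER_IP = 3  # assumed alert threshold, not an AuthMe setting

# Constructed sample; this line format is an assumption, not AuthMe's log output.
SAMPLE_LOG = """\
18:02:01 FAIL player=AdminPlayer ip=203.0.113.7
18:02:03 FAIL player=AdminPlayer ip=203.0.113.7
18:02:04 FAIL player=Steve ip=192.0.2.44
18:02:05 FAIL player=AdminPlayer ip=203.0.113.7
18:02:06 FAIL player=Alex ip=198.51.100.23
18:02:07 FAIL player=AdminPlayer ip=203.0.113.7
18:02:08 OK player=Steve ip=192.0.2.44
18:02:09 FAIL player=Builder1 ip=198.51.100.23
18:02:10 FAIL player=AdminPlayer ip=203.0.113.7
18:02:12 FAIL player=Mod_Kim ip=198.51.100.23
"""

LINE = re.compile(r"^\S+ (FAIL|OK) player=(\S+) ip=(\S+)$")


def analyse(log_text, max_try=MAX_LOGIN_TRY, max_accounts=MAX_ACCOUNTS_PER_IP):
    """Return (players at the captcha threshold, addresses failing on many accounts)."""
    streak = defaultdict(int)          # consecutive failed logins per player
    accounts_by_ip = defaultdict(set)  # players with a failed login from each address
    captcha_required, noisy_ips = [], []
    for raw in log_text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue  # ignore lines that are not login results
        result, player, ip = match.groups()
        if result == "OK":
            streak[player] = 0  # assumed: a successful login resets the counter
            continue
        streak[player] += 1
        accounts_by_ip[ip].add(player)
        if streak[player] == max_try:
            captcha_required.append(player)
        if len(accounts_by_ip[ip]) >= max_accounts and ip not in noisy_ips:
            noisy_ips.append(ip)
    return captcha_required, noisy_ips


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```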
Common issues
- Players stuck at spawn, cannot move: they have not authenticated yet. The "cannot move" behavior is intentional. Make sure the login instructions are visible via a join message or hologram at the spawn room.
- Players cannot type /login: check that the command is in the allowCommands whitelist. Also verify no other plugin is overriding the /login command.
- Sessions not working: ensure sessions.enabled is true and the timeout is reasonable. If players use a VPN with rotating IPs, sessions may expire every time they reconnect.
- Duplicate UUIDs: in offline mode, UUIDs are derived from usernames. If two players have the same username on different sessions, they collide. AuthMe handles this by tying authentication to the username, but inventory/playerdata conflicts can still occur. This is a fundamental limitation of offline mode.
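The username-derived UUID mentioned in the last item can be reproduced in a few lines. This added example (not code from AuthMe or LibreLogin) computes the offline-mode UUID the way the server does, a version-3 UUID over the string "OfflinePlayer:" plus the name, and groups constructed join events to show that one name claimed from two addresses resolves to a single identity while a different capitalisation does not. The helper names and sample joins are illustrative.

```python
import hashlib
import uuid
from collections import defaultdict


def offline_uuid(username: str) -> uuid.UUID:
    """UUID an offline-mode server assigns to `username`.

    Equivalent to Java's UUID.nameUUIDFromBytes over "OfflinePlayer:<name>":
    an MD5 digest with the version-3 and variant bits set. No secret is involved.
    """
    data = ("OfflinePlayer:" + username).encode("utf-8")
    digest = hashlib.md5(data, usedforsecurity=False).digest()
    return uuid.UUID(bytes=digest, version=3)


# Constructed join events (username, source address) for illustration.
SAMPLE_JOINS = [
    ("AdminPlayer", "203.0.113.7"),
    ("Steve", "192.0.2.44"),
    ("AdminPlayer", "198.51.100.23"),
    ("adminplayer", "192.0.2.99"),
]


def shared_identities(joins):
    """Map each offline UUID claimed from more than one address to those addresses."""
    ips_by_uuid = defaultdict(set)
    for username, ip in joins:
        ips_by_uuid[offline_uuid(username)].add(ip)
    return {u: sorted(ips) for u, ips in ips_by_uuid.items() if len(ips) > 1}


if __name__ == "__main__":
    for player_uuid, ips in shared_identities(SAMPLE_JOINS).items():
        print(player_uuid, ips)
```

Because the UUID depends only on the typed name, the playerdata file it keys is protected by nothing except the /login step.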
Authentication pairs well with a proper permissions setup: restrict default group permissions so that even if someone bypasses auth, they have minimal access until manually promoted.