Learn the Django User Authentication System

Table of Contents


Giving users the ability to create an account they can sign into is a common function for many websites.

Users might need an account to participate in a comment thread, save their personal information, or transfer money. Whatever the use case may be, you need to build an authentication system that’s simple and safe for your users.

After reading this post, you should have a solid understanding of how Django thinks about authentication – from users, to groups, to permissions. You’ll also see how Django plays things safe where it can in order to help you avoid inadvertently contributing your users’ information to “Have I Been Pwned”.


For most websites, the basic entity of authentication is a user. A user is identified by some unique string, which is almost always an email address or username.

To prove someone is who they say they are, they must provide a password when creating an account, and again at any time they want to authenticate themselves. This should be familiar: you go through this kind of workflow any time you sign up for a service like Twitter or Netflix.

Django provides a User model for creating and managing users. Django users have a username and password, but can also optionally have an email address and a first and last name:

from django.contrib.auth.models import User
rafaela = User('rafaela', password='$uper$ecretpassword')
# OR
rafaela = User(

If you prefer to identify users by their email addresses, I recommend filling the username with the email address and keeping the address in the email field as well. This will allow users to authenticate using their email address while also allowing you to continue using Django’s built-in features that deal with email.

Back to Top