Account Management


All access to any XNAT site is restricted to valid users of the site. User accounts determine the data and pages which are accessible to visitors of the site. This documentation is directed at XNAT users. XNAT administrators may want to consult the more administration focused Managing User Accounts page.

Unless a guest account is enabled, all visitors to the site will need to login using a valid user account. You can register an account on the site yourself, or the site administrator can create a user account for you. Depending on the configuration, an administrator may need to enable your account before it becomes functional. In addition to enabling your account, administrators can give you permission to access the data by associating your user account with various projects. Project owners can also give you access to the projects they own.


In a standard XNAT installation, user accounts must be created by either the user themselves or by the site administrator. Users will be given the option of registering for an account when they first visit the site.

The User Registration form collects the necessary data for the creation of your account including First & Last Name, Email, and Username. Once you have registered for an account, your new account may need to be enabled by an administrator (depending on how the site is configured). Once an administrator has enabled your account, you will receive a Welcome email at the email address you entered on the registration page.


User accounts are used to govern which data you have access to. Your permissions are generally governed by which projects your account has been assigned to. Your permissions for a given project could be one of the following roles: Owner, Member, or Collaborator. [Related: XNAT Security Structure: Ownership]

Editing Your Account

After creating your account, if you decide that you want to change your password or associate a different email address with your account, you can click on your username in the bar at the top of each page. In the example below, you would click on the 'aa' link. After entering and confirming your new password or email address, simply click 'Submit' to change it.

Enhanced Authentication Options

In a standard XNAT installation, all user accounts are registered and authenticated based on the contents of XNAT's PostgreSQL database. In some situations, external authentication servers can be used to authenticate and create user accounts. XNAT comes with support for using LDAP (or Active Directory) servers to authenticate and create user accounts. The XNAT team is working on additional authentication mechanisms and the authentication system is easily customizable to allow for unique authentication implementations. If the version of XNAT you're trying to access has additional authentication options, the log in page will have a drop-down from which you will select how you want to log in to the site. [Related: Enhanced Authentication Options] 

Login Credential Security and Authentication

Lots of XNAT installations use scripts, batch files, cron jobs, and other command line-based tools to automate or batch data operations. This works well with XNAT's REST API, but also introduces a risk of exposing login names and passwords on command invokation. To mitigate this risk, XNAT provides the alias token service, which provides a set of temporary login credentials suitable for processing a single task.

Creating a new alias token requires valid login credentials to initialize a session from which the alias token can be created. Care should be taken to protect the credentials at that point. XNAT launches pipelines with alias tokens for credentials, so exposure of credentials isn't a concern in that context. You can also reuse an existing valid JSESSIONID (taken from a browser with an active XNAT session, for example) for the command line. Lastly, you can call these REST URLs directly in your browser with an active XNAT session.


Operations include:

  • issue
  • validate
  • invalidate