# User accounts
By default, authentication is forced.
Authentication can be managed:
* Via the SonarQube Server built-in users/groups database. See [creating-users](https://docs.sonarsource.com/sonarqube-server/2026.1/instance-administration/user-management/creating-users "mention")
* Via several delegated authentication methods, see [authentication](https://docs.sonarsource.com/sonarqube-server/2026.1/instance-administration/authentication "mention") for more information.
To change the password of a manually created account, see [changing-user-password](https://docs.sonarsource.com/sonarqube-server/2026.1/instance-administration/user-management/changing-user-password "mention").
To deactivate a user account, see [deactivating-users](https://docs.sonarsource.com/sonarqube-server/2026.1/instance-administration/user-management/deactivating-users "mention").
To manage the user account permissions, see:
* [user-permissions](https://docs.sonarsource.com/sonarqube-server/2026.1/instance-administration/user-management/user-permissions "mention")
* [setting-project-permissions](https://docs.sonarsource.com/sonarqube-server/2026.1/project-administration/setting-project-permissions "mention")
## Disabling forced user authentication
You can disable forced user authentication, and allow anonymous users to browse public projects and run analyses in your instance. To do so, you need the Administer System permission.
{% hint style="warning" %}
Disabling forced authentication can expose your SonarQube Server instance to security risks. We strongly recommend forcing user authentication on production instances or carefully configuring the security (user permissions, project visibility, etc.) on your instance. See also [#accessible-api-endpoints-if-forced-authentication-disabled](#accessible-api-endpoints-if-forced-authentication-disabled "mention") below.
We advise keeping forced authentication if you have your SonarQube Server instance publicly accessible.
{% endhint %}
Accessible API endpoints if forced authentication disabled
If forced authentication is disabled, the following API endpoints are accessible **without authentication**:
* api/components/search
* api/issues/tags
* api/languages/list
* api/metrics/domains
* api/metrics/search
* api/metrics/types
* api/plugins/installed
* api/project\_tags/search
* api/qualitygates/list
* api/qualitygates/search
* api/qualitygates/show
* api/qualityprofiles/backup
* api/qualityprofiles/changelog
* api/qualityprofiles/export
* api/qualityprofiles/exporters
* api/qualityprofiles/importers
* api/qualityprofiles/inheritance
* api/qualityprofiles/projects
* api/qualityprofiles/search
* api/rules/repositories
* api/rules/search
* api/rules/show
* api/rules/tags
* api/server/version
* api/settings/login\_message
* api/sources/scm (for public repositories)
* api/sources/show (for public repositories)
* api/system/db*migration*status
* api/system/migrate\_db
* api/system/ping
* api/system/status
* api/system/upgrades
* api/users/search
* api/webservices/list
* api/webservices/response\_example
To disable forced authentication:
1. Go to **Administration** > **Configuration** > **General Settings** > **Security.**
2. Disable **Force user authentication**.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.sonarsource.com/sonarqube-server/2026.1/instance-administration/security/user-accounts.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.