sys-user-token-transact-sql.md

title	sys.user_token (Transact-SQL)
description	sys.user_token (Transact-SQL)
author	VanMSFT
ms.author	vanto
ms.date	08/27/2019
ms.service	sql
ms.subservice	system-objects
ms.topic	reference
ms.custom	ignite-2025
f1_keywords	sys.user_token user_token sys.user_token_TSQL user_token_TSQL
helpviewer_keywords	logins [SQL Server], security tokens sys.user_token catalog view user tokens [SQL Server] tokens [SQL Server] user_token catalog view
dev_langs	TSQL
monikerRange	=azuresqldb-current || >=sql-server-2016 || >=sql-server-linux-2017 || =azure-sqldw-latest || =fabric-sqldb

sys.user_token (Transact-SQL)

[!INCLUDE SQL Server Azure SQL Database Azure SQL Managed Instance FabricSQLDB]

Returns one row for every database principal that is part of the user token in [!INCLUDEssNoVersion].

Column name	Data type	Description
principal_id	int	ID of the principal. The value is unique within database.
sid	varbinary(85)	Security identifier of the principal if the principal is defined external to the database. For example, this can be a [!INCLUDEssNoVersion] login, Windows login, Windows Group login, or a login mapped to a certificate, otherwise, this value is NULL.
name	nvarchar (128)	Name of the principal. The value is unique within database.
type	nvarchar (128)	Description of principal type. All types are mapped to sid. The value can be one of the following: SQL USER WINDOWS LOGIN WINDOWS GROUP ROLE APPLICATION ROLE DATABASE ROLE USER MAPPED TO CERTIFICATE USER MAPPED TO ASYMMETRIC KEY CERTIFICATE ASYMMETRIC KEY
usage	nvarchar (128)	Indicates the principal participates in the evaluation of GRANT or DENY permissions, or serves as an authenticator. This value can be one of the following: GRANT OR DENY DENY ONLY AUTHENTICATOR

See Also

sys.login_token (Transact-SQL)
sys.server_principals (Transact-SQL)
sys.database_principals (Transact-SQL)
Principals (Database Engine)