diff --git a/cmd/zrok/create.go b/cmd/zrok/create.go
index 1aae78f4..ad382060 100644
--- a/cmd/zrok/create.go
+++ b/cmd/zrok/create.go
@@ -34,7 +34,7 @@ func newCreateAccountCommand() *createAccountCommand {
 }
 
 func (cmd *createAccountCommand) run(_ *cobra.Command, _ []string) {
-	username, err := term.Prompt("New Username: ")
+	email, err := term.Prompt("New Email: ")
 	if err != nil {
 		panic(err)
 	}
@@ -53,7 +53,7 @@ func (cmd *createAccountCommand) run(_ *cobra.Command, _ []string) {
 	zrok := newZrokClient()
 	req := identity.NewCreateAccountParams()
 	req.Body = &rest_model_zrok.AccountRequest{
-		Username: username,
+		Email:    email,
 		Password: password,
 	}
 	resp, err := zrok.Identity.CreateAccount(req)
diff --git a/controller/account.go b/controller/account.go
index fb6a22aa..7190db22 100644
--- a/controller/account.go
+++ b/controller/account.go
@@ -11,10 +11,10 @@ import (
 )
 
 func createAccountHandler(params identity.CreateAccountParams) middleware.Responder {
-	logrus.Infof("received account request for username '%v'", params.Body.Username)
-	if params.Body == nil || params.Body.Username == "" || params.Body.Password == "" {
-		logrus.Errorf("missing username or password")
-		return identity.NewCreateAccountBadRequest().WithPayload("missing username or password")
+	logrus.Infof("received account request for email '%v'", params.Body.Email)
+	if params.Body == nil || params.Body.Email == "" || params.Body.Password == "" {
+		logrus.Errorf("missing email or password")
+		return identity.NewCreateAccountBadRequest().WithPayload("missing email or password")
 	}
 
 	token, err := generateApiToken()
@@ -23,7 +23,7 @@ func createAccountHandler(params identity.CreateAccountParams) middleware.Respon
 		return identity.NewCreateAccountInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
 	}
 	a := &store.Account{
-		Username: params.Body.Username,
+		Email:    params.Body.Email,
 		Password: hashPassword(params.Body.Password),
 		Token:    token,
 	}
diff --git a/controller/enable.go b/controller/enable.go
index c9149883..e70d4a5d 100644
--- a/controller/enable.go
+++ b/controller/enable.go
@@ -41,7 +41,7 @@ func (self *enableHandler) Handle(params identity.EnableParams, principal *rest_
 		logrus.Errorf("error getting edge client: %v", err)
 		return identity.NewEnableInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
 	}
-	ident, err := self.createIdentity(principal.Username, client)
+	ident, err := self.createIdentity(principal.Email, client)
 	if err != nil {
 		logrus.Error(err)
 		return identity.NewEnableInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
@@ -73,7 +73,7 @@ func (self *enableHandler) Handle(params identity.EnableParams, principal *rest_
 		logrus.Errorf("error committing: %v", err)
 		return identity.NewCreateAccountInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
 	}
-	logrus.Infof("recorded identity '%v' with id '%v' for '%v'", ident.Payload.Data.ID, envId, principal.Username)
+	logrus.Infof("recorded identity '%v' with id '%v' for '%v'", ident.Payload.Data.ID, envId, principal.Email)
 
 	resp := identity.NewEnableCreated().WithPayload(&rest_model_zrok.EnableResponse{
 		Identity: ident.Payload.Data.ID,
@@ -91,13 +91,13 @@ func (self *enableHandler) Handle(params identity.EnableParams, principal *rest_
 	return resp
 }
 
-func (_ *enableHandler) createIdentity(username string, client *rest_management_api_client.ZitiEdgeManagement) (*identity_edge.CreateIdentityCreated, error) {
+func (_ *enableHandler) createIdentity(email string, client *rest_management_api_client.ZitiEdgeManagement) (*identity_edge.CreateIdentityCreated, error) {
 	iIsAdmin := false
 	iId, err := randomId()
 	if err != nil {
 		return nil, err
 	}
-	name := fmt.Sprintf("%v-%v", username, iId)
+	name := fmt.Sprintf("%v-%v", email, iId)
 	identityType := rest_model_edge.IdentityTypeUser
 	i := &rest_model_edge.IdentityCreate{
 		Enrollment:          &rest_model_edge.IdentityCreateEnrollment{Ott: true},
diff --git a/controller/login.go b/controller/login.go
index f5fa9e5f..7c1f5830 100644
--- a/controller/login.go
+++ b/controller/login.go
@@ -21,7 +21,7 @@ func loginHandler(params identity.LoginParams) middleware.Responder {
 		return identity.NewLoginUnauthorized()
 	}
 	defer func() { _ = tx.Rollback() }()
-	a, err := str.FindAccountWithUsername(params.Body.Email, tx)
+	a, err := str.FindAccountWithEmail(params.Body.Email, tx)
 	if err != nil {
 		logrus.Errorf("error finding account '%v': %v", params.Body.Email, err)
 		return identity.NewLoginUnauthorized()
diff --git a/controller/overview.go b/controller/overview.go
index dbf95a1d..9c603fcd 100644
--- a/controller/overview.go
+++ b/controller/overview.go
@@ -16,7 +16,7 @@ func overviewHandler(_ metadata.OverviewParams, principal *rest_model_zrok.Princ
 	defer func() { _ = tx.Rollback() }()
 	envs, err := str.FindEnvironmentsForAccount(int(principal.ID), tx)
 	if err != nil {
-		logrus.Errorf("error finding environments for '%v': %v", principal.Username, err)
+		logrus.Errorf("error finding environments for '%v': %v", principal.Email, err)
 		return metadata.NewOverviewInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
 	}
 	var out rest_model_zrok.EnvironmentServicesList
diff --git a/controller/store/account.go b/controller/store/account.go
index 5c545b22..4bc0150c 100644
--- a/controller/store/account.go
+++ b/controller/store/account.go
@@ -7,17 +7,17 @@ import (
 
 type Account struct {
 	Model
-	Username string
+	Email    string
 	Password string
 	Token    string
 }
 
 func (self *Store) CreateAccount(a *Account, tx *sqlx.Tx) (int, error) {
-	stmt, err := tx.Prepare("insert into accounts (username, password, token) values (?, ?, ?)")
+	stmt, err := tx.Prepare("insert into accounts (email, password, token) values (?, ?, ?)")
 	if err != nil {
 		return 0, errors.Wrap(err, "error preparing accounts insert statement")
 	}
-	res, err := stmt.Exec(a.Username, a.Password, a.Token)
+	res, err := stmt.Exec(a.Email, a.Password, a.Token)
 	if err != nil {
 		return 0, errors.Wrap(err, "error executing accounts insert statement")
 	}
@@ -36,10 +36,10 @@ func (self *Store) GetAccount(id int, tx *sqlx.Tx) (*Account, error) {
 	return a, nil
 }
 
-func (self *Store) FindAccountWithUsername(username string, tx *sqlx.Tx) (*Account, error) {
+func (self *Store) FindAccountWithEmail(email string, tx *sqlx.Tx) (*Account, error) {
 	a := &Account{}
-	if err := tx.QueryRowx("select * from accounts where username = ?", username).StructScan(a); err != nil {
-		return nil, errors.Wrap(err, "error selecting account by username")
+	if err := tx.QueryRowx("select * from accounts where email = ?", email).StructScan(a); err != nil {
+		return nil, errors.Wrap(err, "error selecting account by email")
 	}
 	return a, nil
 }
diff --git a/controller/store/sql/000_base.sql b/controller/store/sql/000_base.sql
index d732ef1e..9278ca42 100644
--- a/controller/store/sql/000_base.sql
+++ b/controller/store/sql/000_base.sql
@@ -5,14 +5,14 @@
 --
 create table accounts (
   id                    integer             primary key,
-  username              string              not null unique,
+  email                 string              not null unique,
   password              string              not null,
   token                 string              not null unique,
   created_at            datetime            not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')),
   updated_at            datetime            not null default(strftime('%Y-%m-%d %H:%M:%f', 'now')),
 
-  constraint chk_username check (username <> ''),
-  constraint chk_password check (username <> ''),
+  constraint chk_email check (email <> ''),
+  constraint chk_password check (password <> ''),
   constraint chk_token check(token <> '')
 );
 
diff --git a/controller/tunnel.go b/controller/tunnel.go
index 6294a0c4..6e5f179f 100644
--- a/controller/tunnel.go
+++ b/controller/tunnel.go
@@ -28,7 +28,7 @@ func newTunnelHandler(cfg *Config) *tunnelHandler {
 }
 
 func (self *tunnelHandler) Handle(params tunnel.TunnelParams, principal *rest_model_zrok.Principal) middleware.Responder {
-	logrus.Infof("tunneling for '%v' (%v)", principal.Username, principal.Token)
+	logrus.Infof("tunneling for '%v' (%v)", principal.Email, principal.Token)
 
 	tx, err := str.Begin()
 	if err != nil {
@@ -42,17 +42,17 @@ func (self *tunnelHandler) Handle(params tunnel.TunnelParams, principal *rest_mo
 		found := false
 		for _, env := range envs {
 			if env.ZitiIdentityId == envId {
-				logrus.Infof("found identity '%v' for user '%v'", envId, principal.Username)
+				logrus.Infof("found identity '%v' for user '%v'", envId, principal.Email)
 				found = true
 				break
 			}
 		}
 		if !found {
-			logrus.Errorf("environment '%v' not found for user '%v'", envId, principal.Username)
+			logrus.Errorf("environment '%v' not found for user '%v'", envId, principal.Email)
 			return tunnel.NewTunnelUnauthorized().WithPayload("bad environment identity")
 		}
 	} else {
-		logrus.Errorf("error finding environments for account '%v'", principal.Username)
+		logrus.Errorf("error finding environments for account '%v'", principal.Email)
 		return tunnel.NewTunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
 	}
 
@@ -104,7 +104,7 @@ func (self *tunnelHandler) Handle(params tunnel.TunnelParams, principal *rest_mo
 		logrus.Errorf("error committing service record: %v", err)
 		return tunnel.NewTunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
 	}
-	logrus.Infof("recorded service '%v' with id '%v' for '%v'", svcId, sid, principal.Username)
+	logrus.Infof("recorded service '%v' with id '%v' for '%v'", svcId, sid, principal.Email)
 
 	return tunnel.NewTunnelCreated().WithPayload(&rest_model_zrok.TunnelResponse{
 		ProxyEndpoint: self.proxyUrl(svcName),
diff --git a/controller/untunnel.go b/controller/untunnel.go
index e2a6190d..30cc8b89 100644
--- a/controller/untunnel.go
+++ b/controller/untunnel.go
@@ -26,7 +26,7 @@ func newUntunnelHandler(cfg *Config) *untunnelHandler {
 }
 
 func (self *untunnelHandler) Handle(params tunnel.UntunnelParams, principal *rest_model_zrok.Principal) middleware.Responder {
-	logrus.Infof("untunneling for '%v' (%v)", principal.Username, principal.Token)
+	logrus.Infof("untunneling for '%v' (%v)", principal.Email, principal.Token)
 
 	tx, err := str.Begin()
 	if err != nil {
@@ -55,12 +55,12 @@ func (self *untunnelHandler) Handle(params tunnel.UntunnelParams, principal *res
 			}
 		}
 		if senv == nil {
-			err := errors.Errorf("environment with id '%v' not found for '%v", params.Body.ZitiIdentityID, principal.Username)
+			err := errors.Errorf("environment with id '%v' not found for '%v", params.Body.ZitiIdentityID, principal.Email)
 			logrus.Error(err)
 			return tunnel.NewUntunnelNotFound().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
 		}
 	} else {
-		logrus.Errorf("error finding environments for account '%v': %v", principal.Username, err)
+		logrus.Errorf("error finding environments for account '%v': %v", principal.Email, err)
 		return tunnel.NewUntunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
 	}
 
@@ -73,12 +73,12 @@ func (self *untunnelHandler) Handle(params tunnel.UntunnelParams, principal *res
 			}
 		}
 		if ssvc == nil {
-			err := errors.Errorf("service with id '%v' not found for '%v'", svcId, principal.Username)
+			err := errors.Errorf("service with id '%v' not found for '%v'", svcId, principal.Email)
 			logrus.Error(err)
 			return tunnel.NewUntunnelNotFound().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
 		}
 	} else {
-		logrus.Errorf("error finding services for account '%v': %v", principal.Username, err)
+		logrus.Errorf("error finding services for account '%v': %v", principal.Email, err)
 		return tunnel.NewUntunnelInternalServerError().WithPayload(rest_model_zrok.ErrorMessage(err.Error()))
 	}
 
diff --git a/controller/util.go b/controller/util.go
index 01993c56..e8318521 100644
--- a/controller/util.go
+++ b/controller/util.go
@@ -19,9 +19,9 @@ func ZrokAuthenticate(token string) (*rest_model_zrok.Principal, error) {
 	defer func() { _ = tx.Rollback() }()
 	if a, err := str.FindAccountWithToken(token, tx); err == nil {
 		principal := rest_model_zrok.Principal{
-			ID:       int64(a.Id),
-			Token:    a.Token,
-			Username: a.Username,
+			ID:    int64(a.Id),
+			Token: a.Token,
+			Email: a.Email,
 		}
 		return &principal, nil
 	} else {
diff --git a/rest_model_zrok/account_request.go b/rest_model_zrok/account_request.go
index 7096ab0e..fa22b4d4 100644
--- a/rest_model_zrok/account_request.go
+++ b/rest_model_zrok/account_request.go
@@ -17,11 +17,11 @@ import (
 // swagger:model accountRequest
 type AccountRequest struct {
 
+	// email
+	Email string `json:"email,omitempty"`
+
 	// password
 	Password string `json:"password,omitempty"`
-
-	// username
-	Username string `json:"username,omitempty"`
 }
 
 // Validate validates this account request
diff --git a/rest_model_zrok/principal.go b/rest_model_zrok/principal.go
index 3a8b70ef..dcda9328 100644
--- a/rest_model_zrok/principal.go
+++ b/rest_model_zrok/principal.go
@@ -17,14 +17,14 @@ import (
 // swagger:model principal
 type Principal struct {
 
+	// email
+	Email string `json:"email,omitempty"`
+
 	// id
 	ID int64 `json:"id,omitempty"`
 
 	// token
 	Token string `json:"token,omitempty"`
-
-	// username
-	Username string `json:"username,omitempty"`
 }
 
 // Validate validates this principal
diff --git a/rest_server_zrok/embedded_spec.go b/rest_server_zrok/embedded_spec.go
index eaff3d57..400222e2 100644
--- a/rest_server_zrok/embedded_spec.go
+++ b/rest_server_zrok/embedded_spec.go
@@ -307,10 +307,10 @@ func init() {
     "accountRequest": {
       "type": "object",
       "properties": {
-        "password": {
+        "email": {
           "type": "string"
         },
-        "username": {
+        "password": {
           "type": "string"
         }
       }
@@ -433,14 +433,14 @@ func init() {
     "principal": {
       "type": "object",
       "properties": {
+        "email": {
+          "type": "string"
+        },
         "id": {
           "type": "integer"
         },
         "token": {
           "type": "string"
-        },
-        "username": {
-          "type": "string"
         }
       }
     },
@@ -814,10 +814,10 @@ func init() {
     "accountRequest": {
       "type": "object",
       "properties": {
-        "password": {
+        "email": {
           "type": "string"
         },
-        "username": {
+        "password": {
           "type": "string"
         }
       }
@@ -940,14 +940,14 @@ func init() {
     "principal": {
       "type": "object",
       "properties": {
+        "email": {
+          "type": "string"
+        },
         "id": {
           "type": "integer"
         },
         "token": {
           "type": "string"
-        },
-        "username": {
-          "type": "string"
         }
       }
     },
diff --git a/specs/zrok.yml b/specs/zrok.yml
index ecbd38b9..e5556c79 100644
--- a/specs/zrok.yml
+++ b/specs/zrok.yml
@@ -183,7 +183,7 @@ definitions:
   accountRequest:
     type: object
     properties:
-      username:
+      email:
         type: string
       password:
         type: string
@@ -274,7 +274,7 @@ definitions:
     properties:
       id:
         type: integer
-      username:
+      email:
         type: string
       token:
         type: string
diff --git a/ui/src/api/types.js b/ui/src/api/types.js
index e21449d3..cf3d165d 100644
--- a/ui/src/api/types.js
+++ b/ui/src/api/types.js
@@ -5,7 +5,7 @@
  * @typedef accountRequest
  * @memberof module:types
  * 
- * @property {string} username 
+ * @property {string} email 
  * @property {string} password 
  */
 
@@ -81,7 +81,7 @@
  * @memberof module:types
  * 
  * @property {number} id 
- * @property {string} username 
+ * @property {string} email 
  * @property {string} token 
  */