diff --git a/components/changelog/content/config_v1.2.9.mdx b/components/changelog/content/config_v1.2.9.mdx
new file mode 100644
index 0000000..f6ec4a5
--- /dev/null
+++ b/components/changelog/content/config_v1.2.9.mdx
@@ -0,0 +1,12 @@
+- Added file citation configuration for agents endpoint
+ - `maxCitations` - Maximum total citations in agent responses (1-50, default: 30)
+ - `maxCitationsPerFile` - Maximum citations from each file (1-10, default: 7)
+ - `minRelevanceScore` - Minimum relevance score threshold (0.0-1.0, default: 0.45)
+ - Provides fine-grained control over file search citation quality and quantity
+ - See [Agents Configuration](/docs/configuration/librechat_yaml/object_structure/agents) for details
+
+- Added `fileCitations` to interface configuration
+ - Acts as global toggle for the `FILE_CITATIONS` permission
+ - When disabled, prevents all users from seeing file citations regardless of individual permissions
+ - Default enabled to allow file search results to include source citations
+ - See [Interface Configuration - fileCitations](/docs/configuration/librechat_yaml/object_structure/interface#filecitations) for details
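Review bot: The `fileCitations` entry says that disabling it "prevents all users from seeing file citations", which leaves open whether citations are withheld from the response on the server or only hidden in the UI. Because this is described as a global override of the `FILE_CITATIONS` permission, say which it is, so an admin who turns it off to keep source file names away from users knows what they are relying on.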
diff --git a/components/changelog/content/v0.8.0-rc3.mdx b/components/changelog/content/v0.8.0-rc3.mdx
new file mode 100644
index 0000000..18c5f94
--- /dev/null
+++ b/components/changelog/content/v0.8.0-rc3.mdx
@@ -0,0 +1,88 @@
+## What's Changed
+
+### ๐ฃ๏ธ Highlights
+
+* ๐ **Granular Permissions System** by [@danny-avila](https://github.com/danny-avila) in [#8654](https://github.com/danny-avila/LibreChat/pull/8654), [#9068](https://github.com/danny-avila/LibreChat/pull/9068)
+ - Complete overhaul of permission system with fine-grained access control
+ - Entra ID group discovery and integration
+ - ACL-based (Access Control List) resource permissions with permission bits
+
+* ๐ช **Agent Marketplace with Advanced Sharing** by [@danny-avila](https://github.com/danny-avila) in [#8654](https://github.com/danny-avila/LibreChat/pull/8654)
+ - Agent marketplace ecosystem for discovering and sharing agents
+ - Agent categorization and promotion system
+ - Advanced sharing dialogs with role-based access controls
+ - People picker UI for sharing with user/group/role search
+
+### โจ Features
+
+* ๐จ๏ธ feat: Granular ACL-based Sharing for Prompts by [@danny-avila](https://github.com/danny-avila) in [#8654](https://github.com/danny-avila/LibreChat/pull/8654)
+* ๐ feat: Advanced File Storage & Access Control with Agent-based Permissions by [@nagago](https://github.com/nagago) in [#8654](https://github.com/danny-avila/LibreChat/pull/8654)
+* ๐ feat: SharePoint File Picker Integration with Microsoft Graph API by [@danny-avila](https://github.com/danny-avila) in [#8654](https://github.com/danny-avila/LibreChat/pull/8654)
+* ๐ feat: Source Citations for File Search in Agents with Role-based Controls by [@nagago](https://github.com/nagago) in [#8654](https://github.com/danny-avila/LibreChat/pull/8654)
+* ๐ feat: MongoDB Connection Pool Configuration Options by [@JordiHigueraDT](https://github.com/JordiHigueraDT) in [#8654](https://github.com/danny-avila/LibreChat/pull/8654)
+* ๐ feat: Configurable Redis Cluster Mode with Single URI Support by [@luiscga](https://github.com/luiscga) in [#9039](https://github.com/danny-avila/LibreChat/pull/9039)
+* ๐ feat: Add Prompt and Agent Permissions Migration Checks by [@danny-avila](https://github.com/danny-avila) in [#9063](https://github.com/danny-avila/LibreChat/pull/9063)
+* ๐ feat: Group schema support, refine user schema security, and improve types by [@berry-13](https://github.com/berry-13) in [#9070](https://github.com/danny-avila/LibreChat/pull/9070)
+* ๐งช feat: Claude Sonnet 4 - 1M Context Window (Beta Header) by [@danny-avila](https://github.com/danny-avila) in [#9093](https://github.com/danny-avila/LibreChat/pull/9093)
+* ๐ท๏ธ feat: Request Placeholders for Custom Endpoint & MCP Headers by [@danny-avila](https://github.com/danny-avila) in [#9095](https://github.com/danny-avila/LibreChat/pull/9095)
+* ๐ฌ feat: Agent Support Email Address Validation by [@dustinhealy](https://github.com/dustinhealy) in [#9128](https://github.com/danny-avila/LibreChat/pull/9128)
+* ๐ feat: Add User ID to Anthropic API Payload as Metadata by [@danny-avila](https://github.com/danny-avila) in [#9174](https://github.com/danny-avila/LibreChat/pull/9174)
+* ๐ฃ๏ธ feat: `directEndpoint` Fetch Override for Custom Endpoints by [@danny-avila](https://github.com/danny-avila) in [#9179](https://github.com/danny-avila/LibreChat/pull/9179)
+* โจ feat: Add cursor pagination utilities for users/groups/roles by [@berry-13](https://github.com/berry-13) in [#9218](https://github.com/danny-avila/LibreChat/pull/9218)
+
+
+### ๐ง Refactoring
+
+* ๐ refactor: Decouple MCP Dialog UI from `BadgeRowContext` by [@ruggishop](https://github.com/ruggishop) in [#8920](https://github.com/danny-avila/LibreChat/pull/8920)
+* โป๏ธ refactor: MCP Scalability, Fix App-Level Detection, Add Lazy Connections by [@nhtruong](https://github.com/nhtruong) in [#8930](https://github.com/danny-avila/LibreChat/pull/8930)
+* ๐ช refactor: Remove Title `maxTokens` & Support LMStudio/Ollama Reasoning by [@danny-avila](https://github.com/danny-avila) in [#9085](https://github.com/danny-avila/LibreChat/pull/9085)
+* ๐งโ๐ป refactor: Secure Field Selection for 2FA & API Build Sourcemap by [@danny-avila](https://github.com/danny-avila) in [#9087](https://github.com/danny-avila/LibreChat/pull/9087)
+* โ๏ธ refactor: Only register OpenID Strategy if Config Succeeded by [@danny-avila](https://github.com/danny-avila) in [#9094](https://github.com/danny-avila/LibreChat/pull/9094)
+* ๐ท๏ธ refactor: Normalize Request Headers in `setRequestHeaders` by [@danny-avila](https://github.com/danny-avila) in [#9106](https://github.com/danny-avila/LibreChat/pull/9106)
+* ๐ ๏ธ refactor: Consolidate MCP Tool Caching by [@danny-avila](https://github.com/danny-avila) in [#9172](https://github.com/danny-avila/LibreChat/pull/9172)
+* ๐โโ๏ธ refactor: Improve Cancelled Stream Handling for Pending Authentication by [@danny-avila](https://github.com/danny-avila) in [#9235](https://github.com/danny-avila/LibreChat/pull/9235)
+* ๐๏ธ refactor: Resource Migration Scripts for DocumentDB Compatibility by [@danny-avila](https://github.com/danny-avila) in [#9249](https://github.com/danny-avila/LibreChat/pull/9249)
+
+
+### โ๏ธ Other Changes
+
+* ๐ ci: Optimize Dockerfile Caching by [@faustoFF](https://github.com/faustoFF) in [#8480](https://github.com/danny-avila/LibreChat/pull/8480)
+* ๐ chore: Remove `` from `index.html` by [@mattmueller-stripe](https://github.com/mattmueller-stripe) in [#9222](https://github.com/danny-avila/LibreChat/pull/9222)
+* ๐ญ refactor: Avatar Loading UX and Fix Initials Rendering Bugs by [@berry-13](https://github.com/berry-13) in [#9261](https://github.com/danny-avila/LibreChat/pull/9261)
+* ๐ chore: Add Timestamp to Error logs by [@danny-avila](https://github.com/danny-avila) in [#9262](https://github.com/danny-avila/LibreChat/pull/9262)
+* ๐ท๏ธ chore: Add Missing Localizations for Agents, Categories, Bookmarks by [@danny-avila](https://github.com/danny-avila) in [#9266](https://github.com/danny-avila/LibreChat/pull/9266)
+
+### ๐ Bug Fixes
+
+* ๐ fix: Prevent Type Error in Successful Bookmark Deletion by [@usnavy13](https://github.com/usnavy13) in [#9014](https://github.com/danny-avila/LibreChat/pull/9014)
+* ๐ง fix: Redis cluster connection errors and configuration by [@nhtruong](https://github.com/nhtruong) in [#9016](https://github.com/danny-avila/LibreChat/pull/9016)
+* ๐ fix: MCP Runtime Errors while Initializing by [@danny-avila](https://github.com/danny-avila) in [#9046](https://github.com/danny-avila/LibreChat/pull/9046)
+* ๐ fix: Update MCP server initialization to skip non-startup and oauth servers by [@nhtruong](https://github.com/nhtruong) in [#9049](https://github.com/danny-avila/LibreChat/pull/9049)
+* ๐ ๏ธ fix: Workaround for Federated OpenID Nonce Validation Issues by [@busla](https://github.com/busla) in [#9067](https://github.com/danny-avila/LibreChat/pull/9067)
+* ๐ fix: `lastRefill` Date for Existing Users & Refactor Balance Middleware by [@danny-avila](https://github.com/danny-avila) in [#9086](https://github.com/danny-avila/LibreChat/pull/9086)
+* ๐ fix: Add Azure to Recognized and Content array providers for MCP Tool Calls by [@danny-avila](https://github.com/danny-avila) in [#9092](https://github.com/danny-avila/LibreChat/pull/9092)
+* ๐ก๏ธ fix: Add Null Checks to Parameter Settings to Prevent Undefined Access by [@thelinuxkid](https://github.com/thelinuxkid) in [#9108](https://github.com/danny-avila/LibreChat/pull/9108)
+* ๐ fix: Correct Next Refill Date Logic for Balance Settings by [@Isydmr](https://github.com/Isydmr) in [#9121](https://github.com/danny-avila/LibreChat/pull/9121)
+* ๐ fix: Use Standard Mongoose Module Resolution in Config Scripts by [@derhelge](https://github.com/derhelge) in [#9143](https://github.com/danny-avila/LibreChat/pull/9143)
+* ๐ฎ fix: Remove Filtering Logic Before MCP Initialization by [@danny-avila](https://github.com/danny-avila) in [#9149](https://github.com/danny-avila/LibreChat/pull/9149)
+* ๐ ๏ธ fix: Restrict Editable Content Types & Consolidate Typing by [@danny-avila](https://github.com/danny-avila) in [#9173](https://github.com/danny-avila/LibreChat/pull/9173)
+* โ fix: `AbortSignal` Cleanup Logic for New Chats by [@danny-avila](https://github.com/danny-avila) in [#9177](https://github.com/danny-avila/LibreChat/pull/9177)
+* ๐งฐ fix: Available Tools Retrieval with correct MCP Caching by [@danny-avila](https://github.com/danny-avila) in [#9181](https://github.com/danny-avila/LibreChat/pull/9181)
+* ๐ชช fix: Preserve Existing Interface Permissions When Updating Config by [@danny-avila](https://github.com/danny-avila) in [#9199](https://github.com/danny-avila/LibreChat/pull/9199)
+* ๐งฎ fix: Properly Escape Currency and Prevent Code Block LaTeX Bugs by [@danny-avila](https://github.com/danny-avila) in [#9248](https://github.com/danny-avila/LibreChat/pull/9248)
+
+
+### ๐ Internationalization
+
+* ๐ i18n: Translation updates including automated translation.json updates and addition of Bosnian and Norsk Bokmรฅl languages in [#9020](https://github.com/danny-avila/LibreChat/pull/9020), [#9104](https://github.com/danny-avila/LibreChat/pull/9104), [#9151](https://github.com/danny-avila/LibreChat/pull/9151), [#9176](https://github.com/danny-avila/LibreChat/pull/9176), [#9228](https://github.com/danny-avila/LibreChat/pull/9228), [#9250](https://github.com/danny-avila/LibreChat/pull/9250), [#9267](https://github.com/danny-avila/LibreChat/pull/9267)
+
+
+## New Contributors
+* [@faustoFF](https://github.com/faustoFF) made their first contribution in [#8480](https://github.com/danny-avila/LibreChat/pull/8480)
+* [@busla](https://github.com/busla) made their first contribution in [#9067](https://github.com/danny-avila/LibreChat/pull/9067)
+* [@luiscga](https://github.com/luiscga) made their first contribution in [#9039](https://github.com/danny-avila/LibreChat/pull/9039)
+* [@ruggishop](https://github.com/ruggishop) made their first contribution in [#8920](https://github.com/danny-avila/LibreChat/pull/8920)
+* [@Isydmr](https://github.com/Isydmr) made their first contribution in [#9121](https://github.com/danny-avila/LibreChat/pull/9121)
+* [@mattmueller-stripe](https://github.com/mattmueller-stripe) made their first contribution in [#9222](https://github.com/danny-avila/LibreChat/pull/9222)
+
+**Full Changelog**: https://github.com/danny-avila/LibreChat/compare/v0.8.0-rc2...v0.8.0-rc3
\ No newline at end of file
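Review bot: In "Other Changes", the entry for #9222 reads "Remove `` from `index.html`", with an empty code span where the name of the removed element should be. If the original text was a raw HTML tag, escape it or name the element in words so it survives MDX rendering. Separately, several Features entries credit different authors (@nagago, @JordiHigueraDT) but all link to #8654; check that each points at the intended PR. The file also ends without a trailing newline.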
diff --git a/pages/changelog/config_v1.2.9.mdx b/pages/changelog/config_v1.2.9.mdx
new file mode 100644
index 0000000..c4c7d71
--- /dev/null
+++ b/pages/changelog/config_v1.2.9.mdx
@@ -0,0 +1,13 @@
+---
+date: 2025/08/26
+title: โ๏ธ Config v1.2.9
+---
+
+import { ChangelogHeader } from '@/components/changelog/ChangelogHeader'
+import Content from '@/components/changelog/content/config_v1.2.9.mdx'
+
+
+
+---
+
+
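Review bot: The front matter here sets only `date` and `title`, while `pages/changelog/v0.8.0-rc3.mdx` in the same patch also sets `description`. Add a `description` line so both changelog pages carry the same metadata.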
diff --git a/pages/changelog/v0.8.0-rc3.mdx b/pages/changelog/v0.8.0-rc3.mdx
new file mode 100644
index 0000000..4c3ccd3
--- /dev/null
+++ b/pages/changelog/v0.8.0-rc3.mdx
@@ -0,0 +1,14 @@
+---
+date: 2025/08/25
+title: ๐ LibreChat v0.8.0-rc3
+description: The v0.8.0-rc3 release of LibreChat
+---
+
+import { ChangelogHeader } from '@/components/changelog/ChangelogHeader'
+import Content from '@/components/changelog/content/v0.8.0-rc3.mdx'
+
+
+
+---
+
+
diff --git a/pages/docs/configuration/_meta.ts b/pages/docs/configuration/_meta.ts
index 2e6b0cd..7d07af4 100644
--- a/pages/docs/configuration/_meta.ts
+++ b/pages/docs/configuration/_meta.ts
@@ -7,6 +7,7 @@ export default {
redis: 'Redis',
pre_configured_ai: 'AI Providers',
tools: 'Tools and Plugins',
+ sharepoint: 'SharePoint Files',
cdn: 'CDN',
azure: 'Azure OpenAI',
docker_override: 'Docker Override',
diff --git a/pages/docs/configuration/authentication/OAuth2-OIDC/authentik.mdx b/pages/docs/configuration/authentication/OAuth2-OIDC/authentik.mdx
index 1bc5796..61a040b 100644
--- a/pages/docs/configuration/authentication/OAuth2-OIDC/authentik.mdx
+++ b/pages/docs/configuration/authentication/OAuth2-OIDC/authentik.mdx
@@ -6,13 +6,15 @@ description: Learn how to configure LibreChat to use Authentik for user authenti
# Authentik
1. **Access Authentik Admin Interface:**
+
- Open the Authentik Admin Interface in your browser. Can be found at a URL such as: `https://authentik.example.com/if/admin/#/administration/overview`.
-> We will use `https://authentik.example.com` as an example URL. Replace this with the URL of your Authentik instance.
+ > We will use `https://authentik.example.com` as an example URL. Replace this with the URL of your Authentik instance.
2. **Create a new Application and Provider using the wizard:**
+
- Click on the Applications tab in the left sidebar and click on Applications again.
- At the top of the page you should see a button that says `Create with Wizard`. Click on it.
-> Note: You can also create an application and provider manually just be sure to link them afterwards.
+ > Note: You can also create an application and provider manually just be sure to link them afterwards.
- You can name the application whatever you want. For this example, we will name it `LibreChat` and click next.
- Choose the `OAuth2/OIDC` provider and click next.
- Choose your authentication and authorization flows.
@@ -20,17 +22,20 @@ description: Learn how to configure LibreChat to use Authentik for user authenti
- Under Advanced protocol settings change Subject mode to `Based on the User's Email`.
- Click Submit.
- Add the new application you created to an Outpost.
-> Note: You should also apply any policies for access control that you want to apply to LibreChat at this point.
+ > Note: You should also apply any policies for access control that you want to apply to LibreChat at this point.
3. **Gather Information for .env:**
+
- You will need the following information from Authentik:
- `Client ID`
- `Client Secret`
- `OpenID Configuration URL`
- > All of these can be found by clicking on the provider you just created.
+ > All of these can be found by clicking on the provider you just created.
3. **Configure LibreChat:**
+
- Open the `.env` file and add the following variables:
+
```bash filename=".env"
OPENID_ISSUER=https://authentik.example.com/application/o/librechat/.well-known/openid-configuration
OPENID_CLIENT_ID=[YourClientID]
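Review bot: The context lines in this hunk show two consecutive steps numbered 3 ("3. **Gather Information for .env:**" and "3. **Configure LibreChat:**"), followed by "4. **Check Configuration:**" further down. Since the patch already touches the spacing around each of these headings, renumber them 3, 4, 5 in the same change.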
@@ -41,15 +46,20 @@ OPENID_SCOPE=openid profile email
# Optional customization below
OPENID_BUTTON_LABEL=Login with Authentik
OPENID_IMAGE_URL=https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
+# Generate nonce for federated identity providers that require it, i.e. Cognito configured with Entra as an OIDC provider.
+OPENID_GENERATE_NONCE=true
# Redirects the user to the end session endpoint after logging out
-OPENID_USE_END_SESSION_ENDPOINT=true
+OPENID_USE_END_SESSION_ENDPOINT=true
```
+
> Note: Make sure nothing is wrapped in quotes in your .env and you have allowed social login.
4. **Check Configuration:**
+
- Restart LibreChat to apply the changes.
- Open an Icognito window and navigate to your LibreChat instance.
- Underneath the form login there should be a new button that says `Login with Authentik`.
- You should be redirected to Authentik to login.
- After logging in you should be redirected back to LibreChat and be logged in.
- - If you are not redirected back to LibreChat, check Authentik logs for any errors.
\ No newline at end of file
+ - If you are not redirected back to LibreChat, check Authentik logs for any errors.
+
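Review bot: `OPENID_GENERATE_NONCE=true` is added as an active line in the Authentik example, although its own comment says it is for federated identity providers that require it, such as Cognito configured with Entra. Anyone copying this block for a plain Authentik setup will enable it without needing it; ship the line commented out (`# OPENID_GENERATE_NONCE=true`) or drop it here and link to the Cognito page instead. The comment also uses "i.e." where "e.g." is meant, and the context line "Open an Icognito window" has a typo worth fixing while this section is open.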
diff --git a/pages/docs/configuration/authentication/OAuth2-OIDC/aws.mdx b/pages/docs/configuration/authentication/OAuth2-OIDC/aws.mdx
index f0e6ab0..752fa3e 100644
--- a/pages/docs/configuration/authentication/OAuth2-OIDC/aws.mdx
+++ b/pages/docs/configuration/authentication/OAuth2-OIDC/aws.mdx
@@ -54,6 +54,7 @@ Under `Advanced app client settings` make sure `Profile` is included in the `Ope

## Review and create
+
You can now make last minute changes, click on `Create user pool` when you're done reviewing the configuration

@@ -75,11 +76,11 @@ You can now make last minute changes, click on `Create user pool` when you're do


-3. Go to the `App Integrations` tab
+3. Go to the `App Integrations` tab

-4. Open the app client
+4. Open the app client

@@ -109,8 +110,14 @@ OPENID_SCOPE=openid profile email
OPENID_CALLBACK_URL=/oauth/openid/callback
# Optional: redirects the user to the end session endpoint after logging out
-OPENID_USE_END_SESSION_ENDPOINT=true
+OPENID_USE_END_SESSION_ENDPOINT=true
+# Optional: generates the nonce url parameter.
+OPENID_GENERATE_NONCE=true
```
+
+> [!WARNING]
+> If Cognito is configured with an OIDC provider, i.e. federation to Entra, the `OPENID_GENERATE_NONCE=true` is required. Otherwise Cognito will generate it regardless and the claims validation will fail since the client didn't provide one.
+
7. Save the .env file
> Note: If using docker, run `docker compose up -d` to apply the .env configuration changes
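Review bot: The env comment labels `OPENID_GENERATE_NONCE` as "Optional", while the warning directly below says it "is required" when Cognito is federated to another OIDC provider. Put the condition in the comment itself, for example "Required when Cognito federates to an external OIDC provider such as Entra", so the code block and the callout agree. The warning is also inserted between the code block and "7. Save the .env file"; check that the numbered list still renders as one sequence, or indent the callout under the preceding step.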
diff --git a/pages/docs/configuration/authentication/OAuth2-OIDC/azure.mdx b/pages/docs/configuration/authentication/OAuth2-OIDC/azure.mdx
index 7fc840c..f8bd138 100644
--- a/pages/docs/configuration/authentication/OAuth2-OIDC/azure.mdx
+++ b/pages/docs/configuration/authentication/OAuth2-OIDC/azure.mdx
@@ -69,3 +69,116 @@ LibreChat supports reusing Azure Entra ID tokens for session management, which c
To learn more about this feature and how to configure it, see [Re-use OpenID Tokens for Login Session](/docs/configuration/authentication/OAuth2-OIDC/token-reuse).
+## Advanced: Microsoft Graph API Integration
+
+When using Azure Entra ID as your OpenID provider, you can enable Microsoft Graph API integration to enhance the permissions and sharing system with people and group search capabilities.
+
+### Prerequisites
+
+1. Your Azure app registration must have the appropriate Microsoft Graph API permissions
+2. Admin consent may be required for certain Graph API scopes (like `GroupMember.Read.All`)
+
+### Adding Graph API Permissions
+
+1. In your Azure app registration, go to **API permissions**
+2. Click **Add a permission** > **Microsoft Graph** > **Delegated permissions**
+3. Add these permissions:
+ - `User.Read` - Sign in and read user profile
+ - `People.Read` - Read user contacts
+ - `GroupMember.Read.All` - Read all group memberships
+ - `User.ReadBasic.All` - Read all users' basic profiles
+4. Click **Grant admin consent** if required (you'll need admin privileges)
+
+### Configuration
+
+
+**Important:** You MUST enable OpenID token reuse for this feature to work:
+```bash filename=".env"
+OPENID_REUSE_TOKENS=true
+```
+See [Token Reuse Configuration](#advanced-token-reuse) above for details.
+
+
+Add the following environment variables to your `.env` file:
+
+```bash filename=".env"
+# Enable Entra ID people search in permissions/sharing
+USE_ENTRA_ID_FOR_PEOPLE_SEARCH=true
+
+# Include group owners as members when searching groups
+ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS=true
+
+# Microsoft Graph API scopes (these are automatically included with the OpenID scopes)
+OPENID_GRAPH_SCOPES=User.Read,People.Read,GroupMember.Read.All,User.ReadBasic.All
+```
+
+When enabled, the people picker in the permissions and sharing dialogs will:
+- Search both local LibreChat users and Azure Entra ID users
+- Display user profiles with names and emails from your organization
+- Allow searching and selecting Azure Entra ID groups
+- Show group members based on your Graph API permissions
+
+### Notes
+
+- **Token reuse (`OPENID_REUSE_TOKENS=true`) is mandatory** for this feature to work
+- The `OPENID_GRAPH_SCOPES` are automatically appended to your existing `OPENID_SCOPE` during authentication
+- Group search requires the `GroupMember.Read.All` permission, which typically needs admin consent
+- User search works with basic `User.Read`, `People.Read`, and `User.ReadBasic.All` permissions
+
+## Advanced: SharePoint Integration
+
+LibreChat can integrate with SharePoint Online and OneDrive for Business, allowing users to browse and attach files directly from their SharePoint libraries.
+
+### Prerequisites
+
+1. All requirements from [Token Reuse](#advanced-token-reuse) must be met
+2. Your Azure app registration needs additional SharePoint permissions
+
+### Adding SharePoint Permissions
+
+1. In your Azure app registration, go to **API permissions**
+2. Click **Add a permission**
+
+#### For SharePoint Access:
+3. Select **SharePoint** (not Microsoft Graph)
+4. Choose **Delegated permissions**
+5. Add: `AllSites.Read` - Read items in all site collections
+
+#### For File Downloads:
+6. Click **Add a permission** again
+7. Select **Microsoft Graph**
+8. Choose **Delegated permissions**
+9. Add: `Files.Read.All` - Read all files that user can access
+
+10. Click **Grant admin consent** for both permissions
+
+### Configuration
+
+```bash filename=".env"
+# Enable SharePoint file picker
+ENABLE_SHAREPOINT_FILEPICKER=true
+
+# Your SharePoint tenant URL
+SHAREPOINT_BASE_URL=https://yourtenant.sharepoint.com
+
+# SharePoint scope for file picker (replace 'yourtenant' with your actual tenant)
+SHAREPOINT_PICKER_SHAREPOINT_SCOPE=https://yourtenant.sharepoint.com/AllSites.Read
+
+# Graph API scope for downloading files
+SHAREPOINT_PICKER_GRAPH_SCOPE=Files.Read.All
+```
+
+### Usage
+
+When properly configured:
+1. Users will see "From SharePoint" option in the file attachment menu
+2. Clicking it opens the native SharePoint file picker
+3. Users can browse and select files from any SharePoint site or OneDrive they have access to
+4. Selected files are downloaded and attached to the conversation
+
+
+The SharePoint integration respects all existing SharePoint permissions. Users can only access files they already have permission to view in SharePoint/OneDrive.
+
+
+For detailed troubleshooting and advanced configuration, see: [SharePoint Integration Guide](/docs/configuration/sharepoint)
+
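Review bot: `ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS=true` appears in the Graph configuration block with only the comment "Include group owners as members when searching groups"; neither its default nor its effect on access is documented. Since these groups feed the permissions and sharing dialogs, state whether sharing a resource with a group then also grants access to that group's owners, and what happens when the variable is unset. In "Adding SharePoint Permissions", the `####` subheadings split the numbered steps 3 to 10, which will break the list numbering when rendered; use bold labels inside the list or restart the numbering per subsection.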
diff --git a/pages/docs/configuration/authentication/OAuth2-OIDC/index.mdx b/pages/docs/configuration/authentication/OAuth2-OIDC/index.mdx
index 0175e1a..7614599 100644
--- a/pages/docs/configuration/authentication/OAuth2-OIDC/index.mdx
+++ b/pages/docs/configuration/authentication/OAuth2-OIDC/index.mdx
@@ -18,17 +18,20 @@ This section will cover how to configure OAuth2 and OpenID Connect with LibreCha
## OAuth2
- - [Apple](/docs/configuration/authentication/OAuth2-OIDC/apple)
- - [Discord](/docs/configuration/authentication/OAuth2-OIDC/discord)
- - [Facebook](/docs/configuration/authentication/OAuth2-OIDC/facebook)
- - [GitHub](/docs/configuration/authentication/OAuth2-OIDC/github)
- - [Google](/docs/configuration/authentication/OAuth2-OIDC/google)
+
+- [Apple](/docs/configuration/authentication/OAuth2-OIDC/apple)
+- [Discord](/docs/configuration/authentication/OAuth2-OIDC/discord)
+- [Facebook](/docs/configuration/authentication/OAuth2-OIDC/facebook)
+- [GitHub](/docs/configuration/authentication/OAuth2-OIDC/github)
+- [Google](/docs/configuration/authentication/OAuth2-OIDC/google)
+
## OpenID Connect
- - [Auth0](/docs/configuration/authentication/OAuth2-OIDC/auth0)
- - [AWS Cognito](/docs/configuration/authentication/OAuth2-OIDC/aws)
- - [Azure Entra/AD](/docs/configuration/authentication/OAuth2-OIDC/azure)
- - [Keycloak](/docs/configuration/authentication/OAuth2-OIDC/keycloak)
- - [Re-use OpenID Tokens for Login Session](/docs/configuration/authentication/OAuth2-OIDC/token-reuse)
+
+- [Auth0](/docs/configuration/authentication/OAuth2-OIDC/auth0)
+- [AWS Cognito](/docs/configuration/authentication/OAuth2-OIDC/aws)
+- [Azure Entra/AD](/docs/configuration/authentication/OAuth2-OIDC/azure)
+- [Keycloak](/docs/configuration/authentication/OAuth2-OIDC/keycloak)
+- [Re-use OpenID Tokens for Login Session](/docs/configuration/authentication/OAuth2-OIDC/token-reuse)
## Troubleshooting OpenID Connect
@@ -38,4 +41,6 @@ If you encounter issues with OpenID Connect authentication:
2. **Check Redirect URIs**: Ensure your callback URL matches exactly between your provider and LibreChat configuration
3. **Verify Scopes**: Make sure all required scopes are properly configured
4. **Review Provider Logs**: Check your identity provider's logs for authentication errors
-5. **Validate Tokens**: Ensure your provider is issuing valid tokens with the expected claims
\ No newline at end of file
+5. **Validate Tokens**: Ensure your provider is issuing valid tokens with the expected claims
+6. **Ensure _nonce_ is generated**: Some identity providers generate `nonce` url parameter if it's missing in the request. Set `OPENID_GENERATE_NONCE=true` to force the openid-client to generate it.
+
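Review bot: Item 6 gives the cause but not the symptom, so a reader cannot tell when it applies. The Cognito page in this patch describes the failure as claims validation failing because the provider generated a nonce the client never sent; repeat that here so the troubleshooting entry can be matched to an actual error. "url" should be "URL".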
diff --git a/pages/docs/configuration/authentication/OAuth2-OIDC/token-reuse.mdx b/pages/docs/configuration/authentication/OAuth2-OIDC/token-reuse.mdx
index 9bf35e1..8227963 100644
--- a/pages/docs/configuration/authentication/OAuth2-OIDC/token-reuse.mdx
+++ b/pages/docs/configuration/authentication/OAuth2-OIDC/token-reuse.mdx
@@ -90,6 +90,10 @@ For detailed Auth0 configuration, see: [Auth0 OpenID Connect Configuration](/doc
8. Clear LibreChat cache and restart the service.
+
+When using Azure Entra ID with token reuse, you can also enable Microsoft Graph API integration for enhanced people and group search capabilities. See [Microsoft Graph API Integration](/docs/configuration/authentication/OAuth2-OIDC/azure#advanced-microsoft-graph-api-integration) for more details.
+
+
## Environment Variables
```bash filename=".env"
diff --git a/pages/docs/configuration/authentication/index.mdx b/pages/docs/configuration/authentication/index.mdx
index 1a6caf5..7986cd3 100644
--- a/pages/docs/configuration/authentication/index.mdx
+++ b/pages/docs/configuration/authentication/index.mdx
@@ -105,17 +105,17 @@ To set up the mod system, review [the setup guide](/docs/configuration/mod_syste
The create-user script allows you to add users directly to the database, even when registration is disabled. Here's how to use it:
1. For the default `docker-compose.yml` (if you use `docker compose up` to start the app):
- ```
+ ```bash
docker-compose exec api npm run create-user
```
2. For the `deploy-compose.yml` (if you followed the [Ubuntu Docker Guide](/docs/remote/docker_linux)):
- ```
+ ```bash
docker exec -it LibreChat-API /bin/sh -c "cd .. && npm run create-user"
```
3. For local development (from project root):
- ```
+ ```bash
npm run create-user
```
@@ -126,17 +126,17 @@ Follow the prompts to enter the new user's email and password.
To delete a user, you can use the delete-user script:
1. For the default `docker-compose.yml` (if you use `docker compose up` to start the app):
- ```
+ ```bash
docker-compose exec api npm run delete-user email@domain.com
```
2. For the `deploy-compose.yml` (if you followed the [Ubuntu Docker Guide](/docs/remote/docker_linux)):
- ```
+ ```bash
docker exec -it LibreChat-API /bin/sh -c "cd .. && npm run delete-user email@domain.com"
```
3. For local development (from project root):
- ```
+ ```bash
npm run delete-user email@domain.com
```
diff --git a/pages/docs/configuration/dotenv.mdx b/pages/docs/configuration/dotenv.mdx
index 00c252c..22bdb8d 100644
--- a/pages/docs/configuration/dotenv.mdx
+++ b/pages/docs/configuration/dotenv.mdx
@@ -121,11 +121,33 @@ Unlike static assets which are cached for performance, the index.html file's cac
['MONGO_URI', 'string', 'Specifies the MongoDB URI.','MONGO_URI=mongodb://127.0.0.1:27017/LibreChat'],
]}
/>
+
Change this to your MongoDB URI if different. You should add `LibreChat` or your own `APP_TITLE` as the database name in the URI.
If you are using an online database, the URI format is `mongodb+srv://:@/?`. Your `MONGO_URI` should look like this:
* `mongodb+srv://username:password@host.mongodb.net/LibreChat?retryWrites=true` (`retryWrites` is the only option you need when using the online database.)
+#### MongoDB Connection Pool Configuration
+
+
@@ -1116,6 +1139,57 @@ LibreChat supports reusing access and refresh tokens issued by your OpenID Conne
For detailed configuration steps and prerequisites, see [Re-use OpenID Tokens for Login Session](/docs/configuration/authentication/OAuth2-OIDC/token-reuse).
+##### Microsoft Graph API / Entra ID Integration
+
+When using Azure Entra ID (formerly Azure AD) as your OpenID provider, you can enable additional Microsoft Graph API features for enhanced people and group search capabilities within the permissions and sharing system.
+
+
+
+
+- You must have Azure Entra ID configured as your OpenID provider
+- **OpenID token reuse MUST be enabled** (`OPENID_REUSE_TOKENS=true`) - this feature will not work without it
+- Your Azure app registration must have the appropriate Microsoft Graph API permissions
+- For group search functionality, admin consent may be required for certain Graph API scopes
+
+
+##### SharePoint Integration
+
+LibreChat supports direct integration with SharePoint Online and OneDrive for Business, allowing users to select and attach files from their SharePoint libraries directly within conversations. This enterprise feature leverages the existing Azure Entra ID authentication.
+
+
+
+
+**All of the following must be configured for SharePoint integration to work:**
+- Azure Entra ID authentication must be fully configured
+- **`OPENID_REUSE_TOKENS=true`** is mandatory (uses on-behalf-of token flow)
+- Your Azure app registration must have SharePoint and Graph API permissions
+- All four SharePoint environment variables must be set
+- HTTPS is required in production environments
+
+
+
+When enabled, users can:
+- Access files from SharePoint document libraries and OneDrive for Business
+- Select multiple files at once (default max: 10 files)
+- See real-time download progress
+- Files are downloaded and attached to the conversation like regular uploads
+
+
+For detailed SharePoint configuration instructions, see: [SharePoint Integration Guide](/docs/configuration/sharepoint)
+
#### [SAML](/docs/configuration/authentication/SAML)
For more information:
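Review bot: The SharePoint section says files "are downloaded and attached to the conversation like regular uploads" but does not say what governs access to the copy afterwards. Add a sentence stating whether the stored copy is subject to LibreChat's own file access controls and retention rather than SharePoint's, because a later permission change or revocation in SharePoint would not reach a file that has already been downloaded. The last bullet under "When enabled, users can:" also does not follow the stem; reword it as "Attach downloaded files to the conversation like regular uploads".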
@@ -1314,6 +1388,20 @@ LibreChat supports Google Tag Manager for analytics. You will need a Google Tag
]}
/>
+### MCP (Model Context Protocol)
+
+Configure Model Context Protocol settings for enhanced server management and OAuth support.
+
+#### MCP Server Configuration
+
+
+
### Other
#### Redis
@@ -1330,6 +1418,7 @@ For detailed configuration and examples, see: **[Redis Configuration Guide](/doc
options={[
['USE_REDIS', 'boolean', 'Enable Redis for caching and session storage. When true, REDIS_URI must be provided.', 'USE_REDIS=true'],
['REDIS_URI', 'string', 'Redis connection URI. For single instance: redis://host:port. For cluster: comma-separated URIs.', 'REDIS_URI=redis://127.0.0.1:6379'],
+ ['USE_REDIS_CLUSTER', 'boolean', 'Enable Redis cluster mode when using a single URI', '# USE_REDIS_CLUSTER="true"'],
['REDIS_USERNAME', 'string', 'Redis username for authentication. Overrides username in URI if both provided.', '# REDIS_USERNAME=your_redis_username'],
['REDIS_PASSWORD', 'string', 'Redis password for authentication. Overrides password in URI if both provided.', '# REDIS_PASSWORD=your_redis_password'],
['REDIS_CA', 'string', 'Path to CA certificate for TLS verification when using rediss:// protocol.', '# REDIS_CA=/path/to/ca-cert.pem'],
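Review bot: The new `USE_REDIS_CLUSTER` row gives its example as `# USE_REDIS_CLUSTER="true"` with a quoted value, while the `USE_REDIS` row above and the redis.mdx snippet in this patch use an unquoted `true`. Use one form so readers do not wonder whether the quotes matter, and end the description with a period to match the neighbouring rows.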
diff --git a/pages/docs/configuration/librechat_yaml/object_structure/agents.mdx b/pages/docs/configuration/librechat_yaml/object_structure/agents.mdx
index 0ce7c53..80c01b0 100644
--- a/pages/docs/configuration/librechat_yaml/object_structure/agents.mdx
+++ b/pages/docs/configuration/librechat_yaml/object_structure/agents.mdx
@@ -12,6 +12,10 @@ endpoints:
disableBuilder: false
# (optional) Agent Capabilities available to all users. Omit the ones you wish to exclude. Defaults to list below.
# capabilities: ["execute_code", "file_search", "actions", "tools", "artifacts", "ocr", "chain", "web_search"]
+ # (optional) File citation configuration for file_search capability
+ maxCitations: 30 # Maximum total citations in responses (1-50)
+ maxCitationsPerFile: 7 # Maximum citations from each file (1-10)
+ minRelevanceScore: 0.45 # Minimum relevance score threshold (0.0-1.0)
```
> This configuration enables the builder interface for agents.
@@ -108,12 +112,95 @@ capabilities:
```
**Note:** This field is optional. If omitted, the default behavior is to include all the capabilities listed in the default.
+## maxCitations
+
+
+
+**Default:** `30`
+
+**Range:** `1-50`
+
+**Example:**
+```yaml filename="endpoints / agents / maxCitations"
+maxCitations: 30
+```
+
+## maxCitationsPerFile
+
+
+
+**Default:** `7`
+
+**Range:** `1-10`
+
+**Example:**
+```yaml filename="endpoints / agents / maxCitationsPerFile"
+maxCitationsPerFile: 7
+```
+
+## minRelevanceScore
+
+
+
+**Default:** `0.45` (45% relevance threshold)
+
+**Range:** `0.0-1.0`
+
+**Example:**
+```yaml filename="endpoints / agents / minRelevanceScore"
+minRelevanceScore: 0.45
+```
+
+### File Citation Configuration Examples
+
+**Default Configuration (Balanced)**
+```yaml
+endpoints:
+ agents:
+ maxCitations: 30
+ maxCitationsPerFile: 7
+ minRelevanceScore: 0.45
+```
+Provides comprehensive citations while preventing overwhelming responses and filtering out low-quality matches.
+
+**Strict Configuration (High Quality)**
+```yaml
+endpoints:
+ agents:
+ maxCitations: 10
+ maxCitationsPerFile: 3
+ minRelevanceScore: 0.7
+```
+Only includes highly relevant citations with strict limits for focused responses.
+
+**Comprehensive Configuration (Research)**
+```yaml
+endpoints:
+ agents:
+ maxCitations: 50
+ maxCitationsPerFile: 10
+ minRelevanceScore: 0.0
+```
+Maximum information extraction for exhaustive research tasks, including all sources regardless of relevance.
+
## Agent Capabilities
The `capabilities` field allows you to enable or disable specific functionalities for agents. The available capabilities are:
- **execute_code**: Allows the agent to execute code.
-- **file_search**: Enables the agent to search and interact with files.
+- **file_search**: Enables the agent to search and interact with files. When enabled, citation behavior is controlled by `maxCitations`, `maxCitationsPerFile`, and `minRelevanceScore` settings.
- **actions**: Permits the agent to perform predefined actions.
- **tools**: Grants the agent access to various tools.
- **ocr**: Enables uploading files as additional context, leveraging Optical Character Recognition for extracting text from images and documents.
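Review bot: Each of the three new options states a range (`1-50`, `1-10`, `0.0-1.0`), but the text never says what happens to a value outside it (config rejected at load, or value clamped), nor how `maxCitationsPerFile` interacts with `maxCitations` when the per-file limit times the number of files exceeds the total. Add a sentence for each. The "Comprehensive Configuration (Research)" example sets `minRelevanceScore: 0.0`, which switches the relevance filter off; say so next to that example, since the Notes define 0.0 as "no similarity". Also, "### File Citation Configuration Examples" sits under "## minRelevanceScore" although it covers all three options; promoting it to `##` would fix the outline.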
@@ -123,22 +210,35 @@ By specifying the capabilities, you can control the features available to users
## Example Configuration
-Here is an example of configuring the `agents` endpoint with custom capabilities:
+Here is an example of configuring the `agents` endpoint with custom capabilities and file citation settings:
```yaml filename="Agents Endpoint"
endpoints:
agents:
disableBuilder: false
+ # File citation configuration
+ maxCitations: 20
+ maxCitationsPerFile: 5
+ minRelevanceScore: 0.6
+ # Custom capabilities
capabilities:
- "execute_code"
+ - "file_search"
- "actions"
- "artifacts"
- "ocr"
- "web_search"
```
-In this example, the builder interface for agents is disabled, and only the `execute_code`, `actions`, `ocr`, and `web_search` capabilities are enabled.
+In this example:
+- The builder interface is enabled
+- File citations are limited to 20 total, with maximum 5 per file
+- Only sources with 60%+ relevance are included
+- The agent has access to code execution, file search (with citations), actions, artifacts, OCR, and web search capabilities
## Notes
- It's not recommended to disable the builder interface unless you are using [modelSpecs](/docs/configuration/librechat_yaml/object_structure/model_specs) to define a list of agents to choose from.
+- File citation configuration (`maxCitations`, `maxCitationsPerFile`, `minRelevanceScore`) only applies when the `file_search` capability is enabled.
+- The relevance score is calculated using vector similarity, where 1.0 represents a perfect match and 0.0 represents no similarity.
+- Citation limits help balance comprehensive information retrieval with response quality and performance.
diff --git a/pages/docs/configuration/librechat_yaml/object_structure/config.mdx b/pages/docs/configuration/librechat_yaml/object_structure/config.mdx
index 01e161f..636a7ef 100644
--- a/pages/docs/configuration/librechat_yaml/object_structure/config.mdx
+++ b/pages/docs/configuration/librechat_yaml/object_structure/config.mdx
@@ -7,7 +7,7 @@
diff --git a/pages/docs/configuration/librechat_yaml/object_structure/custom_endpoint.mdx b/pages/docs/configuration/librechat_yaml/object_structure/custom_endpoint.mdx
index 513dcb4..0b220fa 100644
--- a/pages/docs/configuration/librechat_yaml/object_structure/custom_endpoint.mdx
+++ b/pages/docs/configuration/librechat_yaml/object_structure/custom_endpoint.mdx
@@ -436,7 +436,7 @@ dropParams:
**Key:**
@@ -473,6 +473,23 @@ headers:
| `{{LIBRECHAT_USER_TWOFACTORENABLED}}` | `twoFactorEnabled` | Boolean โ String | 2FA status ("true" or "false") |
| `{{LIBRECHAT_USER_TERMSACCEPTED}}` | `termsAccepted` | Boolean โ String | Terms acceptance status ("true" or "false") |
+**Available Request Body Placeholders:**
+
+| Placeholder | Body Field | Type | Description |
+|------------|------------|------|-------------|
+| `{{LIBRECHAT_BODY_CONVERSATIONID}}` | `conversationId` | String | Current conversation identifier |
+| `{{LIBRECHAT_BODY_PARENTMESSAGEID}}` | `parentMessageId` | String | Parent message identifier |
+| `{{LIBRECHAT_BODY_MESSAGEID}}` | `messageId` | String | Current message identifier |
+
+**Example using request body placeholders:**
+
+```yaml filename="endpoints / custom / headers with body placeholders"
+headers:
+ X-Conversation-ID: "{{LIBRECHAT_BODY_CONVERSATIONID}}"
+ X-Parent-Message-ID: "{{LIBRECHAT_BODY_PARENTMESSAGEID}}"
+ X-Message-ID: "{{LIBRECHAT_BODY_MESSAGEID}}"
+```
+
## directEndpoint
**Key:**
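Review bot: The "Available Request Body Placeholders" table maps these placeholders to fields of the request body, which the client sends, but does not say that the resulting header values are user-controlled. Add a note that services receiving `X-Conversation-ID` and the other headers in the example should treat them as correlation data, not as input to authorization decisions. Also state whether the values are validated before being written into a header, and what is sent when a field is absent from the body.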
@@ -503,4 +520,4 @@ directEndpoint: true
**Example:**
```yaml filename="endpoints / custom / titleMessageRole"
titleMessageRole: "user"
-```
\ No newline at end of file
+```
diff --git a/pages/docs/configuration/librechat_yaml/object_structure/interface.mdx b/pages/docs/configuration/librechat_yaml/object_structure/interface.mdx
index d3180ab..0acf5d8 100644
--- a/pages/docs/configuration/librechat_yaml/object_structure/interface.mdx
+++ b/pages/docs/configuration/librechat_yaml/object_structure/interface.mdx
@@ -21,6 +21,7 @@ These are fields under `interface`:
- `runCode`
- `webSearch`
- `fileSearch`
+ - `fileCitations`
**Notes:**
@@ -58,6 +59,7 @@ interface:
runCode: true
webSearch: true
fileSearch: true
+ fileCitations: true
```
## mcpServers
@@ -336,3 +338,28 @@ Enables/disables the file search (for RAG API usage via tool) button in the chat
interface:
fileSearch: true
```
+
+## fileCitations
+
+Controls the global availability of file citations functionality. When disabled, it effectively removes the `FILE_CITATIONS` permission for all users, preventing any file citations from being displayed when using file search, regardless of individual user permissions.
+
+**Note:**
+- This setting acts as a global toggle for the `FILE_CITATIONS` permission system-wide.
+- When set to `false`, no users will see file citations, even if they have been granted the permission through roles.
+- File citations require the `fileSearch` feature to be enabled.
+- When using agents with file search capability, citation behavior (quantity and quality) can be configured through the [Agents endpoint configuration](/docs/configuration/librechat_yaml/object_structure/agents#file-citation-configuration-examples).
+
+**Key:**
+
+
+**Default:** `true`
+
+**Example:**
+```yaml filename="interface / fileCitations"
+interface:
+ fileCitations: true
+```
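Review bot: The description says disabling `fileCitations` prevents citations "from being displayed", which leaves open whether the server stops returning citation data or the client only hides it. Since the option is described as a global override of the `FILE_CITATIONS` permission, state which of the two it is; administrators relying on it as an access control need to know. The note "File citations require the `fileSearch` feature to be enabled" should also say what `fileCitations: true` does when `fileSearch` is `false`, and the "**Key:**" label has nothing under it in the lines shown.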
diff --git a/pages/docs/configuration/librechat_yaml/object_structure/mcp_servers.mdx b/pages/docs/configuration/librechat_yaml/object_structure/mcp_servers.mdx
index 4661905..28cef5a 100644
--- a/pages/docs/configuration/librechat_yaml/object_structure/mcp_servers.mdx
+++ b/pages/docs/configuration/librechat_yaml/object_structure/mcp_servers.mdx
@@ -11,6 +11,7 @@ mcpServers:
googlesheets:
type: sse
url: https://mcp.composio.dev/googlesheets/some-endpoint
+ requiresOAuth: true
headers:
X-User-ID: "{{LIBRECHAT_USER_ID}}"
X-API-Key: "${SOME_API_KEY}"
@@ -85,6 +86,7 @@ mcpServers:
['timeout', 'Number', '(Optional) Timeout in milliseconds for MCP server requests. Determines how long to wait for a response for tool requests.', 'timeout: 30000'],
['initTimeout', 'Number', '(Optional) Timeout in milliseconds for MCP server initialization. Determines how long to wait for the server to initialize.', 'initTimeout: 10000'],
['env', 'Object', '(Optional, `stdio` type only) Environment variables to use when spawning the process.', 'env:\n NODE_ENV: "production"'],
+ ['requiresOAuth', 'Boolean', '(Optional, `sse` type only) Whether this server requires OAuth authentication. If not specified, will be auto-detected during server startup. Although optional, it\'s best to set this value explicitly if you know whether the server requires OAuth or not.', 'requiresOAuth: true'],
['stderr', 'String or Stream or Number', '(Optional, `stdio` type only) How to handle `stderr` of the child process. Defaults to `"inherit"`.', 'stderr: "inherit"'],
['customUserVars', 'Object', '(Optional) Defines custom variables that users can set for this MCP server, allowing for per-user credentials or configurations (e.g., API keys). These variables can then be referenced in `headers` or `env` fields.', 'customUserVars:\n API_KEY:\n title: "API Key"\n description: "Your personal API key."'],
['oauth', 'Object', '(Optional) OAuth2 configuration for authenticating with the MCP server. When configured, users will be prompted to authenticate via OAuth flow.', 'oauth:\n authorization_url: "https://example.com/oauth/authorize"\n token_url: "https://example.com/oauth/token"'],
@@ -221,6 +223,17 @@ mcpServers:
- **Description:** Timeout in milliseconds for MCP server initialization. Determines how long to wait for the server to initialize.
- **Default Value:** `10000` (10 seconds)
+#### `requiresOAuth`
+
+- **Type:** Boolean (Optional, `sse` type only)
+- **Description:** Whether this server requires OAuth authentication. If not specified, will be auto-detected during server startup. Although optional, it's best to set this value explicitly if you know whether the server requires OAuth or not.
+- **Default Value:** Auto-detected if not specified
+- **Notes:**
+ - Only applicable to `sse` type MCP servers
+ - Auto-detection occurs during server startup, which may add initialization time
+ - Explicit configuration improves startup performance by skipping detection
+ - Works with MCP OAuth environment variables (`MCP_OAUTH_ON_AUTH_ERROR`, `MCP_OAUTH_DETECTION_TIMEOUT`) for enhanced connection management
+
#### `stderr`
- **Type:** String or Stream or Number (Optional, `stdio` type only)
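Review bot: The Notes list names `MCP_OAUTH_ON_AUTH_ERROR` and `MCP_OAUTH_DETECTION_TIMEOUT` but only says they provide "enhanced connection management"; describe what each one does or link to where they are documented. The section also does not say what the server is assumed to be when auto-detection fails or times out. That outcome decides whether users are sent through an OAuth flow, so it belongs next to "Default Value: Auto-detected if not specified".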
@@ -461,6 +474,30 @@ puppeteer:
5. Check console logs for JavaScript errors when troubleshooting
```
+### OAuth-Enabled MCP Server (Legacy requiresOAuth)
+
+```yaml filename="OAuth-Enabled MCP Server"
+composio-googlesheets:
+ type: sse
+ url: https://mcp.composio.dev/googlesheets/sse-endpoint
+ requiresOAuth: true
+ headers:
+ X-User-ID: "{{LIBRECHAT_USER_ID}}"
+ X-API-Key: "${COMPOSIO_API_KEY}"
+ timeout: 45000
+ initTimeout: 15000
+```
+
+**Related Environment Variables (Optional):**
+```bash
+# OAuth configuration for MCP servers
+MCP_OAUTH_ON_AUTH_ERROR=true
+MCP_OAUTH_DETECTION_TIMEOUT=10000
+
+# API key for the service
+COMPOSIO_API_KEY=your_composio_api_key_here
+```
+
---
**Importing MCP Server Configurations**
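Review bot: The heading "OAuth-Enabled MCP Server (Legacy requiresOAuth)" calls the option legacy, while the `requiresOAuth` reference added earlier in this file says "it's best to set this value explicitly". Either drop "Legacy" or say what replaces the option, so the two passages do not contradict each other. The example also combines `requiresOAuth: true` with a static `X-API-Key` header; a sentence on how the two credentials relate would help readers decide which one they need.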
diff --git a/pages/docs/configuration/librechat_yaml/object_structure/shared_endpoint_settings.mdx b/pages/docs/configuration/librechat_yaml/object_structure/shared_endpoint_settings.mdx
index a5c33b3..5107605 100644
--- a/pages/docs/configuration/librechat_yaml/object_structure/shared_endpoint_settings.mdx
+++ b/pages/docs/configuration/librechat_yaml/object_structure/shared_endpoint_settings.mdx
@@ -56,6 +56,7 @@ endpoints:
1. The detected language of the conversation
2. A concise title in the detected language (5 words or less, no punctuation or quotation)
3. Always provide a relevant emoji at the start of the title
+ {convo}
```
> **Important:** When using the `all` configuration, it will override ALL individual endpoint settings for the properties you define. In the example above, the `all` configuration would override the `titleConvo`, `titleModel`, and `titlePrompt` settings for all endpoints, while individual `streamRate` settings would be preserved since it's not defined in `all`.
@@ -235,4 +236,4 @@ endpoints:
- [Bedrock](/docs/configuration/pre_configured_ai/bedrock)
- [Google](/docs/configuration/pre_configured_ai/google)
- [Azure OpenAI](/docs/configuration/librechat_yaml/object_structure/azure_openai)
-- [Assistants](/docs/configuration/librechat_yaml/object_structure/assistants_endpoint)
\ No newline at end of file
+- [Assistants](/docs/configuration/librechat_yaml/object_structure/assistants_endpoint)
diff --git a/pages/docs/configuration/redis.mdx b/pages/docs/configuration/redis.mdx
index 4088896..cabd9d7 100644
--- a/pages/docs/configuration/redis.mdx
+++ b/pages/docs/configuration/redis.mdx
@@ -53,6 +53,14 @@ REDIS_URI=redis://127.0.0.1:7001,redis://127.0.0.1:7002,redis://127.0.0.1:7003
The application automatically detects cluster mode when multiple URIs are provided.
+If your redis cluster only has a single URI, you can use the `USE_REDIS_CLUSTER` environment variable to enable cluster mode:
+
+```bash
+# Redis cluster with single URI
+REDIS_URI=redis://127.0.0.1:7001
+USE_REDIS_CLUSTER=true
+```
+
### Redis with TLS/SSL
For secure Redis connections:
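Review bot: In the added sentence "If your redis cluster only has a single URI", capitalize "Redis" to match the rest of the page. It would also help to say whether `USE_REDIS_CLUSTER` has any effect when several URIs are given, since the unchanged sentence above says cluster mode is detected automatically in that case.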
diff --git a/pages/docs/configuration/sharepoint.mdx b/pages/docs/configuration/sharepoint.mdx
new file mode 100644
index 0000000..0bd7e62
--- /dev/null
+++ b/pages/docs/configuration/sharepoint.mdx
@@ -0,0 +1,276 @@
+---
+title: SharePoint Integration
+description: Configure SharePoint Online and OneDrive for Business integration with LibreChat
+---
+
+# SharePoint Integration
+
+LibreChat provides enterprise-grade integration with SharePoint Online and OneDrive for Business, enabling users to seamlessly browse, select, and attach files from their Microsoft 365 environment directly within conversations.
+
+## Overview
+
+The SharePoint integration allows users to:
+- Browse SharePoint document libraries and OneDrive files
+- Select multiple files at once (up to 10 by default)
+- View real-time download progress
+- Attach files from SharePoint to conversations
+- Maintain enterprise security with proper access controls
+
+
+This feature requires Microsoft 365/SharePoint Online and is designed for enterprise deployments using Azure Entra ID (formerly Azure AD) authentication.
+
+
+## Prerequisites
+
+Before configuring SharePoint integration, ensure you have:
+
+1. **Azure Entra ID Authentication** configured and working
+2. **Token Reuse** enabled (`OPENID_REUSE_TOKENS=true`)
+3. **Admin access** to your Azure tenant for app permissions
+4. **HTTPS** enabled (required for production environments)
+
+
+SharePoint integration will not function without `OPENID_REUSE_TOKENS=true` as it relies on the on-behalf-of token flow to access Microsoft Graph APIs.
+
+
+## Azure App Registration Setup
+
+### Step 1: Configure API Permissions
+
+1. Navigate to your app registration in the [Azure Portal](https://portal.azure.com)
+2. Go to **API permissions** in the left menu
+3. Click **Add a permission**
+
+### Step 2: Add SharePoint Permissions
+
+For the file picker interface:
+
+1. Select **SharePoint** from the API list
+2. Choose **Delegated permissions**
+3. Search for and select:
+ - `AllSites.Read` - Read items in all site collections
+4. Click **Add permissions**
+
+### Step 3: Add Microsoft Graph Permissions
+
+For file downloads:
+
+1. Click **Add a permission** again
+2. Select **Microsoft Graph**
+3. Choose **Delegated permissions**
+4. Search for and select:
+ - `Files.Read.All` - Read all files that user can access
+5. Click **Add permissions**
+
+### Step 4: Grant Admin Consent
+
+1. After adding both permissions, you'll see them listed
+2. Click **Grant admin consent for [Your Organization]**
+3. Confirm the consent in the popup
+
+Your permissions should look like this:
+
+| API / Permissions name | Type | Description | Status |
+|------------------------|------|-------------|---------|
+| Microsoft Graph - Files.Read.All | Delegated | Read all files that user can access | โ Granted |
+| SharePoint - AllSites.Read | Delegated | Read items in all site collections | โ Granted |
+
+## Environment Configuration
+
+Add the following environment variables to your `.env` file:
+
+```bash filename=".env"
+# Enable SharePoint file picker
+ENABLE_SHAREPOINT_FILEPICKER=true
+
+# Your SharePoint tenant base URL
+# Format: https://[your-tenant-name].sharepoint.com
+SHAREPOINT_BASE_URL=https://contoso.sharepoint.com
+
+# SharePoint scope for the file picker
+# Replace 'contoso' with your actual tenant name
+SHAREPOINT_PICKER_SHAREPOINT_SCOPE=https://contoso.sharepoint.com/AllSites.Read
+
+# Microsoft Graph scope for file downloads
+SHAREPOINT_PICKER_GRAPH_SCOPE=Files.Read.All
+```
+
+
+Ensure you replace `contoso` in the examples above with your actual SharePoint tenant name. This must match your SharePoint URL exactly.
+
+
+## How It Works
+
+### Authentication Flow
+
+1. User authenticates via Azure Entra ID
+2. When accessing SharePoint picker, LibreChat exchanges the user's token for SharePoint access
+3. Tokens are cached for optimal performance (typically 50 minutes)
+4. Separate scopes ensure principle of least privilege
+
+### File Selection Process
+
+1. User clicks "From SharePoint" in the attachment menu
+2. SharePoint Online file picker opens in an embedded iframe
+3. User browses and selects files using familiar SharePoint interface
+4. Selected files are queued for download
+
+### Download Process
+
+1. Files are downloaded in batches (up to 3 concurrent downloads)
+2. Progress indicator shows current file and percentage complete
+3. Downloaded files are attached to the conversation
+4. Failed downloads are retried automatically
+
+## User Experience
+
+### Accessing SharePoint Files
+
+When properly configured, users will see a new option in the file attachment menu:
+
+1. Click the attachment icon in the message input
+2. Select "From SharePoint" from the menu
+3. The SharePoint file picker will open
+4. Browse and select files as needed
+5. Click "Select" to begin downloading
+
+### Features Available
+
+- **Multiple file selection**: Select up to 10 files at once
+- **Familiar interface**: Uses native SharePoint file picker
+- **Progress tracking**: See real-time download progress
+- **Error handling**: Clear messages for any issues
+- **Localization**: Supports multiple languages
+
+## Security Considerations
+
+### Access Control
+
+- Only files the user has permission to access in SharePoint are available
+- Respects all SharePoint permissions and policies
+- No elevated access or bypassing of security controls
+
+### Token Security
+
+- Uses secure on-behalf-of flow for token exchange
+- Tokens are short-lived and automatically refreshed
+- No long-term storage of SharePoint credentials
+
+### Scope Isolation
+
+- SharePoint scope limited to read operations only
+- Graph API scope restricted to file read access
+- Cannot modify or delete files through LibreChat
+
+## Troubleshooting
+
+### Common Issues
+
+#### "From SharePoint" option not appearing
+
+**Cause**: Feature not properly enabled or authentication issues
+
+**Solutions**:
+1. Verify `ENABLE_SHAREPOINT_FILEPICKER=true` in `.env`
+2. Confirm `OPENID_REUSE_TOKENS=true` is set
+3. Check that user is authenticated via Azure Entra ID
+4. Restart LibreChat after configuration changes
+
+#### File picker fails to open
+
+**Cause**: Missing or incorrect permissions
+
+**Solutions**:
+1. Verify SharePoint permissions are granted in Azure
+2. Ensure admin consent was provided
+3. Check that `SHAREPOINT_BASE_URL` matches your tenant exactly
+4. Confirm HTTPS is enabled in production
+
+#### Downloads fail or timeout
+
+**Cause**: Graph API permissions or network issues
+
+**Solutions**:
+1. Verify `Files.Read.All` permission is granted
+2. Check network connectivity to SharePoint
+3. Ensure tokens haven't expired (re-authenticate if needed)
+4. Check browser console for specific error messages
+
+### Debug Mode
+
+For troubleshooting, enable debug logging:
+
+```bash filename=".env"
+DEBUG_LOGGING=true
+DEBUG_CONSOLE=true
+```
+
+This will provide detailed logs about:
+- Token exchange processes
+- API calls to SharePoint and Graph
+- Download progress and errors
+- Authentication flows
+
+## Performance Optimization
+
+### Token Caching
+
+- Tokens are cached to reduce authentication overhead
+- Cache duration matches token lifetime (typically 50 minutes)
+- Automatic refresh before expiration
+
+### Concurrent Downloads
+
+- Up to 3 files download simultaneously
+- Prevents overwhelming the browser or server
+- Optimizes for both speed and stability
+
+### File Size Considerations
+
+- Large files may take time to download
+- Progress indicator helps manage user expectations
+- Consider your file upload limits in LibreChat configuration
+
+## Best Practices
+
+### For Administrators
+
+1. **Regular Permission Audits**: Review app permissions periodically
+2. **Monitor Usage**: Track SharePoint integration usage in logs
+3. **Update Documentation**: Keep internal docs updated with your tenant specifics
+4. **Test Thoroughly**: Verify functionality after any Azure AD changes
+
+### For End Users
+
+1. **File Organization**: Well-organized SharePoint libraries improve user experience
+2. **File Sizes**: Be mindful of large files that may slow conversations
+3. **Permissions**: Ensure you have access to files before sharing
+4. **Patient Downloads**: Allow time for multiple or large files
+
+## Advanced Configuration
+
+### Custom Scopes
+
+For organizations with specific requirements, you can customize scopes:
+
+```bash filename=".env"
+# Example: Limiting to specific site collections
+SHAREPOINT_PICKER_SHAREPOINT_SCOPE=https://contoso.sharepoint.com/sites/Engineering/AllSites.Read
+
+# Example: Using more restrictive Graph permissions
+SHAREPOINT_PICKER_GRAPH_SCOPE=Files.Read
+```
+
+### Integration with Information Barriers
+
+If your organization uses Information Barriers:
+- SharePoint integration respects all barrier policies
+- Users only see content they're allowed to access
+- No additional configuration required
+
+## Related Documentation
+
+- [Azure Entra Authentication](/docs/configuration/authentication/OAuth2-OIDC/azure)
+- [OpenID Token Reuse](/docs/configuration/authentication/OAuth2-OIDC/token-reuse)
+- [Microsoft Graph API Integration](/docs/configuration/authentication/OAuth2-OIDC/azure#advanced-microsoft-graph-api-integration)
+- [File Upload Configuration](/docs/configuration/file_uploads)
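Review bot: In "Custom Scopes" near the end, `SHAREPOINT_PICKER_SHAREPOINT_SCOPE=https://contoso.sharepoint.com/sites/Engineering/AllSites.Read` is presented as limiting access to specific site collections, but the only SharePoint permission the guide has the admin grant is the tenant-wide delegated `AllSites.Read`. Confirm that a site path inside the scope string is accepted and actually narrows access; if not, remove the example, because readers will take it as a working restriction. Likewise `Files.Read` is offered as a more restrictive Graph scope although Step 3 only grants `Files.Read.All`, so the app registration steps need a matching variant. Under "Token Security", say where the tokens cached for "typically 50 minutes" are held, which "No long-term storage of SharePoint credentials" leaves unstated, and change "Azure AD changes" under Best Practices to "Azure Entra ID" for consistency with the rest of the file.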
diff --git a/pages/docs/features/agents.mdx b/pages/docs/features/agents.mdx
index e2649e8..4e85d01 100644
--- a/pages/docs/features/agents.mdx
+++ b/pages/docs/features/agents.mdx
@@ -285,6 +285,88 @@ LibreChat allows admins to configure the use of agents via the [`librechat.yaml`
6. Set sharing permissions if desired
7. Create and start using your agent
+## Migration Required (v0.8.0-rc3+)
+
+
+Starting from version v0.8.0-rc3, LibreChat uses a new Access Control List (ACL) based permission system for agents. If you're upgrading from an earlier version, you must run the agent permissions migration for existing agents to remain accessible.
+
+
+### What the Migration Does
+
+The agent permissions migration transitions your agents from a simple ownership model to a sophisticated ACL-based system with multiple permission levels:
+- **OWNER**: Full control over the agent
+- **EDITOR**: Can view and modify the agent
+- **VIEWER**: Read-only access to the agent
+
+Without running this migration, existing agents will be inaccessible through the new permission-aware API endpoints.
+
+### Running the Migration
+
+Choose the appropriate command based on your deployment method:
+
+#### 1. For the default `docker-compose.yml` (if you use `docker compose up` to start the app):
+
+**Preview changes (dry run):**
+```bash
+docker-compose exec api npm run migrate:agent-permissions:dry-run
+```
+
+**Execute migration:**
+```bash
+docker-compose exec api npm run migrate:agent-permissions
+```
+
+**Custom batch size (for large datasets):**
+```bash
+docker-compose exec api npm run migrate:agent-permissions:batch
+```
+
+#### 2. For the `deploy-compose.yml` (if you followed the [Ubuntu Docker Guide](/docs/remote/docker_linux)):
+
+**Preview changes (dry run):**
+```bash
+docker exec -it LibreChat-API /bin/sh -c "cd .. && npm run migrate:agent-permissions:dry-run"
+```
+
+**Execute migration:**
+```bash
+docker exec -it LibreChat-API /bin/sh -c "cd .. && npm run migrate:agent-permissions"
+```
+
+**Custom batch size (for large datasets):**
+```bash
+docker exec -it LibreChat-API /bin/sh -c "cd .. && npm run migrate:agent-permissions:batch"
+```
+
+#### 3. For local development (from project root):
+
+**Preview changes (dry run):**
+```bash
+npm run migrate:agent-permissions:dry-run
+```
+
+**Execute migration:**
+```bash
+npm run migrate:agent-permissions
+```
+
+**Custom batch size (for large datasets):**
+```bash
+npm run migrate:agent-permissions:batch
+```
+
+### What Happens During Migration
+
+- **Private Agents**: Remain accessible only to their creators (receive OWNER permission)
+- **Shared Agents**: If an agent was previously shared, it will receive appropriate ACL entries as a Public Agent (shared to all users)
+- **System Detection**: LibreChat automatically detects unmigrated agents at startup and displays a warning
+
+You can adjust the resulting agent permissions via the Agent Builder UI.
+
+
+The same migration process applies to prompts. If you also have existing prompts, run the prompt permissions migration using the same commands but replace `agent` with `prompt` in the command names.
+
+
## What's next?
LibreChat Agents usher in a new era for the app where future pipelines can be streamlined via Agents for specific tasks and workflows across your experience in LibreChat.
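Review bot: The three "Custom batch size (for large datasets)" commands run `migrate:agent-permissions:batch` with no size argument, so the doc never shows how to choose the batch size or what the script uses by default. Show the argument or variable that sets it, or rename the label. Under "What Happens During Migration", previously shared agents become Public Agents "shared to all users"; recommend running the dry run first and reviewing that list before executing, since the result is visibility to every user. The first deployment heading mentions `docker compose up` while its commands use `docker-compose`; pick one form.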
diff --git a/pages/docs/translation/index.mdx b/pages/docs/translation/index.mdx
index a5d4d67..8824833 100644
--- a/pages/docs/translation/index.mdx
+++ b/pages/docs/translation/index.mdx
@@ -115,6 +115,7 @@ Before you begin translating, please follow the steps below to set up your Lociz
- **[Turkish (tr)](https://www.locize.app/register?invitation=x3Ov59Gdrk2b76gn5pSVCwuekDs817YOYElXJn9zCYClPG2XlBORQDRygZmdBH4B)**
- **[Ukrainian (uk)](https://www.locize.app/register?invitation=4Z060E9kPjmOqO8BmRSvuIujLydZiRCc0lu90iwQSaCche1tSdFcGOrdlDgPZ2ec)**
- **[Uyghur (ug)](https://www.locize.app/register?invitation=TeQX9ECX0oqhtkyBswm8BeOqlSaA5dKZaptvaEpYlfBhGBSl8PGIYfdVvPvgQnQF)**
+ - **[Ukrainian (uk)](https://www.locize.app/register?invitation=4Z060E9kPjmOqO8BmRSvuIujLydZiRCc0lu90iwQSaCche1tSdFcGOrdlDgPZ2ec)**
- **[Vietnamese (vi)](https://www.locize.app/register?invitation=rhADX8GuhgQmYrmbHT13YVg2WqMLJpgPdh1OBuujn9GoNUVW6RPipYvC20aH1xcQ)**
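Review bot: The added "Ukrainian (uk)" entry duplicates the one two lines above it, with the same invitation link, and breaks the alphabetical order by sitting after "Uyghur (ug)". Drop the added line, or if another language was intended, replace it with that language's name, code and link.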