lobehub/docs/self-hosting/environment-variables/auth.mdx
BrandonStudio 98f93ef2f0 🐛 fix(auth): revert authority URL and tenant ID for Microsoft authentication. (#11930)
🔧 feat(auth): revert authority URL and tenant ID for Microsoft authentication
2026-02-02 13:35:54 +08:00


---
title: LobeHub Authentication Service Environment Variables
description: >-
  Explore the essential environment variables for configuring authentication
  services in LobeHub, including Better Auth, OAuth SSO, and
  provider-specific details.
tags:
  - Authentication Service
  - Better Auth
  - OAuth SSO
---
# Authentication Service
LobeHub provides a complete authentication service when deployed. The environment variables below configure it: use them to define which identity providers and sign-in methods are enabled in your LobeHub instance.
## Better Auth
### General Settings
#### `AUTH_SECRET`
- Type: Required
- Description: Key used to encrypt session tokens. You can generate the key using the command: `openssl rand -base64 32`.
- Default: `-`
- Example: `Tfhi2t2pelSMEA8eaV61KaqPNEndFFdMIxDaJnS1CUI=`
#### `AUTH_EMAIL_VERIFICATION`
- Type: Optional
- Description: Set to `1` to require email verification before users can sign in. Users must verify their email address after registration.
- Default: `0`
- Example: `1`
#### `AUTH_SSO_PROVIDERS`
- Type: Optional
- Description: Comma-separated list of enabled SSO providers. The order determines the display order of providers on the login page.
- Default: `-`
- Example: `google,github,microsoft,cognito`
#### `AUTH_ALLOWED_EMAILS`
- Type: Optional
- Description: Comma-separated list of allowed emails or domains for registration. Supports full email addresses (e.g., `user@example.com`) or domain names (e.g., `example.com`). Leave empty to allow all emails.
- Default: `-`
- Example: `example.com,admin@other.com`
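An added example, not LobeHub's own code, showing how an allowlist in this format can be parsed and enforced at registration time. The function names are assumptions, and domain entries are matched exactly against the part after `@` (so `example.com` does not admit subdomains or look-alike domains).

```javascript
// Added example (not LobeHub's own code): parse and enforce an
// AUTH_ALLOWED_EMAILS-style allowlist of full addresses and bare domains.

// Split the comma-separated value into two sets, normalised to lower case.
function parseAllowedEmails(raw) {
  const emails = new Set();
  const domains = new Set();
  for (const entry of (raw ?? '').split(',')) {
    const item = entry.trim().toLowerCase();
    if (!item) continue; // tolerate blank entries and trailing commas
    if (item.includes('@')) emails.add(item);
    else domains.add(item);
  }
  return { emails, domains };
}

// Returns true when `email` may register. An empty allowlist permits everyone,
// which mirrors the documented behaviour of leaving the variable unset.
function isEmailAllowed(email, allowlist) {
  if (allowlist.emails.size === 0 && allowlist.domains.size === 0) return true;
  const normalized = email.trim().toLowerCase();
  const at = normalized.lastIndexOf('@');
  if (at <= 0 || at === normalized.length - 1) return false; // malformed address
  if (allowlist.emails.has(normalized)) return true;
  const domain = normalized.slice(at + 1);
  // Exact domain match only (assumption): a suffix or substring check would
  // wrongly accept "notexample.com" or "example.com.other.test" for "example.com".
  return allowlist.domains.has(domain);
}
```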
#### `AUTH_DISABLE_EMAIL_PASSWORD`
- Type: Optional
- Description: Set to `1` to disable email/password authentication, forcing users to use SSO login only. When enabled, the email input will be hidden on the login page and the signup page will redirect to login.
- Default: `0`
- Example: `1`
#### `JWKS_KEY`
- Type: Required
- Description: JWKS (JSON Web Key Set) key for signing and verifying JWTs. Used for OIDC JWT token signing and internal service call authentication tokens. Must be a JWKS JSON string containing an RS256 RSA key pair.
- Default: `-`
<GenerateJWKSKey />
#### `INTERNAL_JWT_EXPIRATION`
- Type: Optional
- Description: Expiration time for internal JWT tokens used in lambda → async calls. Format: number followed by unit (s=seconds, m=minutes, h=hours). Should be as short as possible for security, but long enough to account for network latency and server processing time.
- Default: `30s`
- Example: `30s`, `1m`, `1h`
### Email Service (SMTP)
These settings are required for email verification and password reset features.
#### `SMTP_HOST`
- Type: Required (for email features)
- Description: SMTP server hostname.
- Default: `-`
- Example: `smtp.gmail.com`
#### `SMTP_PORT`
- Type: Required (for email features)
- Description: SMTP server port. Usually `587` for STARTTLS (the connection is upgraded after connecting) or `465` for implicit TLS (commonly labelled SSL).
- Default: `-`
- Example: `587`
#### `SMTP_SECURE`
- Type: Optional
- Description: Whether to open an implicitly encrypted connection. Set to `true` for port 465 (implicit TLS/SSL), `false` for port 587 (STARTTLS).
- Default: `false`
- Example: `false`
#### `SMTP_USER`
- Type: Required (for email features)
- Description: SMTP authentication username, usually your email address.
- Default: `-`
- Example: `your-email@example.com`
#### `SMTP_PASS`
- Type: Required (for email features)
- Description: SMTP authentication password. For Gmail, use an app-specific password.
- Default: `-`
- Example: `your-app-specific-password`
#### `SMTP_FROM`
- Type: Optional
- Description: Sender email address. Required for AWS SES where `SMTP_USER` is not a valid email address. If not set, defaults to `SMTP_USER`.
- Default: Value of `SMTP_USER`
- Example: `noreply@example.com`
### Google
#### `AUTH_GOOGLE_ID`
- Type: Required
- Description: Client ID of the Google OAuth application. Get it from [Google Cloud Console](https://console.cloud.google.com/apis/credentials).
- Default: `-`
- Example: `123456789.apps.googleusercontent.com`
#### `AUTH_GOOGLE_SECRET`
- Type: Required
- Description: Client Secret of the Google OAuth application.
- Default: `-`
- Example: `GOCSPX-xxxxxxxxxxxxxxxxxxxx`
### GitHub
#### `AUTH_GITHUB_ID`
- Type: Required
- Description: Client ID of the GitHub OAuth application. Get it from [GitHub Developer Settings](https://github.com/settings/developers).
- Default: `-`
- Example: `Ov23xxxxxxxxxxxxx`
#### `AUTH_GITHUB_SECRET`
- Type: Required
- Description: Client Secret of the GitHub OAuth application.
- Default: `-`
- Example: `xxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
### Microsoft
#### `AUTH_MICROSOFT_ID`
- Type: Required
- Description: Client ID of the Microsoft Entra ID (Azure AD) application. Get it from [Azure Portal](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade).
- Default: `-`
- Example: `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`
#### `AUTH_MICROSOFT_SECRET`
- Type: Required
- Description: Client Secret of the Microsoft Entra ID application.
- Default: `-`
- Example: `xxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
#### `AUTH_MICROSOFT_AUTHORITY_URL`
- Type: Optional
- Description: Authority URL for the Microsoft Entra ID. This is used to specify the endpoint for authentication requests.
- Default: `https://login.microsoftonline.com`
- Example: `https://login.partner.microsoftonline.cn`
#### `AUTH_MICROSOFT_TENANT_ID`
- Type: Optional
- Description: Directory (tenant) ID for single-tenant Microsoft Entra ID applications.
- Default: `common`
- Example: `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`
### AWS Cognito
#### `AUTH_COGNITO_ID`
- Type: Required
- Description: Client ID of the AWS Cognito User Pool App Client. Get it from [AWS Cognito Console](https://console.aws.amazon.com/cognito).
- Default: `-`
- Example: `xxxxxxxxxxxxxxxxxxxxx`
#### `AUTH_COGNITO_SECRET`
- Type: Required
- Description: Client Secret of the AWS Cognito App Client.
- Default: `-`
- Example: `xxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
#### `AUTH_COGNITO_ISSUER`
- Type: Required
- Description: The Cognito User Pool issuer URL. Format: `https://cognito-idp.{region}.amazonaws.com/{userPoolId}`
- Default: `-`
- Example: `https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx`
### Feishu
#### `AUTH_FEISHU_APP_ID`
- Type: Required
- Description: App ID of the Feishu application. Get it from [Feishu Open Platform](https://open.feishu.cn/app).
- Default: `-`
- Example: `cli_xxxxxxxxxxxxxxxx`
#### `AUTH_FEISHU_APP_SECRET`
- Type: Required
- Description: App Secret of the Feishu application.
- Default: `-`
- Example: `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
### WeChat
#### `AUTH_WECHAT_ID`
- Type: Required
- Description: App ID of the WeChat Open Platform application. Get it from [WeChat Open Platform](https://open.weixin.qq.com/).
- Default: `-`
- Example: `wxxxxxxxxxxxxxxxxxxx`
#### `AUTH_WECHAT_SECRET`
- Type: Required
- Description: App Secret of the WeChat application.
- Default: `-`
- Example: `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`