From 54ef622b69007dbc17ac82cd3cdb7fbfeb8e54bb Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Mon, 23 Mar 2026 15:19:49 +0100 Subject: [PATCH] Update env-configuration.mdx --- docs/reference/env-configuration.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/reference/env-configuration.mdx b/docs/reference/env-configuration.mdx index c0554514..0533af62 100644 --- a/docs/reference/env-configuration.mdx +++ b/docs/reference/env-configuration.mdx @@ -156,6 +156,12 @@ After the admin account is created, sign-up is automatically disabled for securi - Default: `True` - Description: Allows both password and SSO authentication methods to coexist when set to True. When set to False, it disables all password-based login attempts on the /signin and /ldap endpoints, enforcing strict SSO-only authentication. Disable this setting in production environments with fully configured SSO to prevent credential-based account takeover attacks; keep it enabled if you require password authentication as a backup or have not yet completed SSO configuration. Should never be disabled if OAUTH/SSO is not being used. +:::tip + +This SHOULD be set to `False` if you only use SSO/OAUTH for Login and expose your Open WebUI publicly as to prevent password based logins. + +::: + :::danger This should **only** ever be set to `False` when [ENABLE_OAUTH_SIGNUP](https://docs.openwebui.com/reference/env-configuration/#enable_oauth_signup)
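Review bot: The added `:::tip` recommends setting this to `False` without carrying the precondition that the `:::danger` block directly below it starts to state (the `ENABLE_OAUTH_SIGNUP` condition), so a reader who stops at the tip can disable password login before SSO actually works and lock out every account, including the admin. Either fold the condition into the tip or place the tip after the danger block, for example: "If all users sign in through SSO/OAuth, SSO is fully configured, and the instance is publicly reachable, set this to `False` to prevent password-based logins." The Description in the context lines says `False` blocks password attempts on both /signin and /ldap, so the tip should also say that LDAP logins stop working; "only use SSO/OAUTH for Login" leaves that implicit. Wording: "as to prevent password based logins" should read "to prevent password-based logins", and "Login" does not need a capital. The tip also largely repeats the Description's sentence "Disable this setting in production environments with fully configured SSO to prevent credential-based account takeover attacks", so consider tightening one of the two rather than keeping both.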