From 97471cfd9dfcff11d56d0545d56bbf0e75a653f4 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Mon, 8 Sep 2025 18:28:59 +0200 Subject: [PATCH] Update env-configuration.md --- docs/getting-started/env-configuration.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/docs/getting-started/env-configuration.md b/docs/getting-started/env-configuration.md index 7fe17265..a0653320 100644 --- a/docs/getting-started/env-configuration.md +++ b/docs/getting-started/env-configuration.md 
@@ -2832,6 +2832,26 @@ If the OAuth picture claim is disabled by setting `OAUTH_PICTURE_CLAIM` to `''` ::: +#### `OAUTH_SESSION_TOKEN_ENCRYPTION_KEY` + +- Type: `str` +- Default: Falls back to the value of `WEBUI_SECRET_KEY`. +- Description: Specifies the secret key used to encrypt and decrypt OAuth tokens stored server-side in the database. This is a critical security component for protecting user credentials at rest. If not set, it defaults to using the main `WEBUI_SECRET_KEY`, but it is highly recommended to set it to a unique, securely generated value for production environments. + +:::warning + +**Required for Multi-Replica Deployments** +In any production environment running more than one instance of Open WebUI (e.g., Docker Swarm, Kubernetes), this variable **MUST** be explicitly set to a persistent, shared secret. If left unset, each replica will generate or use a different key, causing session decryption to fail intermittently as user requests are load-balanced across instances. + +::: + +#### `ENABLE_OAUTH_ID_TOKEN_COOKIE` + +- Type: `bool` +- Default: `True` +- Description: Controls whether the legacy `oauth_id_token` cookie is set in the browser upon a successful OAuth login. This is provided for **backward compatibility** with custom tools or older versions that might rely on scraping this cookie. The new, recommended approach is to use the server-side session management. +- Usage: For new and secure deployments, it is recommended to set this to `False` to minimize the information exposed to the client-side. Keep it as `True` only if you have integrations that depend on the old cookie-based method. + #### `WEBUI_AUTH_TRUSTED_EMAIL_HEADER` - Type: `str`
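Review bot: the `:::warning` block under `OAUTH_SESSION_TOKEN_ENCRYPTION_KEY` contradicts the entry's own stated default. The entry says the key "Falls back to the value of `WEBUI_SECRET_KEY`", yet the warning says that if the variable is "left unset, each replica will generate or use a different key". Under the documented fallback, replicas that share a persistent `WEBUI_SECRET_KEY` would all derive the same encryption key, so the intermittent decryption failure described can only occur when `WEBUI_SECRET_KEY` is itself unset (and therefore generated per instance). Suggest stating the actual condition, for example: "If neither this variable nor `WEBUI_SECRET_KEY` is set to a shared, persistent value, each replica will use a different key, causing session decryption to fail intermittently as requests are load-balanced across instances." As written, an operator who already pins `WEBUI_SECRET_KEY` may read the **MUST** as an unexplained extra requirement, while an operator relying on a per-instance `WEBUI_SECRET_KEY` is not told that this is the real cause of the failure.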