Configuration

This page details all the authentik configuration options that you can set via environment variables.

About authentik configurations

info

The double-underscores are intentional, as all these settings are translated to YAML internally, and a double-underscore indicates the next level (a subsetting).

All of these variables can be set to values, but you can also use a URI-like format to load values from other places:

• env://<name> Loads the value from the environment variable <name>. Fallback can be optionally set like env://<name>?<default>
• file://<name> Loads the value from the file <name>. Fallback can be optionally set like file://<name>?<default>

Set your environment variables

Docker Compose

If you are using Docker Compose, edit your .env file to append any keys that you want to add, and then run the following command to apply them:

docker compose up -d

Kubernetes

If you are running in Kubernetes, edit your values.yaml file to append any keys that you want to add, and then run the following commands to apply:

helm repo update
helm upgrade --install authentik authentik/authentik -f values.yaml

Verify your configuration settings

To check if your config has been applied correctly, you can run the following command to output the full config:

Docker Compose

docker compose run --rm worker dump_config

Kubernetes

kubectl exec -it deployment/authentik-worker -c worker -- ak dump_config

PostgreSQL Settings

authentik requires a PostgreSQL database to store its configuration and data. Below are the settings to configure the database connection.

Connection settings

• AUTHENTIK_POSTGRESQL__HOST: Hostname or IP address of your PostgreSQL server.
• AUTHENTIK_POSTGRESQL__PORT: Port on which PostgreSQL is listening. Defaults to the standard PostgreSQL port 5432.
• AUTHENTIK_POSTGRESQL__USER: Username that authentik will use to authenticate with PostgreSQL.
• AUTHENTIK_POSTGRESQL__PASSWORD: Password for PostgreSQL authentication. If not set, it defaults to the value of the POSTGRES_PASSWORD environment variable (this fallback is specific to the default Docker Compose setup).
• AUTHENTIK_POSTGRESQL__NAME: The name of the database for authentik to use.

Hot-reloading

The AUTHENTIK_POSTGRESQL__HOST, AUTHENTIK_POSTGRESQL__PORT, AUTHENTIK_POSTGRESQL__USER, and AUTHENTIK_POSTGRESQL__PASSWORD settings support hot-reloading and can be changed without restarting authentik. However, adding or removing read replicas requires a restart.

SSL/TLS settings

Configure SSL/TLS to secure the connection to your PostgreSQL server.

• AUTHENTIK_POSTGRESQL__SSLMODE: Controls the SSL verification mode. Defaults to verify-ca.

  • disable: No SSL is used.
  • allow: Use SSL if available, but don't perform verification.
  • prefer: Attempt an SSL connection first, fall back to non-SSL if it fails.
  • require: Require an SSL connection, but without certificate verification.
  • verify-ca: Require SSL and verify that the server certificate is signed by a trusted CA.
  • verify-full: Require SSL, verify the CA, and verify that the server hostname matches the certificate.

• AUTHENTIK_POSTGRESQL__SSLROOTCERT: Path to the CA certificate file for verifying the server's certificate. Required for verify-ca and verify-full modes.

• AUTHENTIK_POSTGRESQL__SSLCERT: Path to the client SSL certificate file. Required if the PostgreSQL server is configured for mutual TLS and requires client certificates.

• AUTHENTIK_POSTGRESQL__SSLKEY: Path to the private key for the client certificate (SSLCERT).

For more details, see Django's PostgreSQL documentation or the PostgreSQL documentation.

Connection management

These settings control connection persistence and behavior, which is particularly important when using a connection pooler like PgBouncer.

• AUTHENTIK_POSTGRESQL__CONN_MAX_AGE: The maximum age of a database connection in seconds.

  • 0 (default): Connections are closed after each request.
  • greater than 0: Enables persistent connections, with the value defining the maximum lifetime.
  • None: Unlimited persistence. Use with caution, especially with connection poolers. See Django's documentation on persistent connections for more details.

• AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECKS: Enables health checks on persistent connections before reuse. Defaults to false. This helps prevent errors from stale connections that may have been terminated by the database or a pooler. See Django's documentation for details.

• AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS: Disables server-side cursors. Defaults to false. Server-side cursors can improve performance for large result sets but are incompatible with connection poolers in transaction pooling mode (like PgBouncer). Set this to true if you use a transaction-based pooler or encounter cursor-related errors. See Django's documentation for more details.

Advanced Settings

• AUTHENTIK_POSTGRESQL__DEFAULT_SCHEMA authentik: 2024.12.0+

  The name of the database schema for authentik to use. Defaults to public.

  This can only be set before authentik is started for the first time. If you specify a custom schema, it must already exist in the database, and the user that authentik connects with must have permissions to access it. The search_path for the database user must also be configured to include this schema.

• AUTHENTIK_POSTGRESQL__CONN_OPTIONS

  Arbitrary libpq parameter key words for the database connection. A list of parameter key words can be found in the PostgreSQL documentation.

  • Parameters passed with this setting will override those passed with other settings.
  • These parameters are not applied to read replicas.
  • Parameter keywords should be formatted as a base64-encoded JSON dictionary.

Read Replicas

You can configure additional read replica databases to distribute database load and improve performance. When read replicas are configured, authentik automatically routes query operations between the primary database (for writes) and read replica databases (for queries). By default, the primary database won't be used for queries when read replicas are available. If you want the primary database to also handle queries, add it as a read replica.

To configure authentik to use read replicas, add the settings below to your configuration file. If you have multiple read replicas, add settings for each one by using a unique index starting from 0 (e.g., 0, 1, 2, etc.).

The same PostgreSQL settings as described above are used for each read replica. For example, for the first read replica (index 0):

• AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__HOST
• AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__NAME
• AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__USER
• AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PORT
• AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PASSWORD
• AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLMODE
• AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLROOTCERT
• AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLCERT
• AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLKEY
• AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__CONN_MAX_AGE
• AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__CONN_HEALTH_CHECKS
• AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__DISABLE_SERVER_SIDE_CURSORS
• AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__CONN_OPTIONS

Additionally, you can set arbitrary connection parameters on all read replicas with:

• AUTHENTIK_POSTGRESQL__REPLICA_CONN_OPTIONS

  Arbitrary libpq parameter key words for all read replicas database connections. A list of options can be found in the PostgreSQL documentation.

  • Parameters passed with this setting will override those passed with other settings.
  • Parameter key words should be formatted as a base64-encoded JSON dictionary.

Using a PostgreSQL Connection Pooler

When your PostgreSQL databases are running behind a connection pooler (like PgBouncer or PgPool), you need to adjust several settings to ensure compatibility:

• AUTHENTIK_POSTGRESQL__CONN_MAX_AGE:

  A connection pooler running in session pool mode (which is the default for PgBouncer) can be incompatible with unlimited persistent connections (null setting). When the connection from the pooler to the database is dropped, the pooler will wait for the client to disconnect before releasing the connection. However, this will never happen as authentik keeps the connection indefinitely.

  To address this incompatibility, either configure the connection pooler to run in transaction pool mode or set this value lower than any timeout that might cause the connection to be dropped (down to 0 to disable persistent connections).

• AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS:

  When using a connection pooler in transaction pool mode (e.g., PgPool, or PgBouncer in transaction or statement pool mode), you must set this option to true. This is required because server-side cursors maintain state across multiple queries, which is incompatible with transaction-based pooling where connections may change between queries.

Deprecated Settings

• AUTHENTIK_POSTGRESQL__USE_PGBOUNCER: Adjusts the database configuration to support connections to a PgBouncer connection pooler. This setting is deprecated and will be removed in a future version. Instead, use the configuration described in the Using a PostgreSQL Connection Pooler section.
• AUTHENTIK_POSTGRESQL__USE_PGPOOL: Adjusts the database configuration to support connections to a Pgpool connection pooler. This setting is deprecated and will be removed in a future version. Instead, use the configuration described in the Using a PostgreSQL Connection Pooler section.

Redis Settings

• AUTHENTIK_REDIS__HOST: Redis server host when not using configuration URL
• AUTHENTIK_REDIS__PORT: Redis server port when not using configuration URL
• AUTHENTIK_REDIS__DB: Redis server database when not using configuration URL
• AUTHENTIK_REDIS__USERNAME: Redis server username when not using configuration URL
• AUTHENTIK_REDIS__PASSWORD: Redis server password when not using configuration URL
• AUTHENTIK_REDIS__TLS: Redis server connection using TLS when not using configuration URL
• AUTHENTIK_REDIS__TLS_REQS: Redis server TLS connection requirements when not using configuration URL. Defaults to "none". Allowed values are "none" and "required".
• AUTHENTIK_REDIS__TLS_CA_CERT: Path to the Redis server TLS CA root when not using configuration URL. Defaults to null.

Result Backend Settings

• AUTHENTIK_RESULT_BACKEND__URL: Result backend configuration URL, uses the Redis Settings by default

Cache Settings

• AUTHENTIK_CACHE__URL: Cache configuration URL, uses the Redis Settings by default

• AUTHENTIK_CACHE__TIMEOUT: Timeout for cached data until it expires in seconds, defaults to 300

• AUTHENTIK_CACHE__TIMEOUT_FLOWS: Timeout for cached flow plans until they expire in seconds, defaults to 300

• AUTHENTIK_CACHE__TIMEOUT_POLICIES: Timeout for cached policies until they expire in seconds, defaults to 300

• AUTHENTIK_CACHE__TIMEOUT_REPUTATION: Timeout for cached reputation until they expire in seconds, defaults to 300

  info

  AUTHENTIK_CACHE__TIMEOUT_REPUTATION only applies to the cache expiry, see AUTHENTIK_REPUTATION__EXPIRY to control how long reputation is persisted for.

Channel Layer Settings (inter-instance communication)

• AUTHENTIK_CHANNEL__URL: Channel layers configuration URL, uses the Redis Settings by default

Worker settings

AUTHENTIK_WORKER__PROCESSES

Configure how many worker processes should be started for Dramatiq to use. In environments where scaling with multiple replicas of the authentik worker is not possible, this number can be increased to handle higher loads.

Defaults to 1. In environments where scaling with multiple replicas of the authentik worker is not possible, this number can be increased to handle higher loads.

AUTHENTIK_WORKER__THREADS

Configure how many Dramatiq threads are started per worker. In environments where scaling with multiple replicas of the authentik worker is not possible, this number can be increased to handle higher loads.

Defaults to 2. A value below 2 threads is not recommended, unless you have multiple worker replicas.

AUTHENTIK_WORKER__CONSUMER_LISTEN_TIMEOUT

Configure how long a worker waits for a PostgreSQL LISTEN notification.

Defaults to seconds=30.

AUTHENTIK_WORKER__TASK_MAX_RETRIES

Configure how many times a failing task will be retried before abandoning.

Defaults to 20.

AUTHENTIK_WORKER__TASK_DEFAULT_TIME_LIMIT

Configure the default duration a task can run for before it is aborted. Some tasks will override this setting based on other settings, such as LDAP source synchronization tasks.

Defaults to minutes=10.

AUTHENTIK_WORKER__TASK_PURGE_INTERVAL

Configure the interval at which old tasks are cleaned up.

Defaults to days=1.

AUTHENTIK_WORKER__TASK_EXPIRATION

Configure how long tasks are kept in the database before they are deleted.

Defaults to days=30.

AUTHENTIK_WORKER__SCHEDULER_INTERVAL

Configure how often the task scheduler runs.

Defaults to seconds=60.

Listen Settings

AUTHENTIK_LISTEN__HTTP

Listening address:port for HTTP.

Applies to the Server, the Worker, and Proxy outposts.

Defaults to 0.0.0.0:9000.

AUTHENTIK_LISTEN__HTTPS

Listening address:port for HTTPS.

Applies to the Server and Proxy outposts.

Defaults to 0.0.0.0:9443.

AUTHENTIK_LISTEN__LDAP

Listening address:port for LDAP.

Applies to LDAP outposts.

Defaults to 0.0.0.0:3389.

AUTHENTIK_LISTEN__LDAPS

Listening address:port for LDAPS.

Applies to LDAP outposts.

Defaults to 0.0.0.0:6636.

AUTHENTIK_LISTEN__METRICS

Listening address:port for Prometheus metrics.

Applies to all.

Defaults to 0.0.0.0:9300.

AUTHENTIK_LISTEN__DEBUG

Listening address:port for Go Debugging metrics.

Applies to all, except the worker.

Defaults to 0.0.0.0:9900.

AUTHENTIK_LISTEN__DEBUG_PY

Listening address:port for Python debugging server, see Debugging.

Applies to the Server and the Worker.

Defaults to 0.0.0.0:9901.

AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS

List of comma-separated CIDRs that proxy headers should be accepted from.

Applies to the Server.

Requests directly coming from one an address within a CIDR specified here are able to set proxy headers, such as X-Forwarded-For. Requests coming from other addresses will not be able to set these headers.

Defaults to 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fe80::/10, ::1/128.

Media Storage Settings

These settings affect where media files are stored. Those files include applications and sources icons. By default, they are stored on disk in the /media directory of the authentik container. S3 storage is also supported.

• AUTHENTIK_STORAGE__MEDIA__BACKEND: Where to store files. Valid values are file and s3. For file storage, files are stored in a /media directory in the container. For s3, see below.
• AUTHENTIK_STORAGE__MEDIA__S3__REGION: S3 region where the bucket has been created. May be omitted depending on which S3 provider you use. No default.
• AUTHENTIK_STORAGE__MEDIA__S3__USE_SSL: Whether to use HTTPS when talking to the S3 storage providers. Defaults to true.
• AUTHENTIK_STORAGE__MEDIA__S3__ENDPOINT: Endpoint to use to talk to the S3 storage provider. Override the previous region and use_ssl settings. Must be a valid URL in the form of https://s3.provider. No default.
• AUTHENTIK_STORAGE__MEDIA__S3__SESSION_PROFILE: Profile to use when using AWS SDK authentication. No default. Supports hot-reloading.
• AUTHENTIK_STORAGE__MEDIA__S3__ACCESS_KEY: Access key to authenticate to S3. May be omitted if using AWS SDK authentication. Supports hot-reloading.
• AUTHENTIK_STORAGE__MEDIA__S3__SECRET_KEY: Secret key to authenticate to S3. May be omitted if using AWS SDK authentication. Supports hot-reloading.
• AUTHENTIK_STORAGE__MEDIA__S3__SECURITY_TOKEN: Security token to authenticate to S3. May be omitted. Supports hot-reloading.
• AUTHENTIK_STORAGE__MEDIA__S3__BUCKET_NAME: Name of the bucket to use to store files.
• AUTHENTIK_STORAGE__MEDIA__S3__CUSTOM_DOMAIN: Domain to use to create URLs for users. Mainly useful for non-AWS providers. May include a port. Must include the bucket. Example: s3.company:8080/authentik-media.
• AUTHENTIK_STORAGE__MEDIA__S3__SECURE_URLS: Whether URLs created use HTTPS (set to true by default) or HTTP.

authentik Settings

AUTHENTIK_SECRET_KEY

Secret key used for cookie signing. Changing this will invalidate active sessions.

caution

Prior to 2023.6.0 the secret key was also used for unique user IDs. When running a pre-2023.6.0 version of authentik the key should not be changed after the first install.

AUTHENTIK_LOG_LEVEL

Log level for the server and worker containers. Possible values: debug, info, warning, error.

Starting with 2021.12.3, you can also set the log level to trace. This has no effect on the core authentik server, but shows additional messages for the embedded outpost.

danger

Setting the log level to trace will include sensitive details in logs, so it shouldn't be used in most cases.

Logs generated with trace should be treated with care as they can give others access to your instance, and can potentially include things like session cookies to authentik and other pages.

Defaults to info.

AUTHENTIK_COOKIE_DOMAIN

Which domain the session cookie should be set to. By default, the cookie is set to the domain authentik is accessed under.

AUTHENTIK_EVENTS__CONTEXT_PROCESSORS__GEOIP

Path to the GeoIP City database. Defaults to /geoip/GeoLite2-City.mmdb. If the file is not found, authentik will skip GeoIP support.

AUTHENTIK_EVENTS__CONTEXT_PROCESSORS__ASN

Path to the GeoIP ASN database. Defaults to /geoip/GeoLite2-ASN.mmdb. If the file is not found, authentik will skip GeoIP support.

AUTHENTIK_DISABLE_UPDATE_CHECK

Disable the inbuilt update-checker. Defaults to false.

AUTHENTIK_ERROR_REPORTING

• AUTHENTIK_ERROR_REPORTING__ENABLED

  Enable error reporting. Defaults to false.

  Error reports are sent to https://sentry.io and are used for debugging and general feedback. Anonymous performance data is also sent.

• AUTHENTIK_ERROR_REPORTING__SENTRY_DSN

  Sets the DSN for the Sentry API endpoint.

  When error reporting is enabled, the default Sentry DSN will allow the authentik developers to receive error reports and anonymous performance data, which is used for general feedback about authentik, and in some cases, may be used for debugging purposes.

  Users can create their own hosted Sentry account (or self-host Sentry) and opt to collect this data themselves.

• AUTHENTIK_ERROR_REPORTING__ENVIRONMENT

  The environment tag associated with all data sent to Sentry. Defaults to customer.

  When error reporting has been enabled to aid in debugging issues, this should be set to a unique value, such as an email address.

• AUTHENTIK_ERROR_REPORTING__SEND_PII

  Whether or not to send personal data, like usernames. Defaults to false.

• AUTHENTIK_ERROR_REPORTING__EXTRA_ARGS

  Base64-encoded sentry_init arguments. See Sentry's documentation for available options.

AUTHENTIK_EMAIL

• AUTHENTIK_EMAIL__HOST

  Default: localhost

• AUTHENTIK_EMAIL__PORT

  Default: 25

• AUTHENTIK_EMAIL__USERNAME

  Default: `` (Don't add quotation marks)

• AUTHENTIK_EMAIL__PASSWORD

  Default: `` (Don't add quotation marks)

• AUTHENTIK_EMAIL__USE_TLS

  Default: false

• AUTHENTIK_EMAIL__USE_SSL

  Default: false

• AUTHENTIK_EMAIL__TIMEOUT

  Default: 10

• AUTHENTIK_EMAIL__FROM

  Default: authentik@localhost

  Email address authentik will send from, should have a correct @domain

  To change the sender's display name, use a format like Name <account@domain>.

AUTHENTIK_OUTPOSTS

• AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE

  Placeholders:

  • %(type)s: Outpost type; proxy, ldap, etc
  • %(version)s: Current version; 2021.4.1
  • %(build_hash)s: Build hash if you're running a beta version

  Placeholder for outpost docker images. Default: ghcr.io/goauthentik/%(type)s:%(version)s.

• AUTHENTIK_OUTPOSTS__DISCOVER

  Configure the automatic discovery of integrations. Defaults to true.

  By default, the following is discovered:

  • Kubernetes in-cluster config
  • Kubeconfig
  • Existence of a docker socket

AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS

Timeout in hours for LDAP synchronization tasks.

Defaults to 2.

AUTHENTIK_LDAP__PAGE_SIZE

Page size for LDAP synchronization. Controls the number of objects created in a single task.

Defaults to 50.

AUTHENTIK_LDAP__TLS__CIPHERS

Allows configuration of TLS Cliphers for LDAP connections used by LDAP sources. Setting applies to all sources.

Defaults to null.

AUTHENTIK_REPUTATION__EXPIRY

Configure how long reputation scores should be saved for in seconds. Note that this is different than AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION, as reputation is saved to the database every 5 minutes.

Defaults to 86400.

AUTHENTIK_SESSION_STORAGEauthentik: 2024.4.0+

Deprecated

This setting is removed as of version 2025.4. Sessions are now exclusively stored in the database. See our 2025.4 release notes for more information.

If you are running a version earlier than 2025.4, you can configure if the sessions are stored in the cache or the database. Defaults to cache. Allowed values are cache and db. Note that changing this value will invalidate all previous sessions.

AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGEauthentik: 2025.4.0+

Configure how long unauthenticated sessions last for. Does not impact how long authenticated sessions are valid for. See the user login stage for session validity.

Defaults to days=1.

AUTHENTIK_WEB__WORKERS

Configure how many gunicorn worker processes should be started (see https://docs.gunicorn.org/en/stable/design.html).

Defaults to 2. A value below 2 workers is not recommended. In environments where scaling with multiple replicas of the authentik server is not possible, this number can be increased to handle higher loads.

AUTHENTIK_WEB__THREADS

Configure how many gunicorn threads a worker processes should have (see https://docs.gunicorn.org/en/stable/design.html).

Defaults to 4.

AUTHENTIK_WEB__PATH

info

Requires authentik 2024.8

Configure the path under which authentik is serverd. For example to access authentik under https://my.domain/authentik/, set this to /authentik/. Value must contain both a leading and trailing slash.

Defaults to /.

System settingsauthentik: 2024.2.0+

Additional settings are configurable using the Admin interface, under System -> Settings or using the API.

Custom python settings

To modify additional settings further than the options above allow, you can create a custom Python file and mount it to /data/user_settings.py. This file will be loaded on startup by both the server and the worker. All default settings are here

caution

Using these custom settings is not supported and can prevent your authentik instance from starting. Use with caution.