Version: v3

Authentication and SSO

Note: Make sure that the NEXTAUTH_URL environment variable is configured correctly if you want to use any authentication method other than email/password.

Langfuse supports both email/password and SSO authentication.

Email/Password

Email/password authentication is enabled by default. Users can sign up and log in using their email and password.

Password Reset

If transactional emails are configured on your instance, users can reset their password by using the “Forgot password” link on the login page.

If transactional emails are not set up, passwords can be reset by following these steps:

  1. Update the email associated with your user account in the database, for example by adding a prefix to it.
  2. You can then sign up again with a new password.
  3. Reassign any organizations you were associated with via the organization_memberships table in the database.
  4. Finally, remove the old user account from the users table in the database.

Disable email/password authentication to use SSO

To disable email/password authentication, set AUTH_DISABLE_USERNAME_PASSWORD=true. In this case, you need to set up SSO instead.

If you decide to switch from email/password to SSO on a running instance, you can enable AUTH_<PROVIDER>_ALLOW_ACCOUNT_LINKING=true on the SSO provider. This will automatically merge accounts with the same email address.

Creation of default user

If you want to programmatically create a default user, check out the Headless Initialization documentation. This is useful if you want to initialize the instance without using the UI, e.g. when running Langfuse in a CI/CD pipeline or programmatically deploying Langfuse into many environments.

SSO

To enable OAuth/SSO provider sign-in for Langfuse, configure the required environment variables for the provider.

Use AUTH_<PROVIDER>_ALLOW_ACCOUNT_LINKING to allow merging accounts with the same email address. This is useful when users sign in with different providers or email/password but have the same email address. You need to be careful with this setting as it can lead to security issues if the emails are not verified.

Need another provider? Langfuse uses Auth.js, which integrates with many providers. Add a feature request on GitHub if you want us to add support for a specific provider.

Google

NextAuth Google Provider Docs

Required Variables
    AUTH_GOOGLE_CLIENT_ID
    AUTH_GOOGLE_CLIENT_SECRET
Optional Variables
    AUTH_GOOGLE_ALLOWED_DOMAINS=langfuse.com,google.com (list of allowed domains based on the hd OAuth claim)
    See the additional configuration section below for more options.
OAuth Redirect URL
    /api/auth/callback/google

GitHub

NextAuth GitHub Provider Docs

Required Variables
    AUTH_GITHUB_CLIENT_ID
    AUTH_GITHUB_CLIENT_SECRET
Optional Variables
    See the additional configuration section below.
OAuth Redirect URL
    /api/auth/callback/github

GitHub Enterprise

Required Variables
    AUTH_GITHUB_ENTERPRISE_CLIENT_ID
    AUTH_GITHUB_ENTERPRISE_CLIENT_SECRET
    AUTH_GITHUB_ENTERPRISE_BASE_URL
Optional Variables
    See the additional configuration section below.
OAuth Redirect URL
    /api/auth/callback/github-enterprise

Thanks to @jay0129 for the initial contribution of GitHub Enterprise support!

GitLab

NextAuth GitLab Provider Docs

Required Variables
    AUTH_GITLAB_CLIENT_ID
    AUTH_GITLAB_CLIENT_SECRET
Optional Variables
    AUTH_GITLAB_ISSUER
    See the additional configuration section below for more options.
OAuth Redirect URL
    /api/auth/callback/gitlab

Azure AD/Entra ID

NextAuth Azure AD Provider Docs

Required Variables
    AUTH_AZURE_AD_CLIENT_ID
    AUTH_AZURE_AD_CLIENT_SECRET
    AUTH_AZURE_AD_TENANT_ID
Optional Variables
    See the additional configuration section below.
OAuth Redirect URL
    /api/auth/callback/azure-ad

Notes:

  • #4764: Langfuse uses the email address to identify users. You therefore need to add the email claim in the token configuration, and all users must have an email address in their user profile.

Okta

NextAuth Okta Provider Docs

Required Variables
    AUTH_OKTA_CLIENT_ID
    AUTH_OKTA_CLIENT_SECRET
    AUTH_OKTA_ISSUER
Optional Variables
    See the additional configuration section below.
OAuth Redirect URL
    /api/auth/callback/okta

Auth0

NextAuth Auth0 Provider Docs

Required Variables
    AUTH_AUTH0_CLIENT_ID
    AUTH_AUTH0_CLIENT_SECRET
    AUTH_AUTH0_ISSUER
Optional Variables
    See the additional configuration section below.
OAuth Redirect URL
    /api/auth/callback/auth0

AWS Cognito

NextAuth Cognito Provider Docs

Required Variables
    AUTH_COGNITO_CLIENT_ID
    AUTH_COGNITO_CLIENT_SECRET
    AUTH_COGNITO_ISSUER
Optional Variables
    See the additional configuration section below.
OAuth Redirect URL
    /api/auth/callback/cognito

Keycloak

NextAuth Keycloak Provider Docs

Required Variables
    AUTH_KEYCLOAK_CLIENT_ID
    AUTH_KEYCLOAK_CLIENT_SECRET
    AUTH_KEYCLOAK_ISSUER
Optional Variables
    See the additional configuration section below.
OAuth Redirect URL
    /api/auth/callback/keycloak

Thanks to @RTae for the initial contribution of Keycloak support!

Custom OAuth Provider

NextAuth Custom OAuth Provider Docs (source)

Required Variables
    AUTH_CUSTOM_CLIENT_ID
    AUTH_CUSTOM_CLIENT_SECRET
    AUTH_CUSTOM_ISSUER
    AUTH_CUSTOM_NAME (any value, used only in the UI)
Optional Variables
    AUTH_CUSTOM_SCOPE (defaults to "openid email profile")
    AUTH_CUSTOM_ID_TOKEN (defaults to true; set to false if you want to make a request to the userinfo endpoint instead of extracting user information from the id_token claims)
    See the additional configuration section below for more options.
OAuth Redirect URL
    /api/auth/callback/custom

HTTP Proxy for SSO

Langfuse supports HTTP proxy settings for SSO providers. Configure AUTH_HTTPS_PROXY or AUTH_HTTP_PROXY to use a proxy for SSO provider requests.

Additional configuration

These are additional configuration variables. Replace <PROVIDER> with the provider name (e.g. GOOGLE, GITHUB or AZURE_AD; see the provider-specific variables above).

AUTH_DOMAINS_WITH_SSO_ENFORCEMENT
    Comma-separated list of domains that are only allowed to sign in using SSO. Email/password sign-in is disabled for these domains. E.g. domain1.com,domain2.com
AUTH_DISABLE_SIGNUP
    Set to true to disable sign-up for new users. Only existing users can sign in. This affects all new users that try to sign up, including those who received an invite to a project but do not have an account yet.
AUTH_SESSION_MAX_AGE
    Set the maximum age of the session (JWT) in minutes. The default is 30 days (43200). The value must be greater than 5 minutes, as the front-end application refreshes its session every 5 minutes.
AUTH_IGNORE_ACCOUNT_FIELDS
    Comma-separated list of fields to ignore from the SSO IdP account when creating an account. Use this to correct errors with custom IdP providers.
AUTH_<PROVIDER>_ALLOW_ACCOUNT_LINKING
    Set to true to allow merging accounts with the same email address. This is useful when users sign in with different providers or email/password but have the same email address. You need to be careful with this setting as it can lead to security issues if the emails are not verified.
AUTH_<PROVIDER>_AUTH_METHOD
    Configure the token endpoint authentication method. Supported values: client_secret_basic (default), client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, none. Use none for the PKCE flow.
AUTH_<PROVIDER>_CHECKS
    Configure the authentication checks. Supported values: nonce, none, pkce, state. Multiple values can be provided as a comma-separated list.
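As an added example (not Langfuse's own code), the following TypeScript policy evaluator shows the decisions these variables imply, together with the AUTH_GOOGLE_ALLOWED_DOMAINS hd-claim check from the Google section. The environment variable names are the documented ones; the SignInAttempt shape, the "credentials" provider key and the reason strings are assumptions.

```typescript
// Added illustration, not Langfuse's implementation: evaluates a sign-in attempt
// against the documented AUTH_* variables. SignInAttempt fields and the
// "credentials" provider key are assumptions made for this example.
type Env = Record<string, string | undefined>;
interface SignInAttempt {
  provider: string;          // "credentials" for email/password, otherwise the SSO key, e.g. "google"
  email: string;
  emailVerified: boolean;    // whether the IdP attests the email (id_token / userinfo claim)
  hd?: string;               // Google hosted-domain claim, when present
  existingProvider?: string; // provider that created an existing account with this email
}
// Comma-separated env lists such as AUTH_DOMAINS_WITH_SSO_ENFORCEMENT.
function parseList(value: string | undefined): string[] {
  return (value ?? "").split(",").map((s) => s.trim().toLowerCase()).filter((s) => s.length > 0);
}
// AUTH_SESSION_MAX_AGE is in minutes; the front end refreshes every 5 minutes,
// so anything at or below 5 would expire the session between refreshes.
function sessionMaxAgeMinutes(env: Env): number {
  if (env.AUTH_SESSION_MAX_AGE === undefined) return 43200; // documented default: 30 days
  const minutes = Number(env.AUTH_SESSION_MAX_AGE);
  if (!Number.isInteger(minutes) || minutes <= 5) {
    throw new Error("AUTH_SESSION_MAX_AGE must be an integer greater than 5");
  }
  return minutes;
}
function evaluateSignIn(env: Env, a: SignInAttempt): { allow: boolean; reason: string } {
  const parts = a.email.toLowerCase().split("@");
  const domain = parts.length === 2 ? parts[1] : "";
  const key = a.provider.toUpperCase();
  // Listed domains may only sign in via SSO, so a password attempt is refused.
  if (a.provider === "credentials" && parseList(env.AUTH_DOMAINS_WITH_SSO_ENFORCEMENT).includes(domain)) {
    return { allow: false, reason: "sso-enforced-domain" };
  }
  // The Google allow-list is matched on the hd claim, not on the email's domain part.
  const allowedHd = parseList(env.AUTH_GOOGLE_ALLOWED_DOMAINS);
  if (key === "GOOGLE" && allowedHd.length > 0 && !allowedHd.includes((a.hd ?? "").toLowerCase())) {
    return { allow: false, reason: "hd-not-allowed" };
  }
  // Account was created with another provider: merge only when linking is enabled for
  // this provider AND the IdP verified the email, otherwise an unverified address could
  // be merged into an account that does not belong to the person presenting it.
  if (a.existingProvider !== undefined && a.existingProvider !== a.provider) {
    if (env[`AUTH_${key}_ALLOW_ACCOUNT_LINKING`] !== "true") {
      return { allow: false, reason: "sign-in-with-original-provider" };
    }
    if (!a.emailVerified) return { allow: false, reason: "email-not-verified" };
    return { allow: true, reason: "account-linked" };
  }
  return { allow: true, reason: "ok" };
}
```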

Troubleshooting

  • Make sure that the NEXTAUTH_URL environment variable is configured correctly if you want to use any authentication method other than email/password.
  • Error: “Please sign in with the same provider that you used to create this account”. This error occurs when you try to sign in with a different provider than the one you used to create your account. To fix this, sign in with the provider you originally used, or allow account linking/takeover by setting AUTH_<PROVIDER>_ALLOW_ACCOUNT_LINKING=true (the variable name depends on the provider; see above).
  • For password reset, see the Password Reset section.
  • Langfuse authentication relies on email addresses. When using SSO, ensure that the user’s email address is included in their IdP profile.
