Skip to content

Authentication

All authentication settings are configured in the [auth] section of your config.toml file.

General Authentication Settings ([auth])

  • token_secret\ Strong secret key for signing JWTs (create with openssl rand -hex 32). This is required.
  • session_lifetime\ Lifetime of user sessions in seconds. Default is 86400 (1 day).
  • admin_emails\ A list of email addresses for administrator accounts. This is required.
  • email_password_resets\ Enables password resets via email. Default is false.

Info

To use email password resets, you must also configure SMTP settings in the [notifications.smtp_config] section.

Info

When setting up MediaManager for the first time, you should add your email to admin_emails in the [auth] config section. MediaManager will then use this email instead of the default admin email. Your account will automatically be created as an admin account, allowing you to manage other users, media and settings.

OpenID Connect Settings ([auth.openid_connect])

OpenID Connect allows you to integrate with external identity providers like Google, Microsoft Azure AD, Keycloak, or any other OIDC-compliant provider.

  • enabled\ Set to true to enable OpenID Connect authentication. Default is false.
  • client_id\ Client ID provided by your OpenID Connect provider.
  • client_secret\ Client secret provided by your OpenID Connect provider.
  • configuration_endpoint\ OpenID Connect configuration endpoint URL. Do not include a trailing slash. Usually ends with /.well-known/openid-configuration.
  • name\ Display name for the OpenID Connect provider shown on the login page.

Configuration for your OpenID Connect Provider

Redirect URI

The OpenID server will likely require a redirect URI. This URL will usually look something like this:

{MEDIAMANAGER_URL}/api/v1/auth/oauth/callback

Warning

It is very important that you set the correct callback URI, otherwise it won't work!

Authentik Example

Here is an example configuration for the OpenID Connect provider for Authentik.

authentik-redirect-url-example

Example Configuration

Here's a complete example of the authentication section in your config.toml:

config.toml
[auth]
token_secret = "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6"
session_lifetime = 604800  # 1 week
admin_emails = ["admin@example.com", "manager@example.com"]
email_password_resets = true

[auth.openid_connect]
enabled = true
client_id = "mediamanager-client"
client_secret = "your-secret-key-here"
configuration_endpoint = "https://auth.example.com/.well-known/openid-configuration"
name = "Authentik"