Docker

Configure Authentication

Set up authentication and authorization for user sign-in and team management

Configure user authentication, admin credentials, and optional OAuth providers.

Note

For a feature overview of authentication and authorization, see Access Control.

Architecture

The framework uses two components for access control:

| Component | Purpose |
| --- | --- |
| Better Auth | User authentication, sessions, and OAuth providers |
| SpiceDB | Fine-grained authorization and permission checks |

Better Auth handles user sign-in and supports many authentication plugins including GitHub, Microsoft, SAML, passkeys, and more. See the Better Auth documentation to add additional sign-in methods.

SpiceDB manages organization and project-level permissions using a relationship-based access control model.

Prerequisites

  • Docker Compose environment running (see Local Development)
  • At least one AI provider API key configured

Environment Variables Reference

Authentication

| Variable | Required | Description |
| --- | --- | --- |
| BETTER_AUTH_SECRET | Yes | Secret for session encryption (32+ chars) |
| INKEEP_AGENTS_MANAGE_UI_USERNAME | Yes | Initial admin email address |
| INKEEP_AGENTS_MANAGE_UI_PASSWORD | Yes | Initial admin password (8+ chars) |

Authorization

| Variable | Required | Description |
| --- | --- | --- |
| SPICEDB_ENDPOINT | Yes | SpiceDB gRPC endpoint (default: localhost:50051) |
| SPICEDB_PRESHARED_KEY | Yes | SpiceDB preshared key for authentication |

OAuth Providers (Optional)

| Variable | Required | Description |
| --- | --- | --- |
| PUBLIC_GOOGLE_CLIENT_ID | No | Google OAuth client ID |
| GOOGLE_CLIENT_SECRET | No | Google OAuth client secret |

Email (Optional)

| Variable | Required | Description |
| --- | --- | --- |
| RESEND_API_KEY | No | Resend API key (recommended for cloud deployments) |
| SMTP_HOST | No | SMTP server hostname |
| SMTP_PORT | No | SMTP server port |
| SMTP_USER | No | SMTP username |
| SMTP_PASSWORD | No | SMTP password |
| SMTP_SECURE | No | Use TLS (default: false) |
| SMTP_FROM_ADDRESS | No | From email address |
| SMTP_FROM_NAME | No | From display name |
| SMTP_REPLY_TO | No | Reply-to address (defaults to from address) |

Configuring Authentication

Authentication is enabled by default. Configure the required environment variables to set up your admin credentials and session security.

Generate a secret

Create a secure secret for session encryption:

openssl rand -base64 32

Configure environment variables

Add these to your .env file:

.env
# Authentication secret (paste your generated secret)
BETTER_AUTH_SECRET=<your-generated-secret>

# Initial admin credentials
INKEEP_AGENTS_MANAGE_UI_USERNAME=admin@example.com
INKEEP_AGENTS_MANAGE_UI_PASSWORD=<secure-password-8-chars-min>

# Authorization (SpiceDB)
SPICEDB_ENDPOINT=localhost:50051
SPICEDB_PRESHARED_KEY=dev-secret-key

Restart services

docker compose up -d

Sign in

Open http://localhost:3000 and sign in with the credentials you configured.
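
An added example, not part of the project's tooling: a POSIX shell preflight that checks a .env file against the constraints stated on this page (secret of 32+ characters, admin email format, password of 8+ characters, both Google values or neither) before running `docker compose up -d`. The helper names `env_get` and `check_auth_env` are hypothetical, and treating the sample `dev-secret-key` as a finding is this example's assumption.

```shell
#!/bin/sh
# Added example; env_get and check_auth_env are hypothetical helper names.
# Print KEY's value from a .env file (last assignment, surrounding quotes stripped).
env_get() {
  sed -n "s/^$1=//p" "$2" | tail -n 1 | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print one finding per line; return 0 only when the file passes every check.
check_auth_env() {
  f=$1; n=0
  fail() { echo "$1"; n=$((n + 1)); }
  secret=$(env_get BETTER_AUTH_SECRET "$f")
  user=$(env_get INKEEP_AGENTS_MANAGE_UI_USERNAME "$f")
  pass=$(env_get INKEEP_AGENTS_MANAGE_UI_PASSWORD "$f")
  psk=$(env_get SPICEDB_PRESHARED_KEY "$f")
  gid=$(env_get PUBLIC_GOOGLE_CLIENT_ID "$f")
  gsec=$(env_get GOOGLE_CLIENT_SECRET "$f")
  # Template placeholders such as <your-generated-secret> were never filled in.
  for v in "$secret" "$pass" "$psk" "$gid" "$gsec"; do
    case $v in "<"*">") fail "placeholder left in place: $v" ;; esac
  done
  [ "${#secret}" -ge 32 ] || fail "BETTER_AUTH_SECRET is shorter than 32 characters"
  case $user in ?*@?*.?*) ;; *) fail "INKEEP_AGENTS_MANAGE_UI_USERNAME is not an email address" ;; esac
  [ "${#pass}" -ge 8 ] || fail "INKEEP_AGENTS_MANAGE_UI_PASSWORD is shorter than 8 characters"
  # Assumption: the page's sample key is acceptable only on a local stack.
  case $psk in
    "") fail "SPICEDB_PRESHARED_KEY is not set" ;;
    dev-secret-key) fail "SPICEDB_PRESHARED_KEY is still the sample value" ;;
  esac
  # Google sign-in needs both values: flag the case where exactly one is set.
  if [ -n "$gid$gsec" ] && { [ -z "$gid" ] || [ -z "$gsec" ]; }; then
    fail "set both PUBLIC_GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET, or neither"
  fi
  [ "$n" -eq 0 ]
}

# Constructed sample .env (not real credentials); it produces four findings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
BETTER_AUTH_SECRET=tooshort
INKEEP_AGENTS_MANAGE_UI_USERNAME=admin
INKEEP_AGENTS_MANAGE_UI_PASSWORD=<secure-password-8-chars-min>
SPICEDB_PRESHARED_KEY=dev-secret-key
EOF
check_auth_env "$sample" || echo "fix the findings above before: docker compose up -d"
rm -f "$sample"
```

Run it as `check_auth_env .env` from the directory that holds your Compose file; a non-zero exit status means at least one finding was printed.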

Configuring Email (Optional)

Email configuration is optional. When not configured, invitation links and password reset links are displayed in the UI for manual sharing.

When email is configured:

  • Team invitations are sent via email automatically
  • Users can reset their password via the Forgot password link on the login page

Option 1: Resend

Add your Resend API key:

.env
RESEND_API_KEY=re_xxxxx
SMTP_FROM_ADDRESS=notifications@yourdomain.com
SMTP_FROM_NAME=Your Company

Option 2: Generic SMTP

Use any SMTP provider (Mailgun, SendGrid, self-hosted, etc.):

.env
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_USER=your-username
SMTP_PASSWORD=your-password
SMTP_FROM_ADDRESS=notifications@yourdomain.com
SMTP_FROM_NAME=Your Company

Local Development with Mailpit

The Docker Compose setup includes Mailpit for local email testing. Emails are captured and viewable at http://localhost:8025.

.env
SMTP_HOST=localhost
SMTP_PORT=1025
SMTP_FROM_ADDRESS=notifications@localhost
SMTP_FROM_NAME=Inkeep Local

Adding OAuth Providers

Google OAuth

Create OAuth application

  1. Go to the Google Cloud Console
  2. Navigate to APIs & Services → Credentials
  3. Click Create Credentials → OAuth client ID
  4. Select Web application

Configure redirect URI

Add this authorized redirect URI:

{your-app-url}/api/auth/callback/google

For local development: http://localhost:3000/api/auth/callback/google

Add credentials to environment

.env
PUBLIC_GOOGLE_CLIENT_ID=<your-client-id>
GOOGLE_CLIENT_SECRET=<your-client-secret>

Restart services

docker compose up -d

The Google sign-in option will now appear on the login page.

Troubleshooting

"Invalid credentials" on first login

Verify these environment variables are set correctly:

  • INKEEP_AGENTS_MANAGE_UI_USERNAME — must be a valid email format
  • INKEEP_AGENTS_MANAGE_UI_PASSWORD — must be at least 8 characters

Google sign-in not appearing or not working

  • Ensure both PUBLIC_GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET are set
  • Verify the redirect URI in Google Cloud Console matches your app URL exactly

Users can't see projects

Organization Members need explicit project-level roles to access projects. Either:

  • Assign them a project role via Project Settings → Members
  • Promote them to organization Admin (gives access to all projects)

The Forgot password option on the login page is only visible when email is configured. Configure SMTP or Resend to enable self-service password reset. See Configuring Email.