LibreChat supports multiple authentication methods. Configure them using environment variables and librechat.yaml.

Local Authentication

Email and password authentication is enabled by default.
ALLOW_EMAIL_LOGIN
boolean
default:"true"
Enable email/password authentication
ALLOW_REGISTRATION
boolean
default:"true"
Allow new user registration
ALLOW_PASSWORD_RESET
boolean
default:"false"
Enable password reset functionality
ALLOW_UNVERIFIED_EMAIL_LOGIN
boolean
default:"true"
Allow login without email verification. Combined with ALLOW_REGISTRATION=true this lets a new user sign in under an address they never proved they control; set it to false once outbound email is configured so that addresses are verified before first login.

Social Login (OAuth)

Enable social authentication providers.
ALLOW_SOCIAL_LOGIN
boolean
default:"false"
Enable OAuth social login
ALLOW_SOCIAL_REGISTRATION
boolean
default:"false"
Allow registration via social providers

Configure Providers in YAML

registration:
  socialLogins: ['github', 'google', 'discord', 'openid', 'facebook', 'apple', 'saml']

Google OAuth

GOOGLE_CLIENT_ID
string
required
Google OAuth client ID
GOOGLE_CLIENT_SECRET
string
required
Google OAuth client secret
GOOGLE_CALLBACK_URL
string
default:"/oauth/google/callback"
OAuth callback URL
GOOGLE_CLIENT_ID=your-client-id
GOOGLE_CLIENT_SECRET=your-client-secret
GOOGLE_CALLBACK_URL=/oauth/google/callback

GitHub OAuth

GITHUB_CLIENT_ID
string
required
GitHub OAuth client ID
GITHUB_CLIENT_SECRET
string
required
GitHub OAuth client secret
GITHUB_CALLBACK_URL
string
default:"/oauth/github/callback"
OAuth callback URL

GitHub Enterprise

GITHUB_ENTERPRISE_BASE_URL
string
Base URL for GitHub Enterprise server
GITHUB_ENTERPRISE_USER_AGENT
string
User agent for GitHub Enterprise API
GITHUB_CLIENT_ID=your-client-id
GITHUB_CLIENT_SECRET=your-client-secret
GITHUB_CALLBACK_URL=/oauth/github/callback

# For GitHub Enterprise
GITHUB_ENTERPRISE_BASE_URL=https://github.company.com

Discord OAuth

DISCORD_CLIENT_ID
string
required
Discord OAuth client ID
DISCORD_CLIENT_SECRET
string
required
Discord OAuth client secret
DISCORD_CALLBACK_URL
string
default:"/oauth/discord/callback"
OAuth callback URL
.env
DISCORD_CLIENT_ID=your-client-id
DISCORD_CLIENT_SECRET=your-client-secret
DISCORD_CALLBACK_URL=/oauth/discord/callback

Facebook OAuth

FACEBOOK_CLIENT_ID
string
required
Facebook OAuth client ID
FACEBOOK_CLIENT_SECRET
string
required
Facebook OAuth client secret
FACEBOOK_CALLBACK_URL
string
default:"/oauth/facebook/callback"
OAuth callback URL
.env
FACEBOOK_CLIENT_ID=your-client-id
FACEBOOK_CLIENT_SECRET=your-client-secret
FACEBOOK_CALLBACK_URL=/oauth/facebook/callback

Apple OAuth

APPLE_CLIENT_ID
string
required
Apple OAuth client ID (Service ID)
APPLE_TEAM_ID
string
required
Apple Developer Team ID
APPLE_KEY_ID
string
required
Apple Key ID for the private key
APPLE_PRIVATE_KEY_PATH
string
required
Path to Apple private key file (.p8)
APPLE_CALLBACK_URL
string
default:"/oauth/apple/callback"
OAuth callback URL
.env
APPLE_CLIENT_ID=com.yourcompany.service
APPLE_TEAM_ID=TEAM123456
APPLE_KEY_ID=KEY123456
APPLE_PRIVATE_KEY_PATH=/path/to/AuthKey.p8
APPLE_CALLBACK_URL=/oauth/apple/callback

OpenID Connect

Generic OpenID Connect provider support.
OPENID_CLIENT_ID
string
required
OpenID Connect client ID
OPENID_CLIENT_SECRET
string
required
OpenID Connect client secret
OPENID_ISSUER
string
required
OpenID Connect issuer URL
OPENID_SESSION_SECRET
string
required
Session secret for OpenID authentication
OPENID_SCOPE
string
default:"openid profile email"
OAuth scopes to request
OPENID_CALLBACK_URL
string
default:"/oauth/openid/callback"
OAuth callback URL

User Mapping

OPENID_USERNAME_CLAIM
string
User info property for username
OPENID_NAME_CLAIM
string
User info property for display name
OPENID_EMAIL_CLAIM
string
User info claim for email/identifier
Defaults to: email → preferred_username → upn

Role-Based Access

OPENID_REQUIRED_ROLE
string
Role a user must hold to be allowed to log in
OPENID_REQUIRED_ROLE_TOKEN_KIND
string
Which token the role is read from (the ID token or the access token)
OPENID_REQUIRED_ROLE_PARAMETER_PATH
string
Path to the claim inside that token that holds the roles
OPENID_ADMIN_ROLE
string
Role that grants admin access
OPENID_ADMIN_ROLE_PARAMETER_PATH
string
Path to admin role in token
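How a role policy like the one these variables describe can be evaluated against a decoded token, as an added example that is not LibreChat's own code: the claim layout (`realm_access.roles`), the role names and the sample tokens are constructed for illustration, and the tokens are unsigned, so the example only shows claim-path resolution and role matching. A real deployment verifies the token signature against the issuer's JWKS before trusting any claim.

```javascript
// Added illustration of how OPENID_REQUIRED_ROLE* / OPENID_ADMIN_ROLE* style
// settings can be applied to a decoded token. Not LibreChat's implementation.
// The claim layout (realm_access.roles), role names and tokens are constructed.
// Tokens here carry no signature; real code verifies the signature against the
// issuer's JWKS before reading any claim.

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Build an unsigned JWT (header.payload.) purely for offline demonstration.
function makeUnsignedJwt(payload) {
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(payload)}.`;
}

// Decode the payload segment of a JWT without verifying it.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Resolve a dotted path such as "realm_access.roles" inside the claims object.
function getByPath(obj, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// True if the claim at `path` is an array, or a space/comma separated string,
// containing `role`. A missing path or unexpected type fails closed.
function hasRole(claims, path, role) {
  const value = getByPath(claims, path);
  if (Array.isArray(value)) return value.includes(role);
  if (typeof value === 'string') return value.split(/[ ,]+/).includes(role);
  return false;
}

// Policy fields mirror the environment variables documented above.
const policy = {
  requiredRole: 'librechat-user',          // OPENID_REQUIRED_ROLE
  requiredRoleTokenKind: 'access',         // OPENID_REQUIRED_ROLE_TOKEN_KIND ('access' or 'id' here)
  requiredRolePath: 'realm_access.roles',  // OPENID_REQUIRED_ROLE_PARAMETER_PATH
  adminRole: 'librechat-admin',            // OPENID_ADMIN_ROLE
  adminRolePath: 'realm_access.roles',     // OPENID_ADMIN_ROLE_PARAMETER_PATH
};

// Decide whether the holder of these tokens may log in, and whether as admin.
function authorize(tokens, pol) {
  const source = pol.requiredRoleTokenKind === 'id' ? tokens.id_token : tokens.access_token;
  const claims = decodeJwtPayload(source);
  const allowed = hasRole(claims, pol.requiredRolePath, pol.requiredRole);
  const admin = allowed && hasRole(claims, pol.adminRolePath, pol.adminRole);
  return { allowed, admin };
}

// Constructed sample tokens: the roles live in the access token, not the ID token.
const alice = {
  id_token: makeUnsignedJwt({ sub: 'alice', email: 'alice@example.com' }),
  access_token: makeUnsignedJwt({
    sub: 'alice',
    realm_access: { roles: ['librechat-user', 'librechat-admin'] },
  }),
};
const bob = {
  id_token: makeUnsignedJwt({ sub: 'bob', email: 'bob@example.com' }),
  access_token: makeUnsignedJwt({ sub: 'bob', realm_access: { roles: ['other-app'] } }),
};

console.log(authorize(alice, policy)); // { allowed: true, admin: true }
console.log(authorize(bob, policy));   // { allowed: false, admin: false }
// Reading the same path from the ID token instead denies alice, because her
// roles are only in the access token: a mismatched *_TOKEN_KIND locks everyone out.
console.log(authorize(alice, { ...policy, requiredRoleTokenKind: 'id' }));
```

The last call is the failure mode to check first when every user is rejected after enabling these variables: the path and role may be correct while the token kind points at a token that does not carry the claim.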

UI Customization

OPENID_BUTTON_LABEL
string
Custom label for OpenID login button
OPENID_IMAGE_URL
string
Custom icon URL for OpenID login button
OPENID_AUTO_REDIRECT
boolean
default:"false"
Automatically redirect to OpenID provider on login page
Only use if OpenID is your sole authentication method

Advanced Options

OPENID_USE_PKCE
boolean
default:"false"
Use PKCE (Proof Key for Code Exchange) in the authorization code flow. Enable it whenever the provider supports it: it binds the authorization code to the client that requested it, so an intercepted code cannot be redeemed elsewhere.
OPENID_REUSE_TOKENS
boolean
Reuse OpenID tokens for authentication instead of MongoDB session
OPENID_JWKS_URL_CACHE_ENABLED
boolean
default:"true"
Cache the provider's JWKS signing keys instead of fetching them for every token verification
OPENID_JWKS_URL_CACHE_TIME
number
default:"600000"
JWKS cache time in milliseconds (10 minutes)
OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED
boolean
Trigger token exchange flow for userinfo endpoint
OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE
string
default:"user.read"
Scope for on-behalf flow (e.g., Microsoft Graph API)
OPENID_USE_END_SESSION_ENDPOINT
boolean
Use OpenID Connect end session endpoint for logout
OPENID_POST_LOGOUT_REDIRECT_URI
string
URL to redirect after OpenID logout
Defaults to $/login
OPENID_AUDIENCE
string
Optional audience parameter for authorization requests
OPENID_CLIENT_ID=your-client-id
OPENID_CLIENT_SECRET=your-client-secret
OPENID_ISSUER=https://accounts.google.com
OPENID_SESSION_SECRET=your-session-secret
OPENID_SCOPE="openid profile email"
OPENID_CALLBACK_URL=/oauth/openid/callback

SAML Authentication

If OpenID is enabled, SAML is automatically disabled
SAML_ENTRY_POINT
string
required
SAML Identity Provider entry point URL
SAML_ISSUER
string
required
SAML Service Provider issuer
SAML_CERT
string
required
SAML Identity Provider certificate
SAML_CALLBACK_URL
string
default:"/oauth/saml/callback"
SAML callback URL
SAML_SESSION_SECRET
string
required
Session secret for SAML authentication

Attribute Mappings

SAML_EMAIL_CLAIM
string
SAML attribute for email
SAML_USERNAME_CLAIM
string
SAML attribute for username
SAML_GIVEN_NAME_CLAIM
string
SAML attribute for first name
SAML_FAMILY_NAME_CLAIM
string
SAML attribute for last name
SAML_PICTURE_CLAIM
string
SAML attribute for profile picture
SAML_NAME_CLAIM
string
SAML attribute for full name

UI Customization

SAML_BUTTON_LABEL
string
Custom label for SAML login button
SAML_IMAGE_URL
string
Custom icon URL for SAML login button

Signature Settings

SAML_USE_AUTHN_RESPONSE_SIGNED
boolean
Whether the SAML Response should be signed
  • true: Entire SAML Response will be signed
  • false or unset: Only SAML Assertion will be signed (default)
.env
SAML_ENTRY_POINT=https://idp.example.com/sso
SAML_ISSUER=librechat
SAML_CERT=MIIDXTCCAkWgAwIBAgIJAKL...
SAML_CALLBACK_URL=/oauth/saml/callback
SAML_SESSION_SECRET=your-session-secret

# Optional attribute mappings
SAML_EMAIL_CLAIM=email
SAML_USERNAME_CLAIM=username
SAML_GIVEN_NAME_CLAIM=firstName
SAML_FAMILY_NAME_CLAIM=lastName

LDAP Authentication

LDAP_URL
string
required
LDAP server URL
LDAP_BIND_DN
string
required
LDAP bind distinguished name
LDAP_BIND_CREDENTIALS
string
required
LDAP bind password
LDAP_USER_SEARCH_BASE
string
required
Base DN for user search
LDAP_SEARCH_FILTER
string
default:"mail={{username}}"
LDAP search filter used to find the user's entry. The {{username}} placeholder is replaced with the identifier typed at login (the email address, or the username when LDAP_LOGIN_USES_USERNAME=true).
LDAP_SEARCH_FILTER="mail={{username}}"
LDAP_CA_CERT_PATH
string
Path to CA certificate for LDAP TLS
LDAP_TLS_REJECT_UNAUTHORIZED
boolean
Reject LDAP server certificates that fail validation. Set to false only for testing: it disables certificate verification and leaves the bind credentials exposed to anyone who can intercept the connection.
LDAP_STARTTLS
boolean
Enable STARTTLS
LDAP_LOGIN_USES_USERNAME
boolean
default:"false"
Use username instead of email for login
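What the {{username}} placeholder in LDAP_SEARCH_FILTER expands to, and why the substituted value must be escaped before the filter reaches the directory, as an added example. This is illustrative code, not LibreChat's own substitution logic; the template is the documented default and the sample identifiers are constructed.

```javascript
// Added example of what the {{username}} placeholder in LDAP_SEARCH_FILTER
// expands to, and why the substituted value must be escaped (RFC 4515) before
// the filter reaches the directory. Illustrative code, not LibreChat's own
// implementation; the template and sample identifiers are constructed.

// RFC 4515 escaping for values inside a search filter:
// * ( ) \ and NUL become a backslash followed by two hex digits.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[*()\\\u0000]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'),
  );
}

// Expand each {{name}} in the template from `values`. `escape: false` exists
// only to show the unsafe result; never use it with untrusted input.
function buildSearchFilter(template, values, { escape = true } = {}) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) => {
    if (!(name in values)) throw new Error(`no value for placeholder ${name}`);
    return escape ? escapeLdapFilterValue(values[name]) : String(values[name]);
  });
}

const template = 'mail={{username}}'; // the documented LDAP_SEARCH_FILTER default

// A normal login identifier is unchanged by escaping.
const normal = buildSearchFilter(template, { username: 'alice@example.com' });
// -> 'mail=alice@example.com'

// A hostile identifier: unescaped, a bare '*' already matches every entry that
// has a mail attribute, and parentheses inject extra filter syntax.
const hostile = '*)(|(mail=*';
const unsafe = buildSearchFilter(template, { username: hostile }, { escape: false });
// -> 'mail=*)(|(mail=*'
const safe = buildSearchFilter(template, { username: hostile });
// -> 'mail=\2a\29\28|\28mail=\2a'  (matches only a literal address of that text)

console.log({ normal, unsafe, safe });
```

The same rule applies when LDAP_LOGIN_USES_USERNAME=true: the placeholder then carries the username, which is still attacker-controlled input at the login form.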

Attribute Mappings

LDAP_ID
string
LDAP attribute for user ID
LDAP_USERNAME
string
LDAP attribute for username
LDAP_EMAIL
string
LDAP attribute for email
LDAP_FULL_NAME
string
LDAP attribute for full name
# Plain ldap:// sends the bind password and every user's password in cleartext;
# in production use ldaps:// or keep ldap:// with LDAP_STARTTLS=true
LDAP_URL=ldap://ldap.example.com:389
LDAP_BIND_DN=cn=admin,dc=example,dc=com
LDAP_BIND_CREDENTIALS=admin-password
LDAP_USER_SEARCH_BASE=ou=users,dc=example,dc=com
LDAP_SEARCH_FILTER="mail={{username}}"

# LDAP enforces its own password policy, so relax the local minimum
MIN_PASSWORD_LENGTH=1
Set MIN_PASSWORD_LENGTH=1 when using LDAP so that local password validation does not reject directory passwords; the LDAP server enforces its own password policy. This also relaxes validation for local accounts, so pair it with ALLOW_REGISTRATION=false unless you want self-registered local users to be able to choose one-character passwords.
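A small audit of the variables documented on this page, as an added example rather than anything shipped with LibreChat: it parses a .env file and flags the combinations called out above (open registration without verification, social self-registration, OpenID without PKCE, auto-redirect with local login still on, cleartext LDAP, disabled LDAP certificate checks, and MIN_PASSWORD_LENGTH=1 with open registration). The two .env texts at the bottom are constructed samples: the first is this page's LDAP example with everything else at its defaults, the second the same services hardened.

```javascript
// Added example: a small audit of the authentication variables documented on
// this page, flagging settings that widen who can log in or weaken transport
// security. Not part of LibreChat; the rules encode this page's caveats and the
// two .env texts at the bottom are constructed samples.

// Minimal .env parser: KEY=VALUE per line, '#' comments, optional surrounding quotes.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.length >= 2 && value.endsWith(q)) {
      value = value.slice(1, -1);
    }
    env[key] = value;
  }
  return env;
}

// Boolean with the documented default applied when the variable is unset.
function flag(env, key, dflt) {
  return key in env ? env[key].toLowerCase() === 'true' : dflt;
}

function auditAuthEnv(env) {
  const findings = [];
  if (flag(env, 'ALLOW_REGISTRATION', true) && flag(env, 'ALLOW_UNVERIFIED_EMAIL_LOGIN', true)) {
    findings.push('ALLOW_REGISTRATION and ALLOW_UNVERIFIED_EMAIL_LOGIN are both on: anyone can register under any address');
  }
  if (flag(env, 'ALLOW_SOCIAL_LOGIN', false) && flag(env, 'ALLOW_SOCIAL_REGISTRATION', false)) {
    findings.push('ALLOW_SOCIAL_REGISTRATION=true: any account at the enabled providers can self-register');
  }
  if ('OPENID_CLIENT_ID' in env && !flag(env, 'OPENID_USE_PKCE', false)) {
    findings.push('OpenID configured without OPENID_USE_PKCE=true');
  }
  if (flag(env, 'OPENID_AUTO_REDIRECT', false) && flag(env, 'ALLOW_EMAIL_LOGIN', true)) {
    findings.push('OPENID_AUTO_REDIRECT=true but local email login is still enabled; it is meant for OpenID-only deployments');
  }
  const ldapUrl = env.LDAP_URL || '';
  if (ldapUrl.startsWith('ldap://') && !flag(env, 'LDAP_STARTTLS', false)) {
    findings.push('LDAP_URL is plain ldap:// without LDAP_STARTTLS: bind and user passwords cross the network in cleartext');
  }
  if (ldapUrl && 'LDAP_TLS_REJECT_UNAUTHORIZED' in env && !flag(env, 'LDAP_TLS_REJECT_UNAUTHORIZED', true)) {
    findings.push('LDAP_TLS_REJECT_UNAUTHORIZED=false: the directory certificate is not validated');
  }
  if (env.MIN_PASSWORD_LENGTH === '1' && flag(env, 'ALLOW_REGISTRATION', true)) {
    findings.push('MIN_PASSWORD_LENGTH=1 with open registration: self-registered local accounts may use one-character passwords');
  }
  return findings;
}

const auditDotenvText = (text) => auditAuthEnv(parseDotenv(text));

// Constructed sample: the LDAP example above with everything else left at defaults.
const WEAK_ENV = `
LDAP_URL=ldap://ldap.example.com:389
LDAP_BIND_DN=cn=admin,dc=example,dc=com
LDAP_BIND_CREDENTIALS=admin-password
LDAP_USER_SEARCH_BASE=ou=users,dc=example,dc=com
LDAP_SEARCH_FILTER="mail={{username}}"
MIN_PASSWORD_LENGTH=1
OPENID_CLIENT_ID=your-client-id
`;

// Constructed sample with the same services, hardened (service-account bind DN,
// LDAPS with a pinned CA, PKCE, registration closed and verification required).
const HARDENED_ENV = `
ALLOW_REGISTRATION=false
ALLOW_UNVERIFIED_EMAIL_LOGIN=false
LDAP_URL=ldaps://ldap.example.com:636
LDAP_CA_CERT_PATH=/etc/ssl/certs/corp-ca.pem
LDAP_TLS_REJECT_UNAUTHORIZED=true
LDAP_BIND_DN=cn=svc-librechat,ou=service,dc=example,dc=com
LDAP_BIND_CREDENTIALS=bind-password
LDAP_USER_SEARCH_BASE=ou=users,dc=example,dc=com
LDAP_SEARCH_FILTER="mail={{username}}"
MIN_PASSWORD_LENGTH=1
OPENID_CLIENT_ID=your-client-id
OPENID_USE_PKCE=true
`;

console.log(auditDotenvText(WEAK_ENV));     // four findings
console.log(auditDotenvText(HARDENED_ENV)); // []
```

Run it against the real .env before deployment; the defaults matter here because a variable that is absent from the file still counts as its documented default value.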

Microsoft Entra ID Integration

USE_ENTRA_ID_FOR_PEOPLE_SEARCH
boolean
Enable Entra ID people search in the permissions/sharing system; searches both the local database and Entra ID
ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS
boolean
default:"false"
Consider Entra ID group owners as members
OPENID_GRAPH_SCOPES
string
default:"User.Read,People.Read,GroupMember.Read.All"
Microsoft Graph API scopes for people/group search
.env
USE_ENTRA_ID_FOR_PEOPLE_SEARCH=true
ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS=false
OPENID_GRAPH_SCOPES=User.Read,People.Read,GroupMember.Read.All

SharePoint Integration

Requires Entra ID (OpenID) authentication
ENABLE_SHAREPOINT_FILEPICKER
boolean
Enable SharePoint file picker in chat and agent panels
SHAREPOINT_BASE_URL
string
SharePoint tenant base URL
SHAREPOINT_BASE_URL=https://yourtenant.sharepoint.com
SHAREPOINT_PICKER_SHAREPOINT_SCOPE
string
SharePoint scope for file picker
SHAREPOINT_PICKER_SHAREPOINT_SCOPE=https://yourtenant.sharepoint.com/AllSites.Read
SHAREPOINT_PICKER_GRAPH_SCOPE
string
default:"Files.Read.All"
Microsoft Graph API scope for file picker

Two-Factor Authentication

Two-factor authentication (2FA) is available through the API endpoints:
  • POST /auth/2fa/enable - Enable 2FA for user
  • POST /auth/2fa/verify - Verify 2FA code
  • POST /auth/2fa/confirm - Confirm 2FA setup
  • POST /auth/2fa/disable - Disable 2FA
  • POST /auth/2fa/backup/regenerate - Regenerate backup codes
No additional configuration required.