Authentication and SSO
Langfuse supports both email/password and SSO authentication.
Email/Password
Email/password authentication is enabled by default. Users can sign up and log in using their email and password.
To disable email/password authentication, set AUTH_DISABLE_USERNAME_PASSWORD=true. In this case, you need to set up SSO instead.
If you want to provision a default user for your Langfuse instance, you can use the LANGFUSE_INIT_* environment variables.
Password Reset
-
If transactional emails are configured on your instance via the
SMTP_CONNECTION_URLandEMAIL_FROM_ADDRESSenvironments, users can reset their password by using the “Forgot password” link on the login page. -
If transactional emails are not set up, passwords can be reset by following these steps:
- Update the email associated with your user account in database, such as by adding a prefix.
- You can then sign up again with a new password.
- Reassign any organizations you were associated with via the
organization_membershipstable in database. - Finally, remove the old user account from the
userstable in database.
SSO
To enable OAuth/SSO provider sign-in for Langfuse, add the following environment variables:
| Provider | Variables | OAuth Redirect URL |
|---|---|---|
AUTH_GOOGLE_CLIENT_IDAUTH_GOOGLE_CLIENT_SECRETAUTH_GOOGLE_ALLOW_ACCOUNT_LINKING=true (optional)AUTH_GOOGLE_ALLOWED_DOMAINS=langfuse.com,google.com(optional, list of allowed domains based on hd OAuth claim) | /api/auth/callback/google | |
| GitHub | AUTH_GITHUB_CLIENT_IDAUTH_GITHUB_CLIENT_SECRETAUTH_GITHUB_ALLOW_ACCOUNT_LINKING=true (optional) | /api/auth/callback/github |
| GitHub Enterprise | AUTH_GITHUB_ENTERPRISE_CLIENT_IDAUTH_GITHUB_ENTERPRISE_CLIENT_SECRETAUTH_GITHUB_ENTERPRISE_BASE_URLAUTH_GITHUB_ENTERPRISE_ALLOW_ACCOUNT_LINKING=false (optional) | /api/auth/callback/github-enterprise |
| GitLab | AUTH_GITLAB_CLIENT_IDAUTH_GITLAB_CLIENT_SECRETAUTH_GITLAB_ISSUER (optional)AUTH_GITLAB_ALLOW_ACCOUNT_LINKING=true (optional) | /api/auth/callback/gitlab |
| AzureAD/Entra ID | AUTH_AZURE_AD_CLIENT_IDAUTH_AZURE_AD_CLIENT_SECRETAUTH_AZURE_AD_TENANT_IDAUTH_AZURE_ALLOW_ACCOUNT_LINKING=true (optional) | /api/auth/callback/azure-ad |
| Okta | AUTH_OKTA_CLIENT_IDAUTH_OKTA_CLIENT_SECRETAUTH_OKTA_ISSUERAUTH_OKTA_ALLOW_ACCOUNT_LINKING=true (optional) | /api/auth/callback/okta |
| Auth0 | AUTH_AUTH0_CLIENT_IDAUTH_AUTH0_CLIENT_SECRETAUTH_AUTH0_ISSUERAUTH_AUTH0_ALLOW_ACCOUNT_LINKING=true (optional) | /api/auth/callback/auth0 |
| AWS Cognito | AUTH_COGNITO_CLIENT_IDAUTH_COGNITO_CLIENT_SECRETAUTH_COGNITO_ISSUERAUTH_COGNITO_ALLOW_ACCOUNT_LINKING=true (optional) | /api/auth/callback/cognito |
| Keycloak | AUTH_KEYCLOAK_CLIENT_IDAUTH_KEYCLOAK_CLIENT_SECRETAUTH_KEYCLOAK_ISSUERAUTH_KEYCLOAK_ALLOW_ACCOUNT_LINKING=true (optional) | /api/auth/callback/keycloak |
| Custom OAuth (source) | AUTH_CUSTOM_CLIENT_IDAUTH_CUSTOM_CLIENT_SECRETAUTH_CUSTOM_ISSUERAUTH_CUSTOM_NAME (any, used only in UI)AUTH_CUSTOM_ALLOW_ACCOUNT_LINKING=true (optional)AUTH_CUSTOM_SCOPE (optional, defaults to "openid email profile") | /api/auth/callback/custom |
Use *_ALLOW_ACCOUNT_LINKING to allow merging accounts with the same email address. This is useful when users sign in with different providers or email/password but have the same email address. You need to be careful with this setting as it can lead to security issues if the emails are not verified.
Need another provider? Langfuse uses Auth.js, which integrates with many providers. Add a feature request on GitHub if you want us to add support for a specific provider.
Additional configuration
| Variable | Description |
|---|---|
AUTH_DOMAINS_WITH_SSO_ENFORCEMENT | Comma-separated list of domains that are only allowed to sign in using SSO. Email/password sign in is disabled for these domains. E.g. domain1.com,domain2.com |
AUTH_DISABLE_SIGNUP | Set to true to disable sign up for new users. Only existing users can sign in. This affects all new users that try to sign up, also those who received an invite to a project and have no account yet. |
AUTH_SESSION_MAX_AGE | Set the maximum age of the session (JWT) in minutes. The default is 30 days (43200). The value must be greater than 5 minutes, as the front-end application refreshes its session every 5 minutes. |