Environment

Environment variables are applied after the configuration file, meaning anything specified in the environment overrides the configuration files.

Note

It is not possible to configure several sections using environment variables at this time. These include, but may not be limited to, the rules section in access control, the clients section in the OpenID Connect 1.0 Provider, the cookies section in session, and the authz section in the server endpoints.

Prefix

The environment variables must be prefixed with AUTHELIA_. All environment variables that start with this prefix must be for configuration. Any supplied environment variables that have this prefix and are not meant for configuration will likely result in an error or, even worse, a misconfiguration.

Kubernetes

Please see the Kubernetes Integration: Enable Service Links documentation for specific requirements for using Authelia with Kubernetes.

Mapping

Configuration options are mapped by their name. Levels of indentation / subkeys are replaced by underscores.

For example, this YAML configuration:

configuration.yml
log:
  level: 'info'
server:
  buffers:
    read: 4096

Can be replaced by this environment variable configuration:

AUTHELIA_LOG_LEVEL=info
AUTHELIA_SERVER_BUFFERS_READ=4096
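
A pre-deployment check built from the prefix, precedence and mapping rules above, as an added example that is not part of the Authelia documentation or code base. The function names, the KNOWN_KEYS subset and the sample file and environment are assumptions constructed for illustration; the AUTHELIA_PORT and AUTHELIA_SERVICE_HOST entries imitate what Kubernetes service links inject for a Service named authelia.

```python
PREFIX = "AUTHELIA_"
# Subset of the key table on this page; extend it with the remaining rows.
KNOWN_KEYS = ["log.level", "log.file_path", "server.buffers.read",
              "authentication_backend.ldap.tls.skip_verify"]

# Constructed sample input. The pod environment also holds Kubernetes
# service-link variables (assumed Service name "authelia", made-up addresses).
SAMPLE_FILE = {"log": {"level": "info"}, "server": {"buffers": {"read": 4096}},
               "authentication_backend": {"ldap": {"tls": {"skip_verify": "false"}}}}
SAMPLE_ENV = {
    "AUTHELIA_LOG_LEVEL": "debug",
    "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_SKIP_VERIFY": "true",
    "AUTHELIA_PORT": "tcp://10.0.0.12:9091",
    "AUTHELIA_SERVICE_HOST": "10.0.0.12",
    "PATH": "/usr/bin",
}

def key_to_env(key):
    """Map a dotted configuration key to its environment variable name."""
    return PREFIX + key.replace(".", "_").upper()

def flatten(tree, parent=""):
    """Flatten nested YAML-style dicts into dotted keys with string values."""
    flat = {}
    for name, value in tree.items():
        path = f"{parent}.{name}" if parent else name
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = str(value)
    return flat

def audit(file_config, environ, known_keys=KNOWN_KEYS):
    """Return (effective, overrides, unexpected) for a file and an environment."""
    # The underscore mapping is lossy (log.file_path vs. log.file.path), so
    # names are resolved through the key table, never by splitting on "_".
    env_to_key = {key_to_env(k): k for k in known_keys}
    effective = flatten(file_config)
    overrides, unexpected = [], []
    prefixed = sorted((n, v) for n, v in environ.items() if n.startswith(PREFIX))
    for name, value in prefixed:
        key = env_to_key.get(name)
        if key is None:
            unexpected.append(name)  # prefixed, but not a configuration option
            continue
        if effective.get(key, value) != value:
            overrides.append((key, effective[key], value))
        effective[key] = value  # the environment is applied after the file
    return effective, overrides, unexpected
```

Calling audit(SAMPLE_FILE, SAMPLE_ENV) reports the two file values that the environment silently replaces, including the LDAP certificate verification setting, and lists the two service-link variables as prefixed names that are not configuration.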

Environment Variables

Configuration Key Environment Variable
theme AUTHELIA_THEME
certificates_directory AUTHELIA_CERTIFICATES_DIRECTORY
default_2fa_method AUTHELIA_DEFAULT_2FA_METHOD
log.level AUTHELIA_LOG_LEVEL
log.format AUTHELIA_LOG_FORMAT
log.file_path AUTHELIA_LOG_FILE_PATH
log.keep_stdout AUTHELIA_LOG_KEEP_STDOUT
identity_providers.oidc.enable_client_debug_messages AUTHELIA_IDENTITY_PROVIDERS_OIDC_ENABLE_CLIENT_DEBUG_MESSAGES
identity_providers.oidc.minimum_parameter_entropy AUTHELIA_IDENTITY_PROVIDERS_OIDC_MINIMUM_PARAMETER_ENTROPY
identity_providers.oidc.enforce_pkce AUTHELIA_IDENTITY_PROVIDERS_OIDC_ENFORCE_PKCE
identity_providers.oidc.enable_pkce_plain_challenge AUTHELIA_IDENTITY_PROVIDERS_OIDC_ENABLE_PKCE_PLAIN_CHALLENGE
identity_providers.oidc.enable_jwt_access_token_stateless_introspection AUTHELIA_IDENTITY_PROVIDERS_OIDC_ENABLE_JWT_ACCESS_TOKEN_STATELESS_INTROSPECTION
identity_providers.oidc.discovery_signed_response_alg AUTHELIA_IDENTITY_PROVIDERS_OIDC_DISCOVERY_SIGNED_RESPONSE_ALG
identity_providers.oidc.discovery_signed_response_key_id AUTHELIA_IDENTITY_PROVIDERS_OIDC_DISCOVERY_SIGNED_RESPONSE_KEY_ID
identity_providers.oidc.require_pushed_authorization_requests AUTHELIA_IDENTITY_PROVIDERS_OIDC_REQUIRE_PUSHED_AUTHORIZATION_REQUESTS
identity_providers.oidc.cors.endpoints AUTHELIA_IDENTITY_PROVIDERS_OIDC_CORS_ENDPOINTS
identity_providers.oidc.cors.allowed_origins_from_client_redirect_uris AUTHELIA_IDENTITY_PROVIDERS_OIDC_CORS_ALLOWED_ORIGINS_FROM_CLIENT_REDIRECT_URIS
identity_providers.oidc.lifespans.access_token AUTHELIA_IDENTITY_PROVIDERS_OIDC_LIFESPANS_ACCESS_TOKEN
identity_providers.oidc.lifespans.authorize_code AUTHELIA_IDENTITY_PROVIDERS_OIDC_LIFESPANS_AUTHORIZE_CODE
identity_providers.oidc.lifespans.id_token AUTHELIA_IDENTITY_PROVIDERS_OIDC_LIFESPANS_ID_TOKEN
identity_providers.oidc.lifespans.refresh_token AUTHELIA_IDENTITY_PROVIDERS_OIDC_LIFESPANS_REFRESH_TOKEN
identity_providers.oidc.lifespans.jwt_secured_authorization AUTHELIA_IDENTITY_PROVIDERS_OIDC_LIFESPANS_JWT_SECURED_AUTHORIZATION
identity_providers.oidc AUTHELIA_IDENTITY_PROVIDERS_OIDC
authentication_backend.password_reset.disable AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE
authentication_backend.password_reset.custom_url AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_CUSTOM_URL
authentication_backend.refresh_interval AUTHELIA_AUTHENTICATION_BACKEND_REFRESH_INTERVAL
authentication_backend.file.path AUTHELIA_AUTHENTICATION_BACKEND_FILE_PATH
authentication_backend.file.watch AUTHELIA_AUTHENTICATION_BACKEND_FILE_WATCH
authentication_backend.file.password.algorithm AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ALGORITHM
authentication_backend.file.password.argon2.variant AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_VARIANT
authentication_backend.file.password.argon2.iterations AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_ITERATIONS
authentication_backend.file.password.argon2.memory AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_MEMORY
authentication_backend.file.password.argon2.parallelism AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_PARALLELISM
authentication_backend.file.password.argon2.key_length AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_KEY_LENGTH
authentication_backend.file.password.argon2.salt_length AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_SALT_LENGTH
authentication_backend.file.password.sha2crypt.variant AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SHA2CRYPT_VARIANT
authentication_backend.file.password.sha2crypt.iterations AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SHA2CRYPT_ITERATIONS
authentication_backend.file.password.sha2crypt.salt_length AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SHA2CRYPT_SALT_LENGTH
authentication_backend.file.password.pbkdf2.variant AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_PBKDF2_VARIANT
authentication_backend.file.password.pbkdf2.iterations AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_PBKDF2_ITERATIONS
authentication_backend.file.password.pbkdf2.salt_length AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_PBKDF2_SALT_LENGTH
authentication_backend.file.password.bcrypt.variant AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_BCRYPT_VARIANT
authentication_backend.file.password.bcrypt.cost AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_BCRYPT_COST
authentication_backend.file.password.scrypt.iterations AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_ITERATIONS
authentication_backend.file.password.scrypt.block_size AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_BLOCK_SIZE
authentication_backend.file.password.scrypt.parallelism AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_PARALLELISM
authentication_backend.file.password.scrypt.key_length AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_KEY_LENGTH
authentication_backend.file.password.scrypt.salt_length AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_SALT_LENGTH
authentication_backend.file.search.email AUTHELIA_AUTHENTICATION_BACKEND_FILE_SEARCH_EMAIL
authentication_backend.file.search.case_insensitive AUTHELIA_AUTHENTICATION_BACKEND_FILE_SEARCH_CASE_INSENSITIVE
authentication_backend.ldap.address AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDRESS
authentication_backend.ldap.implementation AUTHELIA_AUTHENTICATION_BACKEND_LDAP_IMPLEMENTATION
authentication_backend.ldap.timeout AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TIMEOUT
authentication_backend.ldap.start_tls AUTHELIA_AUTHENTICATION_BACKEND_LDAP_START_TLS
authentication_backend.ldap.tls.minimum_version AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_MINIMUM_VERSION
authentication_backend.ldap.tls.maximum_version AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_MAXIMUM_VERSION
authentication_backend.ldap.tls.skip_verify AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_SKIP_VERIFY
authentication_backend.ldap.tls.server_name AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_SERVER_NAME
authentication_backend.ldap.base_dn AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN
authentication_backend.ldap.additional_users_dn AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN
authentication_backend.ldap.users_filter AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER
authentication_backend.ldap.additional_groups_dn AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN
authentication_backend.ldap.groups_filter AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER
authentication_backend.ldap.group_search_mode AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUP_SEARCH_MODE
authentication_backend.ldap.attributes.distinguished_name AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_DISTINGUISHED_NAME
authentication_backend.ldap.attributes.username AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_USERNAME
authentication_backend.ldap.attributes.display_name AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_DISPLAY_NAME
authentication_backend.ldap.attributes.mail AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_MAIL
authentication_backend.ldap.attributes.member_of AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_MEMBER_OF
authentication_backend.ldap.attributes.group_name AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_GROUP_NAME
authentication_backend.ldap.permit_referrals AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PERMIT_REFERRALS
authentication_backend.ldap.permit_unauthenticated_bind AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PERMIT_UNAUTHENTICATED_BIND
authentication_backend.ldap.permit_feature_detection_failure AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PERMIT_FEATURE_DETECTION_FAILURE
authentication_backend.ldap.user AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER
session.name AUTHELIA_SESSION_NAME
session.same_site AUTHELIA_SESSION_SAME_SITE
session.expiration AUTHELIA_SESSION_EXPIRATION
session.inactivity AUTHELIA_SESSION_INACTIVITY
session.remember_me AUTHELIA_SESSION_REMEMBER_ME
session AUTHELIA_SESSION
session.redis.host AUTHELIA_SESSION_REDIS_HOST
session.redis.port AUTHELIA_SESSION_REDIS_PORT
session.redis.username AUTHELIA_SESSION_REDIS_USERNAME
session.redis.database_index AUTHELIA_SESSION_REDIS_DATABASE_INDEX
session.redis.maximum_active_connections AUTHELIA_SESSION_REDIS_MAXIMUM_ACTIVE_CONNECTIONS
session.redis.minimum_idle_connections AUTHELIA_SESSION_REDIS_MINIMUM_IDLE_CONNECTIONS
session.redis.tls.minimum_version AUTHELIA_SESSION_REDIS_TLS_MINIMUM_VERSION
session.redis.tls.maximum_version AUTHELIA_SESSION_REDIS_TLS_MAXIMUM_VERSION
session.redis.tls.skip_verify AUTHELIA_SESSION_REDIS_TLS_SKIP_VERIFY
session.redis.tls.server_name AUTHELIA_SESSION_REDIS_TLS_SERVER_NAME
session.redis.high_availability.sentinel_name AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_NAME
session.redis.high_availability.sentinel_username AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_USERNAME
session.redis.high_availability.route_by_latency AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_ROUTE_BY_LATENCY
session.redis.high_availability.route_randomly AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_ROUTE_RANDOMLY
totp.disable AUTHELIA_TOTP_DISABLE
totp.issuer AUTHELIA_TOTP_ISSUER
totp.algorithm AUTHELIA_TOTP_ALGORITHM
totp.digits AUTHELIA_TOTP_DIGITS
totp.period AUTHELIA_TOTP_PERIOD
totp.skew AUTHELIA_TOTP_SKEW
totp.secret_size AUTHELIA_TOTP_SECRET_SIZE
totp.allowed_algorithms AUTHELIA_TOTP_ALLOWED_ALGORITHMS
totp.allowed_digits AUTHELIA_TOTP_ALLOWED_DIGITS
totp.allowed_periods AUTHELIA_TOTP_ALLOWED_PERIODS
totp.disable_reuse_security_policy AUTHELIA_TOTP_DISABLE_REUSE_SECURITY_POLICY
duo_api.disable AUTHELIA_DUO_API_DISABLE
duo_api.hostname AUTHELIA_DUO_API_HOSTNAME
duo_api.enable_self_enrollment AUTHELIA_DUO_API_ENABLE_SELF_ENROLLMENT
access_control.default_policy AUTHELIA_ACCESS_CONTROL_DEFAULT_POLICY
ntp.address AUTHELIA_NTP_ADDRESS
ntp.version AUTHELIA_NTP_VERSION
ntp.max_desync AUTHELIA_NTP_MAX_DESYNC
ntp.disable_startup_check AUTHELIA_NTP_DISABLE_STARTUP_CHECK
ntp.disable_failure AUTHELIA_NTP_DISABLE_FAILURE
regulation.max_retries AUTHELIA_REGULATION_MAX_RETRIES
regulation.find_time AUTHELIA_REGULATION_FIND_TIME
regulation.ban_time AUTHELIA_REGULATION_BAN_TIME
storage.local.path AUTHELIA_STORAGE_LOCAL_PATH
storage.mysql.address AUTHELIA_STORAGE_MYSQL_ADDRESS
storage.mysql.database AUTHELIA_STORAGE_MYSQL_DATABASE
storage.mysql.username AUTHELIA_STORAGE_MYSQL_USERNAME
storage.mysql.timeout AUTHELIA_STORAGE_MYSQL_TIMEOUT
storage.mysql.tls.minimum_version AUTHELIA_STORAGE_MYSQL_TLS_MINIMUM_VERSION
storage.mysql.tls.maximum_version AUTHELIA_STORAGE_MYSQL_TLS_MAXIMUM_VERSION
storage.mysql.tls.skip_verify AUTHELIA_STORAGE_MYSQL_TLS_SKIP_VERIFY
storage.mysql.tls.server_name AUTHELIA_STORAGE_MYSQL_TLS_SERVER_NAME
storage.postgres.address AUTHELIA_STORAGE_POSTGRES_ADDRESS
storage.postgres.database AUTHELIA_STORAGE_POSTGRES_DATABASE
storage.postgres.username AUTHELIA_STORAGE_POSTGRES_USERNAME
storage.postgres.timeout AUTHELIA_STORAGE_POSTGRES_TIMEOUT
storage.postgres.schema AUTHELIA_STORAGE_POSTGRES_SCHEMA
storage.postgres.tls.minimum_version AUTHELIA_STORAGE_POSTGRES_TLS_MINIMUM_VERSION
storage.postgres.tls.maximum_version AUTHELIA_STORAGE_POSTGRES_TLS_MAXIMUM_VERSION
storage.postgres.tls.skip_verify AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY
storage.postgres.tls.server_name AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME
notifier.disable_startup_check AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK
notifier.filesystem.filename AUTHELIA_NOTIFIER_FILESYSTEM_FILENAME
notifier.smtp.address AUTHELIA_NOTIFIER_SMTP_ADDRESS
notifier.smtp.timeout AUTHELIA_NOTIFIER_SMTP_TIMEOUT
notifier.smtp.username AUTHELIA_NOTIFIER_SMTP_USERNAME
notifier.smtp.identifier AUTHELIA_NOTIFIER_SMTP_IDENTIFIER
notifier.smtp.sender AUTHELIA_NOTIFIER_SMTP_SENDER
notifier.smtp.subject AUTHELIA_NOTIFIER_SMTP_SUBJECT
notifier.smtp.startup_check_address AUTHELIA_NOTIFIER_SMTP_STARTUP_CHECK_ADDRESS
notifier.smtp.disable_require_tls AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS
notifier.smtp.disable_html_emails AUTHELIA_NOTIFIER_SMTP_DISABLE_HTML_EMAILS
notifier.smtp.disable_starttls AUTHELIA_NOTIFIER_SMTP_DISABLE_STARTTLS
notifier.smtp.tls.minimum_version AUTHELIA_NOTIFIER_SMTP_TLS_MINIMUM_VERSION
notifier.smtp.tls.maximum_version AUTHELIA_NOTIFIER_SMTP_TLS_MAXIMUM_VERSION
notifier.smtp.tls.skip_verify AUTHELIA_NOTIFIER_SMTP_TLS_SKIP_VERIFY
notifier.smtp.tls.server_name AUTHELIA_NOTIFIER_SMTP_TLS_SERVER_NAME
notifier.template_path AUTHELIA_NOTIFIER_TEMPLATE_PATH
server.address AUTHELIA_SERVER_ADDRESS
server.asset_path AUTHELIA_SERVER_ASSET_PATH
server.disable_healthcheck AUTHELIA_SERVER_DISABLE_HEALTHCHECK
server.tls.certificate AUTHELIA_SERVER_TLS_CERTIFICATE
server.tls.key AUTHELIA_SERVER_TLS_KEY
server.tls.client_certificates AUTHELIA_SERVER_TLS_CLIENT_CERTIFICATES
server.headers.csp_template AUTHELIA_SERVER_HEADERS_CSP_TEMPLATE
server.endpoints.enable_pprof AUTHELIA_SERVER_ENDPOINTS_ENABLE_PPROF
server.endpoints.enable_expvars AUTHELIA_SERVER_ENDPOINTS_ENABLE_EXPVARS
server.buffers.read AUTHELIA_SERVER_BUFFERS_READ
server.buffers.write AUTHELIA_SERVER_BUFFERS_WRITE
server.timeouts.read AUTHELIA_SERVER_TIMEOUTS_READ
server.timeouts.write AUTHELIA_SERVER_TIMEOUTS_WRITE
server.timeouts.idle AUTHELIA_SERVER_TIMEOUTS_IDLE
telemetry.metrics.enabled AUTHELIA_TELEMETRY_METRICS_ENABLED
telemetry.metrics.address AUTHELIA_TELEMETRY_METRICS_ADDRESS
telemetry.metrics.buffers.read AUTHELIA_TELEMETRY_METRICS_BUFFERS_READ
telemetry.metrics.buffers.write AUTHELIA_TELEMETRY_METRICS_BUFFERS_WRITE
telemetry.metrics.timeouts.read AUTHELIA_TELEMETRY_METRICS_TIMEOUTS_READ
telemetry.metrics.timeouts.write AUTHELIA_TELEMETRY_METRICS_TIMEOUTS_WRITE
telemetry.metrics.timeouts.idle AUTHELIA_TELEMETRY_METRICS_TIMEOUTS_IDLE
webauthn.disable AUTHELIA_WEBAUTHN_DISABLE
webauthn.display_name AUTHELIA_WEBAUTHN_DISPLAY_NAME
webauthn.attestation_conveyance_preference AUTHELIA_WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE
webauthn.user_verification AUTHELIA_WEBAUTHN_USER_VERIFICATION
webauthn.timeout AUTHELIA_WEBAUTHN_TIMEOUT
password_policy.standard.enabled AUTHELIA_PASSWORD_POLICY_STANDARD_ENABLED
password_policy.standard.min_length AUTHELIA_PASSWORD_POLICY_STANDARD_MIN_LENGTH
password_policy.standard.max_length AUTHELIA_PASSWORD_POLICY_STANDARD_MAX_LENGTH
password_policy.standard.require_uppercase AUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_UPPERCASE
password_policy.standard.require_lowercase AUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_LOWERCASE
password_policy.standard.require_number AUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_NUMBER
password_policy.standard.require_special AUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_SPECIAL
password_policy.zxcvbn.enabled AUTHELIA_PASSWORD_POLICY_ZXCVBN_ENABLED
password_policy.zxcvbn.min_score AUTHELIA_PASSWORD_POLICY_ZXCVBN_MIN_SCORE
privacy_policy.enabled AUTHELIA_PRIVACY_POLICY_ENABLED
privacy_policy.require_user_acceptance AUTHELIA_PRIVACY_POLICY_REQUIRE_USER_ACCEPTANCE
privacy_policy.policy_url AUTHELIA_PRIVACY_POLICY_POLICY_URL
identity_validation.reset_password.jwt_lifespan AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_LIFESPAN
identity_validation.reset_password.jwt_algorithm AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_ALGORITHM
identity_validation.elevated_session.code_lifespan AUTHELIA_IDENTITY_VALIDATION_ELEVATED_SESSION_CODE_LIFESPAN
identity_validation.elevated_session.elevation_lifespan AUTHELIA_IDENTITY_VALIDATION_ELEVATED_SESSION_ELEVATION_LIFESPAN
identity_validation.elevated_session.characters AUTHELIA_IDENTITY_VALIDATION_ELEVATED_SESSION_CHARACTERS
identity_validation.elevated_session.require_second_factor AUTHELIA_IDENTITY_VALIDATION_ELEVATED_SESSION_REQUIRE_SECOND_FACTOR
identity_validation.elevated_session.skip_second_factor AUTHELIA_IDENTITY_VALIDATION_ELEVATED_SESSION_SKIP_SECOND_FACTOR