Environment

Authelia has a layered configuration model. This section describes how to implement the environment configuration.

Environment variables are applied after the configuration file meaning anything specified as part of the environment overrides the configuration files.

Please Note: It is not possible to configure the access control rules section or OpenID Connect identity provider clients section using environment variables at this time.

Prefix

The environment variables must be prefixed with AUTHELIA_. All environment variables that start with this prefix must be for configuration. Any supplied environment variables that have this prefix and are not meant for configuration will likely result in an error or even worse misconfiguration.

Kubernetes

Please see the Kubernetes Integration: Enable Service Links documentation for specific requirements for using Authelia with Kubernetes.

Mapping

Configuration options are mapped by their name. Levels of indentation / subkeys are replaced by underscores.

For example this YAML configuration:

log:
  level: info
server:
  buffers:
    read: 4096

Can be replaced by this environment variable configuration:

AUTHELIA_LOG_LEVEL=info
AUTHELIA_SERVER_BUFFERS_READ=4096

Environment Variables

Configuration KeyEnvironment Variable
themeAUTHELIA_THEME
certificates_directoryAUTHELIA_CERTIFICATES_DIRECTORY
default_redirection_urlAUTHELIA_DEFAULT_REDIRECTION_URL
default_2fa_methodAUTHELIA_DEFAULT_2FA_METHOD
log.levelAUTHELIA_LOG_LEVEL
log.formatAUTHELIA_LOG_FORMAT
log.file_pathAUTHELIA_LOG_FILE_PATH
log.keep_stdoutAUTHELIA_LOG_KEEP_STDOUT
identity_providers.oidc.access_token_lifespanAUTHELIA_IDENTITY_PROVIDERS_OIDC_ACCESS_TOKEN_LIFESPAN
identity_providers.oidc.authorize_code_lifespanAUTHELIA_IDENTITY_PROVIDERS_OIDC_AUTHORIZE_CODE_LIFESPAN
identity_providers.oidc.id_token_lifespanAUTHELIA_IDENTITY_PROVIDERS_OIDC_ID_TOKEN_LIFESPAN
identity_providers.oidc.refresh_token_lifespanAUTHELIA_IDENTITY_PROVIDERS_OIDC_REFRESH_TOKEN_LIFESPAN
identity_providers.oidc.enable_client_debug_messagesAUTHELIA_IDENTITY_PROVIDERS_OIDC_ENABLE_CLIENT_DEBUG_MESSAGES
identity_providers.oidc.minimum_parameter_entropyAUTHELIA_IDENTITY_PROVIDERS_OIDC_MINIMUM_PARAMETER_ENTROPY
identity_providers.oidc.enforce_pkceAUTHELIA_IDENTITY_PROVIDERS_OIDC_ENFORCE_PKCE
identity_providers.oidc.enable_pkce_plain_challengeAUTHELIA_IDENTITY_PROVIDERS_OIDC_ENABLE_PKCE_PLAIN_CHALLENGE
identity_providers.oidc.cors.allowed_origins_from_client_redirect_urisAUTHELIA_IDENTITY_PROVIDERS_OIDC_CORS_ALLOWED_ORIGINS_FROM_CLIENT_REDIRECT_URIS
authentication_backend.password_reset.disableAUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE
authentication_backend.password_reset.custom_urlAUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_CUSTOM_URL
authentication_backend.refresh_intervalAUTHELIA_AUTHENTICATION_BACKEND_REFRESH_INTERVAL
authentication_backend.file.pathAUTHELIA_AUTHENTICATION_BACKEND_FILE_PATH
authentication_backend.file.watchAUTHELIA_AUTHENTICATION_BACKEND_FILE_WATCH
authentication_backend.file.password.algorithmAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ALGORITHM
authentication_backend.file.password.argon2.variantAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_VARIANT
authentication_backend.file.password.argon2.iterationsAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_ITERATIONS
authentication_backend.file.password.argon2.memoryAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_MEMORY
authentication_backend.file.password.argon2.parallelismAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_PARALLELISM
authentication_backend.file.password.argon2.key_lengthAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_KEY_LENGTH
authentication_backend.file.password.argon2.salt_lengthAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_SALT_LENGTH
authentication_backend.file.password.sha2crypt.variantAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SHA2CRYPT_VARIANT
authentication_backend.file.password.sha2crypt.iterationsAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SHA2CRYPT_ITERATIONS
authentication_backend.file.password.sha2crypt.salt_lengthAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SHA2CRYPT_SALT_LENGTH
authentication_backend.file.password.pbkdf2.variantAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_PBKDF2_VARIANT
authentication_backend.file.password.pbkdf2.iterationsAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_PBKDF2_ITERATIONS
authentication_backend.file.password.pbkdf2.salt_lengthAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_PBKDF2_SALT_LENGTH
authentication_backend.file.password.bcrypt.variantAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_BCRYPT_VARIANT
authentication_backend.file.password.bcrypt.costAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_BCRYPT_COST
authentication_backend.file.password.scrypt.iterationsAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_ITERATIONS
authentication_backend.file.password.scrypt.block_sizeAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_BLOCK_SIZE
authentication_backend.file.password.scrypt.parallelismAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_PARALLELISM
authentication_backend.file.password.scrypt.key_lengthAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_KEY_LENGTH
authentication_backend.file.password.scrypt.salt_lengthAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_SALT_LENGTH
authentication_backend.file.password.iterationsAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ITERATIONS
authentication_backend.file.password.memoryAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_MEMORY
authentication_backend.file.password.parallelismAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_PARALLELISM
authentication_backend.file.password.key_lengthAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_KEY_LENGTH
authentication_backend.file.password.salt_lengthAUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SALT_LENGTH
authentication_backend.file.search.emailAUTHELIA_AUTHENTICATION_BACKEND_FILE_SEARCH_EMAIL
authentication_backend.file.search.case_insensitiveAUTHELIA_AUTHENTICATION_BACKEND_FILE_SEARCH_CASE_INSENSITIVE
authentication_backend.ldap.implementationAUTHELIA_AUTHENTICATION_BACKEND_LDAP_IMPLEMENTATION
authentication_backend.ldap.urlAUTHELIA_AUTHENTICATION_BACKEND_LDAP_URL
authentication_backend.ldap.timeoutAUTHELIA_AUTHENTICATION_BACKEND_LDAP_TIMEOUT
authentication_backend.ldap.start_tlsAUTHELIA_AUTHENTICATION_BACKEND_LDAP_START_TLS
authentication_backend.ldap.tls.minimum_versionAUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_MINIMUM_VERSION
authentication_backend.ldap.tls.maximum_versionAUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_MAXIMUM_VERSION
authentication_backend.ldap.tls.skip_verifyAUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_SKIP_VERIFY
authentication_backend.ldap.tls.server_nameAUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_SERVER_NAME
authentication_backend.ldap.base_dnAUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN
authentication_backend.ldap.additional_users_dnAUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN
authentication_backend.ldap.users_filterAUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER
authentication_backend.ldap.additional_groups_dnAUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN
authentication_backend.ldap.groups_filterAUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER
authentication_backend.ldap.group_name_attributeAUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUP_NAME_ATTRIBUTE
authentication_backend.ldap.username_attributeAUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERNAME_ATTRIBUTE
authentication_backend.ldap.mail_attributeAUTHELIA_AUTHENTICATION_BACKEND_LDAP_MAIL_ATTRIBUTE
authentication_backend.ldap.display_name_attributeAUTHELIA_AUTHENTICATION_BACKEND_LDAP_DISPLAY_NAME_ATTRIBUTE
authentication_backend.ldap.permit_referralsAUTHELIA_AUTHENTICATION_BACKEND_LDAP_PERMIT_REFERRALS
authentication_backend.ldap.permit_unauthenticated_bindAUTHELIA_AUTHENTICATION_BACKEND_LDAP_PERMIT_UNAUTHENTICATED_BIND
authentication_backend.ldap.permit_feature_detection_failureAUTHELIA_AUTHENTICATION_BACKEND_LDAP_PERMIT_FEATURE_DETECTION_FAILURE
authentication_backend.ldap.userAUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER
session.nameAUTHELIA_SESSION_NAME
session.domainAUTHELIA_SESSION_DOMAIN
session.same_siteAUTHELIA_SESSION_SAME_SITE
session.expirationAUTHELIA_SESSION_EXPIRATION
session.inactivityAUTHELIA_SESSION_INACTIVITY
session.remember_me_durationAUTHELIA_SESSION_REMEMBER_ME_DURATION
session.redis.hostAUTHELIA_SESSION_REDIS_HOST
session.redis.portAUTHELIA_SESSION_REDIS_PORT
session.redis.usernameAUTHELIA_SESSION_REDIS_USERNAME
session.redis.database_indexAUTHELIA_SESSION_REDIS_DATABASE_INDEX
session.redis.maximum_active_connectionsAUTHELIA_SESSION_REDIS_MAXIMUM_ACTIVE_CONNECTIONS
session.redis.minimum_idle_connectionsAUTHELIA_SESSION_REDIS_MINIMUM_IDLE_CONNECTIONS
session.redis.tls.minimum_versionAUTHELIA_SESSION_REDIS_TLS_MINIMUM_VERSION
session.redis.tls.maximum_versionAUTHELIA_SESSION_REDIS_TLS_MAXIMUM_VERSION
session.redis.tls.skip_verifyAUTHELIA_SESSION_REDIS_TLS_SKIP_VERIFY
session.redis.tls.server_nameAUTHELIA_SESSION_REDIS_TLS_SERVER_NAME
session.redis.high_availability.sentinel_nameAUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_NAME
session.redis.high_availability.sentinel_usernameAUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_USERNAME
session.redis.high_availability.route_by_latencyAUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_ROUTE_BY_LATENCY
session.redis.high_availability.route_randomlyAUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_ROUTE_RANDOMLY
totp.disableAUTHELIA_TOTP_DISABLE
totp.issuerAUTHELIA_TOTP_ISSUER
totp.algorithmAUTHELIA_TOTP_ALGORITHM
totp.digitsAUTHELIA_TOTP_DIGITS
totp.periodAUTHELIA_TOTP_PERIOD
totp.skewAUTHELIA_TOTP_SKEW
totp.secret_sizeAUTHELIA_TOTP_SECRET_SIZE
duo_api.disableAUTHELIA_DUO_API_DISABLE
duo_api.hostnameAUTHELIA_DUO_API_HOSTNAME
duo_api.enable_self_enrollmentAUTHELIA_DUO_API_ENABLE_SELF_ENROLLMENT
access_control.default_policyAUTHELIA_ACCESS_CONTROL_DEFAULT_POLICY
ntp.addressAUTHELIA_NTP_ADDRESS
ntp.versionAUTHELIA_NTP_VERSION
ntp.max_desyncAUTHELIA_NTP_MAX_DESYNC
ntp.disable_startup_checkAUTHELIA_NTP_DISABLE_STARTUP_CHECK
ntp.disable_failureAUTHELIA_NTP_DISABLE_FAILURE
regulation.max_retriesAUTHELIA_REGULATION_MAX_RETRIES
regulation.find_timeAUTHELIA_REGULATION_FIND_TIME
regulation.ban_timeAUTHELIA_REGULATION_BAN_TIME
storage.local.pathAUTHELIA_STORAGE_LOCAL_PATH
storage.mysql.hostAUTHELIA_STORAGE_MYSQL_HOST
storage.mysql.portAUTHELIA_STORAGE_MYSQL_PORT
storage.mysql.databaseAUTHELIA_STORAGE_MYSQL_DATABASE
storage.mysql.usernameAUTHELIA_STORAGE_MYSQL_USERNAME
storage.mysql.timeoutAUTHELIA_STORAGE_MYSQL_TIMEOUT
storage.mysql.tls.minimum_versionAUTHELIA_STORAGE_MYSQL_TLS_MINIMUM_VERSION
storage.mysql.tls.maximum_versionAUTHELIA_STORAGE_MYSQL_TLS_MAXIMUM_VERSION
storage.mysql.tls.skip_verifyAUTHELIA_STORAGE_MYSQL_TLS_SKIP_VERIFY
storage.mysql.tls.server_nameAUTHELIA_STORAGE_MYSQL_TLS_SERVER_NAME
storage.postgres.hostAUTHELIA_STORAGE_POSTGRES_HOST
storage.postgres.portAUTHELIA_STORAGE_POSTGRES_PORT
storage.postgres.databaseAUTHELIA_STORAGE_POSTGRES_DATABASE
storage.postgres.usernameAUTHELIA_STORAGE_POSTGRES_USERNAME
storage.postgres.timeoutAUTHELIA_STORAGE_POSTGRES_TIMEOUT
storage.postgres.schemaAUTHELIA_STORAGE_POSTGRES_SCHEMA
storage.postgres.tls.minimum_versionAUTHELIA_STORAGE_POSTGRES_TLS_MINIMUM_VERSION
storage.postgres.tls.maximum_versionAUTHELIA_STORAGE_POSTGRES_TLS_MAXIMUM_VERSION
storage.postgres.tls.skip_verifyAUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY
storage.postgres.tls.server_nameAUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME
storage.postgres.ssl.modeAUTHELIA_STORAGE_POSTGRES_SSL_MODE
storage.postgres.ssl.root_certificateAUTHELIA_STORAGE_POSTGRES_SSL_ROOT_CERTIFICATE
storage.postgres.ssl.certificateAUTHELIA_STORAGE_POSTGRES_SSL_CERTIFICATE
notifier.disable_startup_checkAUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK
notifier.filesystem.filenameAUTHELIA_NOTIFIER_FILESYSTEM_FILENAME
notifier.smtp.hostAUTHELIA_NOTIFIER_SMTP_HOST
notifier.smtp.portAUTHELIA_NOTIFIER_SMTP_PORT
notifier.smtp.timeoutAUTHELIA_NOTIFIER_SMTP_TIMEOUT
notifier.smtp.usernameAUTHELIA_NOTIFIER_SMTP_USERNAME
notifier.smtp.identifierAUTHELIA_NOTIFIER_SMTP_IDENTIFIER
notifier.smtp.senderAUTHELIA_NOTIFIER_SMTP_SENDER
notifier.smtp.subjectAUTHELIA_NOTIFIER_SMTP_SUBJECT
notifier.smtp.startup_check_addressAUTHELIA_NOTIFIER_SMTP_STARTUP_CHECK_ADDRESS
notifier.smtp.disable_require_tlsAUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS
notifier.smtp.disable_html_emailsAUTHELIA_NOTIFIER_SMTP_DISABLE_HTML_EMAILS
notifier.smtp.disable_starttlsAUTHELIA_NOTIFIER_SMTP_DISABLE_STARTTLS
notifier.smtp.tls.minimum_versionAUTHELIA_NOTIFIER_SMTP_TLS_MINIMUM_VERSION
notifier.smtp.tls.maximum_versionAUTHELIA_NOTIFIER_SMTP_TLS_MAXIMUM_VERSION
notifier.smtp.tls.skip_verifyAUTHELIA_NOTIFIER_SMTP_TLS_SKIP_VERIFY
notifier.smtp.tls.server_nameAUTHELIA_NOTIFIER_SMTP_TLS_SERVER_NAME
notifier.template_pathAUTHELIA_NOTIFIER_TEMPLATE_PATH
server.hostAUTHELIA_SERVER_HOST
server.portAUTHELIA_SERVER_PORT
server.pathAUTHELIA_SERVER_PATH
server.asset_pathAUTHELIA_SERVER_ASSET_PATH
server.enable_pprofAUTHELIA_SERVER_ENABLE_PPROF
server.enable_expvarsAUTHELIA_SERVER_ENABLE_EXPVARS
server.disable_healthcheckAUTHELIA_SERVER_DISABLE_HEALTHCHECK
server.tls.certificateAUTHELIA_SERVER_TLS_CERTIFICATE
server.headers.csp_templateAUTHELIA_SERVER_HEADERS_CSP_TEMPLATE
server.buffers.readAUTHELIA_SERVER_BUFFERS_READ
server.buffers.writeAUTHELIA_SERVER_BUFFERS_WRITE
server.timeouts.readAUTHELIA_SERVER_TIMEOUTS_READ
server.timeouts.writeAUTHELIA_SERVER_TIMEOUTS_WRITE
server.timeouts.idleAUTHELIA_SERVER_TIMEOUTS_IDLE
telemetry.metrics.enabledAUTHELIA_TELEMETRY_METRICS_ENABLED
telemetry.metrics.addressAUTHELIA_TELEMETRY_METRICS_ADDRESS
telemetry.metrics.buffers.readAUTHELIA_TELEMETRY_METRICS_BUFFERS_READ
telemetry.metrics.buffers.writeAUTHELIA_TELEMETRY_METRICS_BUFFERS_WRITE
telemetry.metrics.timeouts.readAUTHELIA_TELEMETRY_METRICS_TIMEOUTS_READ
telemetry.metrics.timeouts.writeAUTHELIA_TELEMETRY_METRICS_TIMEOUTS_WRITE
telemetry.metrics.timeouts.idleAUTHELIA_TELEMETRY_METRICS_TIMEOUTS_IDLE
webauthn.disableAUTHELIA_WEBAUTHN_DISABLE
webauthn.display_nameAUTHELIA_WEBAUTHN_DISPLAY_NAME
webauthn.attestation_conveyance_preferenceAUTHELIA_WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE
webauthn.user_verificationAUTHELIA_WEBAUTHN_USER_VERIFICATION
webauthn.timeoutAUTHELIA_WEBAUTHN_TIMEOUT
password_policy.standard.enabledAUTHELIA_PASSWORD_POLICY_STANDARD_ENABLED
password_policy.standard.min_lengthAUTHELIA_PASSWORD_POLICY_STANDARD_MIN_LENGTH
password_policy.standard.max_lengthAUTHELIA_PASSWORD_POLICY_STANDARD_MAX_LENGTH
password_policy.standard.require_uppercaseAUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_UPPERCASE
password_policy.standard.require_lowercaseAUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_LOWERCASE
password_policy.standard.require_numberAUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_NUMBER
password_policy.standard.require_specialAUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_SPECIAL
password_policy.zxcvbn.enabledAUTHELIA_PASSWORD_POLICY_ZXCVBN_ENABLED
password_policy.zxcvbn.min_scoreAUTHELIA_PASSWORD_POLICY_ZXCVBN_MIN_SCORE