Loading behavior and Discovery

There are several options which affect the loading of files:

Name Argument Environment Variable Description
Files/Directories --config, -c X_AUTHELIA_CONFIG A list of file or directory (non-recursive) paths to load configuration files from
Filters --config.experimental.filters X_AUTHELIA_CONFIG_FILTERS A list of filters applied to every file from the Files or Directories options

Note: when specifying directories and files, the individual files specified must not be within any of the directories specified.

Configuration options can be discovered via either the Argument or Environment Variable, but not both at the same time. If both are specified the Argument takes precedence and the Environment Variable is ignored. It is generally recommended that if you’re using a container that you use the Environment Variable as this will allow you to execute other commands from the context of the container more easily.


The only supported configuration file format is YAML.

It’s important that you sufficiently validate your configuration file. While we produce console errors for users in many misconfiguration scenarios it’s not perfect. Each file type has recommended methods for validation.


Authelia loads configuration.yml as the configuration if you just run it. You can override this behavior with the following syntax:

YAML Validation

We recommend utilizing VSCodium or VSCode, both with the YAML Extension by RedHat to validate this file type.

This extension allows validation of the format and schema of a YAML file. To facilitate schema validation we publish a set of JSON schemas which you can include as a special comment in order to validate the YAML file further. See the JSON Schema reference guide for more information including instructions on how to utilize the schemas.

Multiple Configuration Files

You can have multiple configuration files which will be merged in the order specified. If duplicate keys are specified the last one to be specified is the one that takes precedence. Example:

Authelia’s configuration files use the YAML format. A template with all possible options can be found at the root of the repository here.

Important Note: You should not have configuration sections such as Access Control Rules or OpenID Connect 1.0 clients configured in multiple files. If you wish to split these into their own files that is fine, but if you have two files that specify these sections and expect them to merge properly you are asking for trouble.


By default, the container looks for a configuration file at /config/configuration.yml.


This is an example of how to override the configuration files loaded in docker:

docker run -d --volume /path/to/config:/config authelia:authelia:latest authelia --config=/config/configuration.yaml --config=/config/configuration.acl.yaml

See the Docker Documentation for more information on the docker run command.

Docker Compose

An excerpt from a docker compose that allows you to specify multiple configuration files is as follows:

    container_name: 'authelia'
    image: 'authelia/authelia:latest'
      - 'authelia'
      - '--config=/config/configuration.yaml'
      - '--config=/config/configuration.acl.yaml'

See the compose file reference for more information.


An excerpt from a Kubernetes container that allows you to specify multiple configuration files is as follows:

kind: Deployment
apiVersion: apps/v1
  name: authelia
  namespace: authelia
  labels: authelia authelia
  replicas: 1
    matchLabels: authelia authelia
      labels: authelia authelia
      enableServiceLinks: false
        - name: authelia
            - authelia
            - '--config=/configuration.yaml'
            - '--config=/configuration.acl.yaml'

See the Kubernetes workloads documentation or the Container API docs for more information.

File Filters

Experimental file filters exist which allow modification of all configuration files after reading them from the filesystem but before parsing their content. These filters are NOT covered by our Standard Versioning Policy at least at this time, however we will make every effort to avoid breaking them unnecessarily and we include several of these filters within our CI testing regiment.

There WILL be a point where:

  • the name of the CLI argument will change (we suggest using the environment variable which will not)
  • the expand-env filter might be removed

The filters are configured as a list of filter names by the --config.experimental.filters CLI argument and X_AUTHELIA_CONFIG_FILTERS environment variable. We recommend using the environment variable as it ensures commands executed from the container use the same filters and it’s likely to be a permanent value whereas the argument will likely change. If both the CLI argument and environment variable are used the environment variable is completely ignored.

Filters can either be used on their own, in combination, or not at all. The filters are processed in order as they are defined. You can preview the output of the YAML files when processed via the filters using the authelia config template command.

Important Note: the filters are applied in order and thus if the output of one filter outputs a string that contains syntax for a subsequent filter it will be filtered. It is therefore suggested the template filter is the only filter and if it isn’t that it’s last.


Expand Environment Variable Filter

The name used to enable this filter is expand-env.

This filter is the most common filter type used by many other applications. It is similar to using envsubst where it replaces a string like $EXAMPLE or ${EXAMPLE} with the value of the EXAMPLE environment variable.

This filter utilizes os.ExpandEnv but does not include any environment variables that look like they’re an Authelia secret. This filter is very limited in what we can achieve, and there are known limitations with this filter which may not be possible for us to work around. We discourage it’s usage as the template is much more robust and we have a lot more freedom to make adjustments to this filter compared to the expand-env filter.

Known Limitations:

  • Has no way to handle escaping a $ so treats all $ values as an expansion value. This can be escaped using $$ as an indication that it should be a $ literal. However this functionality likely will not work under all circumstances.

Go Template Filter

The name used to enable this filter is template.

This filter uses the Go template engine to render the configuration files. It uses similar syntax to Jinja2 templates with different function names.

Comprehensive examples are beyond what we support and people wishing to use this should consult the official Go template engine documentation for syntax instructions. We also log the generated output at each filter stage as a base64 string when trace logging is enabled.


In addition to the standard builtin functions we support several other functions which should operate similar.

See the Templating Reference Guide for more information.