Enabling Authentication
This guide covers the step-by-step process to enable and configure authentication in Obot. Authentication must be setup to use one of the external providers in order to function properly. The bootstrap user is not implemented to operate as a regular user.
If any MCP servers were created with authentication disabled, they will be deleted when authentication is enabled.
Step 1: Set Environment Variables
Enabling authentication begins with launching Obot with additional configuration options in the form of environment variables. See the Docker or Kubernetes deployment guides for full setup details.
- Docker
- Kubernetes
docker run \
... # other flags
-e OBOT_SERVER_ENABLE_AUTHENTICATION=true \
-e OBOT_BOOTSTRAP_TOKEN=your-secret-token \
-e [email protected] \
ghcr.io/obot-platform/obot:latest
config:
# Required: Enable authentication
OBOT_SERVER_ENABLE_AUTHENTICATION: "true"
# Required: Set a bootstrap token for initial login
OBOT_BOOTSTRAP_TOKEN: "your-secret-token"
# Required: Set the owner email (can also be configured in the UI later)
OBOT_SERVER_AUTH_OWNER_EMAILS: "[email protected]"
# Optional: Set additional admin emails
OBOT_SERVER_AUTH_ADMIN_EMAILS: "[email protected],[email protected]"
| Variable | Required | Description |
|---|---|---|
OBOT_SERVER_ENABLE_AUTHENTICATION | Yes | Enables authentication |
OBOT_BOOTSTRAP_TOKEN | No | Token used for initial admin login before an auth provider is configured. If not set, a token will be generated and printed to the logs. |
OBOT_SERVER_AUTH_OWNER_EMAILS | No | Email address that will have owner access after logging in via the auth provider. If not set, the bootstrap user will be prompted to log in via the auth provider and set themselves as the owner. |
OBOT_SERVER_AUTH_ADMIN_EMAILS | No | Additional email addresses that will have admin access |
Step 2: Start Obot and Login
Start (or restart) your Obot deployment with the new environment variables. Navigate to your Obot installation and use the bootstrap token to login. You'll now see User Management options enabled in the left navigation.
Step 3: Configure Authentication Provider
- Go to Auth Providers under the User Management section in the left navigation
- Click Configure on your desired provider (GitHub, Google, Entra, Okta)
- Follow the provider-specific configuration steps
For detailed provider configuration, see the Auth Providers documentation.
Post-Setup
Once you have configured an authentication provider:
- Users can login using the configured authentication provider
- Users with emails matching
OBOT_SERVER_AUTH_OWNER_EMAILSwill have owner access - Users with emails matching
OBOT_SERVER_AUTH_ADMIN_EMAILSwill have admin access
Note that you can always assign the owner or admin role to additional users through the User pages.
Troubleshooting
Bootstrap Token Not Working
- Ensure
OBOT_SERVER_ENABLE_AUTHENTICATION=trueis set - Check that you're using the correct token
- If an auth provider has already been configured, set
OBOT_SERVER_FORCE_ENABLE_BOOTSTRAP=trueto re-enable bootstrap login
Authentication Provider Issues
- Verify callback URLs match between Obot and your OAuth provider
- Check that client ID and secret are correct
- Ensure proper scopes and permissions are configured
Next Steps
- Review Auth Providers configuration for detailed provider setup