# Authentik Docs

Docs copied from authentik

# Welcome to authentik

## What is authentik?

authentik is an open-source Identity Provider, focused on flexibility and versatility. With authentik, site administrators, application developers, and security engineers have a dependable and secure solution for authentication in almost any type of environment. There are robust recovery actions available for the users and applications, including user profile and password management. You can quickly edit, deactivate, or even impersonate a user profile, and set a new password for new users or reset an existing password.

You can use authentik in an existing environment to add support for new protocols, so introducing authentik to your current tech stack doesn't present re-architecting challenges. We already support all of the major providers, such as OAuth2, SAML, LDAP, and SCIM, so you can pick the protocol that you need for each application.

The authentik product provides the following consoles:

- **Admin interface**: a visual tool for the creation and management of users and groups, tokens and credentials, application integrations, events, and the Flows that define standard and customizable login and authentication processes. Easy-to-read visual dashboards display system status, recent logins and authentication events, and application usage.
- **User interface**: this console view in authentik displays all of the applications and integrations in which you have implemented authentik. Click on the app that you want to access to open it, or drill down to edit its configuration in the admin interface.
- **Flows**: [*Flows*](https://goauthentik.io/docs/flow) are the steps by which the various *Stages* of a login and authentication process occur. A stage represents a single verification or logic step in the sign-on process. authentik allows for the customization and exact definition of these flows.

## Installation

Refer to the installation steps in either [Docker-compose](https://goauthentik.io/docs/installation/docker-compose) or [Kubernetes](https://goauthentik.io/docs/installation/kubernetes).

For more information about configuration, Beta versions, and additional installation options, see our main [Installation](https://goauthentik.io/docs/installation) section.

## Screenshots

authentik can use Light or Dark mode for the Admin interface, User interface and the flow interface.

![](https://goauthentik.io/img/screen_flow_dark.jpg)
![](https://goauthentik.io/img/screen_flow_light.jpg)

![](https://goauthentik.io/img/screen_apps_dark.jpg)
![](https://goauthentik.io/img/screen_apps_light.jpg)

![](https://goauthentik.io/img/screen_admin_dark.jpg)
![](https://goauthentik.io/img/screen_admin_light.jpg)

# Docker Compose installation

This installation method is for test setups and small-scale production setups.

## Requirements

- A host with at least 2 CPU cores and 2 GB of RAM
- Docker
- Docker Compose

## Preparation

To download the latest `docker-compose.yml`, open your terminal and navigate to the directory of your choice. Run the following command:

```
wget https://goauthentik.io/docker-compose.yml

```

If this is a fresh authentik installation, you need to generate a password and a secret key. If you don't already have a password generator installed, you can run this command to install **pwgen**, a popular generator:

```
# You can also use openssl instead: `openssl rand -base64 36`
sudo apt-get install -y pwgen

```

Next, run the following commands to generate a password and secret key and write them to your `.env` file:

```
echo "PG_PASS=$(pwgen -s 40 1)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
# Because of a PostgreSQL limitation, only passwords up to 99 chars are supported
# See https://www.postgresql.org/message-id/09512C4F-8CB9-4021-B455-EF4C4F0D55A0@amazon.com

```

To enable error reporting, run the following command:

```
echo "AUTHENTIK_ERROR_REPORTING__ENABLED=true" >> .env

```

## Email configuration (optional but recommended)

It is also recommended to configure global email credentials. These are used by authentik to notify you about alerts and configuration issues. They can also be used by [Email stages](https://goauthentik.io/docs/flow/stages/email/) to send verification/recovery emails.

To configure email credentials, append this block to your `.env` file:

```
# SMTP Host Emails are sent to
AUTHENTIK_EMAIL__HOST=localhost
AUTHENTIK_EMAIL__PORT=25
# Optionally authenticate (don't add quotation marks to your password)
AUTHENTIK_EMAIL__USERNAME=
AUTHENTIK_EMAIL__PASSWORD=
# Use StartTLS
AUTHENTIK_EMAIL__USE_TLS=false
# Use SSL
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM=authentik@localhost

```

## Configure for port 80/443

By default, authentik listens internally on port 9000 for HTTP and 9443 for HTTPS. To change the exposed ports to 80 and 443, you can set the following variables in `.env`:

```
COMPOSE_PORT_HTTP=80
COMPOSE_PORT_HTTPS=443

```

See [Configuration](https://goauthentik.io/docs/installation/configuration) to change the internal ports. Be sure to run `docker-compose up -d` to rebuild with the new port numbers.

## Startup

<p class="callout danger">DANGER  
The server assumes that its local timezone is UTC. All internals are handled in UTC; whenever a time is displayed to the user in the UI, it is localized. Do not update or mount `/etc/timezone` or `/etc/localtime` in the authentik containers. This will not give any advantages. It will cause problems with OAuth and SAML authentication, e.g. [see this GitHub issue](https://github.com/goauthentik/authentik/issues/3005).</p>

Afterwards, run these commands to finish:

```
docker-compose pull
docker-compose up -d

```

The `docker-compose.yml` file statically references the latest version available at the time of downloading the compose file. Each time you upgrade to a newer version of authentik, you download a new `docker-compose.yml` file, which points to the latest available version. For more information, refer to the **Upgrading** section in the [Release Notes](https://goauthentik.io/docs/releases).

To start the initial setup, navigate to `http://<your server's IP or hostname>:9000/if/flow/initial-setup/`.

There you are prompted to set a password for the akadmin user (the default user).

For an explanation of what each service in the Docker Compose file does, see [Architecture](https://goauthentik.io/docs/core/architecture).
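
An added check for the `.env` file built in the steps above (example code, not part of authentik or its documentation). It flags keys appended twice by re-running the `echo ... >> .env` commands, a `PG_PASS` over the 99-character limit, and quoted email credentials. The file-mode check and the sample contents are assumptions of this example.

```python
import os
import stat

REQUIRED = ("PG_PASS", "AUTHENTIK_SECRET_KEY")
NO_QUOTES = ("AUTHENTIK_EMAIL__USERNAME", "AUTHENTIK_EMAIL__PASSWORD")
PG_PASS_MAX = 99  # PostgreSQL limit quoted in the install steps

# Constructed sample: PG_PASS appended twice, email password wrapped in quotes.
SAMPLE_ENV = """\
PG_PASS=constructed-database-password-0001
AUTHENTIK_SECRET_KEY=constructed-secret-key-0001
# second run of the echo command
PG_PASS=constructed-database-password-0002
AUTHENTIK_EMAIL__PASSWORD="constructed"
"""


def parse_env(text):
    """Return [(line_no, key, value)] for every KEY=VALUE line, skipping comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.append((line_no, key.strip(), value.strip()))
    return entries


def audit_env(text, mode=None):
    """Return a list of findings; `mode` is the file's st_mode, if known."""
    findings = []
    seen = {}
    for line_no, key, value in parse_env(text):
        if key in seen:
            # `>>` appends, so a repeated command leaves two competing values.
            findings.append(f"{key}: defined on lines {seen[key]} and {line_no}")
        seen[key] = line_no
        if key == "PG_PASS" and len(value) > PG_PASS_MAX:
            findings.append(f"PG_PASS: {len(value)} chars, limit is {PG_PASS_MAX}")
        if key in REQUIRED and not value:
            findings.append(f"{key}: empty")
        if key in NO_QUOTES and value[:1] in ("'", '"'):
            findings.append(f"{key}: value is wrapped in quotation marks")
    for key in REQUIRED:
        if key not in seen:
            findings.append(f"{key}: missing")
    # Assumption of this example: a file holding secrets should be owner-only.
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(".env: accessible to group or others")
    return findings


def audit_file(path):
    """Audit a .env file on disk, including its permission bits."""
    with open(path, encoding="utf-8") as handle:
        return audit_env(handle.read(), os.stat(path).st_mode)


if __name__ == "__main__":
    for finding in audit_env(SAMPLE_ENV):
        print(finding)
```

A duplicated `AUTHENTIK_SECRET_KEY` deserves particular attention, since the configuration reference says the key must not change after the first install.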

# Configuration

These are all the configuration options you can set via environment variables.

Append any of the following keys to your `.env` file, and run `docker-compose up -d` to apply them.

<p class="callout info">**Info**  
The double-underscores are intentional: all these settings are translated to YAML internally, and a double-underscore indicates the next level.</p>

All of these variables can be set to values, but you can also use a URI-like format to load values from other places:

- `env://<name>` Loads the value from the environment variable `<name>`. Fallback can be optionally set like `env://<name>?<default>`
- `file://<name>` Loads the value from the file `<name>`. Fallback can be optionally set like `file://<name>?<default>`
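
A small model of the two rules above, added here as an example (not authentik's own loader): double-underscores become nesting levels, and `env://` / `file://` values are resolved with their optional fallback, which lets a secret live in a mounted file rather than in `.env`. Lower-casing keys, stripping file contents, and returning an empty string when no fallback is given are assumptions of this sketch; all values are constructed.

```python
import os
import tempfile


def resolve(value, environ=os.environ):
    """Resolve env://<name>?<default> and file://<name>?<default>; pass others through."""
    scheme, sep, rest = value.partition("://")
    if not sep or scheme not in ("env", "file"):
        return value  # plain value, or an ordinary URL such as https://...
    name, _, default = rest.partition("?")
    if scheme == "env":
        return environ.get(name, default)
    try:
        with open(name, encoding="utf-8") as handle:
            return handle.read().strip()  # assumption: drop the trailing newline
    except OSError:
        return default  # unreadable or missing file: use the fallback


def nest(environ, prefix="AUTHENTIK_"):
    """Turn AUTHENTIK_A__B=value into {"a": {"b": value}}, resolving each value."""
    tree = {}
    for key in sorted(environ):
        if not key.startswith(prefix):
            continue
        *parents, leaf = key[len(prefix):].lower().split("__")
        node = tree
        for part in parents:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError(f"{key}: {part!r} already holds a plain value")
        if isinstance(node.get(leaf), dict):
            raise ValueError(f"{key}: {leaf!r} already holds nested keys")
        node[leaf] = resolve(environ[key], environ)
    return tree


def demo():
    """Build a constructed environment, with one secret kept in a file."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "pg_password")
        with open(secret, "w", encoding="utf-8") as handle:
            handle.write("constructed-db-password\n")
        environ = {
            "SMTP_RELAY": "mail.example.internal",
            "AUTHENTIK_POSTGRESQL__HOST": "postgresql",
            "AUTHENTIK_POSTGRESQL__PASSWORD": f"file://{secret}",
            "AUTHENTIK_EMAIL__HOST": "env://SMTP_RELAY?localhost",
            "AUTHENTIK_EMAIL__PORT": "env://SMTP_PORT?25",
            "AUTHENTIK_LOG_LEVEL": "info",
            "COMPOSE_PORT_HTTP": "80",  # no AUTHENTIK_ prefix: ignored
        }
        return nest(environ)


if __name__ == "__main__":
    print(demo())
```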

## Checking settings

To check if your config has been applied correctly, you can run the following command to output the full config:

```
docker-compose run --rm worker dump_config
# Or for kubernetes
kubectl exec -it deployment/authentik-worker -c authentik -- ak dump_config

```

## PostgreSQL Settings

- `AUTHENTIK_POSTGRESQL__HOST`: Hostname of your PostgreSQL Server
- `AUTHENTIK_POSTGRESQL__NAME`: Database name
- `AUTHENTIK_POSTGRESQL__USER`: Database user
- `AUTHENTIK_POSTGRESQL__PORT`: Database port, defaults to 5432
- `AUTHENTIK_POSTGRESQL__PASSWORD`: Database password, defaults to the environment variable `POSTGRES_PASSWORD`
- `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER`: Adjust configuration to support connection to PgBouncer
- `AUTHENTIK_POSTGRESQL__SSLMODE`: Strictness of ssl verification. Defaults to `verify-ca`
- `AUTHENTIK_POSTGRESQL__SSLROOTCERT`: CA root for server ssl verification
- `AUTHENTIK_POSTGRESQL__SSLCERT`: Path to x509 client certificate to authenticate to server
- `AUTHENTIK_POSTGRESQL__SSLKEY`: Path to private key of `SSLCERT` certificate

## Redis Settings

- `AUTHENTIK_REDIS__HOST`: Hostname of your Redis Server
- `AUTHENTIK_REDIS__PORT`: Redis port, defaults to 6379
- `AUTHENTIK_REDIS__PASSWORD`: Password for your Redis Server
- `AUTHENTIK_REDIS__TLS`: Use TLS to connect to Redis, defaults to false
- `AUTHENTIK_REDIS__TLS_REQS`: Redis TLS requirements, defaults to "none"
- `AUTHENTIK_REDIS__DB`: Database, defaults to 0
- `AUTHENTIK_REDIS__CACHE_TIMEOUT`: Timeout for cached data until it expires in seconds, defaults to 300
- `AUTHENTIK_REDIS__CACHE_TIMEOUT_FLOWS`: Timeout for cached flow plans until they expire in seconds, defaults to 300
- `AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES`: Timeout for cached policies until they expire in seconds, defaults to 300
- `AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`: Timeout for cached reputation until they expire in seconds, defaults to 300

## Listen Setting

- `AUTHENTIK_LISTEN__HTTP`: Listening address:port (e.g. `0.0.0.0:9000`) for HTTP (Server and Proxy outpost)
- `AUTHENTIK_LISTEN__HTTPS`: Listening address:port (e.g. `0.0.0.0:9443`) for HTTPS (Server and Proxy outpost)
- `AUTHENTIK_LISTEN__LDAP`: Listening address:port (e.g. `0.0.0.0:3389`) for LDAP (LDAP outpost)
- `AUTHENTIK_LISTEN__LDAPS`: Listening address:port (e.g. `0.0.0.0:6636`) for LDAPS (LDAP outpost)
- `AUTHENTIK_LISTEN__METRICS`: Listening address:port (e.g. `0.0.0.0:9300`) for Prometheus metrics (All)
- `AUTHENTIK_LISTEN__DEBUG`: Listening address:port (e.g. `0.0.0.0:9900`) for Go Debugging metrics (All)
- `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS`: List of CIDRs that proxy headers should be accepted from (Server)
    
    Defaults to `127.0.0.0/8`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `fe80::/10`, `::1/128`.
    
    Requests coming directly from an address within a CIDR specified here are able to set proxy headers, such as `X-Forwarded-For`. Requests coming from other addresses will not be able to set these headers.
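
The gating rule above, worked through as an added example (not authentik's own code): a forwarded address is honoured only when the TCP peer falls inside a trusted CIDR. The page does not say how authentik picks an address out of the header, so this sketch assumes the rightmost entry that is not itself a trusted proxy; all addresses are constructed.

```python
import ipaddress

# Defaults listed for AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS on this page.
DEFAULT_CIDRS = ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "fe80::/10", "::1/128")


def parse_cidrs(cidrs):
    return [ipaddress.ip_network(cidr) for cidr in cidrs]


def is_trusted(address, networks):
    """True if `address` lies in any trusted network (ValueError if malformed)."""
    ip = ipaddress.ip_address(address)
    return any(ip in network for network in networks)


def client_ip(peer, forwarded_for, networks):
    """Return the address to attribute a request to.

    peer          -- source address of the TCP connection
    forwarded_for -- raw X-Forwarded-For value, or None
    """
    if not forwarded_for or not is_trusted(peer, networks):
        return peer  # header from a sender outside the list is ignored
    hops = [hop.strip() for hop in forwarded_for.split(",")]
    try:
        # Assumption of this sketch: walk right to left, skipping trusted
        # proxies, so entries the client wrote itself are never believed.
        for hop in reversed(hops):
            if not is_trusted(hop, networks):
                return hop
    except ValueError:
        return peer  # malformed entry: fall back to the verifiable address
    return hops[0]  # every hop is internal, so the client is internal too


DEFAULTS = parse_cidrs(DEFAULT_CIDRS)
# Constructed: a list narrowed to the single reverse proxy in front of authentik.
PROXY_ONLY = parse_cidrs(["10.0.0.2/32"])

if __name__ == "__main__":
    header = "198.51.100.7"
    print(client_ip("203.0.113.50", header, DEFAULTS))  # peer outside every CIDR
    print(client_ip("10.0.0.2", header, DEFAULTS))      # the reverse proxy
    print(client_ip("10.0.0.99", header, DEFAULTS))     # any other private host
    print(client_ip("10.0.0.99", header, PROXY_ONLY))   # same host, narrowed list
```

With the defaults, every host in the private ranges counts as a proxy; narrowing the list to the actual reverse proxy means only that host's headers are accepted.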

## authentik Settings

### `AUTHENTIK_SECRET_KEY`

Secret key used for cookie signing and unique user IDs. Don't change this after the first install.

### `AUTHENTIK_LOG_LEVEL`

Log level for the server and worker containers. Possible values: debug, info, warning, error

Starting with 2021.12.3, you can also set the log level to *trace*. This has no effect on the core authentik server, but shows additional messages for the embedded outpost.

<p class="callout danger">DANGER  
Setting the log level to `trace` will include sensitive details in logs, so it shouldn't be used in most cases.  
  
Logs generated with `trace` should be treated with care as they can give others access to your instance, and can potentially include things like session cookies to authentik **and other pages**.</p>

Defaults to `info`.

### `AUTHENTIK_COOKIE_DOMAIN`

Which domain the session cookie should be set to. By default, the cookie is set to the domain authentik is accessed under.

### `AUTHENTIK_GEOIP`

Path to the GeoIP database. Defaults to `/geoip/GeoLite2-City.mmdb`. If the file is not found, authentik will skip GeoIP support.

### `AUTHENTIK_DISABLE_UPDATE_CHECK`

Disable the inbuilt update-checker. Defaults to `false`.

### `AUTHENTIK_ERROR_REPORTING`

- `AUTHENTIK_ERROR_REPORTING__ENABLED`
    
    Enable error reporting. Defaults to `false`.
    
    Error reports are sent to [https://sentry.io](https://sentry.io/), and are used for debugging and general feedback. Anonymous performance data is also sent.
- `AUTHENTIK_ERROR_REPORTING__SENTRY_DSN`
    
    Sets the DSN for the Sentry API endpoint.
    
    When error reporting is enabled, the default Sentry DSN will allow the authentik developers to receive error reports and anonymous performance data, which is used for general feedback about authentik, and in some cases, may be used for debugging purposes.
    
    Users can create their own hosted Sentry account (or self-host Sentry) and opt to collect this data themselves.
- `AUTHENTIK_ERROR_REPORTING__ENVIRONMENT`
    
    The environment tag associated with all data sent to Sentry. Defaults to `customer`.
    
    When error reporting has been enabled to aid in debugging issues, this should be set to a unique value, such as an e-mail address.
- `AUTHENTIK_ERROR_REPORTING__SEND_PII`
    
    Whether or not to send personal data, like usernames. Defaults to `false`.

### `AUTHENTIK_EMAIL`

- `AUTHENTIK_EMAIL__HOST`
    
    Default: `localhost`
- `AUTHENTIK_EMAIL__PORT`
    
    Default: `25`
- `AUTHENTIK_EMAIL__USERNAME`
    
    Default: `` (Don't add quotation marks)
- `AUTHENTIK_EMAIL__PASSWORD`
    
    Default: `` (Don't add quotation marks)
- `AUTHENTIK_EMAIL__USE_TLS`
    
    Default: `false`
- `AUTHENTIK_EMAIL__USE_SSL`
    
    Default: `false`
- `AUTHENTIK_EMAIL__TIMEOUT`
    
    Default: `10`
- `AUTHENTIK_EMAIL__FROM`
    
    Default: `authentik@localhost`
    
    Email address authentik will send from, should have a correct @domain
    
    To change the sender's display name, use a format like `Name <account@domain>`.

### `AUTHENTIK_OUTPOSTS`

- `AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE`
    
    Placeholders:
    
    
    - `%(type)s`: Outpost type; proxy, ldap, etc
    - `%(version)s`: Current version; 2021.4.1
    - `%(build_hash)s`: Build hash if you're running a beta version
    
    Placeholder for outpost docker images. Default: `ghcr.io/goauthentik/%(type)s:%(version)s`.
- `AUTHENTIK_OUTPOSTS__DISCOVER`
    
    Configure the automatic discovery of integrations. Defaults to `true`.
    
    By default, the following is discovered:
    
    
    - Kubernetes in-cluster config
    - Kubeconfig
    - Existence of a docker socket

### `AUTHENTIK_AVATARS`

Configure how authentik should show avatars for users. The following values can be set:

Default: `gravatar,initials`

- `none`: Disables per-user avatars and just shows a 1x1 pixel transparent picture
- `gravatar`: Uses gravatar with the user's email address
- `initials`: Generated avatars based on the user's name
- Any URL: If you want to use images hosted on another server, you can set any URL.
    
    Additionally, these placeholders can be used:
    
    
    - `%(username)s`: The user's username
    - `%(mail_hash)s`: The email address, md5 hashed
    - `%(upn)s`: The user's UPN, if set (otherwise an empty string)

Starting with authentik 2022.8, you can also use an attribute path like `attributes.something.avatar`, which can be used in combination with the file field to allow users to upload custom avatars for themselves.

Starting with authentik 2023.2, multiple modes can be set, and authentik will fall back to the next mode when no avatar could be found. For example, setting this to `gravatar,initials` will attempt to get an avatar from Gravatar, and if the user has not configured one there, it will fall back to a generated avatar.

### `AUTHENTIK_DEFAULT_USER_CHANGE_NAME`

<p class="callout info">INFO  
Requires authentik 2021.12.5</p>

Enable the ability for users to change their name, defaults to `true`.

### `AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL`

<p class="callout info">INFO  
Requires authentik 2021.12.1</p>

Enable the ability for users to change their Email address, defaults to `false`.

### `AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME`

<p class="callout info">Info  
Requires authentik 2021.12.1</p>

Enable the ability for users to change their Usernames, defaults to `false`.

### `AUTHENTIK_GDPR_COMPLIANCE`

<p class="callout info">Info  
Requires authentik 2021.12.1</p>

When enabled, all the events caused by a user will be deleted upon the user's deletion. Defaults to `true`.

### `AUTHENTIK_DEFAULT_TOKEN_LENGTH`

<p class="callout info">Info  
Requires authentik 2022.4.1</p>

Configure the length of generated tokens. Defaults to 60.

### `AUTHENTIK_IMPERSONATION`

<p class="callout info">Info  
Requires authentik 2022.4.2</p>

Globally enable/disable impersonation. Defaults to `true`.

### `AUTHENTIK_FOOTER_LINKS`

<p class="callout info">Info  
Requires authentik 2021.12.1</p>

This option configures the footer links on the flow executor pages.

The setting can be used as follows:

```
AUTHENTIK_FOOTER_LINKS='[{"name": "Link Name","href":"https://goauthentik.io"}]'

```

### `AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS`

<p class="callout info">INFO  
Requires authentik 2023.1</p>

Timeout in hours for LDAP synchronization tasks.

Defaults to `2`.

### `AUTHENTIK_LDAP__PAGE_SIZE`

<p class="callout info">INFO  
Requires authentik 2023.6.1</p>

Page size for LDAP synchronization. Controls the number of objects created in a single task.

Defaults to `50`.

### `AUTHENTIK_LDAP__TLS__CIPHERS`

<p class="callout info">INFO  
Requires authentik 2022.7</p>

Allows configuration of TLS ciphers for LDAP connections used by LDAP sources. The setting applies to all sources.

Defaults to `null`.

### `AUTHENTIK_WEB__WORKERS`

<p class="callout info">INFO  
Requires authentik 2022.9</p>

Configure how many gunicorn worker processes should be started (see [https://docs.gunicorn.org/en/stable/design.html](https://docs.gunicorn.org/en/stable/design.html)).

If running in Kubernetes, the default value is set to 2 and should in most cases not be changed, as scaling can be done with multiple pods running the web server. Otherwise, authentik will use 1 worker for each 4 CPU cores + 1, as a value below 2 workers is not recommended.

### `AUTHENTIK_WEB__THREADS`

<p class="callout info">INFO  
Requires authentik 2022.9</p>

Configure how many gunicorn threads a worker process should have (see [https://docs.gunicorn.org/en/stable/design.html](https://docs.gunicorn.org/en/stable/design.html)).

Defaults to 4.

## Custom python settings

To modify additional settings further than the options above allow, you can create a custom python file and mount it to `/data/user_settings.py`. This file will be loaded on startup by both the server and the worker. All default settings are [here](https://github.com/goauthentik/authentik/blob/main/authentik/root/settings.py).

<p class="callout danger">CAUTION  
Using these custom settings is not supported and can prevent your authentik instance from starting. Use with caution.</p>
