OpenID

By default, users are attributed a unique ID based on their browser session. To authenticate users with OpenID Connect, configure the following:

OPENID_CLIENT_ID=your_client_id
OPENID_CLIENT_SECRET=your_client_secret
OPENID_SCOPES="openid profile"

Use the provider URL for standard OpenID Connect discovery:

OPENID_PROVIDER_URL=https://your-provider.com

Advanced: you can also provide a client metadata document via OPENID_CONFIG. This value must be a JSON/JSON5 object (for example, a CIMD document) and is parsed server‑side to populate OpenID settings.

Redirect URI: https://your-domain.com/login/callback

Access Control

Restrict access to specific users:

# Allow only specific email addresses
ALLOWED_USER_EMAILS=["[email protected]", "[email protected]"]

# Allow all users from specific domains
ALLOWED_USER_DOMAINS=["example.com", "company.org"]

Hugging Face Login

For Hugging Face authentication, you can use automatic client registration:

OPENID_CLIENT_ID=__CIMD__

This creates an OAuth app automatically when deployed. See the CIMD spec for details.

User Token Forwarding

When users log in via Hugging Face, you can forward their token for inference:

USE_USER_TOKEN=true

Auto-Login

Force authentication on all routes:

AUTOMATIC_LOGIN=true

Update on GitHub

Chat UI

OpenID

Access Control

Hugging Face Login

User Token Forwarding

Auto-Login