SparkyFitness supports a flexible suite of authentication methods — email/password login, OpenID Connect (OIDC) single sign-on, TOTP-based two-factor authentication, and Passkeys — so you can match the security model of your organisation or home lab. Most settings are controlled through a combination of environment variables (for server-side enforcement) and the in-app Admin → Authentication Settings panel (for day-to-day configuration).Documentation Index
Fetch the complete documentation index at: https://mintlify.com/CodeWithCJ/SparkyFitness/llms.txt
Use this file to discover all available pages before exploring further.
Email/Password Login
By default, email/password login is enabled. Two environment variables let you control this behaviour.| Variable | Default | Purpose |
|---|---|---|
SPARKY_FITNESS_DISABLE_EMAIL_LOGIN | false | Set to true to hide the email/password form on the login page. Typically used when OIDC is your only login method. |
SPARKY_FITNESS_FORCE_EMAIL_LOGIN | true | Failsafe. When true, email/password login is always available regardless of in-app settings. Prevents lockout if OIDC is misconfigured. |
OpenID Connect (OIDC)
SparkyFitness uses theopenid-client library to support any standards-compliant OIDC Identity Provider (IdP) — Authentik, Authelia, Keycloak, Google, GitHub, Okta, and others. OIDC providers are stored in the database and managed through Admin → Authentication Settings in the app UI. You can configure multiple providers simultaneously.
You can also bootstrap a provider entirely through environment variables, which is convenient for declarative/GitOps deployments.
Configure via the Admin UI
Open Authentication Settings
Log in as an admin and navigate to Admin → Authentication Settings → OIDC Providers → Add Provider.
Enter the Issuer URL
Paste the Issuer URL provided by your IdP (e.g.
https://accounts.google.com or https://auth.example.com/application/o/my-app/). SparkyFitness appends /.well-known/openid-configuration to discover endpoints automatically.Enter the Client ID and Client Secret
Copy these values from your IdP’s application/client registration page. The Client Secret is stored encrypted and is masked in the admin UI after it is saved.
Set the Scope
Use
openid profile email. Other scopes have not been tested and may not work correctly.Copy the Redirect URI
The application generates a Redirect URI for you — copy it directly from the admin form and register it exactly in your IdP. Do not edit the URI manually.
Configure optional settings
- Auto-Register Users — when enabled, a new SparkyFitness account is created automatically on the user’s first successful OIDC login.
- Enable Email/Password Login — controls whether the traditional login form is shown alongside the OIDC button (can also be controlled globally via
SPARKY_FITNESS_DISABLE_EMAIL_LOGIN).
Configure via Environment Variables
When the variables below are all set, SparkyFitness upserts an OIDC provider record at startup. This is equivalent to configuring a provider through the UI and is useful for Docker Compose or Kubernetes deployments where you want the configuration in yourdocker-compose.yml or a secrets manager.
OIDC Authentication Flow
Understanding the flow helps diagnose problems:- The user clicks the Sign in with <Provider> button.
- SparkyFitness redirects the user’s browser to the IdP’s authorisation endpoint.
- The user authenticates with the IdP (and completes any MFA the IdP requires).
- The IdP redirects back to the SparkyFitness
oidc-callbackendpoint with a short-lived authorisation code. - SparkyFitness exchanges the code for an ID Token and Access Token at the IdP’s token endpoint.
- User identity is extracted from the ID Token and/or the UserInfo endpoint.
- If Auto-Register is enabled and the user is new, a SparkyFitness account is created. Otherwise, the existing account is linked and the session is established.
Advanced Settings
Token Endpoint Auth Method, Algorithms, and Timeout
Token Endpoint Auth Method, Algorithms, and Timeout
These settings are tested with their default values. Customising them is possible but not officially validated.
| Variable | Default | Description |
|---|---|---|
SPARKY_FITNESS_OIDC_TOKEN_AUTH_METHOD | client_secret_post | Method used to authenticate the app with the IdP token endpoint. |
SPARKY_FITNESS_OIDC_ID_TOKEN_SIGNED_ALG | RS256 | Algorithm expected for ID Token signatures. |
SPARKY_FITNESS_OIDC_USERINFO_SIGNED_ALG | none | Algorithm expected for UserInfo endpoint signatures. |
SPARKY_FITNESS_OIDC_TIMEOUT | 30000 | Request timeout in milliseconds. Increase if your IdP is slow to respond. |
Troubleshooting
Invalid Redirect URI
Invalid Redirect URI
The Redirect URI in SparkyFitness must exactly match the URI registered in your IdP — including the scheme (
https://), domain, port (if non-standard), and path. Copy it directly from the admin form rather than typing it manually.Incorrect Client ID or Secret
Incorrect Client ID or Secret
Double-check the values against your IdP’s application settings. Note that the secret is masked as
***** in the admin UI after saving; re-enter it if you suspect it was saved incorrectly.Issuer URL not reachable
Issuer URL not reachable
The SparkyFitness server (not your browser) makes the discovery request to
<issuer>/.well-known/openid-configuration. Ensure the URL is reachable from within your Docker network or server host, not just from your browser. Check with curl from inside the container if needed.Signature or algorithm mismatch errors
Signature or algorithm mismatch errors
If you see errors like invalid signature or algorithm mismatch, verify that
SPARKY_FITNESS_OIDC_ID_TOKEN_SIGNED_ALG and SPARKY_FITNESS_OIDC_USERINFO_SIGNED_ALG match what your IdP actually sends. Check your IdP’s application settings or its discovery document (/.well-known/openid-configuration) for the id_token_signing_alg_values_supported field.Two-Factor Authentication (TOTP)
SparkyFitness supports TOTP-based two-factor authentication (compatible with any authenticator app such as Google Authenticator, Aegis, or Bitwarden Authenticator). Users can enable TOTP from their account security settings.BETTER_AUTH_SECRET is also used to sign user sessions, so it should be a long random string regardless of whether 2FA is in use.
Passkeys
SparkyFitness supports WebAuthn Passkeys (FIDO2) as an authentication method. Users can register passkeys from their account security settings. Passkeys require HTTPS — ensure your instance is served over a secure connection (see the Reverse Proxy guide).Admin Access
TheSPARKY_FITNESS_ADMIN_EMAIL environment variable lets you designate an admin user by email address. On each server startup, if a user with this email exists, they are automatically granted admin privileges.
This variable is optional. If it is not set, no automatic admin promotion occurs. For your initial setup, set it to the email address you registered with so you can access Admin → Authentication Settings to configure OIDC and other options.