
LibreChat supports multiple authentication methods. Configure them using environment variables and librechat.yaml.

Local Authentication

Email and password authentication is enabled by default.
ALLOW_EMAIL_LOGIN
boolean
default:"true"
Enable email/password authentication
ALLOW_REGISTRATION
boolean
default:"true"
Allow new user registration
ALLOW_PASSWORD_RESET
boolean
default:"false"
Enable password reset functionality
ALLOW_UNVERIFIED_EMAIL_LOGIN
boolean
default:"true"
Allow login without email verification

Social Login (OAuth)

Enable social authentication providers.
ALLOW_SOCIAL_LOGIN
boolean
default:"false"
Enable OAuth social login
ALLOW_SOCIAL_REGISTRATION
boolean
default:"false"
Allow registration via social providers

Configure Providers in YAML

registration:
  socialLogins: ['github', 'google', 'discord', 'openid', 'facebook', 'apple', 'saml']

Google OAuth

GOOGLE_CLIENT_ID
string
required
Google OAuth client ID
GOOGLE_CLIENT_SECRET
string
required
Google OAuth client secret
GOOGLE_CALLBACK_URL
string
default:"/oauth/google/callback"
OAuth callback URL
.env
GOOGLE_CLIENT_ID=your-client-id
GOOGLE_CLIENT_SECRET=your-client-secret
GOOGLE_CALLBACK_URL=/oauth/google/callback

GitHub OAuth

GITHUB_CLIENT_ID
string
required
GitHub OAuth client ID
GITHUB_CLIENT_SECRET
string
required
GitHub OAuth client secret
GITHUB_CALLBACK_URL
string
default:"/oauth/github/callback"
OAuth callback URL

GitHub Enterprise

GITHUB_ENTERPRISE_BASE_URL
string
Base URL for GitHub Enterprise server
GITHUB_ENTERPRISE_USER_AGENT
string
User agent for GitHub Enterprise API
.env
GITHUB_CLIENT_ID=your-client-id
GITHUB_CLIENT_SECRET=your-client-secret
GITHUB_CALLBACK_URL=/oauth/github/callback

# For GitHub Enterprise
GITHUB_ENTERPRISE_BASE_URL=https://github.company.com

Discord OAuth

DISCORD_CLIENT_ID
string
required
Discord OAuth client ID
DISCORD_CLIENT_SECRET
string
required
Discord OAuth client secret
DISCORD_CALLBACK_URL
string
default:"/oauth/discord/callback"
OAuth callback URL
.env
DISCORD_CLIENT_ID=your-client-id
DISCORD_CLIENT_SECRET=your-client-secret
DISCORD_CALLBACK_URL=/oauth/discord/callback

Facebook OAuth

FACEBOOK_CLIENT_ID
string
required
Facebook OAuth client ID
FACEBOOK_CLIENT_SECRET
string
required
Facebook OAuth client secret
FACEBOOK_CALLBACK_URL
string
default:"/oauth/facebook/callback"
OAuth callback URL
.env
FACEBOOK_CLIENT_ID=your-client-id
FACEBOOK_CLIENT_SECRET=your-client-secret
FACEBOOK_CALLBACK_URL=/oauth/facebook/callback

Apple OAuth

APPLE_CLIENT_ID
string
required
Apple OAuth client ID (Service ID)
APPLE_TEAM_ID
string
required
Apple Developer Team ID
APPLE_KEY_ID
string
required
Apple Key ID for the private key
APPLE_PRIVATE_KEY_PATH
string
required
Path to Apple private key file (.p8)
APPLE_CALLBACK_URL
string
default:"/oauth/apple/callback"
OAuth callback URL
.env
APPLE_CLIENT_ID=com.yourcompany.service
APPLE_TEAM_ID=TEAM123456
APPLE_KEY_ID=KEY123456
APPLE_PRIVATE_KEY_PATH=/path/to/AuthKey.p8
APPLE_CALLBACK_URL=/oauth/apple/callback

OpenID Connect

Generic OpenID Connect provider support.
OPENID_CLIENT_ID
string
required
OpenID Connect client ID
OPENID_CLIENT_SECRET
string
required
OpenID Connect client secret
OPENID_ISSUER
string
required
OpenID Connect issuer URL
OPENID_SESSION_SECRET
string
required
Session secret for OpenID authentication
OPENID_SCOPE
string
default:"openid profile email"
OAuth scopes to request
OPENID_CALLBACK_URL
string
default:"/oauth/openid/callback"
OAuth callback URL

User Mapping

OPENID_USERNAME_CLAIM
string
User info property for username
OPENID_NAME_CLAIM
string
User info property for display name
OPENID_EMAIL_CLAIM
string
User info claim for email/identifier
Defaults to: email → preferred_username → upn

Role-Based Access

OPENID_REQUIRED_ROLE
string
Required role for access
OPENID_REQUIRED_ROLE_TOKEN_KIND
string
Token kind for role validation
OPENID_REQUIRED_ROLE_PARAMETER_PATH
string
Path to role in token
OPENID_ADMIN_ROLE
string
Role that grants admin access
OPENID_ADMIN_ROLE_PARAMETER_PATH
string
Path to admin role in token
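The role checks above, as an added example (not LibreChat's own code): it resolves the role list at the configured parameter path inside already-verified token claims and decides access and admin status. The dot-separated path syntax, the "access"/"id" token kinds and the Keycloak-style sample claims are this example's assumptions, not taken from the page.

```javascript
// Added example (not LibreChat's own code): evaluate OPENID_REQUIRED_ROLE* and
// OPENID_ADMIN_ROLE* against decoded token claims. The dot-separated path syntax
// and the "access"/"id" token kinds are this example's assumptions.

// Walk a dot-separated path such as "realm_access.roles" through a claims object.
function getByPath(obj, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Role names found at the path, as an array (a single string claim also counts).
function rolesAt(claims, path) {
  const v = path ? getByPath(claims, path) : undefined;
  if (Array.isArray(v)) return v.filter((r) => typeof r === 'string');
  return typeof v === 'string' ? [v] : [];
}

// tokens = { access: <decoded access-token claims>, id: <decoded ID-token claims> },
// both already signature-verified upstream; this function only applies the role rules.
function evaluateRoles(config, tokens) {
  const kind = config.OPENID_REQUIRED_ROLE_TOKEN_KIND || 'id';
  const claims = tokens[kind];
  if (!claims) return { allowed: false, admin: false, reason: `no ${kind} token claims` };
  const required = config.OPENID_REQUIRED_ROLE;
  if (required && !rolesAt(claims, config.OPENID_REQUIRED_ROLE_PARAMETER_PATH).includes(required)) {
    return { allowed: false, admin: false, reason: `missing required role ${required}` };
  }
  const adminRole = config.OPENID_ADMIN_ROLE;
  const admin = Boolean(adminRole) && rolesAt(claims, config.OPENID_ADMIN_ROLE_PARAMETER_PATH).includes(adminRole);
  return { allowed: true, admin, reason: 'ok' };
}

// Constructed sample: Keycloak-style realm_access.roles carried in the access token.
const SAMPLE_CONFIG = {
  OPENID_REQUIRED_ROLE: 'librechat-user',
  OPENID_REQUIRED_ROLE_TOKEN_KIND: 'access',
  OPENID_REQUIRED_ROLE_PARAMETER_PATH: 'realm_access.roles',
  OPENID_ADMIN_ROLE: 'librechat-admin',
  OPENID_ADMIN_ROLE_PARAMETER_PATH: 'realm_access.roles',
};
const SAMPLE_TOKENS = {
  access: { sub: 'u1', realm_access: { roles: ['librechat-user', 'librechat-admin'] } },
  id: { sub: 'u1', email: 'user@example.com' },
};
```

A user whose access token lacks the required role is rejected before any admin check runs, and a missing path or token kind yields a denial rather than an exception.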

UI Customization

OPENID_BUTTON_LABEL
string
Custom label for OpenID login button
OPENID_IMAGE_URL
string
Custom icon URL for OpenID login button
OPENID_AUTO_REDIRECT
boolean
default:"false"
Automatically redirect to OpenID provider on login page
Only use if OpenID is your sole authentication method

Advanced Options

OPENID_USE_PKCE
boolean
default:"false"
Use PKCE (Proof Key for Code Exchange) for enhanced security
OPENID_REUSE_TOKENS
boolean
Reuse OpenID tokens for authentication instead of MongoDB session
OPENID_JWKS_URL_CACHE_ENABLED
boolean
default:"true"
Enable caching of JWKS signing key verification
OPENID_JWKS_URL_CACHE_TIME
number
default:"600000"
JWKS cache time in milliseconds (10 minutes)
OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED
boolean
Trigger token exchange flow for userinfo endpoint
OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE
string
default:"user.read"
Scope for on-behalf flow (e.g., Microsoft Graph API)
OPENID_USE_END_SESSION_ENDPOINT
boolean
Use OpenID Connect end session endpoint for logout
OPENID_POST_LOGOUT_REDIRECT_URI
string
URL to redirect after OpenID logout
Defaults to $/login
OPENID_AUDIENCE
string
Optional audience parameter for authorization requests
.env
OPENID_CLIENT_ID=your-client-id
OPENID_CLIENT_SECRET=your-client-secret
OPENID_ISSUER=https://accounts.google.com
OPENID_SESSION_SECRET=your-session-secret
OPENID_SCOPE="openid profile email"
OPENID_CALLBACK_URL=/oauth/openid/callback

SAML Authentication

If OpenID is enabled, SAML is automatically disabled
SAML_ENTRY_POINT
string
required
SAML Identity Provider entry point URL
SAML_ISSUER
string
required
SAML Service Provider issuer
SAML_CERT
string
required
SAML Identity Provider certificate
SAML_CALLBACK_URL
string
default:"/oauth/saml/callback"
SAML callback URL
SAML_SESSION_SECRET
string
required
Session secret for SAML authentication

Attribute Mappings

SAML_EMAIL_CLAIM
string
SAML attribute for email
SAML_USERNAME_CLAIM
string
SAML attribute for username
SAML_GIVEN_NAME_CLAIM
string
SAML attribute for first name
SAML_FAMILY_NAME_CLAIM
string
SAML attribute for last name
SAML_PICTURE_CLAIM
string
SAML attribute for profile picture
SAML_NAME_CLAIM
string
SAML attribute for full name

UI Customization

SAML_BUTTON_LABEL
string
Custom label for SAML login button
SAML_IMAGE_URL
string
Custom icon URL for SAML login button

Signature Settings

SAML_USE_AUTHN_RESPONSE_SIGNED
boolean
Whether the SAML Response should be signed
  • true: Entire SAML Response will be signed
  • false or unset: Only SAML Assertion will be signed (default)
.env
SAML_ENTRY_POINT=https://idp.example.com/sso
SAML_ISSUER=librechat
SAML_CERT=MIIDXTCCAkWgAwIBAgIJAKL...
SAML_CALLBACK_URL=/oauth/saml/callback
SAML_SESSION_SECRET=your-session-secret

# Optional attribute mappings
SAML_EMAIL_CLAIM=email
SAML_USERNAME_CLAIM=username
SAML_GIVEN_NAME_CLAIM=firstName
SAML_FAMILY_NAME_CLAIM=lastName

LDAP Authentication

LDAP_URL
string
required
LDAP server URL
LDAP_BIND_DN
string
required
LDAP bind distinguished name
LDAP_BIND_CREDENTIALS
string
required
LDAP bind password
LDAP_USER_SEARCH_BASE
string
required
Base DN for user search
LDAP_SEARCH_FILTER
string
default:"mail="
LDAP search filter
LDAP_SEARCH_FILTER="mail="
LDAP_CA_CERT_PATH
string
Path to CA certificate for LDAP TLS
LDAP_TLS_REJECT_UNAUTHORIZED
boolean
Reject unauthorized TLS certificates
LDAP_STARTTLS
boolean
Enable STARTTLS
LDAP_LOGIN_USES_USERNAME
boolean
default:"false"
Use username instead of email for login

Attribute Mappings

LDAP_ID
string
LDAP attribute for user ID
LDAP_USERNAME
string
LDAP attribute for username
LDAP_EMAIL
string
LDAP attribute for email
LDAP_FULL_NAME
string
LDAP attribute for full name
.env
LDAP_URL=ldap://ldap.example.com:389
LDAP_BIND_DN=cn=admin,dc=example,dc=com
LDAP_BIND_CREDENTIALS=admin-password
LDAP_USER_SEARCH_BASE=ou=users,dc=example,dc=com
LDAP_SEARCH_FILTER="mail="

# Set minimum password length to 1 for LDAP
MIN_PASSWORD_LENGTH=1
Set MIN_PASSWORD_LENGTH=1 when using LDAP to bypass local password validation, as LDAP servers handle their own password policies.

Microsoft Entra ID Integration

USE_ENTRA_ID_FOR_PEOPLE_SEARCH
boolean
Enable Entra ID people search in the permissions/sharing system
Searches both the local database and Entra ID
ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS
boolean
default:"false"
Consider Entra ID group owners as members
OPENID_GRAPH_SCOPES
string
default:"User.Read,People.Read,GroupMember.Read.All"
Microsoft Graph API scopes for people/group search
.env
USE_ENTRA_ID_FOR_PEOPLE_SEARCH=true
ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS=false
OPENID_GRAPH_SCOPES=User.Read,People.Read,GroupMember.Read.All

SharePoint Integration

Requires Entra ID (OpenID) authentication
ENABLE_SHAREPOINT_FILEPICKER
boolean
Enable SharePoint file picker in chat and agent panels
SHAREPOINT_BASE_URL
string
SharePoint tenant base URL
SHAREPOINT_BASE_URL=https://yourtenant.sharepoint.com
SHAREPOINT_PICKER_SHAREPOINT_SCOPE
string
SharePoint scope for file picker
SHAREPOINT_PICKER_SHAREPOINT_SCOPE=https://yourtenant.sharepoint.com/AllSites.Read
SHAREPOINT_PICKER_GRAPH_SCOPE
string
default:"Files.Read.All"
Microsoft Graph API scope for file picker
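A configuration check, added here as an example (not LibreChat's own code), that reads a .env fragment and flags the mistakes this page warns about: missing required keys for a configured provider, a social provider without ALLOW_SOCIAL_LOGIN, SAML alongside OpenID, OPENID_AUTO_REDIRECT when OpenID is not the sole method, the SharePoint picker without OpenID, and LDAP without MIN_PASSWORD_LENGTH=1. Treating a provider as "configured" when any of its required keys is set is this example's own assumption.

```javascript
// Added example (not LibreChat's own code): lint a .env fragment against the rules
// on this page. "Configured" = any required key of that provider is set (assumption).
const REQUIRED = {                                   // taken from the "required" entries above
  google: ['GOOGLE_CLIENT_ID', 'GOOGLE_CLIENT_SECRET'],
  github: ['GITHUB_CLIENT_ID', 'GITHUB_CLIENT_SECRET'],
  discord: ['DISCORD_CLIENT_ID', 'DISCORD_CLIENT_SECRET'],
  facebook: ['FACEBOOK_CLIENT_ID', 'FACEBOOK_CLIENT_SECRET'],
  apple: ['APPLE_CLIENT_ID', 'APPLE_TEAM_ID', 'APPLE_KEY_ID', 'APPLE_PRIVATE_KEY_PATH'],
  openid: ['OPENID_CLIENT_ID', 'OPENID_CLIENT_SECRET', 'OPENID_ISSUER', 'OPENID_SESSION_SECRET'],
  saml: ['SAML_ENTRY_POINT', 'SAML_ISSUER', 'SAML_CERT', 'SAML_SESSION_SECRET'],
  ldap: ['LDAP_URL', 'LDAP_BIND_DN', 'LDAP_BIND_CREDENTIALS', 'LDAP_USER_SEARCH_BASE'],
};

function parseEnv(text) {                            // KEY=value lines, '#' comments, optional quotes
  const env = {};
  for (const line of text.split('\n').map((l) => l.trim())) {
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || eq < 0) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
  }
  return env;
}

function checkAuthEnv(text) {                        // returns [] when every rule passes
  const env = parseEnv(text);
  const isTrue = (k) => env[k] === 'true';
  const providers = Object.keys(REQUIRED).filter((p) => REQUIRED[p].some((k) => env[k]));
  const social = providers.filter((p) => p !== 'ldap'); // everything listed under socialLogins
  const problems = [];
  const check = (cond, msg) => { if (cond) problems.push(msg); };
  for (const p of providers) {                       // every "required" key of a used provider
    for (const k of REQUIRED[p]) check(!env[k], `${p}: missing required ${k}`);
  }
  check(social.length > 0 && !isTrue('ALLOW_SOCIAL_LOGIN'), 'provider configured but ALLOW_SOCIAL_LOGIN is not true');
  check(providers.includes('openid') && providers.includes('saml'), 'SAML is automatically disabled while OpenID is enabled');
  const soleOpenId = env.ALLOW_EMAIL_LOGIN === 'false' && providers.length === 1 && providers[0] === 'openid';
  check(isTrue('OPENID_AUTO_REDIRECT') && !soleOpenId, 'OPENID_AUTO_REDIRECT is only for setups where OpenID is the sole login method');
  check(isTrue('ENABLE_SHAREPOINT_FILEPICKER') && !providers.includes('openid'), 'SharePoint file picker requires Entra ID (OpenID) authentication');
  check(providers.includes('ldap') && env.MIN_PASSWORD_LENGTH !== '1', 'LDAP: set MIN_PASSWORD_LENGTH=1 so local password validation does not block logins');
  return problems;
}

// Constructed sample fragment with several deliberate mistakes.
const SAMPLE_ENV = `ALLOW_SOCIAL_LOGIN=false
OPENID_CLIENT_ID=id
OPENID_CLIENT_SECRET=secret
OPENID_ISSUER=https://issuer.example.com
OPENID_AUTO_REDIRECT=true
SAML_ENTRY_POINT=https://idp.example.com/sso
LDAP_URL=ldap://ldap.example.com:389`;
```

Running checkAuthEnv(SAMPLE_ENV) reports eleven problems for the sample; a fragment with only the four OpenID keys, ALLOW_SOCIAL_LOGIN=true and ALLOW_EMAIL_LOGIN=false passes cleanly even with OPENID_AUTO_REDIRECT=true.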

Two-Factor Authentication

Two-factor authentication (2FA) is available through the API endpoints:
  • POST /auth/2fa/enable - Enable 2FA for user
  • POST /auth/2fa/verify - Verify 2FA code
  • POST /auth/2fa/confirm - Confirm 2FA setup
  • POST /auth/2fa/disable - Disable 2FA
  • POST /auth/2fa/backup/regenerate - Regenerate backup codes
No additional configuration required.
