Configuration
Tinyauth can be configured using environment variables or CLI flags. The tables below provide a comprehensive list of configuration options.
General Configuration

| Environment | Flag | Description | Default |
|---|---|---|---|
| `TINYAUTH_APPURL` | `--appurl` | The base URL where the app is hosted. | `""` |

Database Configuration

| Environment | Flag | Description | Default |
|---|---|---|---|
| `TINYAUTH_DATABASE_PATH` | `--database.path` | The path to the database, including file name. | `./tinyauth.db` |

Analytics Configuration

| Environment | Flag | Description | Default |
|---|---|---|---|
| `TINYAUTH_ANALYTICS_ENABLED` | `--analytics.enabled` | Enable periodic version information collection. | `true` |

Resources Configuration

| Environment | Flag | Description | Default |
|---|---|---|---|
| `TINYAUTH_RESOURCES_ENABLED` | `--resources.enabled` | Enable the resources server. | `true` |
| `TINYAUTH_RESOURCES_PATH` | `--resources.path` | The directory where resources are stored. | `./resources` |

Server Configuration

| Environment | Flag | Description | Default |
|---|---|---|---|
| `TINYAUTH_SERVER_PORT` | `--server.port` | The port on which the server listens. | `3000` |
| `TINYAUTH_SERVER_ADDRESS` | `--server.address` | The address on which the server listens. | `0.0.0.0` |
| `TINYAUTH_SERVER_SOCKETPATH` | `--server.socketpath` | The path to the Unix socket. | `""` |

Authentication Configuration

| Environment | Flag | Description | Default |
|---|---|---|---|
| `TINYAUTH_AUTH_IP_ALLOW` | `--auth.ip.allow` | List of allowed IPs or CIDR ranges. | `""` |
| `TINYAUTH_AUTH_IP_BLOCK` | `--auth.ip.block` | List of blocked IPs or CIDR ranges. | `""` |
| `TINYAUTH_AUTH_USERS` | `--auth.users` | Comma-separated list of users (`username:hashed_password`). | `""` |
| `TINYAUTH_AUTH_USERSFILE` | `--auth.usersfile` | Path to the users file. | `""` |
| `TINYAUTH_AUTH_SECURECOOKIE` | `--auth.securecookie` | Enable secure cookies. | `false` |
| `TINYAUTH_AUTH_SESSIONEXPIRY` | `--auth.sessionexpiry` | Session expiry time in seconds. | `86400` |
| `TINYAUTH_AUTH_SESSIONMAXLIFETIME` | `--auth.sessionmaxlifetime` | Maximum session lifetime in seconds. | `0` |
| `TINYAUTH_AUTH_LOGINTIMEOUT` | `--auth.logintimeout` | Login timeout in seconds. | `300` |
| `TINYAUTH_AUTH_LOGINMAXRETRIES` | `--auth.loginmaxretries` | Maximum login retries. | `3` |
| `TINYAUTH_AUTH_TRUSTEDPROXIES` | `--auth.trustedproxies` | Comma-separated list of trusted proxy addresses. | `""` |

ACLs Configuration

| Environment | Flag | Description | Default |
|---|---|---|---|
| `TINYAUTH_APPS_[NAME]_CONFIG_DOMAIN` | `--apps.[name].config.domain` | The domain of the app. | `""` |
| `TINYAUTH_APPS_[NAME]_USERS_ALLOW` | `--apps.[name].users.allow` | Comma-separated list of allowed users. | `""` |
| `TINYAUTH_APPS_[NAME]_USERS_BLOCK` | `--apps.[name].users.block` | Comma-separated list of blocked users. | `""` |
| `TINYAUTH_APPS_[NAME]_OAUTH_WHITELIST` | `--apps.[name].oauth.whitelist` | Comma-separated list of allowed OAuth groups. | `""` |
| `TINYAUTH_APPS_[NAME]_OAUTH_GROUPS` | `--apps.[name].oauth.groups` | Comma-separated list of required OAuth groups. | `""` |
| `TINYAUTH_APPS_[NAME]_IP_ALLOW` | `--apps.[name].ip.allow` | List of allowed IPs or CIDR ranges. | `""` |
| `TINYAUTH_APPS_[NAME]_IP_BLOCK` | `--apps.[name].ip.block` | List of blocked IPs or CIDR ranges. | `""` |
| `TINYAUTH_APPS_[NAME]_IP_BYPASS` | `--apps.[name].ip.bypass` | List of IPs or CIDR ranges that bypass authentication. | `""` |
| `TINYAUTH_APPS_[NAME]_RESPONSE_HEADERS` | `--apps.[name].response.headers` | Custom headers to add to the response. | `""` |
| `TINYAUTH_APPS_[NAME]_RESPONSE_BASICAUTH_USERNAME` | `--apps.[name].response.basicauth.username` | Basic auth username. | `""` |
| `TINYAUTH_APPS_[NAME]_RESPONSE_BASICAUTH_PASSWORD` | `--apps.[name].response.basicauth.password` | Basic auth password. | `""` |
| `TINYAUTH_APPS_[NAME]_RESPONSE_BASICAUTH_PASSWORDFILE` | `--apps.[name].response.basicauth.passwordfile` | Path to the file containing the basic auth password. | `""` |
| `TINYAUTH_APPS_[NAME]_PATH_ALLOW` | `--apps.[name].path.allow` | Comma-separated list of allowed paths. | `""` |
| `TINYAUTH_APPS_[NAME]_PATH_BLOCK` | `--apps.[name].path.block` | Comma-separated list of blocked paths. | `""` |
| `TINYAUTH_APPS_[NAME]_LDAP_GROUPS` | `--apps.[name].ldap.groups` | Comma-separated list of required LDAP groups. | `""` |

OAuth Configuration

| Environment | Flag | Description | Default |
|---|---|---|---|
| `TINYAUTH_OAUTH_WHITELIST` | `--oauth.whitelist` | Comma-separated list of allowed OAuth domains. | `""` |
| `TINYAUTH_OAUTH_AUTOREDIRECT` | `--oauth.autoredirect` | The OAuth provider to use for automatic redirection. | `""` |
| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_CLIENTID` | `--oauth.providers.[name].clientid` | OAuth client ID. | `""` |
| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_CLIENTSECRET` | `--oauth.providers.[name].clientsecret` | OAuth client secret. | `""` |
| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_CLIENTSECRETFILE` | `--oauth.providers.[name].clientsecretfile` | Path to the file containing the OAuth client secret. | `""` |
| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_SCOPES` | `--oauth.providers.[name].scopes` | OAuth scopes. | `""` |
| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_REDIRECTURL` | `--oauth.providers.[name].redirecturl` | OAuth redirect URL. | `""` |
| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_AUTHURL` | `--oauth.providers.[name].authurl` | OAuth authorization URL. | `""` |
| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_TOKENURL` | `--oauth.providers.[name].tokenurl` | OAuth token URL. | `""` |
| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_USERINFOURL` | `--oauth.providers.[name].userinfourl` | OAuth userinfo URL. | `""` |
| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_INSECURE` | `--oauth.providers.[name].insecure` | Allow insecure OAuth connections. | `false` |
| `TINYAUTH_OAUTH_PROVIDERS_[NAME]_NAME` | `--oauth.providers.[name].name` | Provider name in UI. | `""` |

OIDC Configuration

| Environment | Flag | Description | Default |
|---|---|---|---|
| `TINYAUTH_OIDC_PRIVATEKEYPATH` | `--oidc.privatekeypath` | Path to the private key file, including file name. | `./tinyauth_oidc_key` |
| `TINYAUTH_OIDC_PUBLICKEYPATH` | `--oidc.publickeypath` | Path to the public key file, including file name. | `./tinyauth_oidc_key.pub` |
| `TINYAUTH_OIDC_CLIENTS_[NAME]_CLIENTID` | `--oidc.clients.[name].clientid` | OIDC client ID. | `""` |
| `TINYAUTH_OIDC_CLIENTS_[NAME]_CLIENTSECRET` | `--oidc.clients.[name].clientsecret` | OIDC client secret. | `""` |
| `TINYAUTH_OIDC_CLIENTS_[NAME]_CLIENTSECRETFILE` | `--oidc.clients.[name].clientsecretfile` | Path to the file containing the OIDC client secret. | `""` |
| `TINYAUTH_OIDC_CLIENTS_[NAME]_TRUSTEDREDIRECTURIS` | `--oidc.clients.[name].trustedredirecturis` | List of trusted redirect URIs. | `""` |
| `TINYAUTH_OIDC_CLIENTS_[NAME]_NAME` | `--oidc.clients.[name].name` | Client name in UI. | `""` |

UI Configuration

| Environment | Flag | Description | Default |
|---|---|---|---|
| `TINYAUTH_UI_TITLE` | `--ui.title` | The title of the UI. | `Tinyauth` |
| `TINYAUTH_UI_FORGOTPASSWORDMESSAGE` | `--ui.forgotpasswordmessage` | Message displayed on the forgot password page. | `You can change your password by changing the configuration.` |
| `TINYAUTH_UI_BACKGROUNDIMAGE` | `--ui.backgroundimage` | Path to the background image. | `/background.jpg` |
| `TINYAUTH_UI_WARNINGSENABLED` | `--ui.warningsenabled` | Enable UI warnings. | `true` |

LDAP Configuration

| Environment | Flag | Description | Default |
|---|---|---|---|
| `TINYAUTH_LDAP_ADDRESS` | `--ldap.address` | LDAP server address. | `""` |
| `TINYAUTH_LDAP_BINDDN` | `--ldap.binddn` | Bind DN for LDAP authentication. | `""` |
| `TINYAUTH_LDAP_BINDPASSWORD` | `--ldap.bindpassword` | Bind password for LDAP authentication. | `""` |
| `TINYAUTH_LDAP_BASEDN` | `--ldap.basedn` | Base DN for LDAP searches. | `""` |
| `TINYAUTH_LDAP_INSECURE` | `--ldap.insecure` | Allow insecure LDAP connections. | `false` |
| `TINYAUTH_LDAP_SEARCHFILTER` | `--ldap.searchfilter` | LDAP search filter. | `(uid=%s)` |
| `TINYAUTH_LDAP_AUTHCERT` | `--ldap.authcert` | Certificate for mTLS authentication. | `""` |
| `TINYAUTH_LDAP_AUTHKEY` | `--ldap.authkey` | Certificate key for mTLS authentication. | `""` |
| `TINYAUTH_LDAP_GROUPCACHETTL` | `--ldap.groupcachettl` | Cache duration for LDAP group membership in seconds. | `900` |

Logging Configuration

| Environment | Flag | Description | Default |
|---|---|---|---|
| `TINYAUTH_LOG_LEVEL` | `--log.level` | Log level (trace, debug, info, warn, error). | `info` |
| `TINYAUTH_LOG_JSON` | `--log.json` | Enable JSON formatted logs. | `false` |
| `TINYAUTH_LOG_STREAMS_HTTP_ENABLED` | `--log.streams.http.enabled` | Enable this log stream. | `true` |
| `TINYAUTH_LOG_STREAMS_HTTP_LEVEL` | `--log.streams.http.level` | Log level for this stream. Use global if empty. | `""` |
| `TINYAUTH_LOG_STREAMS_APP_ENABLED` | `--log.streams.app.enabled` | Enable this log stream. | `true` |
| `TINYAUTH_LOG_STREAMS_APP_LEVEL` | `--log.streams.app.level` | Log level for this stream. Use global if empty. | `""` |
| `TINYAUTH_LOG_STREAMS_AUDIT_ENABLED` | `--log.streams.audit.enabled` | Enable this log stream. | `false` |
| `TINYAUTH_LOG_STREAMS_AUDIT_LEVEL` | `--log.streams.audit.level` | Log level for this stream. Use global if empty. | `""` |
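
A review pass over a deployment's environment file, using the variable names and defaults listed on this page. This is an added example, not Tinyauth code; the rule set, the function names and the sample values are assumptions of the example.

```python
import re

# Defaults copied from this page for the keys the rules inspect.
DEFAULTS = {
    "TINYAUTH_AUTH_SECURECOOKIE": "false",
    "TINYAUTH_LOG_STREAMS_AUDIT_ENABLED": "false",
}

# (name pattern, predicate on value, finding): this example's own review policy.
RULES = [
    (r"TINYAUTH_(AUTH_SECURECOOKIE|LOG_STREAMS_AUDIT_ENABLED)",
     lambda v: v != "true", "disabled (the documented default)"),
    (r"TINYAUTH_(LDAP|OAUTH_PROVIDERS_\w+)_INSECURE",
     lambda v: v == "true", "insecure upstream connections are allowed"),
    (r"TINYAUTH_APPS_\w+_IP_BYPASS",
     lambda v: v != "", "listed addresses bypass authentication"),
    (r"TINYAUTH_\w+_(CLIENTSECRET|BASICAUTH_PASSWORD)",
     lambda v: v != "", "secret is set inline; a *FILE variant exists"),
]

# Constructed sample environment file, not taken from a real deployment.
SAMPLE = """\
TINYAUTH_APPURL=https://auth.example.com
TINYAUTH_AUTH_SECURECOOKIE=true
TINYAUTH_OAUTH_PROVIDERS_GITHUB_CLIENTSECRET="example-secret"
TINYAUTH_OAUTH_PROVIDERS_GITHUB_INSECURE=true
TINYAUTH_OIDC_CLIENTS_WIKI_CLIENTSECRETFILE=/run/secrets/wiki
TINYAUTH_APPS_GRAFANA_IP_BYPASS=10.0.0.0/8
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            cfg[key.strip()] = value.strip().strip("\"'")
    return cfg

def audit(text):
    """Return (variable, finding) pairs for defaults overlaid with the file."""
    cfg = {**DEFAULTS, **parse_env(text)}
    return [(key, msg) for key, value in sorted(cfg.items())
            for pattern, risky, msg in RULES
            if re.fullmatch(pattern, key) and risky(value.lower())]

if __name__ == "__main__":
    print("\n".join(f"{key}: {msg}" for key, msg in audit(SAMPLE)))
```

Because the defaults are merged in before the rules run, a variable that is simply absent from the file is still reported when its documented default is the value under review.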