Considerations
- You can upgrade a basic auth installation to OAuth with client secret by swapping the configuration parameters, but you cannot switch back to basic auth from any OAuth mode.
- You cannot switch between basic auth and OAuth with PKCE (deprecated), in either direction.
- A new basic auth installation requires a fresh installation including a separate PostgreSQL database/schema, unless migrating from an existing None auth installation (refer to Migrating from none auth).
- Users receive an auto-generated initial password when invited, which must be shared with them out of band. Any Organization Admin can change this password later.
- You cannot enable basic auth and OAuth with client secret at the same time.
- All basic auth users share a single
Defaultorganization that is provisioned at install time. Creating additional organizations is not supported.
Requirements and features
- Your initial password must be at least 12 characters long and contain at least one lowercase, uppercase, and symbol (refer to Configuration).
- The secret used for signing JWTs has no strict requirements, but should be a securely generated string of at least 32 characters. For example,
openssl rand -base64 32.
Migrating from none auth
Only supported in versions 0.7 and later.
00000000-0000-0000-0000-000000000000) so existing resources remain bound to it. Aside from the user swap, the resulting migrated installation behaves the same as a fresh basic auth install.
To migrate, apply the basic auth configuration shown in Configuration and then run helm upgrade.
Configuration
Changing the JWT secret will log out your users.
Default organization:
Helm
initialOrgAdminEmail and initialOrgAdminPassword values, and your user is auto-provisioned with the Organization Admin role. For more details, refer to Organization roles.
Connect these docs to Claude, VSCode, and more via MCP for real-time answers.

