This installation method is for test-setups and small-scale productive setups.
- A host with at least 2 CPU cores and 2 GB of RAM
- Docker Compose
Download the latest
docker-compose.yml from here. Place it in a directory of your choice.
If this is a fresh authentik install run the following commands to generate a password:
# You can also use openssl instead: `openssl rand -base64 36`
sudo apt-get install -y pwgen
# Because of a PostgreSQL limitation, only passwords up to 99 chars are supported
# See https://www.postgresql.org/message-id/09512C4F-8CB9-4021-B455-EF4C4F0D55A0@amazon.com
echo "PG_PASS=$(pwgen -s 40 1)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
# Skip if you don't want to enable error reporting
echo "AUTHENTIK_ERROR_REPORTING__ENABLED=true" >> .env
Email configuration (optional, but recommended)
It is also recommended to configure global email credentials. These are used by authentik to notify you about alerts and configuration issues. They can also be used by Email stages to send verification/recovery emails.
To configure email credentials, append this block to your
# SMTP Host Emails are sent to
# Optionally authenticate (don't add quotation marks to your password)
# Use StartTLS
# Use SSL
# Email address authentik will send from, should have a correct @domain
Configure for port 80/443
By default, authentik listens on port 9000 for HTTP and 9443 for HTTPS. To change the default and instead use ports 80 and 443, you can set the following variables in
Be sure to run
docker-compose up -d to rebuild with the new port numbers.
Afterwards, run these commands to finish:
docker-compose up -d
docker-compose.yml file statically references the latest version available at the time of downloading the compose file, which can be overridden with the
AUTHENTIK_TAG environment variable.
authentik is then reachable (by default) on port 9000 (HTTP) and port 9443 (HTTPS).
To start the initial setup, navigate to
https://<your server's IP or hostname>:9000/if/flow/initial-setup/.
There you will be prompted to set a password for the akadmin user (the default user).
The server assumes to have local timezone as UTC.
All internals are handled in UTC; whenever a time is displayed to the user in UI it gets localized.
Do not update or mount
/etc/localtime in the authentik containers.
This will not give any advantages.
On the contrary, it will cause problems with OAuth and SAML authentication,
e.g. see this GitHub issue.
The Docker-Compose project contains the following containers:
This is the backend service, which does all the logic, plus runs the API and the SSO functionality. It also runs the frontend, hosts the JS/CSS files, and serves the files you've uploaded for icons/etc.
This container executes background tasks, everything you can see on the System Tasks page in the frontend.
redis (for cache)
postgresql (default database)