
Authentication

Paquetier supports multiple authentication methods that can be used independently or combined.

Username and password authentication is enabled by default. Users register with a username, email, and password (minimum 15 characters with at least one special character).

To disable local authentication (e.g. when using OAuth2 exclusively):

PAQUETIER_LOCAL_AUTH=false

Paquetier supports generic OAuth2 for single sign-on with any compatible identity provider.

Set the following environment variables:

PAQUETIER_OAUTH2_CLIENT_ID=your-client-id
PAQUETIER_OAUTH2_CLIENT_SECRET=your-client-secret
PAQUETIER_OAUTH2_AUTH_URL=https://idp.example.com/authorize
PAQUETIER_OAUTH2_TOKEN_URL=https://idp.example.com/token
PAQUETIER_OAUTH2_REDIRECT_URL=https://paquetier.example.com/auth/callback

When OAuth2 is configured, a “Sign in with SSO” option appears on the login page.

By default, anyone can register a new account. To restrict registration (e.g. after setting up the admin account):

PAQUETIER_REGISTRATION_OPEN=false

When registration is closed, only existing users can sign in. New users must be created by an admin or through OAuth2.

Users can create API keys for programmatic access. API keys use the Authorization: Bearer paquetier_... header format and are valid for the API and CLI but not the web UI.

JWT sessions expire after 72 hours by default. To change this:

PAQUETIER_SESSION_EXPIRES=24h
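
A pre-deployment check of the settings above, written as an added example (it is not part of Paquetier). It assumes the variables live in a file of plain KEY=value lines and that, with local authentication disabled, OAuth2 is the only remaining way to sign in to the web UI; `get`, `audit_env` and the sample file are hypothetical names and constructed input.

```shell
#!/bin/sh
# Added example (not Paquetier code): audit an env file against this page's settings.
# Assumes plain KEY=value lines, as shown on the page.

# get KEY FILE: value of the last KEY= assignment, empty if unset.
get() { sed -n "s/^$1=//p" "$2" | tail -n 1; }

# audit_env FILE: print one finding per line; exit status is the number of findings.
audit_env() (
  f=$1; n=0; missing=""
  # Registration is open by default, so only an explicit "false" closes it.
  if [ "$(get PAQUETIER_REGISTRATION_OPEN "$f")" != "false" ]; then
    echo "WARN registration is open: anyone can register an account"; n=$((n+1))
  fi
  for k in CLIENT_ID CLIENT_SECRET AUTH_URL TOKEN_URL REDIRECT_URL; do
    v=$(get "PAQUETIER_OAUTH2_$k" "$f")
    if [ -z "$v" ]; then missing="$missing $k"; continue; fi
    case "$k:$v" in
      *_URL:https://*) ;;  # endpoint uses TLS
      *_URL:*) echo "FAIL PAQUETIER_OAUTH2_$k is not an https URL"; n=$((n+1)) ;;
      CLIENT_SECRET:your-client-secret)
        echo "FAIL PAQUETIER_OAUTH2_CLIENT_SECRET is still the documentation placeholder"; n=$((n+1)) ;;
    esac
  done
  # Assumption: with local auth off, OAuth2 is the only way left to sign in to the web UI.
  if [ "$(get PAQUETIER_LOCAL_AUTH "$f")" = "false" ] && [ -n "$missing" ]; then
    echo "FAIL local auth is disabled but OAuth2 is incomplete, missing:$missing"; n=$((n+1))
  fi
  exit "$n"
)

# Constructed sample: SSO-only intent with a placeholder secret, a plain-http token
# URL, no redirect URL, and registration left at its default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PAQUETIER_LOCAL_AUTH=false
PAQUETIER_OAUTH2_CLIENT_ID=paquetier-web
PAQUETIER_OAUTH2_CLIENT_SECRET=your-client-secret
PAQUETIER_OAUTH2_AUTH_URL=https://idp.example.com/authorize
PAQUETIER_OAUTH2_TOKEN_URL=http://idp.example.com/token
EOF
audit_env "$sample" || echo "$? finding(s)"
```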