Authentication Modes

For self-hosted deployments, LlamaCloud supports authenticating users via OIDC and Basic Auth (email/password).

Note: OIDC and Basic Auth are the only supported authentication modes at the moment. If you have questions or would like to request a new feature, please don't hesitate to reach out to enterprise-support@runllama.ai.

Basic Auth (Email/Password)

Basic auth is a simple authentication mode that allows you to authenticate users via email and password. This is useful for self-hosted deployments where you may not have an existing identity provider and is perfect for staging deployments. For production deployments, we recommend configuring OIDC.

Configuration

In your values.yaml file, you can configure the following:

    backend:
      config:
        basicAuth:
          enabled: true
          validEmailDomain: "llamaindex.ai" # this is optional, but a way to restrict access to only users with a specific email domain
          jwtSecret: "your-jwt-secret" # default is a random string
          # existingSecretName: "existing-basic-auth-secret" # if you want to use an existing secret for the JWT secret
          # the secretKeyRef.key must be "byoc-jwt-secret"

After you've configured the above, you should see the following in the UI:

[Screenshot: LlamaCloud Basic Auth Configuration]

To get started, administrators can click Create Account to get set up and then invite other users to the organization they've created.

Notes

  • In basic auth mode, users can update their settings under Settings > Personal.

OIDC (OpenID Connect)

Requirements

  1. Your IdP supports using a discovery URL or issuer URL.
  2. The required scopes are openid, profile, and email.
  3. Please make sure the redirect URL is set to <your-host>/api/v1/auth/callback.

In your values.yaml file, you can configure the following:

    backend:
      config:
        oidc:
          clientId: "your-client-id"
          clientSecret: "your-client-secret"
          # Example with Microsoft Entra ID
          discoveryUrl: "https://login.microsoftonline.com/<your-tenant-id>/v2.0/.well-known/openid-configuration"

After you've configured the above, you should see the following in the UI:

[Screenshot: LlamaCloud OIDC Configuration]

Possible Gotchas

  • A valid OIDC discovery URL must end in .well-known/openid-configuration.
  • In test environments, you may need to disable SSL verification if your OIDC provider does not have a valid SSL certificate. This is not recommended for production environments. To bypass SSL verification, you can add the following to your values.yaml file:

        backend:
          extraEnvVariables:
            - name: OIDC_VERIFY_SSL
              value: "false" # quoted, since environment variable values must be strings
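
A pre-deployment check for the settings and gotchas above, as an added example that is not part of the LlamaCloud chart or documentation. It assumes values.yaml has already been parsed into a dict; `lint_auth_values`, the 32-character threshold and the sample input are hypothetical.

```python
from urllib.parse import urlparse

PLACEHOLDERS = {"your-jwt-secret", "your-client-secret"}  # literals from the samples above
MIN_SECRET_LEN = 32  # assumption: local policy threshold, not a LlamaCloud requirement
SUFFIX = ".well-known/openid-configuration"

def lint_auth_values(values, production=True):
    """Return findings for the backend auth settings of a parsed values.yaml dict."""
    findings = []
    backend = values.get("backend") or {}
    config = backend.get("config") or {}
    basic = config.get("basicAuth") or {}
    if basic.get("enabled"):
        if production:
            findings.append("basicAuth: enabled in production, OIDC is recommended")
        secret = str(basic.get("jwtSecret") or "")
        # An inline secret is only judged when no existing secret is referenced.
        if secret and not basic.get("existingSecretName"):
            if secret in PLACEHOLDERS or len(secret) < MIN_SECRET_LEN:
                findings.append("basicAuth.jwtSecret: placeholder or too short")
        if not basic.get("validEmailDomain"):
            findings.append("basicAuth.validEmailDomain: unset, no domain restriction")
    oidc = config.get("oidc") or {}
    if oidc:
        path = urlparse(str(oidc.get("discoveryUrl", ""))).path
        if not path.endswith(SUFFIX):
            findings.append("oidc.discoveryUrl: must end in " + SUFFIX)
        if str(oidc.get("clientSecret")) in PLACEHOLDERS:
            findings.append("oidc.clientSecret: still the placeholder")
    for env in backend.get("extraEnvVariables") or []:
        # str() covers both an unquoted YAML false (bool) and the string "false".
        disabled = env.get("name") == "OIDC_VERIFY_SSL" and str(env.get("value")).lower() == "false"
        if production and disabled:
            findings.append("OIDC_VERIFY_SSL: certificate verification disabled")
    return findings

# Constructed input that exercises every check; not a real deployment.
STAGING = {"backend": {
    "config": {
        "basicAuth": {"enabled": True, "jwtSecret": "your-jwt-secret"},
        "oidc": {"clientId": "abc", "clientSecret": "your-client-secret",
                 "discoveryUrl": "https://idp.example.test/v2.0"},
    },
    "extraEnvVariables": [{"name": "OIDC_VERIFY_SSL", "value": False}],
}}

if __name__ == "__main__":
    print("\n".join(lint_auth_values(STAGING)))
```

Run with `production=False`, the same input reports only the findings that also matter in a test environment.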