For every authentication-related question or issue, please join our Slack.
Keep supports various authentication providers and architectures to accommodate different deployment strategies and security needs, from development environments to production setups.

Authentication Providers

  • No Authentication - Quick setup for testing or internal use cases.
  • DB - Simple username/password authentication. Works well for small teams or for dev/stage environments. Users and hashed password are stored on DB.
  • Auth0 - Utilize Auth0 for scalable, auth0-based authentication.
  • Keycloak - Utilize Keycloak for enterprise authentication methods such as SSO/SAML/OIDC, advanced RBAC with custom roles, resource-level permissions, and integration with user directories (LDAP).
  • AzureAD - Utilize Azure AD for SSO/SAML/OIDC nterprise authentication.
  • Okta - Utilize Okta for SSO/OIDC authentication.
  • OneLogin - Utilize OneLogin for SSO/OIDC authentication.
Choosing the right authentication strategy depends on your specific use case, security requirements, and deployment environment. You can read more about each authentication provider.

Authentication Features Comparison

Identity ProviderRBACSAML/OIDC/SSOLDAPResource-based permissionUser ManagementGroup ManagementOn PremLicense
No AuthOSS
DB
(Predefiend roles)		OSS
Auth0
(Predefiend roles)		🚧🚧🚧EE
Keycloak
(Custom roles)		EE
Oauth2Proxy
(Predefiend roles)		N/AN/AOSS
Azure AD
(Predefiend roles)		By Azure ADBy Azure ADEE
Okta
(Predefiend roles)		OSS
OneLogin
(Predefiend roles)		OSS

How To Configure

Some authentication providers require additional environment variables. These will be covered in detail on the specific authentication provider pages.
The authentication scheme on Keep is controlled with environment variables both on the backend (Keep API) and the frontend (Keep UI).
Identity ProviderEnvironment VariableAdditional Variables Required
No AuthAUTH_TYPE=NOAUTHNone
DBAUTH_TYPE=DBKEEP_JWT_SECRET
Auth0AUTH_TYPE=AUTH0AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET
KeycloakAUTH_TYPE=KEYCLOAKKEYCLOAK_URL, KEYCLOAK_REALM, KEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET
Oauth2ProxyAUTH_TYPE=OAUTH2PROXYOAUTH2_PROXY_USER_HEADER, OAUTH2_PROXY_ROLE_HEADER, OAUTH2_PROXY_AUTO_CREATE_USER
AzureADAUTH_TYPE=AZUREADSee AzureAD Configuration
OktaAUTH_TYPE=OKTAOKTA_DOMAIN, OKTA_CLIENT_ID, OKTA_CLIENT_SECRET
OneLoginAUTH_TYPE=ONELOGINSee OneLogin Configuration
For more details on each authentication strategy, including setup instructions and implications, refer to the respective sections.