Binary Deployment
The binary is the simplest deployment option — a single executable with no runtime dependencies. Suitable for VMs, bare metal, or any environment where containers aren’t preferred.
Basic setup
- Download the binary for your platform from the GitHub Releases page and install it. See Installation for platform-specific download commands.

- Create a .env file with your Bootstrap Settings:

  ```bash
  AUTENTICO_APP_URL=https://auth.example.com
  AUTENTICO_DB_FILE_PATH=/var/lib/autentico/autentico.db
  AUTENTICO_COOKIE_SECRET=<random-32+-char-string>
  AUTENTICO_ADMIN_TOKEN=<secure-admin-token>
  ```

- Start Autentico:

  ```bash
  autentico start
  ```

  The server reads its .env from the current directory, or from the path in AUTENTICO_ENV_FILE.
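
A pre-flight check for the .env file from the steps above, as an added example that is not part of Autentico or its documentation. The variable names come from this page; the function names and the checks themselves (file mode, HTTPS URL, leftover placeholders) are assumptions about good practice, not behaviour the server enforces.

```shell
#!/bin/sh
# Added example: pre-flight check for an Autentico .env file.
# Variable names are from the page; the checks are assumed good practice,
# not behaviour that Autentico itself enforces.

# Print the value of KEY ($1) in FILE ($2); the last assignment wins.
env_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Print one FAIL line per problem; return 0 if clean, 1 otherwise.
check_autentico_env() {
    file=$1
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    [ -f "$file" ] || { echo "FAIL: $file not found"; return 1; }

    # The file holds secrets: no access for group or others.
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $mode in
        *00) ;;
        *) fail "$file has mode $mode, expected 600 or stricter" ;;
    esac

    # The page's example uses an https:// public URL; flag anything else.
    case $(env_get AUTENTICO_APP_URL "$file") in
        https://*) ;;
        *) fail "AUTENTICO_APP_URL is not an https:// URL" ;;
    esac

    secret=$(env_get AUTENTICO_COOKIE_SECRET "$file")
    [ "${#secret}" -ge 32 ] || fail "AUTENTICO_COOKIE_SECRET is under 32 characters"

    # Catch values copied verbatim from the documentation template.
    for key in AUTENTICO_COOKIE_SECRET AUTENTICO_ADMIN_TOKEN; do
        case $(env_get "$key" "$file") in
            ''|'<'*'>') fail "$key is empty or still a <placeholder>" ;;
        esac
    done

    [ -n "$(env_get AUTENTICO_DB_FILE_PATH "$file")" ] || fail "AUTENTICO_DB_FILE_PATH is not set"

    [ "$problems" -eq 0 ]
}
```

Source the file and call `check_autentico_env /opt/autentico/.env` (or whichever path you use) before starting the server; a non-zero exit status means at least one FAIL line was printed.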
Running as a systemd service
Create /etc/systemd/system/autentico.service:

```ini
[Unit]
Description=Autentico OIDC Identity Provider
After=network.target

[Service]
Type=simple
User=autentico
WorkingDirectory=/opt/autentico
ExecStart=/usr/local/bin/autentico start
EnvironmentFile=/opt/autentico/.env
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
```

Then:

```bash
sudo systemctl daemon-reload
sudo systemctl enable --now autentico
sudo systemctl status autentico
```

Data directory
Autentico writes one persistent file:
| File | Purpose |
|---|---|
| autentico.db (path from AUTENTICO_DB_FILE_PATH) | SQLite database — all users, clients, sessions, settings |
The RSA private key is passed as the AUTENTICO_PRIVATE_KEY environment variable (a base64-encoded PEM string). It is not written to disk. Store it in your secrets manager or .env file alongside your other bootstrap secrets.
Back up the database file. Use sqlite3 .backup for a hot backup while the server is running.
Reverse proxy
Autentico listens on HTTP — put it behind a TLS-terminating reverse proxy (nginx, Caddy, Traefik) before exposing it to the internet. See Reverse Proxy.