Docker
ghcr.io/eugenioenko/autentico:latestThe image is a minimal Linux container with just the autentico binary. All configuration is via environment variables.
docker run -d \ --name autentico \ -p 9999:9999 \ -v autentico-data:/data \ -e AUTENTICO_APP_URL=https://auth.example.com \ -e AUTENTICO_DB_FILE_PATH=/data/autentico.db \ -e AUTENTICO_PRIVATE_KEY="<base64-encoded-pem>" \ -e AUTENTICO_CSRF_SECRET_KEY=changeme-at-least-32-chars \ -e AUTENTICO_ACCESS_TOKEN_SECRET=changeme-at-least-32-chars \ -e AUTENTICO_REFRESH_TOKEN_SECRET=changeme-at-least-32-chars \ ghcr.io/eugenioenko/autentico:latestMount the /data volume to persist the SQLite database across container restarts. The RSA private key is passed via the AUTENTICO_PRIVATE_KEY environment variable — generate it once with autentico init and store it in your secrets manager.
Environment variables
Section titled “Environment variables”All configuration is done via Bootstrap Settings. The most important ones:
| Variable | Required | Notes |
|---|---|---|
AUTENTICO_APP_URL | Yes | Public-facing URL, used in OIDC discovery and redirects |
AUTENTICO_DB_FILE_PATH | Yes | Path to SQLite database file inside the container |
AUTENTICO_PRIVATE_KEY | Yes | Base64-encoded RSA private key PEM; generated by autentico init |
AUTENTICO_CSRF_SECRET_KEY | Yes | At least 32 random characters |
AUTENTICO_ACCESS_TOKEN_SECRET | Yes | At least 32 random characters |
AUTENTICO_REFRESH_TOKEN_SECRET | Yes | At least 32 random characters |
AUTENTICO_APP_LISTEN_PORT | No | Defaults to 9999 |
AUTENTICO_ENABLE_CORS | No | Set to true if your SPA frontend is on a different origin |
Health check
Section titled “Health check”Autentico exposes /.well-known/openid-configuration which returns 200 and can be used as a health check:
HEALTHCHECK --interval=30s --timeout=5s \ CMD wget -qO- http://localhost:9999/.well-known/openid-configuration || exit 1Autentico logs structured HTTP access logs to stdout. Collect them with your Docker logging driver or forward to a log aggregator.