
Docker Compose

The following docker-compose.yml runs Autentico with persistent data storage. Add a reverse proxy service (Caddy, nginx, Traefik) in the same compose file for TLS termination.

```yaml
services:
  autentico:
    image: ghcr.io/eugenioenko/autentico:latest
    restart: unless-stopped
    ports:
      - "127.0.0.1:9999:9999" # bind to localhost only — proxy handles TLS
    volumes:
      - autentico-data:/data
    environment:
      # Public URL — used in OIDC discovery, token issuer, and redirect validation
      AUTENTICO_APP_URL: https://auth.example.com
      # Database persistence
      AUTENTICO_DB_FILE_PATH: /data/autentico.db
      # Secrets — use Docker secrets or an env file in production
      # AUTENTICO_PRIVATE_KEY is a base64-encoded RSA PEM generated by `autentico init`
      AUTENTICO_PRIVATE_KEY: changeme-replace-with-base64-encoded-pem
      AUTENTICO_CSRF_SECRET_KEY: changeme-generate-a-random-32-char-string
      AUTENTICO_ACCESS_TOKEN_SECRET: changeme-generate-a-random-32-char-string
      AUTENTICO_REFRESH_TOKEN_SECRET: changeme-generate-a-random-32-char-string
      # Optional: SMTP for email OTP MFA
      # AUTENTICO_SMTP_HOST: smtp.example.com
      # AUTENTICO_SMTP_PORT: 587
      # AUTENTICO_SMTP_USERNAME: auth@example.com
      # AUTENTICO_SMTP_PASSWORD: your-smtp-password
      # AUTENTICO_SMTP_FROM: auth@example.com

volumes:
  autentico-data:
```

Do not commit secrets in docker-compose.yml. Use one of:

  • Docker secrets (secrets: block) — available in Swarm mode
  • .env file — place next to docker-compose.yml, add to .gitignore
  • External secret manager — Vault, AWS Secrets Manager, etc., injected at deploy time
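As an added example (not from the Autentico docs), the POSIX shell script below generates the three random secrets into a `.env` file next to `docker-compose.yml` and runs a pre-flight check that refuses any value still set to a `changeme` placeholder or shorter than 32 characters. It assumes the compose file references the values as `${AUTENTICO_CSRF_SECRET_KEY}` and so on, and it leaves `AUTENTICO_PRIVATE_KEY` for you to paste from the output of `autentico init`.

```shell
#!/usr/bin/env sh
# Added example, not Autentico's own tooling: write secrets to .env and
# verify them before `docker compose up`.
set -eu

# 32 random bytes, hex-encoded -> 64 characters, comfortably above 32.
gen_secret() {
    od -An -tx1 -N 32 /dev/urandom | tr -d ' \n'
}

# Write .env with mode 0600 (umask in a subshell so the caller's umask is kept).
# AUTENTICO_PRIVATE_KEY stays a placeholder: fill it from `autentico init`.
write_env() {
    env_file="$1"
    (
        umask 077
        cat > "$env_file" <<EOF
AUTENTICO_CSRF_SECRET_KEY=$(gen_secret)
AUTENTICO_ACCESS_TOKEN_SECRET=$(gen_secret)
AUTENTICO_REFRESH_TOKEN_SECRET=$(gen_secret)
# Paste the base64-encoded PEM printed by autentico init here:
AUTENTICO_PRIVATE_KEY=changeme-replace-with-base64-encoded-pem
EOF
    )
}

# Pre-flight check: returns 1 if any secret is missing, still a "changeme"
# placeholder, or shorter than 32 characters; prints the offending names.
check_env() {
    env_file="$1"
    rc=0
    for name in AUTENTICO_PRIVATE_KEY AUTENTICO_CSRF_SECRET_KEY \
                AUTENTICO_ACCESS_TOKEN_SECRET AUTENTICO_REFRESH_TOKEN_SECRET; do
        value=$(grep "^$name=" "$env_file" | head -n1 | cut -d= -f2-)
        case "$value" in
            "" | changeme*)
                echo "$name: unset or placeholder" >&2; rc=1 ;;
            *)
                if [ "${#value}" -lt 32 ]; then
                    echo "$name: shorter than 32 characters" >&2; rc=1
                fi ;;
        esac
    done
    return $rc
}
```

Compose reads `.env` from the project directory automatically, so the service block can carry `AUTENTICO_CSRF_SECRET_KEY: ${AUTENTICO_CSRF_SECRET_KEY}` instead of a literal value, and `.env` goes in `.gitignore`.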
Pull the image and start the stack:

```sh
docker compose pull
docker compose up -d
```

Autentico applies any new database migrations automatically at startup. Back up the SQLite database volume before upgrading.

Add a Caddy service under `services:` in the same compose file, and merge `caddy-data` into the existing top-level `volumes:` block rather than adding a second `volumes:` key:

```yaml
  caddy:
    image: caddy:2-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy-data:/data
    depends_on:
      - autentico

volumes:
  caddy-data:
```

Caddyfile:

```
auth.example.com {
    reverse_proxy autentico:9999
}
```

Caddy handles TLS automatically via Let’s Encrypt.