auths
Classes
SigninResponse
Bases: Token, UserProfileImageResponse
Response model for sign-in operations, containing the token and user profile.
- Code Reference routers auths Classes AuthsClient Functions add_user
SigninForm
Bases: BaseModel
Form data for user sign-in.
- Code Reference routers auths Classes AuthsClient Functions signin
LdapForm
Bases: BaseModel
Form data for LDAP sign-in.
- Code Reference routers auths Classes AuthsClient Functions signin_ldap
SignupForm
Bases: BaseModel
Form data for user sign-up.
- Code Reference models auths Classes AddUserForm
- Code Reference routers auths Classes AuthsClient Functions signup
AddUserForm
Bases: SignupForm
Form data for adding a new user (admin only).
- Code Reference routers auths Classes AuthsClient Functions add_user
SessionUserResponse
Bases: Token, UserProfileImageResponse
Response model for the current session user.
- Code Reference routers auths Classes AuthsClient Functions
- Code Reference models auths Classes SessionUserInfoResponse
Attributes
expires_at
The timestamp when the session expires (in epoch seconds).
permissions
The user's permissions.
Dict Fields
workspace(dict, required): Workspace-related permissionsmodels(bool, required): Access to models in workspaceknowledge(bool, required): Access to knowledge in workspaceprompts(bool, required): Access to prompts in workspacetools(bool, required): Access to tools in workspacemodels_import(bool, required): Permission to import modelsmodels_export(bool, required): Permission to export modelsprompts_import(bool, required): Permission to import promptsprompts_export(bool, required): Permission to export promptstools_import(bool, required): Permission to import toolstools_export(bool, required): Permission to export tools
sharing(dict, required): Sharing-related permissionsmodels(bool, required): Permission to share modelspublic_models(bool, required): Permission to share models publiclyknowledge(bool, required): Permission to share knowledgepublic_knowledge(bool, required): Permission to share knowledge publiclyprompts(bool, required): Permission to share promptspublic_prompts(bool, required): Permission to share prompts publiclytools(bool, required): Permission to share toolspublic_tools(bool, required): Permission to share tools publiclynotes(bool, required): Permission to share notespublic_notes(bool, required): Permission to share notes publicly
chat(dict, required): Chat-related permissionscontrols(bool, required): Access to chat controlsvalves(bool, required): Access to chat valvessystem_prompt(bool, required): Access to system prompt configurationparams(bool, required): Access to chat parametersfile_upload(bool, required): Permission to upload filesdelete(bool, required): Permission to delete chatsdelete_message(bool, required): Permission to delete messagescontinue_response(bool, required): Permission to continue responsesregenerate_response(bool, required): Permission to regenerate responsesrate_response(bool, required): Permission to rate responsesedit(bool, required): Permission to edit chatsshare(bool, required): Permission to share chatsexport(bool, required): Permission to export chatsstt(bool, required): Permission to use speech-to-texttts(bool, required): Permission to use text-to-speechcall(bool, required): Permission to make callsmultiple_models(bool, required): Permission to use multiple modelstemporary(bool, required): Permission to use temporary chatstemporary_enforced(bool, required): Enforced temporary chat usage
features(dict, required): Feature-related permissionsapi_keys(bool, required): Access to API keys featurenotes(bool, required): Access to notes featurefolders(bool, required): Access to folders featurechannels(bool, required): Access to channels featuredirect_tool_servers(bool, required): Access to direct tool serversweb_search(bool, required): Access to web search featureimage_generation(bool, required): Access to image generation featurecode_interpreter(bool, required): Access to code interpreter feature
SessionUserInfoResponse
Bases: SessionUserResponse, UserStatus
Detailed response model for the current session user, including status and profile details.
- Code Reference routers auths Classes AuthsClient Functions get_session_user
UpdatePasswordForm
Bases: BaseModel
Form data for updating the user's password.
- Code Reference routers auths Classes AuthsClient Functions update_password
UpdateTimezoneForm
Bases: BaseModel
Form data for updating user timezone.
- Code Reference routers auths Classes AuthsClient Functions update_timezone
SignoutResponse
Bases: BaseModel
Response model for sign-out operations.
- Code Reference routers auths Classes AuthsClient Functions sign_out
AdminConfig
Bases: BaseModel
Configuration settings for the admin.
- Code Reference routers auths Classes AuthsClient Functions
- Code Reference routers auths Classes AuthsClient Functions update_admin_config
Attributes
ENABLE_API_KEYS_ENDPOINT_RESTRICTIONS
Whether to restrict API key usage to specific endpoints.
API_KEYS_ALLOWED_ENDPOINTS
Comma-separated list of allowed endpoints for API keys.
FOLDER_MAX_FILE_COUNT
Maximum number of files allowed in a folder.
AUTOMATION_MAX_COUNT
Maximum number of automations allowed per user.
AUTOMATION_MIN_INTERVAL
Minimum interval (in seconds) between automation executions.
PENDING_USER_OVERLAY_TITLE
Title for the overlay shown to pending users.
PENDING_USER_OVERLAY_CONTENT
Content for the overlay shown to pending users.
AdminDetails
Bases: BaseModel
Details of the admin user.
- Code Reference routers auths Classes AuthsClient Functions get_admin_details
LdapServerConfig
Bases: BaseModel
Configuration for the LDAP server.
- Code Reference routers auths Classes AuthsClient Functions
- Code Reference routers auths Classes AuthsClient Functions update_ldap_server
Attributes
LdapConfigForm
Bases: BaseModel
Form data for updating LDAP configuration status.
- Code Reference routers auths Classes AuthsClient Functions update_ldap_config
LdapConfigResponse
Bases: BaseModel
Response model for LDAP configuration status.
- Code Reference routers auths Classes AuthsClient Functions
OAuthConfigForm
Bases: BaseModel
All OAuth/OIDC provider settings exposed to the admin Authentication page.
Every field is optional so partial updates are accepted by
AuthsClient.update_oauth_config; omitted fields are left unchanged.
Values are persisted under the oauth.* config namespace. Comma-list
fields (OAUTH_ALLOWED_DOMAINS, OAUTH_ADMIN_ROLES, OAUTH_ALLOWED_ROLES)
are returned as a comma-joined string and accepted back the same way.
Persistence caveat: unless the backend runs with
ENABLE_OAUTH_PERSISTENT_CONFIG=true, reads of oauth.* keys return
compiled/env defaults and writes are not reflected on read.
- Code Reference routers auths Classes AuthsClient Functions
- Code Reference routers auths Classes AuthsClient Functions update_oauth_config
Attributes
ENABLE_OAUTH_SIGNUP
Allow new users to sign up via OAuth/OIDC.
OAUTH_MERGE_ACCOUNTS_BY_EMAIL
Auto-link OAuth logins to existing local accounts with a matching email.
OAUTH_AUTO_REDIRECT
Auto-redirect users to the OAuth provider on load (skip the login page).
OAUTH_ALLOWED_DOMAINS
Comma-separated email domains permitted to sign in (* = all).
OAUTH_BLOCKED_GROUPS
JSON array (as a string) of provider group names blocked from sign-in.
ENABLE_OAUTH_ROLE_MANAGEMENT
Enable mapping provider roles/groups to Open WebUI roles.
OAUTH_ROLES_CLAIM
JWT claim name carrying role/group info (default roles).
OAUTH_ADMIN_ROLES
Comma-separated role/group names that grant the admin role (default admin).
OAUTH_ALLOWED_ROLES
Comma-separated role/group names permitted to sign in.
ENABLE_OAUTH_GROUP_MANAGEMENT
Map provider groups to Open WebUI groups on login.
ENABLE_OAUTH_GROUP_CREATION
Allow creating Open WebUI groups for provider groups that don't yet exist.
OAUTH_GROUP_CLAIM
JWT claim name carrying group membership (default groups).
OAUTH_GROUP_DEFAULT_SHARE
Default access for auto-created groups: True (public), False (private), or 'members'.
OAUTH_PROVIDER_NAME
Display name for the SSO provider shown in the UI (default SSO).
OPENID_PROVIDER_URL
OIDC issuer /.well-known/openid-configuration discovery URL.
OAUTH_CLIENT_ID
OAuth/OIDC client ID registered with the provider.
OAUTH_CLIENT_SECRET
OAuth/OIDC client secret registered with the provider.
OPENID_REDIRECT_URI
Redirect URI registered with the provider for the authorization callback.
OAUTH_SCOPES
Space-separated scopes requested during login (default openid email profile).
OAUTH_CODE_CHALLENGE_METHOD
PKCE code challenge method; S256 is the supported value when used.
OAUTH_TOKEN_ENDPOINT_AUTH_METHOD
Token endpoint auth method (e.g. client_secret_post, client_secret_basic).
OPENID_END_SESSION_ENDPOINT
Provider end-session URL used for RP-initiated logout.
OAUTH_TIMEOUT
HTTP timeout (seconds) for the login OAuth flow; empty string disables it.
OAUTH_CLIENT_TIMEOUT
HTTP timeout (seconds) for OAuth client operations (e.g. MCP tool servers); empty disables it.
OAUTH_EMAIL_CLAIM
JWT claim name for the user email (default email).
OAUTH_USERNAME_CLAIM
JWT claim name for the username/display name (default name).
OAUTH_PICTURE_CLAIM
JWT claim name for the avatar/picture URL (default picture).
OAUTH_SUB_CLAIM
JWT claim name for the subject identifier (default sub).
OAUTH_AUDIENCE
Audience (aud) value sent to the provider, e.g. an API/resource identifier.
OAUTH_UPDATE_EMAIL_ON_LOGIN
Overwrite the local user's email with the provider value on each login.
OAUTH_UPDATE_NAME_ON_LOGIN
Overwrite the local user's name with the provider value on each login.
OAUTH_UPDATE_PICTURE_ON_LOGIN
Overwrite the local user's avatar with the provider value on each login.
ApiKey
Bases: BaseModel
API Key model.
- Code Reference routers auths Classes AuthsClient Functions
TokenExchangeForm
Bases: BaseModel
Form data for OAuth token exchange.
Used to exchange an external OAuth provider's access token for an Open WebUI JWT.
- Code Reference routers auths Classes AuthsClient Functions token_exchange