Skip to main content
Sourcebot supports a wide range of different authentication providers through it’s integration with Auth.js. This page highlights how to configure the various supported providers. If theres an authentication provider you’d like us to support, please reach out.

Core Authentication Providers

Email / Password

Email / password authentication is enabled by default. It can be disabled by setting AUTH_CREDENTIALS_LOGIN_ENABLED to false.

Email codes

Email codes are 6 digit codes sent to a provided email. Email codes are enabled when transactional emails are configured using the following environment variables:
  • AUTH_EMAIL_CODE_LOGIN_ENABLED
  • SMTP_CONNECTION_URL
  • EMAIL_FROM_ADDRESS
See transactional emails for more details.

Enterprise Authentication Providers

The following authentication providers require an enterprise license to be enabled.

GitHub

Auth.js GitHub Provider Docs Authentication using both a GitHub OAuth App and a GitHub App is supported. In both cases, you must provide Sourcebot the CLIENT_ID and SECRET_ID and configure the callback URL correctly (more info in Auth.js docs). When using a GitHub App for auth, enable the following permissions:
  • “Email addresses” account permissions (read)
  • "Metadata" repository permissions (read) (only needed if enabling permission syncing)
Required environment variables:
  • AUTH_EE_GITHUB_CLIENT_ID
  • AUTH_EE_GITHUB_CLIENT_SECRET
Optional environment variables:
  • AUTH_EE_GITHUB_BASE_URL - Base URL for GitHub Enterprise (defaults to https://github.com)

GitLab

Auth.js GitLab Provider Docs Authentication using GitLab is supported via a OAuth2.0 app installed on the GitLab instance. Follow the instructions in the GitLab docs to create an app. The callback URL should be configurd to <sourcebot_deployment_url>/api/auth/callback/gitlab, and the following scopes need to be set:
ScopeRequiredNotes
read_userYesAllows Sourcebot to read basic user information required for authentication.
read_apiConditionalRequired only when permission syncing is enabled. Enables Sourcebot to list all repositories and projects for the authenticated user.
Required environment variables:
  • AUTH_EE_GITLAB_CLIENT_ID
  • AUTH_EE_GITLAB_CLIENT_SECRET
Optional environment variables:

Google

Auth.js Google Provider Docs Required environment variables:
  • AUTH_EE_GOOGLE_CLIENT_ID
  • AUTH_EE_GOOGLE_CLIENT_SECRET

GCP IAP

If you’re running Sourcebot in an environment that blocks egress, make sure you allow the IAP IP ranges
Custom provider built to enable automatic Sourcebot account registration/login when using GCP IAP. Required environment variables
  • AUTH_EE_GCP_IAP_ENABLED
  • AUTH_EE_GCP_IAP_AUDIENCE
    • This can be found by selecting the ⋮ icon next to the IAP-enabled backend service and pressing Get JWT audience code

Okta

Auth.js Okta Provider Docs Required environment variables:
  • AUTH_EE_OKTA_CLIENT_ID
  • AUTH_EE_OKTA_CLIENT_SECRET
  • AUTH_EE_OKTA_ISSUER

Keycloak

Auth.js Keycloak Provider Docs Required environment variables:
  • AUTH_EE_KEYCLOAK_CLIENT_ID
  • AUTH_EE_KEYCLOAK_CLIENT_SECRET
  • AUTH_EE_KEYCLOAK_ISSUER

Microsoft Entra ID

Auth.js Microsoft Entra ID Provider Docs Required environment variables:
  • AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_ID
  • AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_SECRET
  • AUTH_EE_MICROSOFT_ENTRA_ID_ISSUER