---
title: Integrate with Beszel
sidebar_label: Beszel
support_level: community
---

## What is Beszel

> Beszel is a lightweight server monitoring platform that provides Docker statistics, historical data, and configurable alerts.
> It features a user-friendly web interface, supports multi-user management, OAuth authentication, and offers a REST API for integration with other applications.
> Designed for simplicity, Beszel is easy to set up and operates efficiently without requiring public internet exposure.
>
> -- https://beszel.dev/
>
> This guide explains how to configure Beszel to use authentik as the OAuth provider for logging in to the Web GUI.

## Preparation

- `beszel.company` is the FQDN of the Beszel installation.
- `authentik.company` is the FQDN of the authentik installation.

:::info

This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.

:::

## authentik configuration

The steps to configure authentik include creating an email verification scope mapping, creating an application and provider pair in authentik, obtaining the Client ID and Client Secret values, setting the redirect URI, and selecting a signing key.

### Create an email verification scope mapping in authentik

Beszel requires the email scope to return a value of `email_verified: True`. As of [authentik 2025.10](/docs/releases/2025/v2025.10.md#default-oauth-scope-mappings) the default behavior is to return `email_verified: False`, so a custom scope mapping is required for Beszel to allow authentication.

Refer to [Email scope verification](/docs/add-secure-apps/providers/oauth2/index.mdx#email-scope-verification) for instructions on how to create the required custom scope mapping.

### Create an application and provider in authentik

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)

- **Application**: provide a descriptive name (`Beszel`), a slug (`beszel`), an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: OAuth2/OpenID
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any required configurations.
    - Note the **Client ID** and **Client Secret** values because they will be required later.
    - Set a `Strict` redirect URI to `https://beszel.company/api/oauth2-redirect`.
    - Select any available signing key.
    - **Advanced protocol settings** > **Scopes**:
        - Add `OAuth Mapping: OpenID 'email' with "email_verified"` to the **Selected Scopes**.
        - Remove the `authentik default OAuth Mapping: OpenID 'email'` scope.
- **Configure Bindings** _(optional):_ you can create a [binding](https://docs.goauthentik.io/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user’s **My applications** page.

3. Click **Submit** to save the new application and provider.

:::info
Beszel uses PocketBase as its server backend, and when you install Beszel you automatically get PocketBase as part of Beszel, so you do not need to separately [integrate PocketBase](../../platforms/pocketbase/index.md).
:::

## Beszel configuration

1. Sign in to Beszel and access the superusers dashboard by navigating to `https://beszel.company/\_/#/settings`.
2. Toggle off **Hide collection create and edit controls**, then click the **Save changes** button.
3. Open the **users** collection by clicking the **Collections** icon on the sidebar or head to `https://beszel.company/\_/#/collections?collection=pb_users_auth`.
4. Click the gear icon next to the collection's name, then select the **Options** tab in the popup on the right.
5. Enable the **OAuth2** authentication method by clicking the **OAuth2** tab and toggling **Enable**.
6. Click **+ Add provider**, then select **OpenID Connect**.
7. Enter the following details from the authentik provider:
    - Set **Client ID** to the Client ID copied from authentik.
    - Set **Client secret** to the Client Secret copied from authentik.
    - Set **Display name** to `authentik`.
    - Set **Auth URL** to `https://authentik.company/application/o/authorize/`.
    - Set **Token URL** to `https://authentik.company/application/o/token/`.
    - Make sure **Fetch user info from** is set to `User info URL`, then set **User info URL** to `https://authentik.company/application/o/userinfo/`

## Test the login

- Open your web browser and go to: `https://beszel.company`.
- Click **authentik** to log in.
- You should be redirected to authentik (following the login flow you configured). After logging in, authentik will redirect you back to `https://beszel.company`.
- If you successfully return to the Beszel WebGUI, the login is working correctly.

## User Creation

1. Manually Creating Users:
    - Users are not created automatically when logging in with authentik. The owner must manually create each user in Beszel.
    - To create users, go to the System Settings where you configured OpenID Connect.
    - The URL for user creation is: `https://beszel.company/\_/#/collections?collection=pb_users_auth`.
    - Click **+ New record** and enter the user's **email** (must match the authentik email address).

2. Automatically Creating Users:
    - Set the following environment variable: **USER_CREATION=true**
    - Depending on your deployment method, you can set this as a Docker environment variable or in the systemd service file.