authentik/website/docs/install-config/configuration/configuration.mdx

---
title: Configuration
---

This page details all the authentik configuration options that you can set via environment variables.

## About authentik configurations

:::info
The double-underscores are intentional, as all these settings are translated to YAML internally, and a double-underscore indicates the next level (a subsetting).
:::

All of these variables can be set to values, but you can also use a URI-like format to load values from other places:

- `env://<name>` Loads the value from the environment variable `<name>`. Fallback can be optionally set like `env://<name>?<default>`
- `file://<name>` Loads the value from the file `<name>`. Fallback can be optionally set like `file://<name>?<default>`

## Set your environment variables

import TabItem from "@theme/TabItem";
import Tabs from "@theme/Tabs";

<Tabs groupId="platform">
  <TabItem value="docker-compose" label="Docker Compose" default>
    If you are using Docker Compose, edit your <code>.env</code> file to append any keys that you want to add, and then run the following command to apply them:

    ```
    docker compose up -d
    ```

  </TabItem>
  <TabItem value="kubernetes" label="Kubernetes">
    If you are running in Kubernetes, edit your <code>values.yaml</code> file to append any keys that you want to add, and then run the following commands to apply:

    ```
    helm repo update
    helm upgrade --install authentik authentik/authentik -f values.yaml
    ```

  </TabItem>

</Tabs>

## Verify your configuration settings

To check if your config has been applied correctly, you can run the following command to output the full config:

<Tabs groupId="platform">
  <TabItem value="docker-compose" label="Docker Compose" default>

    ```
    docker compose run --rm worker ak dump_config
    ```

  </TabItem>
  <TabItem value="kubernetes" label="Kubernetes">

    ```
    kubectl exec -it deployment/authentik-worker -c worker -- ak dump_config
    ```

  </TabItem>

</Tabs>

## PostgreSQL Settings

authentik requires a PostgreSQL database to store its configuration and data. Below are the settings to configure the database connection.

### Connection settings

- `AUTHENTIK_POSTGRESQL__HOST`: Hostname or IP address of your PostgreSQL server.
- `AUTHENTIK_POSTGRESQL__PORT`: Port on which PostgreSQL is listening. Defaults to the standard PostgreSQL port `5432`.
- `AUTHENTIK_POSTGRESQL__USER`: Username that authentik will use to authenticate with PostgreSQL.
- `AUTHENTIK_POSTGRESQL__PASSWORD`: Password for PostgreSQL authentication. If not set, it defaults to the value of the `POSTGRES_PASSWORD` environment variable (this fallback is specific to the default Docker Compose setup).
- `AUTHENTIK_POSTGRESQL__NAME`: The name of the database for authentik to use.

:::info Hot-reloading
The `AUTHENTIK_POSTGRESQL__HOST`, `AUTHENTIK_POSTGRESQL__PORT`, `AUTHENTIK_POSTGRESQL__USER`, and `AUTHENTIK_POSTGRESQL__PASSWORD` settings support hot-reloading and can be changed without restarting authentik. However, adding or removing read replicas requires a restart.
:::

### SSL/TLS settings

Configure SSL/TLS to secure the connection to your PostgreSQL server.

- `AUTHENTIK_POSTGRESQL__SSLMODE`: Controls the SSL verification mode. Defaults to `verify-ca`.
    - `disable`: No SSL is used.
    - `allow`: Use SSL if available, but don't perform verification.
    - `prefer`: Attempt an SSL connection first, fall back to non-SSL if it fails.
    - `require`: Require an SSL connection, but without certificate verification.
    - `verify-ca`: Require SSL and verify that the server certificate is signed by a trusted CA.
    - `verify-full`: Require SSL, verify the CA, and verify that the server hostname matches the certificate.

- `AUTHENTIK_POSTGRESQL__SSLROOTCERT`: Path to the CA certificate file for verifying the server's certificate. Required for `verify-ca` and `verify-full` modes.

- `AUTHENTIK_POSTGRESQL__SSLCERT`: Path to the client SSL certificate file. Required if the PostgreSQL server is configured for mutual TLS and requires client certificates.

- `AUTHENTIK_POSTGRESQL__SSLKEY`: Path to the private key for the client certificate (`SSLCERT`).

For more details, see [Django's PostgreSQL documentation](https://docs.djangoproject.com/en/stable/ref/databases/#postgresql-connection-settings) or the [PostgreSQL documentation](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION).

### Connection management

These settings control connection persistence and behavior, which is particularly important when using a connection pooler like PgBouncer.

- `AUTHENTIK_POSTGRESQL__CONN_MAX_AGE`: The maximum age of a database connection in seconds.
    - `0` (default): Connections are closed after each request.
    - greater than `0`: Enables persistent connections, with the value defining the maximum lifetime.
    - `None`: Unlimited persistence. Use with caution, especially with connection poolers.
      See [Django's documentation on persistent connections](https://docs.djangoproject.com/en/stable/ref/databases/#persistent-connections) for more details.

- `AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECKS`: Enables health checks on persistent connections before reuse. Defaults to `false`. This helps prevent errors from stale connections that may have been terminated by the database or a pooler. See [Django's documentation](https://docs.djangoproject.com/en/stable/ref/settings/#conn-health-checks) for details.

- `AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS`: Disables server-side cursors. Defaults to `false`. Server-side cursors can improve performance for large result sets but are incompatible with connection poolers in transaction pooling mode (like PgBouncer). **Set this to `true` if you use a transaction-based pooler or encounter cursor-related errors.** See [Django's documentation](https://docs.djangoproject.com/en/stable/ref/databases/#transaction-pooling-and-server-side-cursors) for more details.

### Advanced Settings

- `AUTHENTIK_POSTGRESQL__DEFAULT_SCHEMA`

    The name of the database schema for authentik to use. Defaults to `public`.

    This can only be set before authentik is started for the first time. If you specify a custom schema, it must already exist in the database, and the user that authentik connects with must have permissions to access it. The `search_path` for the database user must also be configured to include this schema.

- `AUTHENTIK_POSTGRESQL__CONN_OPTIONS`

    Arbitrary `libpq` parameter keywords for the database connection. A list of parameter keywords can be found [in the PostgreSQL documentation](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS).
    - Parameters passed with this setting will override those passed with other settings.
    - These parameters are not applied to read replicas.
    - Parameter keywords should be formatted as a base64-encoded JSON dictionary.

### Read Replicas

You can configure additional read replica databases to distribute database load and improve performance. When read replicas are configured, authentik automatically routes query operations between the primary database (for writes) and read replica databases (for queries). By default, the primary database won't be used for queries when read replicas are available. If you want the primary database to also handle queries, add it as a read replica.

To configure authentik to use read replicas, add the settings below to your [configuration file](./configuration.mdx#set-your-environment-variables). If you have multiple read replicas, add settings for each one by using a unique index starting from `0` (e.g., `0`, `1`, `2`, etc.).

The same PostgreSQL settings as described above are used for each read replica. For example, for the first read replica (index `0`):

- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__HOST`
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__NAME`
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__USER`
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PORT`
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PASSWORD`
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLMODE`
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLROOTCERT`
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLCERT`
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLKEY`
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__CONN_MAX_AGE`
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__CONN_HEALTH_CHECKS`
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__DISABLE_SERVER_SIDE_CURSORS`
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__CONN_OPTIONS`

Additionally, you can set arbitrary connection parameters on all read replicas with:

- `AUTHENTIK_POSTGRESQL__REPLICA_CONN_OPTIONS`

    Arbitrary `libpq` parameter keywords for all read replicas database connections. A list of options can be found [in the PostgreSQL documentation](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS).
    - Parameters passed with this setting will override those passed with other settings.
    - Parameter keywords should be formatted as a base64-encoded JSON dictionary.

### Using a PostgreSQL Connection Pooler

When your PostgreSQL databases are running behind a connection pooler (like PgBouncer or PgPool), you need to adjust several settings to ensure compatibility:

- `AUTHENTIK_POSTGRESQL__CONN_MAX_AGE`:

    A connection pooler running in session pool mode (which is the default for PgBouncer) can be incompatible with unlimited persistent connections (`null` setting). When the connection from the pooler to the database is dropped, the pooler will wait for the client to disconnect before releasing the connection. However, this will _never_ happen as authentik keeps the connection indefinitely.

    To address this incompatibility, either configure the connection pooler to run in transaction pool mode or set this value lower than any timeout that might cause the connection to be dropped (down to `0` to disable persistent connections).

- `AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS`:

    When using a connection pooler in transaction pool mode (e.g., PgPool, or PgBouncer in transaction or statement pool mode), you must set this option to `true`. This is required because server-side cursors maintain state across multiple queries, which is incompatible with transaction-based pooling where connections may change between queries.

### Deprecated Settings

- `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER`: Adjusts the database configuration to support connections to a PgBouncer connection pooler. This setting is deprecated and will be removed in a future version. Instead, use the configuration described in the [Using a PostgreSQL Connection Pooler](#using-a-postgresql-connection-pooler) section.
- `AUTHENTIK_POSTGRESQL__USE_PGPOOL`: Adjusts the database configuration to support connections to a Pgpool connection pooler. This setting is deprecated and will be removed in a future version. Instead, use the configuration described in the [Using a PostgreSQL Connection Pooler](#using-a-postgresql-connection-pooler) section.

## Cache Settings

- `AUTHENTIK_CACHE__TIMEOUT`: Timeout for cached data until it expires in seconds, defaults to 300
- `AUTHENTIK_CACHE__TIMEOUT_FLOWS`: Timeout for cached flow plans until they expire in seconds, defaults to 300
- `AUTHENTIK_CACHE__TIMEOUT_POLICIES`: Timeout for cached policies until they expire in seconds, defaults to 300

## Worker settings

##### `AUTHENTIK_WORKER__PROCESSES`

Configure how many worker processes should be started for Dramatiq to use. In environments where scaling with multiple replicas of the authentik worker is not possible, this number can be increased to handle higher loads.

Defaults to 1. In environments where scaling with multiple replicas of the authentik worker is not possible, this number can be increased to handle higher loads.

##### `AUTHENTIK_WORKER__THREADS`

Configure how many Dramatiq threads are started per worker. In environments where scaling with multiple replicas of the authentik worker is not possible, this number can be increased to handle higher loads.

Defaults to 2. A value below 2 threads is not recommended, unless you have multiple worker replicas.

##### `AUTHENTIK_WORKER__CONSUMER_LISTEN_TIMEOUT`

Configure how long a worker waits for a PostgreSQL `LISTEN` notification.

Defaults to `seconds=30`.

##### `AUTHENTIK_WORKER__TASK_MAX_RETRIES`

Configure how many times a failing task will be retried before abandoning.

Defaults to 5.

##### `AUTHENTIK_WORKER__TASK_DEFAULT_TIME_LIMIT`

Configure the default duration a task can run for before it is aborted. Some tasks will override this setting based on other settings, such as LDAP source synchronization tasks.

Defaults to `minutes=10`.

##### `AUTHENTIK_WORKER__TASK_PURGE_INTERVAL`

Configure the interval at which old tasks are cleaned up.

Defaults to `days=1`.

##### `AUTHENTIK_WORKER__TASK_EXPIRATION`

Configure how long tasks are kept in the database before they are deleted.

Defaults to `days=30`.

##### `AUTHENTIK_WORKER__SCHEDULER_INTERVAL`

Configure how often the task scheduler runs.

Defaults to `seconds=60`.

## Listen Settings

##### `AUTHENTIK_LISTEN__HTTP`

List of comma-separated `address:port` values for HTTP.

Applies to the Server, the Worker, and Proxy outposts.

Defaults to `[::]:9000`.

##### `AUTHENTIK_LISTEN__HTTPS`

List of comma-separated `address:port` values for HTTPS.

Applies to the Server and Proxy outposts.

Defaults to `[::]:9443`.

##### `AUTHENTIK_LISTEN__LDAP`

List of comma-separated `address:port` values for LDAP.

Applies to LDAP outposts.

Defaults to `[::]:3389`.

##### `AUTHENTIK_LISTEN__LDAPS`

List of comma-separated `address:port` values for LDAPS.

Applies to LDAP outposts.

Defaults to `[::]:6636`.

##### `AUTHENTIK_LISTEN__METRICS`

List of comma-separated `address:port` values for Prometheus metrics.

Applies to all.

Defaults to `[::]:9300`.

##### `AUTHENTIK_LISTEN__DEBUG`

Listening address:port for Go Debugging metrics.

Applies to all, except the worker.

Defaults to `0.0.0.0:9900`.

##### `AUTHENTIK_LISTEN__DEBUG_PY`

Listening address:port for Python debugging server, see [Debugging](../../developer-docs/setup/debugging.md).

Applies to the Server and the Worker.

Defaults to `0.0.0.0:9901`.

##### `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS`

List of comma-separated CIDRs that proxy headers should be accepted from.

Applies to the Server.

Requests directly coming from one an address within a CIDR specified here are able to set proxy headers, such as `X-Forwarded-For`. Requests coming from other addresses will not be able to set these headers.

Defaults to `127.0.0.0/8`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `fe80::/10`, `::1/128`.

## Storage settings

These settings affect where files are stored. By default, they are stored on disk in the `/data` directory of the authentik container. S3 storage is also supported.

#### `AUTHENTIK_STORAGE__BACKEND`

This parameter defines where to store files. Valid values are `file` and `s3`. For `file` storage, files are stored in a `/data` directory in the container. For `s3`, see below.

Defaults to `file`.

### File storage backend settings

#### `AUTHENTIK_STORAGE__FILE__PATH`

Where to store files on disk.

Defaults to `/data`.

#### `AUTHENTIK_STORAGE__FILE__URL_EXPIRY`

How long generated URLs for file access are valid for.

Defaults to `minutes=15`.

### S3 storage backend settings

For more information on S3 storage, see [S3 storage setup](../../sys-mgmt/ops/storage-s3.md).

#### `AUTHENTIK_STORAGE__S3__REGION`

S3 region where the bucket has been created. May be omitted depending on which S3 provider you use.

Defaults to not set.

#### `AUTHENTIK_STORAGE__S3__ENDPOINT`

Endpoint to use to talk to the S3 storage provider. Overrides the previous region and use_ssl settings.

Must be a valid URL in the form of `https://s3.provider`.

Defaults to not set.

#### `AUTHENTIK_STORAGE__S3__USE_SSL`

Whether to use HTTPS when talking to the S3 storage providers.

Defaults to `true`.

#### `AUTHENTIK_STORAGE__S3__ADDRESSING_STYLE`

Configure the addressing style used to address a bucket.

Valid values are `auto` and `path`.

Defaults to `auto`.

#### `AUTHENTIK_STORAGE__S3__SIGNATURE_VERSION`

Configure the signing method used for S3 requests.

Defaults to `s3v4`.

Set to `s3` for legacy S3-compatible providers that do not support signature v4.

#### `AUTHENTIK_STORAGE__S3__SESSION_PROFILE`

Profile to use when using AWS SDK authentication.

Supports hot-reloading.

Defaults to not set.

#### `AUTHENTIK_STORAGE__S3__ACCESS_KEY`

Access key to authenticate to S3. May be omitted if using AWS SDK authentication.

Supports hot-reloading.

Defaults to not set.

#### `AUTHENTIK_STORAGE__S3__SECRET_KEY`

Secret key to authenticate to S3. May be omitted if using AWS SDK authentication.

Supports hot-reloading.

Defaults to not set.

#### `AUTHENTIK_STORAGE__S3__SECURITY_TOKEN`

Security token to authenticate to S3. May be omitted.

Supports hot-reloading.

Defaults to not set.

#### `AUTHENTIK_STORAGE__S3__BUCKET_NAME`

Name of the bucket to use to store files.

#### `AUTHENTIK_STORAGE__S3__CUSTOM_DOMAIN`

Domain to use to create URLs for users. Mainly useful for non-AWS providers.

May include a port. Must include the bucket.

Example: `s3.company:8080/authentik-data`.

Defaults to not set.

#### `AUTHENTIK_STORAGE__S3__SECURE_URLS`

Whether URLs created use HTTPS or HTTP.

Defaults to `true`.

#### `AUTHENTIK_STORAGE__S3__URL_EXPIRY`

How long generated URLs for file access are valid for.

Defaults to `minutes=15`.

### Media storage settings

These settings affect where media files are stored. Those files include applications and sources icons.

#### `AUTHENTIK_STORAGE__MEDIA__BACKEND`

Overrides [`AUTHENTIK_STORAGE__BACKEND`](#authentik_storage__backend)

#### `AUTHENTIK_STORAGE__MEDIA__FILE__[...]`

Overrides [`AUTHENTIK_STORAGE__FILE__[...]`](#file-storage-backend-settings) settings.

#### `AUTHENTIK_STORAGE__MEDIA__S3__[...]`

Overrides [`AUTHENTIK_STORAGE__S3__[...]`](#s3-storage-backend-settings) settings.

These settings affect where media files are stored. Those files include applications and sources icons. By default, they use the same storage settings as the main storage configuration. S3 storage is also supported.

### Reports storage settings

These settings affect where CSV reports are stored.

#### `AUTHENTIK_STORAGE__REPORTS__BACKEND`

Overrides [`AUTHENTIK_STORAGE__BACKEND`](#authentik_storage__backend)

#### `AUTHENTIK_STORAGE__REPORTS__FILE__[...]`

Overrides [`AUTHENTIK_STORAGE__FILE__[...]`](#file-storage-backend-settings) settings.

#### `AUTHENTIK_STORAGE__REPORTS__S3__[...]`

Overrides [`AUTHENTIK_STORAGE__S3__[...]`](#s3-storage-backend-settings) settings.

## authentik Settings

### `AUTHENTIK_SECRET_KEY`

Secret key used for cookie signing. Changing this will invalidate active sessions.

:::caution
Prior to 2023.6.0 the secret key was also used for unique user IDs. When running a pre-2023.6.0 version of authentik the key should _not_ be changed after the first install.
:::

### `AUTHENTIK_LOG_LEVEL`

Log level for the server and worker containers. Possible values: `debug`, `info`, `warning`, `error`.

Starting with 2021.12.3, you can also set the log level to `trace`. This has no effect on the core authentik server, but shows additional messages for the embedded outpost.

:::danger
Setting the log level to `trace` will include sensitive details in logs, so it shouldn't be used in most cases.

Logs generated with `trace` should be treated with care as they can give others access to your instance, and can potentially include things like session cookies to authentik **and other pages**.
:::

Defaults to `info`.

### `AUTHENTIK_COOKIE_DOMAIN`

Which domain the session cookie should be set to. By default, the cookie is set to the domain authentik is accessed under.

### `AUTHENTIK_EVENTS__CONTEXT_PROCESSORS__GEOIP`

Path to the GeoIP City database. Defaults to `/geoip/GeoLite2-City.mmdb`. If the file is not found, authentik will skip GeoIP support.

### `AUTHENTIK_EVENTS__CONTEXT_PROCESSORS__ASN`

Path to the GeoIP ASN database. Defaults to `/geoip/GeoLite2-ASN.mmdb`. If the file is not found, authentik will skip GeoIP support.

### `AUTHENTIK_DISABLE_UPDATE_CHECK`

Disable the inbuilt update-checker. Defaults to `false`.

### `AUTHENTIK_ERROR_REPORTING`

- `AUTHENTIK_ERROR_REPORTING__ENABLED`

    Enable error reporting. Defaults to `false`.

    Error reports are sent to https://sentry.io and are used for debugging and general feedback. Anonymous performance data is also sent.

- `AUTHENTIK_ERROR_REPORTING__SENTRY_DSN`

    Sets the DSN for the Sentry API endpoint.

    When error reporting is enabled, the default Sentry DSN will allow the authentik developers to receive error reports and anonymous performance data, which is used for general feedback about authentik, and in some cases, may be used for debugging purposes.

    Users can create their own hosted Sentry account (or self-host Sentry) and opt to collect this data themselves.

- `AUTHENTIK_ERROR_REPORTING__ENVIRONMENT`

    The environment tag associated with all data sent to Sentry. Defaults to `customer`.

    When error reporting has been enabled to aid in debugging issues, this should be set to a unique value, such as an email address.

- `AUTHENTIK_ERROR_REPORTING__SEND_PII`

    Whether or not to send personal data, like usernames. Defaults to `false`.

- `AUTHENTIK_ERROR_REPORTING__EXTRA_ARGS`

    Base64-encoded sentry_init arguments. See [Sentry's documentation](https://docs.sentry.io/platforms/python/configuration/options/) for available options.

### `AUTHENTIK_EMAIL`

- `AUTHENTIK_EMAIL__HOST`

    Default: `localhost`

- `AUTHENTIK_EMAIL__PORT`

    Default: `25`

- `AUTHENTIK_EMAIL__USERNAME`

    Default: `` (Don't add quotation marks)

- `AUTHENTIK_EMAIL__PASSWORD`

    Default: `` (Don't add quotation marks)

- `AUTHENTIK_EMAIL__USE_TLS`

    Default: `false`

- `AUTHENTIK_EMAIL__USE_SSL`

    Default: `false`

- `AUTHENTIK_EMAIL__TIMEOUT`

    Default: `10`

- `AUTHENTIK_EMAIL__FROM`

    Default: `authentik@localhost`

    Email address authentik will send from, should have a correct @domain

    To change the sender's display name, use a format like `Name <account@domain>`.

### `AUTHENTIK_OUTPOSTS`

- `AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE`

    Placeholders:
    - `%(type)s`: Outpost type; proxy, ldap, etc
    - `%(version)s`: Current version; 2021.4.1
    - `%(build_hash)s`: Build hash if you're running a beta version

    Placeholder for outpost docker images. Default: `ghcr.io/goauthentik/%(type)s:%(version)s`.

- `AUTHENTIK_OUTPOSTS__DISCOVER`

    Configure the automatic discovery of integrations. Defaults to `true`.

    By default, the following is discovered:
    - Kubernetes in-cluster config
    - Kubeconfig
    - Existence of a docker socket

### `AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS`

Timeout in hours for LDAP synchronization tasks.

Defaults to `2`.

### `AUTHENTIK_LDAP__PAGE_SIZE`

Page size for LDAP synchronization. Controls the number of objects created in a single task.

Defaults to `50`.

### `AUTHENTIK_LDAP__TLS__CIPHERS`

Allows configuration of TLS Ciphers for LDAP connections used by LDAP sources. Setting applies to all sources.

Defaults to `null`.

### `AUTHENTIK_REPUTATION__EXPIRY`

Configure how long reputation scores should be saved for in seconds.

Defaults to `86400`.

### `AUTHENTIK_SESSION_STORAGE`

:::info Deprecated
This setting is removed as of version 2025.4. Sessions are now exclusively stored in the database. See our [2025.4 release notes](../../releases/2025.4#sessions-are-now-stored-in-the-database) for more information.
:::

If you are running a version earlier than 2025.4, you can configure if the sessions are stored in the cache or the database. Defaults to `cache`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.

### `AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGE`:ak-version[2025.4]

Configure how long unauthenticated sessions last for. Does not impact how long authenticated sessions are valid for. See the [user login stage](../../add-secure-apps/flows-stages/stages/user_login/index.md) for session validity.

Defaults to `days=1`.

### `AUTHENTIK_WEB__WORKERS`

Configure how many gunicorn worker processes should be started (see https://docs.gunicorn.org/en/stable/design.html).

Defaults to 2. A value below 2 workers is not recommended. In environments where scaling with multiple replicas of the authentik server is not possible, this number can be increased to handle higher loads.

### `AUTHENTIK_WEB__THREADS`

Configure how many gunicorn threads a worker processes should have (see https://docs.gunicorn.org/en/stable/design.html).

Defaults to 4.

### `AUTHENTIK_WEB__MAX_REQUESTS`

The maximum number of requests a worker will process before restarting. If this is set to zero then the automatic worker restarts are disabled (see https://gunicorn.org/reference/settings/#max_requests).

Defaults to 1000.

### `AUTHENTIK_WEB__MAX_REQUESTS_JITTER`

The maximum jitter to add to the `AUTHENTIK_WEB__MAX_REQUESTS` setting (see https://gunicorn.org/reference/settings/#max_requests_jitter).

Defaults to 50.

### `AUTHENTIK_WEB__PATH`

Configure the path under which authentik is served. For example to access authentik under `https://my.domain/authentik/`, set this to `/authentik/`. Value _must_ contain both a leading and trailing slash.

Defaults to `/`.

### `AUTHENTIK_WEB__TIMEOUT_HTTP`

Configure the timeouts for the web HTTP/HTTPS Server. Accepts duration in the format of "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

- `AUTHENTIK_WEB__TIMEOUT_HTTP_READ_HEADER`

Defaults to `5s`

- `AUTHENTIK_WEB__TIMEOUT_HTTP_READ`

Defaults to `30s`

- `AUTHENTIK_WEB__TIMEOUT_HTTP_WRITE`

Defaults to `60s`

- `AUTHENTIK_WEB__TIMEOUT_HTTP_IDLE`

Defaults to `120s`

## Advanced settings

##### `AUTHENTIK_SKIP_MIGRATIONS`

Whether to skip running migrations on starting authentik. This is destined to advanced setups and not recommended in normal use.

Defaults to `false`.

## System settings

Additional [system settings](../../sys-mgmt/settings.md) are configurable using the Admin interface, under **System** > **Settings** or using the API.

## Custom python settings

To modify additional settings further than the options above allow, you can create a custom Python file and mount it to `/data/user_settings.py`. This file will be loaded on startup by both the server and the worker. All default settings are [here](https://github.com/goauthentik/authentik/blob/main/authentik/root/settings.py)

:::caution
Using these custom settings is not supported and can prevent your authentik instance from starting. Use with caution.
:::