Authentication
Aicser EE supports three authentication modes. You can enable more than one simultaneously.
Built-in JWT auth (default)
No extra configuration is needed; this mode is active by default. Aicser signs JWT tokens with SECRET_KEY. Sessions expire after JWT_EXPIRY_SECONDS (default: 7 days, 604800 seconds).
Supabase auth
Supabase provides email/password, magic links, and OAuth providers (Google, GitHub, etc.).
Setup
- Create a project at supabase.com
- Go to Project Settings → API and copy the Project URL, service role key, and anon key
- Set in deploy/.env:
SUPABASE_URL=https://your-project-ref.supabase.co
SUPABASE_SERVICE_ROLE_KEY=your-service-role-key
NEXT_PUBLIC_SUPABASE_URL=https://your-project-ref.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key
NEXT_PUBLIC_* values are Docker build args — rebuild the client after changing them:
cd deploy && make ee-recreate
Keycloak SSO
Keycloak provides enterprise SSO with LDAP/Active Directory, SAML, and OIDC.
Setup
- Deploy Keycloak (or use an existing instance)
- Create a realm and a client for Aicser
- Set in deploy/.env:
KEYCLOAK_URL=https://your-keycloak.example.com
KEYCLOAK_REALM=your-realm-name
KEYCLOAK_CLIENT_ID=aicser
NEXT_PUBLIC_KEYCLOAK_URL=https://your-keycloak.example.com
NEXT_PUBLIC_KEYCLOAK_REALM=your-realm-name
NEXT_PUBLIC_KEYCLOAK_CLIENT_ID=aicser
Rebuild the client after setting NEXT_PUBLIC_* values:
cd deploy && make ee-recreate
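A check to run on deploy/.env before rebuilding, covering the Supabase and Keycloak variables set above; this is an added example, not Aicser's own code. Its rules are assumptions of the example: each NEXT_PUBLIC_* build arg should equal its server-side counterpart, SECRET_KEY (assumed to live in the same file) and SUPABASE_SERVICE_ROLE_KEY must not appear in any NEXT_PUBLIC_* value because those are built into the client, and URLs should use https.

```python
import re

# Server-side names whose NEXT_PUBLIC_<name> build arg must carry the same value.
MIRRORED = ("SUPABASE_URL", "KEYCLOAK_URL", "KEYCLOAK_REALM", "KEYCLOAK_CLIENT_ID")
SERVER_SECRETS = ("SECRET_KEY", "SUPABASE_SERVICE_ROLE_KEY")  # must stay server-side
ENV_LINE = re.compile(r"\s*(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")

def parse_env(text):
    """Parse KEY=VALUE lines; comment and blank lines do not match and are skipped."""
    pairs = (ENV_LINE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip("'\"") for m in pairs if m}

def check_env(text):
    """Return a list of findings for the contents of a deploy/.env file."""
    env, findings = parse_env(text), []
    for server in MIRRORED:
        client = "NEXT_PUBLIC_" + server
        if (server in env or client in env) and env.get(server) != env.get(client):
            findings.append(f"{client} does not match {server}")
    for name, value in env.items():
        if name.endswith("_URL") and not value.startswith("https://"):
            findings.append(f"{name} is not an https:// URL")
        if re.search(r"your-|example\.com", value):  # template text left in place
            findings.append(f"{name} still holds a placeholder value")
        if name.startswith("NEXT_PUBLIC_"):
            for secret in SERVER_SECRETS:
                if env.get(secret) and value == env[secret]:
                    findings.append(f"{name} exposes {secret} in the client build")
    if not re.fullmatch(r"[1-9][0-9]*", env.get("JWT_EXPIRY_SECONDS", "604800")):
        findings.append("JWT_EXPIRY_SECONDS is not a positive integer")
    return findings

# Constructed sample, not a real deployment: the service role key pasted into the
# anon-key build arg, a plain-http Keycloak URL, and a realm that differs.
SAMPLE_BAD = """\
SUPABASE_SERVICE_ROLE_KEY=constructed-service-role-value
NEXT_PUBLIC_SUPABASE_ANON_KEY=constructed-service-role-value
KEYCLOAK_URL=http://sso.internal.test
NEXT_PUBLIC_KEYCLOAK_URL=http://sso.internal.test
KEYCLOAK_REALM=staff
NEXT_PUBLIC_KEYCLOAK_REALM=master
"""

if __name__ == "__main__":
    for finding in check_env(SAMPLE_BAD):
        print("FAIL:", finding)
```

To check a real file, pass its contents to check_env and treat a non-empty result as a reason not to run make ee-recreate yet.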