> ## Documentation Index
> Fetch the complete documentation index at: https://docs.alginte.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Enable Alginte's optional login — username/password or OIDC — before exposing it on a network.

Authentication in Alginte is **optional and off by default**, matching its
localhost-first trust model. When Alginte is reachable by more than a single trusted
operator, turn a login on.

<Warning>
  Without a login and without a network boundary, anyone who can reach the UI has full
  control of every connected Kafka cluster. Enable a login **or** keep Alginte behind a
  reverse proxy with network allow-listing (ideally both).
</Warning>

## Username / password

The simplest option is a single form-login account, set via environment variables (no
profile required):

```shell theme={null}
docker run -p 8888:8888 \
  -e SPRING_KAFKA_BOOTSTRAPSERVERS=<kafka-host>:9092 \
  -e ALGINTE_AUTH_USERNAME=admin \
  -e ALGINTE_AUTH_PASSWORD='<a-strong-password>' \
  alginte/alginte:latest
```

With these set, Alginte presents a login screen and requires the credentials before any
cluster access.

## OIDC (single sign-on)

Alginte also supports **OpenID Connect** login against an external identity provider
(Keycloak, and other standard OIDC providers), with an **allowlist** controlling which
authenticated users are admitted. This lets you delegate identity to your existing SSO
instead of managing a local credential.

See [OIDC provider setup](/operate/oidc-setup) for the full guide: what to register
at the provider, the property block, the mandatory allowlist, per-provider
walkthroughs (Keycloak, Google, Microsoft Entra ID, Okta), reverse-proxy notes, and
troubleshooting.

## Logout

Once a login is enabled, the signed-in user is shown in the UI with a **Sign out**
action that ends the session.
