- You cannot change an existing installation from basic auth mode to OAuth with PKCE (deprecated) or vice versa - installations must be either one or the other. A basic auth installation requires a completely fresh installation including a separate PostgreSQL database/schema, unless migrating from an existing
Nonetype installation (see below). - Users must be given their initial auto-generated password once they are invited. This password may be changed later by any Organization Admin.
- You cannot use both basic auth and OAuth with client secret at the same time.
Requirements and features
- There is a single
Defaultorganization that is provisioned during initial installation, and creating additional organizations is not supported - Your initial password (configured below) must be least 12 characters long and have at least one lowercase, uppercase, and symbol
- There are no strict requirements for the secret used for signing JWTs, but we recommend securely generating a string of at least 32 characters. For example:
openssl rand -base64 32
Migrating from none auth
Only supported in versions 0.7 and above. Migrating an installation from None auth mode replaces the single “default” user with a user with the configured credentials and keeps all existing resources. The single pre-existing workspace ID post-migration remains00000000-0000-0000-0000-000000000000, but everything else about the migrated installation is standard for a basic auth installation.
To migrate, simply update your configuration as shown below and run helm upgrade as usual.
Configuration
Changing the JWT secret will log out your users
Helm
initialOrgAdminEmail and initialOrgAdminPassword values, and your user will be auto-provisioned with role Organization Admin. See the admin guide for more details on organization roles.

Connect these docs to Claude, VSCode, and more via MCP for real-time answers.

