Automated install

To install authentik automatically (skipping the Out-of-box experience), you can use the following environment variables on the worker container:

AUTHENTIK_BOOTSTRAP_PASSWORD_HASH

Configure the default password for the akadmin user using a pre-hashed password. Only read on the first startup.

To generate a hash, run this command before your initial deployment:

docker compose run --rm server hash_password 'your-password'

Escaping $ in Docker Compose

Password hashes contain $ characters which Docker Compose interprets as variable references.

In .env files, use single quotes to prevent interpolation:

AUTHENTIK_BOOTSTRAP_PASSWORD_HASH='pbkdf2_sha256$1000000$xKKFuYtJEE27km09BD49x2$4+Z6j3utmouPF5mik0Z21L2P0og5IlmMmIJ46Tj3zCM='

In docker-compose.yml (inline environment), escape each $ with $$:

services:
  worker:
    environment:
      AUTHENTIK_BOOTSTRAP_PASSWORD_HASH: "pbkdf2_sha256$$1000000$$xKKFuYtJEE27km09BD49x2$$4+Z6j3utmouPF5mik0Z21L2P0og5IlmMmIJ46Tj3zCM="

See the Docker Compose documentation on .env file interpolation and Compose file interpolation for details.
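
An added example (not from the authentik documentation) for checking that a hash survived the escaping described above: it validates the four $-separated fields of the value the container actually receives and can verify a password against it. It assumes the value follows Django's PBKDF2 encoding, as the pbkdf2_sha256$iterations$salt$digest shape of the sample suggests; the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import List, Optional

def make_hash(password: str, salt: str, iterations: int) -> str:
    """Build a constructed sample in the algorithm$iterations$salt$digest layout."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode()}"

def escape_for_compose_yaml(value: str) -> str:
    """Double every $ for an inline `environment:` entry in docker-compose.yml."""
    return value.replace("$", "$$")

def check_hash(value: str, password: Optional[str] = None) -> List[str]:
    """Return the problems found in a received hash; an empty list means intact."""
    parts = value.split("$")
    if len(parts) != 4:
        return [f"expected 4 '$'-separated fields, got {len(parts)}"]
    algorithm, iterations, salt, digest = parts
    problems = []
    if algorithm != "pbkdf2_sha256":
        problems.append(f"unexpected algorithm {algorithm!r}")
    if not (iterations.isascii() and iterations.isdigit()):
        problems.append("iteration count is not a number")
    if not salt:
        problems.append("salt is empty")
    try:
        raw = base64.b64decode(digest, validate=True)
    except ValueError:
        raw = b""
    if len(raw) != 32:  # SHA-256 output size
        problems.append("digest is not 32 base64-encoded bytes")
    if problems or password is None:
        return problems
    # Recompute PBKDF2-HMAC-SHA256 and compare in constant time.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iterations))
    if not hmac.compare_digest(dk, raw):
        problems.append("password does not match hash")
    return problems

if __name__ == "__main__":
    # Constructed values; a low iteration count keeps the demo fast.
    good = make_hash("constructed-password", "constructedsalt", 1000)
    print(check_hash(good, "constructed-password"))   # intact
    print(check_hash(escape_for_compose_yaml(good)))  # literal $$ reached the container
    print(check_hash(good.replace("$constructedsalt", "$")))  # a field was lost
```

Run the check against the value printed by the container's environment rather than the value in your file, since that is the string authentik reads on first startup.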

AUTHENTIK_BOOTSTRAP_PASSWORD

warning

This option stores plaintext passwords in environment variables. Use AUTHENTIK_BOOTSTRAP_PASSWORD_HASH instead.

Configure the default password for the akadmin user. Only read on the first startup.

Setting both AUTHENTIK_BOOTSTRAP_PASSWORD and AUTHENTIK_BOOTSTRAP_PASSWORD_HASH will result in an error.

AUTHENTIK_BOOTSTRAP_TOKEN

Create a token for the default akadmin user. Only read on the first startup. The string you specify for this variable is the token key you can use to authenticate yourself to the API.

AUTHENTIK_BOOTSTRAP_EMAIL

Set the email address for the default akadmin user.

Kubernetes

In the Helm values, set the akadmin user password hash and token:

authentik:
  bootstrap_password_hash: "pbkdf2_sha256$1000000$xKKFuYtJEE27km09BD49x2$4+Z6j3utmouPF5mik0Z21L2P0og5IlmMmIJ46Tj3zCM="
  bootstrap_token: "your-token-here"
  bootstrap_email: "admin@authentik.company"

Helm escaping

When using password hashes in quoted YAML strings as shown above, no escaping of $ characters is required. The $ character only needs escaping when:

  • Using Helm templating syntax (e.g., {{ .Values.something }}) where $ has special meaning
  • Referencing values from environment variable substitution in your values file

Or store the password hash in a secret and reference it via envFrom:

global:
  envFrom:
    - secretRef:
        name: some-secret

where some-secret contains the environment variables as documented above.