Skip to content

Quickstart

You need Docker and Docker Compose. Nothing else. No JDK, no database client, no external dependencies.

No repo clone required. Pull the image directly from GitHub Container Registry.

  1. Grab the compose file and env template

    Terminal window
    mkdir kotauth && cd kotauth
    curl -O https://raw.githubusercontent.com/inumansoul/kotauth/main/docker-compose.yml
    curl -O https://raw.githubusercontent.com/inumansoul/kotauth/main/.env.example
    cp .env.example .env
  2. Set your secret key

    Open .env and generate a secret key:

    Terminal window
    KAUTH_SECRET_KEY= # paste output of: openssl rand -hex 32

    KAUTH_BASE_URL defaults to http://localhost:8080. Change it if deploying remotely.

    Caution: Do not skip KAUTH_SECRET_KEY. Without it, SMTP configuration cannot be saved and sessions will be lost on every container restart.

  3. Start the stack

    Terminal window
    docker compose up -d

    Kotauth pulls from GHCR and starts on port 8080. PostgreSQL is bundled — no external database needed. Flyway runs all migrations automatically on first boot.

    To also start Redis for distributed sessions and rate limiting:

    Terminal window
    docker compose --profile redis up -d
  4. Open the admin console

    http://localhost:8080/admin

    On first run, master workspace admin credentials are printed to the startup log. Find them with:

    Terminal window
    docker compose logs kotauth | grep "Admin credentials"

    Caution: Change the master workspace admin password immediately after first login.

  5. Create a workspace

    In the admin console, click New Workspace and enter a slug (e.g. my-app). A workspace is a fully isolated tenant — it gets its own user directory, applications, signing keys, and settings.

  6. Verify OIDC discovery

    Your workspace’s OIDC discovery document is immediately available:

    http://localhost:8080/t/my-app/.well-known/openid-configuration

    This is the URL you’ll give to any OAuth2 / OIDC library as the issuer or discovery URL.


After startup you have:

URLDescription
http://localhost:8080/adminAdmin console
http://localhost:8080/t/{slug}/authorizeAuthorization endpoint for workspace slug
http://localhost:8080/t/{slug}/.well-known/openid-configurationOIDC discovery document
http://localhost:8080/t/{slug}/api/v1/docsSwagger UI (REST API)
http://localhost:8080/healthLiveness probe
http://localhost:8080/health/readyReadiness probe

Once inside your workspace in the admin console:

  1. Go to Applications → New Application
  2. Set the type: Public (for SPAs / mobile) or Confidential (for server-side apps)
  3. Add your redirect URI (e.g. http://localhost:3000/callback)
  4. Copy the client_id — this is what you pass to your OAuth2 library

Your app is now registered. Point your OAuth2 library at the discovery document URL and use the client_id. Done.