Authentication
Releval supports email/password authentication by default, with optional OAuth providers for single sign-on.
Registration
| Variable | Default | Description |
|---|---|---|
| Registration__Enabled | false | Whether self-registration is allowed. When disabled, new members must be added through admin invitations. |
| Registration__AllowedDomain | (none) | Restrict registration to a specific email domain |
Restricting Registration
When self-registration is enabled, you can limit it to a single email domain so only users from your organization can register:
Environment Variable:
environment:
  - Registration__Enabled=true
  - Registration__AllowedDomain=example.com
appsettings.json:
{
  "Registration": {
    "Enabled": true,
    "AllowedDomain": "example.com"
  }
}
This only allows email addresses ending in @example.com to register. Users outside this domain can still be added via admin invitation.
To disable self-registration entirely and require admin invitations:
Environment Variable:
environment:
  - Registration__Enabled=false
appsettings.json:
{
  "Registration": {
    "Enabled": false
  }
}
OAuth Providers
Releval supports Google and GitHub as external authentication providers. When configured, users see additional login options on the sign-in page.
Google
| Variable | Description |
|---|---|
| Authentication__Google__ClientId | Google OAuth 2.0 client ID |
| Authentication__Google__ClientSecret | Google OAuth 2.0 client secret |
To set up Google authentication:
- Create a project in the Google Cloud Console
- Navigate to APIs & Services > Credentials
- Create an OAuth 2.0 Client ID (Web application type)
- Add https://<your-releval-host>/api/auth/login-google as an authorized redirect URI
- Set the client ID and secret:
Environment Variable:
environment:
  - Authentication__Google__ClientId=your-client-id.apps.googleusercontent.com
  - Authentication__Google__ClientSecret=your-client-secret
appsettings.json:
{
  "Authentication": {
    "Google": {
      "ClientId": "your-client-id.apps.googleusercontent.com",
      "ClientSecret": "your-client-secret"
    }
  }
}
GitHub
| Variable | Description |
|---|---|
| Authentication__GitHub__ClientId | GitHub OAuth App client ID |
| Authentication__GitHub__ClientSecret | GitHub OAuth App client secret |
To set up GitHub authentication:
- Go to Settings > Developer Settings > OAuth Apps in GitHub
- Create a new OAuth App
- Set the Authorization callback URL to https://<your-releval-host>/api/auth/login-github
- Set the client ID and secret:
Environment Variable:
environment:
  - Authentication__GitHub__ClientId=your-client-id
  - Authentication__GitHub__ClientSecret=your-client-secret
appsettings.json:
{
  "Authentication": {
    "GitHub": {
      "ClientId": "your-client-id",
      "ClientSecret": "your-client-secret"
    }
  }
}
JWT Settings
JWT tokens are used for App Client authentication via the OAuth 2.0 client credentials flow.
| Variable | Default | Description |
|---|---|---|
| JwtSettings__Key | (default key) | Secret key for signing JWT tokens |
| JwtSettings__Issuer | (required) | Token issuer, e.g. https://${RELEVAL_HOST} |
| JwtSettings__Audience | (required) | Token audience, e.g. https://${RELEVAL_HOST} |
| JwtSettings__ExpireTimeSpan | 01:00:00 | Token expiration (1 hour) |
Change the default JWT key for production deployments. The key must be at least 512 bits (64 bytes) for the HS512 algorithm.
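A pre-deployment check of the settings described on this page, as an added example (not part of Releval or its documentation). It reads only the environment-variable form and assumes the key string is used as UTF-8 bytes by the signer; `check_auth_config` and `generate_jwt_key` are hypothetical helper names.

```python
import os
import secrets

MIN_KEY_BYTES = 64  # 512 bits, the HS512 minimum stated above
# Placeholder values shown in the configuration snippets on this page.
PLACEHOLDERS = {"your-client-id", "your-client-secret",
                "your-client-id.apps.googleusercontent.com"}

def generate_jwt_key() -> str:
    """New signing key: 64 CSPRNG bytes, URL-safe base64 encoded (86 chars)."""
    return secrets.token_urlsafe(MIN_KEY_BYTES)

def check_auth_config(env) -> list:
    """Return findings for the auth settings; an empty list means none."""
    findings = []
    key = env.get("JwtSettings__Key", "")
    if not key:
        findings.append("JwtSettings__Key unset: default key would be used")
    # Assumption: the key string is converted to bytes as UTF-8.
    elif len(key.encode("utf-8")) < MIN_KEY_BYTES:
        findings.append("JwtSettings__Key shorter than 64 bytes")
    for name in ("JwtSettings__Issuer", "JwtSettings__Audience"):
        if not env.get(name):
            findings.append(f"{name} is required but not set")
    enabled = env.get("Registration__Enabled", "false").strip().lower() == "true"
    if enabled and not env.get("Registration__AllowedDomain", "").strip():
        findings.append("Self-registration enabled with no AllowedDomain")
    for provider in ("Google", "GitHub"):
        cid = env.get(f"Authentication__{provider}__ClientId", "")
        sec = env.get(f"Authentication__{provider}__ClientSecret", "")
        if bool(cid) != bool(sec):
            findings.append(f"{provider}: ClientId and ClientSecret must both be set")
        if {cid, sec} & PLACEHOLDERS:
            findings.append(f"{provider}: placeholder value still in place")
    return findings

if __name__ == "__main__":
    # Check the environment the container would start with.
    for finding in check_auth_config(os.environ):
        print("FINDING:", finding)
```

Run it in the same environment the container receives, and store the output of `generate_jwt_key()` in your secret manager rather than in the compose file.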
Encryption at rest
Releval encrypts sensitive data at rest (such as endpoint authentication credentials) using the ASP.NET Core Data Protection key ring. There is no separate encryption key to configure.
Persist the Data Protection keys directory (/app/keys by default) on a durable volume. If the key ring is lost — for example when the container falls back to ephemeral in-memory keys — previously encrypted values can no longer be decrypted. See Data Protection.
Password Policy
Releval enforces the following password requirements:
- Minimum 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one digit
- At least one non-alphanumeric character