# OIDC

> Authenticate into Tracecat using OpenID Connect: register an OIDC client with your IdP, map claims, and enable SSO sign-in across the platform.

## Configuration

In your `.env` file, enable the OIDC auth type.

```bash
TRACECAT__AUTH_TYPES=oidc
```

## Required environment variables

Set the following variables for your provider:

* `TRACECAT__PUBLIC_APP_URL`
* `OIDC_ISSUER`
* `OIDC_CLIENT_ID`
* `OIDC_CLIENT_SECRET`
* `OIDC_SCOPES` (optional, defaults to `openid profile email`)

## Instructions

<Steps>
  <Step title="Create an OIDC application with your identity provider">
    Register Tracecat as an application with your provider and allow the standard
    OpenID Connect scopes needed for sign-in.
  </Step>

  <Step title="Configure the redirect URI">
    Set the provider redirect URI to `<your-domain>/auth/oauth/callback`.

    For the local Docker Compose deployment, use `http://localhost/auth/oauth/callback`.
  </Step>

  <Step title="Configure environment variables in Tracecat">
    Add the public Tracecat URL, issuer URL, and client credentials to your `.env`
    file. Tracecat generates OAuth callback URLs from
    `TRACECAT__PUBLIC_APP_URL`, so this must match the external URL users visit.

    Example:

    ```bash
    TRACECAT__PUBLIC_APP_URL=https://tracecat.example.com
    OIDC_ISSUER=https://issuer.example.com
    OIDC_CLIENT_ID=tracecat
    OIDC_CLIENT_SECRET=replace-me
    OIDC_SCOPES="openid profile email"
    ```
  </Step>

  <Step title="Restart Tracecat">
    Restart the application so the new auth configuration is loaded.
  </Step>
</Steps>
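
As an added example (not part of Tracecat's own code), this Python lint checks `.env` contents against the settings described on this page and derives the redirect URI to register with the identity provider. The function names, the https and placeholder checks, and treating `TRACECAT__AUTH_TYPES` as a comma-separated list are assumptions of the example.

```python
from urllib.parse import urlsplit

REQUIRED = ("TRACECAT__PUBLIC_APP_URL", "OIDC_ISSUER", "OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET")
DEFAULT_SCOPES = "openid profile email"  # default stated on this page

def parse_env(text):
    """Parse KEY=VALUE lines; skips blanks and comments, strips surrounding quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("\"'")
    return env

def redirect_uri(env):
    """Callback URL to register with the IdP, derived from the public app URL."""
    return env["TRACECAT__PUBLIC_APP_URL"].rstrip("/") + "/auth/oauth/callback"

def lint(env):
    """Return a list of problems; an empty list means the settings look consistent."""
    problems = []
    # Assumption: TRACECAT__AUTH_TYPES accepts a comma-separated list.
    if "oidc" not in [t.strip() for t in env.get("TRACECAT__AUTH_TYPES", "").split(",")]:
        problems.append("TRACECAT__AUTH_TYPES does not include oidc")
    problems += [f"{k} is not set" for k in REQUIRED if not env.get(k)]
    for key in ("TRACECAT__PUBLIC_APP_URL", "OIDC_ISSUER"):
        url = urlsplit(env.get(key, ""))
        if env.get(key) and url.scheme != "https" and url.hostname != "localhost":
            problems.append(f"{key} should use https outside local deployments")
    if env.get("OIDC_CLIENT_SECRET") == "replace-me":
        problems.append("OIDC_CLIENT_SECRET is still the placeholder value")
    if "openid" not in env.get("OIDC_SCOPES", DEFAULT_SCOPES).split():
        problems.append("OIDC_SCOPES must include openid")
    return problems

# Constructed sample .env contents with deliberate mistakes (not a real deployment)
SAMPLE = """
TRACECAT__AUTH_TYPES=oidc
TRACECAT__PUBLIC_APP_URL=http://tracecat.example.com/
OIDC_ISSUER=https://issuer.example.com
OIDC_CLIENT_ID=tracecat
OIDC_CLIENT_SECRET=replace-me
OIDC_SCOPES="profile email"
"""

if __name__ == "__main__":
    env = parse_env(SAMPLE)
    print(redirect_uri(env), *lint(env), sep="\n")
```
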
