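# Authelia secrets — set all of these in Portainer stack environment variables.
#
# This file is a template: the values are intentionally blank. Keep filled-in
# copies out of git and out of backups that are not access-controlled.
#
# Generate random values with: openssl rand -hex 32
# Use a separate freshly generated value for each variable; sharing one value
# means a leak of any single secret exposes all of them.

# Core secrets
AUTHELIA_JWT_SECRET=
AUTHELIA_SESSION_SECRET=
# Keep an offline backup of this key: data encrypted under it cannot be read
# with a different key.
AUTHELIA_STORAGE_ENCRYPTION_KEY=

# OIDC HMAC secret (signs OIDC tokens)
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=

# OIDC client secrets — store as bcrypt hashes here, plaintext in each client app
# Generate hash: docker run --rm authelia/authelia:4.38 authelia crypto hash generate bcrypt --password <client-secret>
# A secret passed with --password ends up in shell history and is visible in
# the process list while the command runs. Leaving --password off and adding
# -it to `docker run` makes the tool prompt for the secret instead.
# NOTE(review): bcrypt digests contain '$'. Depending on how these values are
# injected (e.g. Compose variable interpolation), '$' may need escaping —
# confirm that the value Authelia receives matches the generated digest.
AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI=
AUTHELIA_OIDC_CLIENT_SECRET_LINKDING=

# Note: the OIDC JWK private key is managed directly in /srv/authelia/config/configuration.yml
# (never committed to git). See the inline comment in that file.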