Automated install
To install authentik automatically (skipping the out-of-box experience), set the following environment variables on the worker container.
These variables can't be defined using the file-based syntax (file://), so you can't pass them in as secrets in a Docker Compose installation.
AUTHENTIK_BOOTSTRAP_PASSWORD_HASH
Configure the default password for the akadmin user using a pre-hashed Django password value. Only read on the first startup.
This stores the hash directly as authentik's local password verifier. Because authentik never sees the raw password, hashed-password imports do not propagate the password to LDAP or Kerberos integrations, even when password writeback is enabled.
To generate a hash, run this command before your initial deployment:
docker compose run --rm server hash_password 'your-password'
The generated hash includes a random salt, so running the command multiple times for the same password produces different output. Use the complete output as the value of AUTHENTIK_BOOTSTRAP_PASSWORD_HASH.
$ in Docker Compose
Password hashes contain $ characters which Docker Compose interprets as variable references.
In .env files, use single quotes to prevent interpolation:
AUTHENTIK_BOOTSTRAP_PASSWORD_HASH='pbkdf2_sha256$1000000$xKKFuYtJEE27km09BD49x2$4+Z6j3utmouPF5mik0Z21L2P0og5IlmMmIJ46Tj3zCM='
In docker-compose.yml (inline environment), escape each $ with $$:
services:
  worker:
    environment:
      AUTHENTIK_BOOTSTRAP_PASSWORD_HASH: "pbkdf2_sha256$$1000000$$xKKFuYtJEE27km09BD49x2$$4+Z6j3utmouPF5mik0Z21L2P0og5IlmMmIJ46Tj3zCM="
See the Docker Compose documentation on .env file interpolation and Compose file interpolation for details.
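The following Python example is added here and is not part of authentik. It rebuilds the pbkdf2_sha256 layout of the sample value above (algorithm$iterations$salt$base64 digest) with the standard library, shows that two hashes of one password differ yet both verify, and renders a hash in the .env and inline Compose forms. It assumes hash_password emits that Django layout; the function names are illustrative, and the hash for a real deployment still comes from the command above.

```python
import base64
import hashlib
import hmac
import secrets
import string

VAR = "AUTHENTIK_BOOTSTRAP_PASSWORD_HASH"
SALT_CHARS = string.ascii_letters + string.digits

def make_hash(password, iterations=1_000_000, salt=None):
    """Build algorithm$iterations$salt$base64(digest), random salt by default."""
    salt = salt or "".join(secrets.choice(SALT_CHARS) for _ in range(22))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(digest).decode()}"

def verify(password, value):
    """True only if value is a well-formed pbkdf2_sha256 hash of password."""
    parts = value.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # truncated or mangled, e.g. by unwanted $ interpolation
    _, iterations, salt, expected = parts
    if not iterations.isdecimal() or int(iterations) < 1 or not salt:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iterations))
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(base64.b64encode(digest), expected.encode())

def dotenv_line(value):
    """.env form: single quotes stop Compose from interpolating $."""
    if "'" in value:
        raise ValueError("value contains a single quote")
    return f"{VAR}='{value}'"

def compose_inline(value):
    """docker-compose.yml inline form: every $ doubled to $$."""
    escaped = value.replace("$", "$$")
    return f'{VAR}: "{escaped}"'

if __name__ == "__main__":
    # Constructed sample password; low iteration count only to keep the demo fast.
    sample = make_hash("constructed-sample-password", iterations=10_000)
    print(verify("constructed-sample-password", sample))  # round trip succeeds
    print(dotenv_line(sample))
    print(compose_inline(sample))
```

Running verify against the value as the container actually receives it (for example from the rendered Compose configuration) catches a hash that lost fields to interpolation before the first startup consumes it.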
AUTHENTIK_BOOTSTRAP_PASSWORD
This option stores plaintext passwords in environment variables. Use AUTHENTIK_BOOTSTRAP_PASSWORD_HASH instead.
Configure the default password for the akadmin user. Only read on the first startup.
Setting both AUTHENTIK_BOOTSTRAP_PASSWORD and AUTHENTIK_BOOTSTRAP_PASSWORD_HASH will result in an error.
Other hashed-password import paths
For post-install automation, hashed passwords can also be set via blueprints with the password_hash user attribute, or via the /api/v3/core/users/<id>/set_password_hash/ API endpoint with the hash provided in the password field. The API endpoint requires the authentik_core.reset_user_password permission and can target regular users or service accounts.
These paths share the same local-verifier-only behavior as AUTHENTIK_BOOTSTRAP_PASSWORD_HASH.
AUTHENTIK_BOOTSTRAP_TOKEN
Create a token for the default akadmin user. Only read on the first startup. The string you specify for this variable is the token key you can use to authenticate yourself to the API.
AUTHENTIK_BOOTSTRAP_EMAIL
Set the email address for the default akadmin user.
Kubernetes
In the Helm values, set the akadmin user password hash and token:
authentik:
  bootstrap_password_hash: "pbkdf2_sha256$1000000$xKKFuYtJEE27km09BD49x2$4+Z6j3utmouPF5mik0Z21L2P0og5IlmMmIJ46Tj3zCM="
  bootstrap_token: "your-token-here"
  bootstrap_email: "admin@authentik.company"
When using password hashes in quoted YAML strings as shown above, no escaping of $ characters is required. The $ character only needs escaping when:
- Using Helm templating syntax (e.g., {{ .Values.something }}), where $ has special meaning
- Referencing values from environment variable substitution in your values file
Or store the password hash in a secret and reference it via envFrom:
global:
  envFrom:
    - secretRef:
        name: some-secret
where some-secret contains the environment variables as documented above.