Identity Provider

Configure any OIDC-compatible identity provider for human user authentication.

Kaiten uses OIDC (OpenID Connect) for human user authentication. Any OIDC-compliant provider works — Clerk, Auth0, Keycloak, Okta, Google, etc.

What Kaiten Needs

For human user authentication, Kaiten requires:

  1. A JWKS Endpoint — URL where the provider publishes its public keys for JWT verification
  2. JWT Claims — The JWT must contain claims that Kaiten maps to its identity model

Required JWT Claims

Claim                       Kaiten Field                Description
sub                         User external ID            Unique user identifier from the IdP
org_id / organization_id    Organization external ID    The organization the user belongs to
email                       User email                  For display and notifications

Traefik Configuration

Authentication is handled by Traefik as an API gateway middleware. You need to configure the JWT validation plugin in your compose.yml:

labels:
  - "traefik.http.middlewares.my-jwt.plugin.jwt.Keys.0.URL=https://your-idp.example.com/.well-known/jwks.json"
  - "traefik.http.middlewares.my-jwt.plugin.jwt.Alg=RS256"
  - "traefik.http.middlewares.my-jwt.plugin.jwt.Issuers=https://your-idp.example.com"
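The following is an added example, not Kaiten's or Traefik's own code, showing what the checks configured above amount to and how the required claims map onto the identity model: the token's alg, kid, signature (against a JWKS document), issuer and expiry are validated, then sub, org_id/organization_id and email are extracted. The signing key, the kid "kid-1", the issuer URL (taken from the Issuers label above) and the sample claims are constructed for the example; SampleIdP and SignRS256 only stand in for the identity provider so the block runs offline.

```go
package main

// Added example, not Kaiten's or Traefik's own code: verify an RS256 JWT against
// a JWKS document (alg, kid, signature, issuer, expiry), then map its claims onto
// the fields Kaiten requires. Key, kid, issuer and token are constructed here.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// Identity is the subset of Kaiten's identity model the claims map to.
type Identity struct {
	UserExternalID string // sub
	OrgExternalID  string // org_id or organization_id
	Email          string // email
}

var b64 = base64.RawURLEncoding

func str(v any) string { s, _ := v.(string); return s }

// ParseJWKS decodes a JWKS document (RFC 7517) into kid -> RSA public key.
func ParseJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []map[string]any }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(str(k["n"]))
		e, errE := b64.DecodeString(str(k["e"]))
		if str(k["kty"]) != "RSA" || errN != nil || errE != nil {
			return nil, errors.New("unusable key " + str(k["kid"]))
		}
		keys[str(k["kid"])] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return keys, nil
}

// VerifyAndMap checks alg, kid, signature, issuer and expiry, then extracts the claims Kaiten needs.
func VerifyAndMap(token string, keys map[string]*rsa.PublicKey, issuer string, now int64) (Identity, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return Identity{}, errors.New("malformed token or header")
	}
	pub, ok := keys[hdr.Kid] // pin the algorithm; never let the header choose it
	if hdr.Alg != "RS256" || !ok {
		return Identity{}, errors.New("unexpected alg or unknown kid")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return Identity{}, errors.New("signature invalid")
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return Identity{}, errors.New("bad payload")
	}
	exp, _ := claims["exp"].(float64) // a missing exp reads as 0 and is rejected
	if str(claims["iss"]) != issuer || int64(exp) <= now {
		return Identity{}, errors.New("issuer mismatch or token expired")
	}
	id := Identity{UserExternalID: str(claims["sub"]), OrgExternalID: str(claims["org_id"]), Email: str(claims["email"])}
	if id.OrgExternalID == "" {
		id.OrgExternalID = str(claims["organization_id"]) // either claim name is accepted
	}
	if id.UserExternalID == "" || id.OrgExternalID == "" {
		return Identity{}, errors.New("required claims missing")
	}
	return id, nil
}

// SampleIdP plays the identity provider: a fresh constructed signing key plus the JWKS its /.well-known/jwks.json would serve.
func SampleIdP(kid string) (*rsa.PrivateKey, []byte) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	doc, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kty": "RSA", "kid": kid,
		"n": b64.EncodeToString(priv.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}})
	return priv, doc
}

// SignRS256 issues a token the way the IdP would; used only to build sample input.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig)
}
```

In use, ParseJWKS takes the JSON fetched from the URL given in the Keys.0.URL label, and VerifyAndMap takes the bearer token, the parsed keys, the value from the Issuers label and the current Unix time; it returns an Identity only when every check passes, so a token with the wrong issuer, an unknown kid, a missing exp, or an org claim under neither name is rejected before any mapping happens.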

Incoming Webhooks (User/Org Sync)

If your IdP supports outgoing webhooks, Kaiten can automatically sync:

  • Organization creation/update/deletion
  • User creation/update
  • Membership changes

Configure your IdP to send events to POST /api/webhooks/clerk (the endpoint name is historical but accepts standard OIDC webhook formats).

Next Step

For a concrete example, see the Clerk Setup Guide.