Skip to content

Latest commit

 

History

History
475 lines (378 loc) · 19.4 KB

File metadata and controls

475 lines (378 loc) · 19.4 KB
title Authentication setup
description Set up user authentication for your documentation site with OAuth, JWT, or shared links to control access to pages and API references.
keywords
authentication
auth
OAuth
JWT
password
[Pro plans](https://mintlify.com/pricing?ref=authentication) include password authentication.

Enterprise plans include all authentication methods.

Authentication is only available for documentation hosted on a custom domain or Mintlify subdomain (for example, `docs.example.com` or `example.mintlify.cc`). Authentication is **not supported** when using a [custom basepath](/deploy/docs-subpath) (for example, `example.com/docs`).

Authentication requires users to log in before accessing your documentation.

When you enable authentication, users must log in to access any content. You can configure specific pages or groups as public while keeping other pages protected.

Configure authentication

Select the handshake method that you want to configure.

Password authentication provides access control only and does **not** support user-specific features like group-based access control or API playground pre-filling.

Password prerequisites

  • Your security requirements allow sharing passwords among users.

Password setup

1. In your dashboard, go to [Authentication](https://dashboard.mintlify.com/products/authentication). 2. Enable authentication. 3. In the **Password Protection** section, enter a secure password
After you enter a password, your site redeploys. When it finishes deploying, anyone who visits your site must enter the password to access your content.
Securely share the password and documentation URL with authorized users.

Password example

You host your documentation at docs.foo.com and you need basic access control without tracking individual users. You want to prevent public access while keeping setup simple.

Create a strong password in your dashboard. Share credentials with authorized users.

Mintlify dashboard prerequisites

  • Everyone who needs to access your documentation must be a member of your Mintlify organization.

Mintlify dashboard setup

1. In your dashboard, go to [Authentication](https://dashboard.mintlify.com/products/authentication). 2. Enable authentication. 3. In the **Custom Authentication** section, click **Mintlify Auth**. 4. Click **Enable Mintlify Auth**.
After you enable Mintlify authentication, your site redeploys. When it finishes deploying, anyone who visits your site must log in to your Mintlify organization to access your content.
1. In your dashboard, go to [Members](https://dashboard.mintlify.com/settings/organization/members). 2. Add each person who should have access to your documentation. 3. Assign appropriate roles based on their editing permissions.

Mintlify dashboard example

You host your documentation at docs.foo.com and your entire team has access to your dashboard. You want to restrict access to team members only.

Enable Mintlify authentication in your dashboard settings.

Verify team access by checking that all team members are active in your organization.

OAuth 2.0 prerequisites

  • An OAuth or OIDC server that supports the Authorization Code Flow.
  • Ability to create an API endpoint accessible by OAuth access tokens (optional, to enable group-based access control).

OAuth 2.0 setup

1. In your dashboard, go to [Authentication](https://dashboard.mintlify.com/products/authentication). 2. Enable authentication. 3. In the **Custom Authentication** section, click **OAuth**. 4. Configure these fields: * **Authorization URL**: Your OAuth endpoint. * **Client ID**: Your OAuth 2.0 client identifier. * **Client Secret**: Your OAuth 2.0 client secret. * **Scopes** (optional): Permissions to request. Copy the **entire** scope string (for example, for a scope like `provider.users.docs`, copy the complete `provider.users.docs`). Use multiple scopes if you need different access levels. * **Additional authorization parameters** (optional): Additional query parameters to add to the initial authorization request. * **Token URL**: Your OAuth token exchange endpoint. * **Info API URL** (optional): Endpoint on your server that Mintlify calls to retrieve user info. Required for group-based access control. If omitted, the OAuth flow only verifies identity. * **Logout URL** (optional): The native logout URL for your OAuth provider. When users log out, Mintlify validates the logout redirect against this configured URL for security. The redirect only succeeds if it exactly matches the configured `logoutUrl`. If you do not configure a logout URL, users redirect to `/login`. Mintlify redirects users with a `GET` request and does not append query parameters, so include any parameters (for example, `returnTo`) directly in the URL. * **Redirect URL** (optional): The URL to redirect users to after authentication. 5. Click **Save changes**.
After you configure your OAuth settings, your site redeploys. When it finishes deploying, anyone who visits your site must log in to your OAuth provider to access your content.
1. Copy the **Redirect URL** from your [authentication settings](https://dashboard.mintlify.com/products/authentication). 2. Add the redirect URL as an authorized redirect URL for your OAuth server. To enable group-based access control, create an API endpoint that: * Responds to `GET` requests. * Accepts an `Authorization: Bearer ` header for authentication. * Returns user data in the `User` format. See [User data format](#user-data-format) for more information.
Mintlify calls this endpoint with the OAuth access token to retrieve user information. No additional query parameters are sent.

Add this endpoint URL to the **Info API URL** field in your [authentication settings](https://dashboard.mintlify.com/products/authentication).

OAuth 2.0 example

You host your documentation at foo.com/docs and you have an existing OAuth server at auth.foo.com that supports the Authorization Code Flow.

Configure your OAuth server details in your dashboard:

  • Authorization URL: https://auth.foo.com/authorization
  • Client ID: ydybo4SD8PR73vzWWd6S0ObH
  • Scopes: ['provider.users.docs']
  • Token URL: https://auth.foo.com/exchange
  • Info API URL: https://api.foo.com/docs/user-info
  • Logout URL: https://auth.foo.com/logout?returnTo=https%3A%2F%2Ffoo.com%2Fdocs

Create a user info endpoint at api.foo.com/docs/user-info, which requires an OAuth access token with the provider.users.docs scope, and returns:

{
  "groups": ["engineering", "admin"],
  "expiresAt": 1735689600,
  "apiPlaygroundInputs": {
    "header": {
      "Authorization": "Bearer user_abc123"
    }
  }
}
Control session length with the `expiresAt` field in your user info response. This is a Unix timestamp (seconds since epoch) indicating when the session should expire. See [User data format](#user-data-format) for more details.

Configure your OAuth server to allow redirects to your callback URL.

JWT prerequisites

  • An authentication system that can generate and sign JWTs.
  • A backend service that can create redirect URLs.

JWT setup

1. In your dashboard, go to [Authentication](https://dashboard.mintlify.com/products/authentication). 2. Enable authentication. 3. In the **Custom Authentication** section, click **JWT**. 4. Enter the URL of your existing login flow. 5. Click **Save changes**. 6. Click **Generate new key**. 7. Store your key securely where it can be accessed by your backend.
After you generate a private key, your site redeploys. When it finishes deploying, anyone who visits your site must log in to your JWT authentication system to access your content.
Modify your existing login flow to include these steps after user authentication:
* Create a JWT containing the authenticated user's info in the `User` format. See [User data format](#user-data-format) for more information.
* Sign the JWT with your secret key, using the EdDSA algorithm.
* Create a redirect URL back to the `/login/jwt-callback` path of your docs, including the JWT as the hash.

JWT example

You host your documentation at docs.foo.com with an existing authentication system at foo.com. You want to extend your login flow to grant access to the docs while keeping your docs separate from your dashboard (or you don't have a dashboard).

Create a login endpoint at https://foo.com/docs-login that extends your existing authentication.

After verifying user credentials:

  • Generate a JWT with user data in Mintlify's format.
  • Sign the JWT and redirect to https://docs.foo.com/login/jwt-callback#{SIGNED_JWT}.
```ts TypeScript import * as jose from 'jose'; import { Request, Response } from 'express';

const TWO_WEEKS_IN_MS = 1000 * 60 * 60 * 24 * 7 * 2; const DOCS_HOST = 'docs.example.com';

const signingKey = await jose.importPKCS8(process.env.MINTLIFY_PRIVATE_KEY, 'EdDSA');

export async function handleRequest(req: Request, res: Response) { const user = { host: DOCS_HOST, // Must match your docs URL expiresAt: Math.floor((Date.now() + TWO_WEEKS_IN_MS) / 1000), // 2 week session expiration groups: res.locals.user.groups, apiPlaygroundInputs: { header: { "Authorization": Bearer ${res.locals.user.apiKey}, }, }, };

const jwt = await new jose.SignJWT(user) .setProtectedHeader({ alg: 'EdDSA' }) .setExpirationTime('10 s') // 10 second JWT expiration .sign(signingKey);

return res.redirect(https://${DOCS_HOST}/login/jwt-callback#${jwt}); }


```python Python
import jwt # pyjwt
import os

from datetime import datetime, timedelta
from fastapi.responses import RedirectResponse

private_key = os.getenv(MINTLIFY_JWT_PEM_SECRET_NAME, '')
DOCS_HOST = 'docs.example.com'

@router.get('/auth')
async def return_mintlify_auth_status(current_user):
  jwt_token = jwt.encode(
    payload={
      'host': DOCS_HOST, # Must match your docs URL
      'exp': int((datetime.now() + timedelta(seconds=10)).timestamp()),    # 10 second JWT expiration
      'expiresAt': int((datetime.now() + timedelta(weeks=2)).timestamp()), # 2 week session expiration
      'groups': ['admin'] if current_user.is_admin else [],
      'apiPlaygroundInputs': {
        'header': {
          'Authorization': f'Bearer {current_user.api_key}',
        },
      },
    },
    key=private_key,
    algorithm='EdDSA'
  )

  return RedirectResponse(url=f'https://{DOCS_HOST}/login/jwt-callback#{jwt_token}', status_code=302)

Redirect unauthenticated users

When an unauthenticated user tries to access a protected page, the redirect to your login URL preserves the user's intended destination.

  1. User attempts to visit a protected page: https://docs.foo.com/quickstart.
  2. Redirect to your login URL with a redirect query parameter: https://foo.com/docs-login?redirect=%2Fquickstart.
  3. After authentication, redirect to https://docs.foo.com/login/jwt-callback?redirect=%2Fquickstart#{SIGNED_JWT}.
  4. User lands in their original destination.

Make pages public

When using authentication, all pages require authentication to access by default. You can make specific pages viewable without authentication at the page or group level with the public property.

Individual pages

To make a page public, add public: true to the page's frontmatter.

---
title: "Public page"
public: true
---

Groups of pages

To make all pages in a group public, add "public": true beneath the group's name in the navigation object of your docs.json.

{
  "navigation": {
    "groups": [
      {
        "group": "Public group",
        "public": true,
        "icon": "play",
        "pages": [
          "quickstart",
          "installation",
          "settings"
        ]
      },
      {
        "group": "Private group",
        "icon": "pause",
        "pages": [
          "private-information",
          "secret-settings"
        ]
      }
    ]
  }
}

Control access with groups

When you use OAuth or JWT authentication, you can restrict specific pages to certain user groups. This is useful when you want different users to see different content based on their role or attributes.

Manage groups through user data passed during authentication. See User data format for details.

{
  "groups": ["admin", "beta-users"],
  "expiresAt": 1735689600
}

Specify which groups can access specific pages using the groups property in frontmatter.

---
title: "Admin dashboard"
groups: ["admin"]
---

Users must belong to at least one of the listed groups to access the page. If a user tries to access a page without the required group, they'll receive a 404 error.

How groups interact with public pages

  • All pages require authentication by default.
  • Pages with a groups property are only accessible to authenticated users in those groups.
  • Pages without a groups property are accessible to all authenticated users.
  • Pages with public: true and no groups property are accessible to everyone.
---
title: "Public guide"
public: true
---
---
title: "API reference"
---
---
title: "Advanced configurations"
groups: ["pro", "enterprise"]
---

User data format

When using OAuth or JWT authentication, your system returns user data that controls session length, group membership, and content personalization.

```tsx Format type User = { host?: string; expiresAt?: number; groups?: string[]; content?: Record; apiPlaygroundInputs?: { server?: Record; header?: Record; query?: Record; cookie?: Record; path?: Record; }; }; ```
{
  "host": "docs.example.com",
  "expiresAt": 1735689600,
  "groups": ["admin", "beta-users"],
  "content": {
    "firstName": "Jane",
    "company": "Acme Corp"
  },
  "apiPlaygroundInputs": {
    "header": {
      "Authorization": "Bearer user_abc123"
    },
    "server": {
      "baseUrl": "https://api.foo.com"
    }
  }
}
**Required for JWT authentication.** The hostname of your documentation site. The string must exactly match the domain where you deploy your documentation. Mintlify validates that the JWT's host matches the requesting host to prevent token reuse across different sites. Session expiration time in seconds since epoch. When the current time passes this value, the user must re-authenticate.

For JWT: This differs from the JWT's exp claim, which determines when a JWT is considered invalid. Set the JWT exp claim to a short duration (10 seconds or less) for security. Use expiresAt for the actual session length (hours to weeks).

List of groups the user belongs to. Pages with matching `groups` in their frontmatter are accessible to this user.

Example: A user with groups: ["admin", "engineering"] can access pages tagged with either the admin or engineering groups.

Custom data accessible in MDX pages via the `user` variable for [personalized content](/create/personalization#dynamic-mdx-content). Pre-fills API playground fields with user-specific values. When a user authenticates, these values populate the corresponding input fields in the API playground. Users can override pre-filled values, and their overrides persist in local storage.

Only values that match the current endpoint's security scheme are applied.

Header values to pre-fill, keyed by header name. Query parameter values to pre-fill, keyed by parameter name. Cookie values to pre-fill, keyed by cookie name. Server variable values to pre-fill, keyed by variable name. Path parameter values to pre-fill, keyed by parameter name.

Feature availability

Some features behave differently or are unavailable when you enable authentication. Mintlify does not support serving arbitrary files publicly on an authenticated site. All hosted files, including llms.txt, llms-full.txt, and skill.md, are subject to the same authentication requirements as your documentation pages.

Feature Public Fully authenticated (all pages protected) Partially authenticated (some public pages)
llms.txt and llms-full.txt Full support Available behind authentication, so AI tools may not be able to access the files Available behind authentication, so AI tools may not be able to access the files
MCP server Full support Requires authentication to connect Available without authentication for public pages and with authentication for protected pages
Markdown export Full support Full support, respects user groups Full support, respects user groups
PDF export Full support Not supported Not supported
Search Full support Full support, respects user groups Full support, respects user groups
Assistant Full support Full support, respects user groups Full support, respects user groups
skill.md Full support Not supported Not supported
Sitemap Full support Available behind authentication, but excludes pages in groups Available behind authentication, but excludes pages in groups
robots.txt Full support Available behind authentication Available behind authentication