From c141e0c45497efadb63d6889931422905df029ae Mon Sep 17 00:00:00 2001 From: "kolbeyang@gmail.com" Date: Tue, 16 Jun 2026 23:38:54 +0000 Subject: [PATCH] docs: correct self-hosted access control for Better Auth (LAM-1778) The allowed-emails.json email allow-list was removed in the NextAuth to Better Auth migration (lmnr #1874). Document the actual current behavior: OAuth provider credentials gate how users sign in, GitHub/Google plus enterprise SSO are supported, and there is no built-in email allow-list. Co-Authored-By: Claude Opus 4.7 --- hosting-options.mdx | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/hosting-options.mdx b/hosting-options.mdx index eedc70f..3f2f4c9 100644 --- a/hosting-options.mdx +++ b/hosting-options.mdx @@ -58,20 +58,18 @@ For production self-hosting options, see the [GitHub repository](https://github. ### Access control -By default, any user can access your self-hosted instance. To restrict access to specific GitHub users, enable GitHub OAuth: +By default, a self-hosted instance accepts sign-in from anyone who can reach it. To require users to authenticate through an OAuth provider, set that provider's credentials. GitHub and Google are configured directly: ```bash AUTH_GITHUB_ID=your_github_oauth_app_id AUTH_GITHUB_SECRET=your_github_oauth_app_secret + +AUTH_GOOGLE_ID=your_google_oauth_client_id +AUTH_GOOGLE_SECRET=your_google_oauth_client_secret ``` -Then create an `allowed-emails.json` file in your project root: +Enterprise SSO providers (Azure Entra ID, Okta, Keycloak) are also supported through their own `AUTH_*` variables. -```json -{ - "emails": [ - "user1@example.com", - "user2@example.com" - ] -} -``` + +Configuring a provider controls *how* users sign in, not *who* can sign in: anyone with an account at that provider can still create an account on your instance. There is no built-in email allow-list. +