๐ Authentication & Access
Control who gets in, what they can do, and how your instance integrates with your identity stack.
Open WebUI is multi-user from day one. Whether you're running a personal instance or managing thousands of seats across an organization, you have full control over authentication, authorization, and programmatic access. Connect your identity provider, define granular permissions, and automate user lifecycle management, all without touching a line of code.
What's In This Sectionโ
| ๐ฅ RBAC | Roles, groups, and per-resource permissions. Define who can access what |
| ๐ SSO / OIDC | Federated authentication with Google, Microsoft, Okta, Keycloak, or any OIDC provider |
| ๐ LDAP | Authenticate against your existing directory service |
| ๐ SCIM 2.0 | Automated user and group provisioning and deprovisioning from your IdP |
| ๐ API Keys | Programmatic access for scripts, bots, pipelines, and integrations |
How It Fits Togetherโ
- Users authenticate via SSO, OIDC, LDAP, or local credentials.
- SCIM provisions users and groups automatically from your identity provider.
- RBAC determines access based on roles (Admin, User) and group memberships.
- Permissions are additive: each group membership adds capabilities, never removes them.
- API keys inherit the creating user's full permissions for programmatic access.
Quick Startโ
Solo or small team? Start simpleโ
Open WebUI works out of the box with local email/password authentication. No external identity provider required. Create accounts, assign admin or user roles, and you're done.
Organization? Layer in SSO and SCIMโ
- Set up SSO: Configure your identity provider for single sign-on
- Configure RBAC: Create groups, assign permissions, and set up access control lists
- Enable SCIM (optional): Automate user lifecycle from your IdP
- Generate API keys (optional): Enable programmatic access for automation
Key Conceptsโ
Additive permissionsโ
Open WebUI's security model is additive. Users start with their role's default permissions, and group memberships only ever add capabilities. A user's effective permissions are the union of everything granted by their role and all their groups.
Per-resource access controlโ
Models, Knowledge bases, Tools, and Skills all support fine-grained access control. Resources are private by default. The creator controls who can see and use them via user grants, group grants, or public visibility.
Admin vs. Userโ
There are two primary roles. Admins have full system access. Users have capabilities defined by default permissions plus group memberships. A third role, Pending, holds new sign-ups in a queue for admin approval.