# authentik SSO

Use this guide when your organization signs in with authentik. Lettermint connects to an authentik OAuth2/OIDC provider.

## Before you start

You need administrator access to authentik. Create an application and OAuth2/OIDC provider pair, then register the Lettermint OIDC callback URL from the SSO guide in the provider redirect URI configuration.

## authentik setup

1. In the authentik Admin interface, go to **Applications** > **Applications**.
2. Choose **Create with provider**.
3. Create the application, then select **OAuth2/OIDC** as the provider type.
4. Add the Lettermint OIDC callback URL from the SSO guide to the provider redirect URI list.
5. Use the authorization code flow.
6. Copy the client ID and client secret.
7. Note the application slug for the discovery URL.

## Lettermint setup

In the Lettermint SSO setup screen, choose **authentik** and enter:

| Field | Value |
|-------|-------|
| Domain | Your managed email domain, for example `example.com`. |
| Metadata URL | `https://{instance}/application/o/{slug}/.well-known/openid-configuration` |
| Client ID | The authentik client ID. |
| Client secret | The authentik client secret. |

Replace `{instance}` with your authentik hostname and `{slug}` with the application slug.
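
Before saving the form, you can confirm that the Metadata URL is well formed and that the discovery document it returns belongs to your authentik instance and advertises the authorization code flow. The script below is an added example, not Lettermint or authentik code; the function names, the hostname `auth.example.com`, the slug `lettermint`, the allowed slug characters, and the sample document are constructed, and it assumes all endpoints are served from the same hostname as the instance.

```python
import re
from urllib.parse import urlparse

# Allowed slug characters are an assumption of this example.
SLUG_RE = re.compile(r"[A-Za-z0-9_-]+")
HOST_RE = re.compile(r"[A-Za-z0-9.-]+(:\d+)?")
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def metadata_url(instance: str, slug: str) -> str:
    """Build the Metadata URL from the table above, rejecting malformed parts."""
    if not HOST_RE.fullmatch(instance):
        raise ValueError("instance must be a bare hostname, without scheme or path")
    if not SLUG_RE.fullmatch(slug):
        raise ValueError("slug contains unexpected characters")
    return f"https://{instance}/application/o/{slug}/.well-known/openid-configuration"


def check_discovery(doc: dict, instance: str) -> list:
    """Return a list of problems found in a parsed discovery document."""
    problems = []
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.scheme != "https":
        problems.append("issuer is not https")
    if issuer.netloc != instance:
        problems.append("issuer host does not match the authentik hostname")
    # Step 5 of the authentik setup uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' is not advertised")
    for key in ENDPOINT_KEYS:
        url = urlparse(doc.get(key, ""))
        if url.scheme != "https" or url.netloc != instance:
            problems.append(f"{key} is missing or not an https URL on {instance}")
    return problems


# Constructed sample, shaped like an OIDC discovery response.
SAMPLE = {
    "issuer": "https://auth.example.com/application/o/lettermint/",
    "authorization_endpoint": "https://auth.example.com/application/o/authorize/",
    "token_endpoint": "https://auth.example.com/application/o/token/",
    "jwks_uri": "https://auth.example.com/application/o/lettermint/jwks/",
    "response_types_supported": ["code", "id_token"],
}

if __name__ == "__main__":
    print(metadata_url("auth.example.com", "lettermint"))
    print(check_discovery(SAMPLE, "auth.example.com") or "discovery document is consistent")
```

To check a live provider, fetch the Metadata URL with your HTTP client and pass the parsed JSON to `check_discovery`.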

## References

- [authentik: OAuth 2.0 provider](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/)
- [authentik: Create an OAuth2 provider](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/create-oauth2-provider/)
