SSO / OAuth

Perch lets your team sign in with external providers, so nobody needs a separate Perch password. Enable any combination of providers, and mix them freely with local accounts.

OAuth settings live at Admin → Auth.

How it works

When someone signs in with an OAuth provider, Perch finds or creates a local account matched to their email. If an account with that email already exists, it gets linked automatically. New accounts start with the member role, so promote them from the Users page if they need more.

Providers

Custom OIDC

Running your own identity provider? The custom OIDC option covers anything that speaks standard OIDC.

Disabling a provider

Flip the toggle in the provider’s modal to turn it off. Existing accounts linked to that provider keep working, but new sign-ins through it will fail until you re-enable it.

Maintenance mode blocks SSO too

When maintenance mode is on (toggled from the Instance page), Perch blocks OAuth sign-ins right alongside password logins. The seeded admin account is the one exception.
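
The sign-in rules on this page (find or link by email, member role for new accounts, disabled providers, maintenance mode) modeled as one decision function. This is an added example, not Perch's code: the `Instance` and `Account` types, the `seeded_admin` flag, the lowercase email normalization and the requirement that the standard OIDC `email_verified` claim be true before linking are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

class SignInRefused(Exception):
    """Raised when an OAuth sign-in must not produce a session."""

@dataclass
class Account:                      # hypothetical model, not Perch's schema
    email: str
    role: str = "member"            # page: new accounts start as member
    linked: set = field(default_factory=set)
    seeded_admin: bool = False      # assumed flag for the seeded admin

@dataclass
class Instance:                     # hypothetical stand-in for instance state
    accounts: dict = field(default_factory=dict)   # keyed by normalized email
    enabled: set = field(default_factory=set)      # providers toggled on
    maintenance: bool = False

def oauth_sign_in(inst, provider, claims):
    """Return the account for a completed OAuth/OIDC login, or refuse."""
    if provider not in inst.enabled:
        raise SignInRefused("provider disabled")
    email = (claims.get("email") or "").strip().lower()   # assumed normalization
    # Assumption: link only on an address the provider marks as verified,
    # since the email is the sole key that ties the login to an account.
    if not email or claims.get("email_verified") is not True:
        raise SignInRefused("no verified email claim")
    account = inst.accounts.get(email)
    if inst.maintenance and not (account and account.seeded_admin):
        raise SignInRefused("maintenance mode")
    if account is None:                                   # create as member
        account = inst.accounts[email] = Account(email=email)
    account.linked.add(provider)                          # link; role unchanged
    return account

if __name__ == "__main__":
    # Constructed sample data
    inst = Instance(enabled={"custom-oidc"})
    inst.accounts["ops@example.test"] = Account("ops@example.test", role="admin")
    for claims in ({"email": "Ops@Example.test", "email_verified": True},
                   {"email": "new@example.test", "email_verified": True},
                   {"email": "ops@example.test", "email_verified": False}):
        try:
            acct = oauth_sign_in(inst, "custom-oidc", claims)
            print(acct.email, acct.role, sorted(acct.linked))
        except SignInRefused as why:
            print("refused:", why)
```

When evaluating a custom OIDC provider, confirm how it populates `email` and `email_verified`, because the email is the only value that decides which account a login attaches to.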