Authentik
Use Authentik as the identity provider for Perch sign-ins.
Your redirect URI
Add this exact URL as a redirect URI in Authentik:
https://your-hub-url/api/auth/custom/callback
Setup in Authentik
Start a new provider
Log in to Authentik as an admin, go to Applications → Applications, and click New Provider. Give the application a name (like “Perch”) and click Next.
Choose OAuth2 / OIDC
Select OAuth2/OIDC as the provider type and click Next.
Add the redirect URI
Under Redirect URIs, add https://your-hub-url/api/auth/custom/callback, then click Submit.
Copy the credentials
Open the new application, click into the linked provider, and copy the Client ID and Client Secret.
Setup in Perch
Open the Custom OIDC card in Perch (Admin → Auth) and add the Client ID and Client Secret. For the URLs, pull them from your Authentik discovery document:
https://your-authentik-url/application/o/<app-slug>/.well-known/openid-configuration
Swap <app-slug> for the slug on the application’s detail page, open that URL in your browser, and copy the values across:
| Perch field | Discovery doc key |
|---|---|
| Authorization URL | authorization_endpoint |
| Token URL | token_endpoint |
| Userinfo URL | userinfo_endpoint |
Set Scopes to openid email, then enable the provider.
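The copy step above can also be scripted. This is an added example, not code from Perch or Authentik: it maps a parsed discovery document to the Perch fields and rejects endpoints that are not HTTPS or not on your Authentik host. The function name, the same-host check, and the sample document (including the `perch` slug and endpoint paths) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Perch field -> discovery document key, as in the table above.
FIELD_MAP = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Userinfo URL": "userinfo_endpoint",
}
REQUIRED_SCOPES = {"openid", "email"}


def perch_fields(discovery: dict, authentik_url: str) -> dict:
    """Map a parsed discovery document to Perch's Custom OIDC fields.

    Raises ValueError if an endpoint is missing, is not HTTPS, or is on a
    different host than the Authentik URL the document was fetched from
    (the same-host rule is this example's assumption).
    """
    expected_host = urlsplit(authentik_url).netloc.lower()
    fields = {}
    for field, key in FIELD_MAP.items():
        value = discovery.get(key)
        if not isinstance(value, str) or not value:
            raise ValueError(f"discovery document has no {key}")
        parts = urlsplit(value)
        if parts.scheme != "https":
            raise ValueError(f"{key} is not HTTPS: {value}")
        if parts.netloc.lower() != expected_host:
            raise ValueError(f"{key} host {parts.netloc} != {expected_host}")
        fields[field] = value
    missing = REQUIRED_SCOPES - set(discovery.get("scopes_supported", []))
    if missing:
        raise ValueError(f"provider does not advertise scopes: {sorted(missing)}")
    fields["Scopes"] = "openid email"
    return fields


# Constructed sample shaped like a discovery document (not real output).
SAMPLE = {
    "issuer": "https://your-authentik-url/application/o/perch/",
    "authorization_endpoint": "https://your-authentik-url/application/o/authorize/",
    "token_endpoint": "https://your-authentik-url/application/o/token/",
    "userinfo_endpoint": "https://your-authentik-url/application/o/userinfo/",
    "scopes_supported": ["openid", "email", "profile"],
}

if __name__ == "__main__":
    for name, value in perch_fields(SAMPLE, "https://your-authentik-url").items():
        print(f"{name}: {value}")
```

A host mismatch here usually means Authentik is advertising an internal hostname from behind a reverse proxy; fix that in Authentik before copying the values into Perch.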
Access control
By default, any Authentik user can sign in to Perch through the provider. To narrow that down, bind a policy to the Perch application in Authentik under Applications → Bindings.