
Dory Auth and SSO Configuration

Before rolling Dory out to a team, decide how users sign in, who can join, how members are invited, and how access is removed during offboarding.

Supported Auth Options

Current configurable auth capabilities include:

  • Email and password login.
  • Email verification.
  • GitHub OAuth login.
  • Google OAuth login.
  • Bootstrapped initial admin user.
  • Organization and member management.

Core Auth Variables

Variable                                  Purpose
BETTER_AUTH_SECRET                        Authentication secret.
BETTER_AUTH_URL                           Public URL used for generated links and callbacks.
TRUSTED_ORIGINS                           Trusted origins, usually including the public Dory URL.
NEXT_PUBLIC_REQUIRE_EMAIL_VERIFICATION    Whether email verification is required.

Production deployments should use HTTPS and keep BETTER_AUTH_URL aligned with the public URL.

Initial Admin User

DORY_INIT_USER_EMAIL=admin@example.com
DORY_INIT_USER_PASSWORD=change_this_password

Dory creates or updates this user and ensures a default organization exists.

Email Verification

NEXT_PUBLIC_REQUIRE_EMAIL_VERIFICATION=true
RESEND_API_KEY=replace_with_resend_key
EMAIL_FROM="Dory <noreply@example.com>"

EMAIL_FROM must be verified by the email provider.

GitHub Login

Configure GitHub OAuth when your team uses GitHub identities. Confirm callback URLs, client ID, client secret, and public application URL.

Google Login

Configure Google OAuth when your organization uses Google Workspace identities. Confirm callback URLs, client ID, client secret, and allowed domains if needed.

OAuth provider configuration:

GitHub:

GITHUB_CLIENT_ID=replace_with_client_id
GITHUB_CLIENT_SECRET=replace_with_client_secret

Google:

GOOGLE_CLIENT_ID=replace_with_client_id
GOOGLE_CLIENT_SECRET=replace_with_client_secret

Configure OAuth callback URLs using the same public domain as BETTER_AUTH_URL.
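
A preflight check for the variables above, added here as an example; it is not part of Dory or its documentation. It assumes TRUSTED_ORIGINS is a comma-separated list and uses a 32-character minimum for BETTER_AUTH_SECRET as an arbitrary threshold; parse_env, origin and preflight are hypothetical helper names.

```python
from urllib.parse import urlsplit

PLACEHOLDERS = ("replace_with_", "change_this_")  # sample values shown on this page
MIN_SECRET_LEN = 32  # assumed threshold, not a documented Dory requirement

def parse_env(text):
    """Parse KEY=value lines, skipping comments; strips surrounding quotes."""
    rows = [l.partition("=") for l in text.splitlines() if "=" in l and l.lstrip()[:1] != "#"]
    return {k.strip(): v.strip().strip("\"'") for k, _, v in rows}

def origin(url):
    """scheme://host[:port] in lowercase, or '' when the URL is not absolute."""
    p = urlsplit(url.strip())
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else ""

def preflight(env):
    """Return a list of findings; an empty list means every check passed."""
    out = []
    public = origin(env.get("BETTER_AUTH_URL", ""))
    if not public.startswith("https://"):
        out.append("BETTER_AUTH_URL is not an absolute https:// URL")
    # Assumption: TRUSTED_ORIGINS is a comma-separated list of origins.
    trusted = {origin(o) for o in env.get("TRUSTED_ORIGINS", "").split(",")}
    if public and public not in trusted:
        out.append("TRUSTED_ORIGINS lacks the BETTER_AUTH_URL origin")
    if len(env.get("BETTER_AUTH_SECRET", "")) < MIN_SECRET_LEN:
        out.append("BETTER_AUTH_SECRET is missing or too short")
    out += [f"{k} still holds a placeholder value"
            for k, v in env.items() if v.startswith(PLACEHOLDERS)]
    if env.get("NEXT_PUBLIC_REQUIRE_EMAIL_VERIFICATION", "").lower() == "true":
        out += [f"{k} is required when email verification is on"
                for k in ("RESEND_API_KEY", "EMAIL_FROM") if not env.get(k)]
    for p in ("GITHUB", "GOOGLE"):
        have = [bool(env.get(f"{p}_CLIENT_{s}")) for s in ("ID", "SECRET")]
        if any(have) and not all(have):
            out.append(f"{p} OAuth needs both client ID and client secret")
    return out

# Constructed sample .env, not a real deployment.
SAMPLE = """BETTER_AUTH_URL=http://dory.example.com
TRUSTED_ORIGINS=https://dory.example.com
BETTER_AUTH_SECRET=short
DORY_INIT_USER_PASSWORD=change_this_password
NEXT_PUBLIC_REQUIRE_EMAIL_VERIFICATION=true
EMAIL_FROM="Dory <noreply@example.com>"
GITHUB_CLIENT_ID=constructed-client-id
"""
if __name__ == "__main__":
    print("\n".join(preflight(parse_env(SAMPLE))) or "all checks passed")
```

The constructed sample trips every check once, including the scheme mismatch between BETTER_AUTH_URL and TRUSTED_ORIGINS, which compares as a different origin.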

Provisioning and Offboarding

Define who can invite members, whether email verification is required, which organization new users join, and how admins review access. During offboarding, revoke Dory membership, database roles, MCP tokens, OAuth access, and shared secrets.

Team Provisioning Flow

Create an initial admin first, verify email or OAuth settings, invite team members, then assign database access through least-privilege database credentials.

FAQ

Check that BETTER_AUTH_URL matches the public reverse-proxy URL.

Why are verification emails missing?

Check RESEND_API_KEY, EMAIL_FROM, sender-domain verification, and spam folders.

Is SSO required?

No. SSO is optional, but recommended for teams that need centralized identity, easier onboarding, and cleaner offboarding.
