Skip to content

LAM-1778: Fix stale self-hosted access control docs (Better Auth)#175

Open
laminar-coding-agent[bot] wants to merge 1 commit into
mainfrom
docs/lam-1778-self-host-access-control
Open

LAM-1778: Fix stale self-hosted access control docs (Better Auth)#175
laminar-coding-agent[bot] wants to merge 1 commit into
mainfrom
docs/lam-1778-self-host-access-control

Conversation

@laminar-coding-agent

@laminar-coding-agent laminar-coding-agent Bot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

Docs Audit (LAM-1778)

Cross-referenced the most recent lmnr changes against the docs to find outdated information. One major change found and corrected.

🔴 False understanding of self-hosted access control

The Hosting Options page told self-hosters to create an allowed-emails.json file to restrict access by email. That mechanism (getEmailsConfig) was deleted in the NextAuth → Better Auth migration (lmnr #1874) and has no replacement. Following the old instructions does nothing.

Fix: Documented the actual current behavior:

  • OAuth provider credentials (AUTH_GITHUB_*, AUTH_GOOGLE_*) control how users sign in.
  • Enterprise SSO (Azure Entra ID, Okta, Keycloak) is supported via its own AUTH_* vars.
  • A <Note> clarifies there is no built-in email allow-list: anyone with an account at the configured provider can sign up.

All env var names verified against frontend/lib/auth.ts and frontend/lib/features/features.ts on dev.

Verification

  • grep "—" -> none
  • Marketing-word grep -> none
  • No remaining allowed-emails references in the docs repo

Generated with Claude Code


Note

Low Risk
Documentation-only change with no runtime or security behavior impact.

Overview
Self-hosted access control on the Hosting Options page is rewritten to match current Better Auth behavior after the NextAuth migration.

The section now explains that instances accept anyone who can reach them by default, and that GitHub/Google (AUTH_GITHUB_*, AUTH_GOOGLE_*) plus enterprise SSO (Azure Entra ID, Okta, Keycloak via AUTH_*) control how users sign in. The removed allowed-emails.json workflow and JSON example are gone.

A Note states that OAuth does not restrict who can sign up—there is no built-in email allow-list.

Reviewed by Cursor Bugbot for commit c141e0c. Bugbot is set up for automated code reviews on this repo. Configure here.

The allowed-emails.json email allow-list was removed in the NextAuth to
Better Auth migration (lmnr #1874). Document the actual current behavior:
OAuth provider credentials gate how users sign in, GitHub/Google plus
enterprise SSO are supported, and there is no built-in email allow-list.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@mintlify

mintlify Bot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
laminarai 🟢 Ready View Preview Jun 16, 2026, 11:41 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant