Control access to your documentation by authenticating users.
Pro plans include password authentication.Custom plans include all authentication methods.
Authentication requires users to log in before accessing your documentation.When you enable authentication, users must log in to access any content. You can configure specific pages or groups as public while keeping other pages protected.
In the Password Protection section, enter a secure password
After you enter a password, your site redploys. When it finishes deploying, anyone who visits your site must enter the password to access your content.
2
Distribute access.
Securely share the password and documentation URL with authorized users.
Your host your documentation at docs.foo.com and you need basic access control without tracking individual users. You want to prevent public access while keeping setup simple.Create a strong password in your dashboard. Share credentials with authorized users. That’s it!
In the Custom Authentication section, click Mintlify Auth.
Click Enable Mintlify Auth.
After you enable Mintlify authentication, your site redeploys. When it finishes deploying, anyone who visits your site must log in to your Mintlify organization to access your content.
Your host your documentation at docs.foo.com and your entire team has access to your dashboard. You want to restrict access to team members only.Enable Mintlify authentication in your dashboard settings.Verify team access by checking that all team members are active in your organization.
In the Custom Authentication section, click OAuth.
Configure these fields:
Authorization URL: Your OAuth endpoint.
Client ID: Your OAuth 2.0 client identifier.
Client Secret: Your OAuth 2.0 client secret.
Scopes (optional): Permissions to request. Copy the entire scope string (for example, for a scope like provider.users.docs, copy the complete provider.users.docs). Use multiple scopes if you need different access levels.
Additional authorization parameters (optional): Additional query parameters to add to the initial authorization request.
Token URL: Your OAuth token exchange endpoint.
Info API URL (optional): Endpoint on your server that Mintlify calls to retrieve user info. Required for group-based access control. If omitted, the OAuth flow only verifies identity.
Logout URL (optional): The native logout URL for your OAuth provider. Mintlify redirects users to this URL with a GET request when they log out. Mintlify does not append query parameters, so include any parameters (for example, returnTo) directly in the URL. Configure a page to redirect users to on a successful logout.
Redirect URL (optional): The URL to redirect users to after authentication.
Click Save changes.
After you configure your OAuth settings, your site redeploys. When it finishes deploying, anyone who visits your site must log in to your OAuth provider to access your content.
Add the redirect URL as an authorized redirect URL for your OAuth server.
3
Create your user info endpoint (optional).
To enable group-based access control, create an API endpoint that:
Responds to GET requests.
Accepts an Authorization: Bearer <access_token> header for authentication.
Returns user data in the User format. See User data format for more information.
Mintlify calls this endpoint with the OAuth access token to retrieve user information. No additional query parameters are sent.Add this endpoint URL to the Info API URL field in your authentication settings.
Your host your documentation at foo.com/docs and you have an existing OAuth server at auth.foo.com that supports the Authorization Code Flow.Configure your OAuth server details in your dashboard:
Control session length with the expiresAt field in your user info response. This is a Unix timestamp (seconds since epoch) indicating when the session should expire. See User data format for more details.
Configure your OAuth server to allow redirects to your callback URL.
Store your key securely where it can be accessed by your backend.
After you generate a private key, your site redeploys. When it finishes deploying, anyone who visits your site must log in to your JWT authentication system to access your content.
2
Integrate Mintlify authentication into your login flow.
Modify your existing login flow to include these steps after user authentication:
Create a JWT containing the authenticated user’s info in the User format. See User data format for more information.
Sign the JWT with your secret key, using the EdDSA algorithm.
Create a redirect URL back to the /login/jwt-callback path of your docs, including the JWT as the hash.
Your host your documentation at docs.foo.com with an existing authentication system at foo.com. You want to extend your login flow to grant access to the docs while keeping your docs separate from your dashboard (or you don’t have a dashboard).Create a login endpoint at https://foo.com/docs-login that extends your existing authentication.After verifying user credentials:
Generate a JWT with user data in Mintlify’s format.
Sign the JWT and redirect to https://docs.foo.com/login/jwt-callback#{SIGNED_JWT}.
Report incorrect code
Copy
Ask AI
import * as jose from 'jose';import { Request, Response } from 'express';const TWO_WEEKS_IN_MS = 1000 * 60 * 60 * 24 * 7 * 2;const signingKey = await jose.importPKCS8(process.env.MINTLIFY_PRIVATE_KEY, 'EdDSA');export async function handleRequest(req: Request, res: Response) { const user = { expiresAt: Math.floor((Date.now() + TWO_WEEKS_IN_MS) / 1000), // 2 week session expiration groups: res.locals.user.groups, }; const jwt = await new jose.SignJWT(user) .setProtectedHeader({ alg: 'EdDSA' }) .setExpirationTime('10 s') // 10 second JWT expiration .sign(signingKey); return res.redirect(`https://docs.foo.com/login/jwt-callback#${jwt}`);}
When using authentication, all pages require authentication to access by default. You can make specific pages viewable without authentication at the page or group level with the public property.
When you use OAuth or JWT authentication, you can restrict specific pages to certain user groups. This is useful when you want different users to see different content based on their role or attributes.Manage groups through user data passed during authentication. See User data format for details.
Specify which groups can access specific pages using the groups property in frontmatter.
Example page restricted to the admin group
Report incorrect code
Copy
Ask AI
---title: "Admin dashboard"groups: ["admin"]---
Users must belong to at least one of the listed groups to access the page. If a user tries to access a page without the required group, they’ll receive a 404 error.
Session expiration time in seconds since epoch. When the current time passes this value, the user must re-authenticate.
For JWT: This differs from the JWT’s exp claim, which determines when a JWT is considered invalid. Set the JWT exp claim to a short duration (10 seconds or less) for security. Use expiresAt for the actual session length (hours to weeks).
List of groups the user belongs to. Pages with matching groups in their frontmatter are accessible to this user.Example: A user with groups: ["admin", "engineering"] can access pages tagged with either the admin or engineering groups.
