Enable SSO

How SSO works in Dekart

Dekart runs in anonymous mode by default. To enable team login (Google OAuth, OIDC, AWS ALB, or Google IAP), your instance needs an SSO key set as DEKART_LICENSE_KEY.

Enter your work email and you will receive an SSO key with setup instructions.

Add the key to your instance

Set the key as an environment variable:

DEKART_LICENSE_KEY=<your-sso-key>

If you run with Docker Compose:

services:
  dekart:
    environment:
      - DEKART_LICENSE_KEY=${DEKART_LICENSE_KEY}

Without the key, SSO config will fail on startup with a clear error message.

Choose your SSO method

After DEKART_LICENSE_KEY is set, pick the method that matches your environment.

Google OAuth 2.0

Users sign in directly with Google OAuth.

Google OAuth 2.0 configuration

Google IAP

Dekart is behind Google IAP and trusts IAP signed headers.

Google IAP configuration

Amazon Load Balancer

ALB/Cognito forwards auth headers to Dekart.

Amazon Load Balancer configuration Amazon Load Balancer Terraform example

OIDC reverse proxy

A trusted reverse proxy (oauth2-proxy, Keycloak, etc.) authenticates users and forwards JWT to Dekart.

OIDC JWT header configuration Keycloak + Postgres + OIDC Setup

Validate

Before inviting your team, verify:

DEKART_LICENSE_KEY is set in the running instance
Your OIDC/JWKS/issuer/audience values match your identity provider
Login flow reaches your IdP and returns to Dekart
Users can access shared maps and team features after login

Edit this page on GitHub

Enable SSO

How SSO works in Dekart#

Add the key to your instance#

Choose your SSO method#

Google OAuth 2.0#

Google IAP#

Amazon Load Balancer#

OIDC reverse proxy#

Validate#