First-run setup

Welcome.

Fill this in once. After you submit, the site goes live and you can sign in via the OIDC provider you configure here. The first sign-in whose claims match the bootstrap admin claim becomes the first admin.

Environment

Two environment values are required: ENCRYPTION_SECRET signs session cookies, and NEXT_PUBLIC_URL is the URL your IdP will redirect back to. Everything else is configured below.

  • [OK] ENCRYPTION_SECRET: Set, at least 32 characters.
  • [OK] NEXT_PUBLIC_URL: Callback will be registered as http://localhost:3000/api/auth/callback.

Identity provider

Sign-in is delegated to an OIDC provider. Any compliant IdP (Keycloak, Authentik, Auth0, your own) works. Roles are assigned from claims via the rules you configure in /admin/globals/auth after sign-in.

Shown on the sign-in button: 'Sign in with {label}'.

The provider's OIDC discovery URL.

Register the redirect URI as <your site URL>/api/auth/callback on your provider.

Space- or comma-separated. 'openid' is always added.

Optional. The first user whose claims match this 'path=value' becomes admin regardless of mapping rules. Clear it after the first sign-in.
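
How a 'path=value' bootstrap rule and the scopes field could be evaluated, as an added example that is not this project's code. The dotted-path lookup, array-membership matching and all function names are assumptions, and the claims object is constructed sample data.

```javascript
// Added illustration, not the project's code. Dotted-path lookup and
// array-membership matching are assumptions about how 'path=value' is read.

// Split on the first '=' so the value may itself contain '='.
function parseRule(rule) {
  const i = rule.indexOf('=');
  if (i <= 0 || i === rule.length - 1) return null; // missing path or value
  return { path: rule.slice(0, i).trim(), value: rule.slice(i + 1).trim() };
}

// Walk the dotted path using own properties only, so keys such as
// "__proto__" never resolve to inherited objects.
function resolveClaim(claims, path) {
  let node = claims;
  for (const key of path.split('.')) {
    if (node === null || typeof node !== 'object') return undefined;
    if (!Object.hasOwn(node, key)) return undefined;
    node = node[key];
  }
  return node;
}

// True when the claim is exactly the value, or an array containing it.
function matchesBootstrapClaim(claims, rule) {
  const parsed = parseRule(rule ?? '');
  if (!parsed) return false; // a cleared or malformed rule matches nobody
  const claim = resolveClaim(claims, parsed.path);
  if (Array.isArray(claim)) return claim.includes(parsed.value);
  return typeof claim === 'string' && claim === parsed.value;
}

// Scopes: space- or comma-separated, 'openid' always present, no duplicates.
function normalizeScopes(input) {
  return [...new Set(['openid', ...input.split(/[\s,]+/).filter(Boolean)])];
}

// Constructed ID-token claims (sample data, not from a real provider).
const sampleClaims = {
  sub: 'a1b2',
  email: 'ops@example.test',
  groups: ['staff', 'site-admins'],
  realm_access: { roles: ['admin'] },
};

console.log(matchesBootstrapClaim(sampleClaims, 'groups=site-admins'));
console.log(normalizeScopes('profile, email openid'));
```

A rule that names a shared claim such as a group matches every member of that group, so whichever member signs in first becomes the admin; a rule on a per-user claim narrows that to one account.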

Brand

The visual identity of the public site. Logo and fonts are editable later through /admin/globals/brand.

An oklch() value. Drives the --primary CSS variable across the site.

Server facts

Shown in the hero, footer, FAQ, and across the site.

Default language

Adding more languages later requires a container restart so Payload can pick them up (ADR 0002).

BCP-47, e.g. 'en', 'fr', 'pt-BR'.