--- title: Configure ZITADEL Authentication Service for LobeChat description: >- Learn how to configure ZITADEL Authentication Service for LobeChat deployment, including creating ZITADEL applications, setting up environment variables, and enabling single sign-on (SSO). tags: - ZITADEL Authentication - LobeChat Deployment - Single Sign-On (SSO) - Environment Variables - ZITADEL Applications --- # Configure ZITADEL Authentication Service ### Create ZITADEL Application Log in to the console of your ZITADEL instance using an account with at least a [`Project Owner` role](https://zitadel.com/docs/guides/manage/console/managers#roles), navigate to (or [create](https://zitadel.com/docs/guides/manage/console/projects#create-a-project)) the project you'd like to host your application in, and click the **New** button to create an application. Create ZITADEL Application S1 Fill in the name, choose **Web** as the application type, and click **Continue**. Create ZITADEL Application S2 Choose **Code** as the authentication method. Create ZITADEL Application S3 In the **Redirect URIs** field, fill in: ``` http(s)://your-domain/api/auth/callback/zitadel ``` Create ZITADEL Application S4 - You can fill in or modify redirect URIs after creating the application, but make sure the filled URL is consistent with the deployed URL. - Replace `http(s)://your-domain` with the actual URL that LobeChat is deployed to. Confirm the configuration and click **Create**. Create ZITADEL Application S5 Save the **ClientId** and **ClientSecret** for later use. Create ZITADEL Application S6 In the application settings page, navigate to the **Token Settings** tab, enable **User Info inside ID Token** option, and click **Save**. Create ZITADEL Application S7 Navigate to the **URLs** tab, and save the **issuer** URL. Create ZITADEL Application S8 ### Configure Environment Variables When deploying LobeChat, you need to configure the following environment variables: | Environment Variable | Type | Description | | --- | --- | --- | | `NEXT_AUTH_SECRET` | Required | Key used to encrypt Auth.js session tokens. You can generate a key using the following command: `openssl rand -base64 32` | | `NEXT_AUTH_SSO_PROVIDERS` | Required | Select the single sign-on provider for LoboChat. Use `zitadel` for ZITADEL. | | `AUTH_ZITADEL_ID` | Required | Client ID (`ClientId` as shown in ZITADEL) of the ZITADEL application | | `AUTH_ZITADEL_SECRET` | Required | Client Secret (`ClientSecret` as shown in ZITADEL) of the ZITADEL application | | `AUTH_ZITADEL_ISSUER` | Required | Issuer URL of the ZITADEL application | | `NEXTAUTH_URL` | Required | The URL is used to specify the callback address for the execution of OAuth authentication in Auth.js. It needs to be set only when the default address is incorrect. `https://example.com/api/auth` | You can refer to the related variable details at [📘Environment Variables](/docs/self-hosting/environment-variables/auth#zitadel). After successful deployment, users will be able to authenticate and use LobeChat using existing users configured in ZITADEL.