Integrate with Beszel
Support level: Community
What is Beszel?
Beszel is a lightweight server monitoring platform with Docker and Podman statistics, historical data, alerts, multi-user support, OAuth authentication, automatic backups, and a REST API.
Preparation
The following placeholders are used in this guide:
beszel.companyis the FQDN of the Beszel installation.authentik.companyis the FQDN of the authentik installation.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
authentik configuration
In authentik versions earlier than 2026.5, all Redirect URIs are automatically treated as Authorization type. If you are using one of these older authentik versions, add only the Authorization URL to your Redirect URIs and do not configure a Post Logout URI.
To support the integration of Beszel with authentik, you need to create an email verification scope mapping and an application/provider pair in authentik.
Create an email verification scope mapping in authentik
Beszel requires the email scope to return a value of email_verified: True. As of authentik 2025.10, the default behavior is to return email_verified: False, so a custom scope mapping is required for Beszel to allow authentication.
Refer to Email scope verification for instructions on how to create the required custom scope mapping.
Create an application and provider in authentik
-
Log in to authentik as an administrator and open the authentik Admin interface.
-
Navigate to Applications > Applications and click New Application to open the application wizard.
- Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the Client ID and Client Secret values because they will be required later.
- Add a Redirect URI of type
StrictAuthorizationashttps://beszel.company/api/oauth2-redirect. - Select any available signing key.
- Advanced protocol settings > Scopes:
- Add
OAuth Mapping: OpenID 'email' with "email_verified"to the Selected Scopes. - Remove the
authentik default OAuth Mapping: OpenID 'email'scope.
- Add
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
-
Click Submit to save the new application and provider.
Beszel uses PocketBase as its server backend. When you install Beszel, PocketBase is included as part of Beszel, so you do not need to separately integrate PocketBase.
Beszel configuration
- Sign in to Beszel and open the PocketBase superuser dashboard at
https://beszel.company/_/#/settings. - Toggle off Hide collection create and edit controls, then click Save changes.
- Open the users collection by clicking the Collections icon in the sidebar or by navigating to
https://beszel.company/_/#/collections?collection=pb_users_auth. - Click the gear icon next to the collection name, then select the Options tab.
- Open the OAuth2 section and toggle Enable.
- Click + Add provider, then select OpenID Connect.
- Enter the following details from the authentik provider:
- Client ID: enter the Client ID from authentik.
- Client secret: enter the Client Secret from authentik.
- Display name:
authentik - Auth URL:
https://authentik.company/application/o/authorize/ - Token URL:
https://authentik.company/application/o/token/ - Fetch user info from:
User info URL - User info URL:
https://authentik.company/application/o/userinfo/
- Click Set provider config.
- Click Save changes.
- Return to
https://beszel.company/_/#/settings, toggle Hide collection create and edit controls back on, then click Save changes.
User creation and password login
Beszel does not create users automatically by default. Before a user can sign in with authentik, either create the user manually in the users collection with an email address that matches their authentik email address, or enable automatic user creation by setting the USER_CREATION=true environment variable on the Beszel hub.
To disable password-based login and require OAuth/OIDC authentication instead, set the DISABLE_PASSWORD_AUTH=true environment variable on the Beszel hub. Avoid changing this setting directly in PocketBase, because Beszel will overwrite it with the environment variable value on restart.
Configuration verification
To confirm that authentik is properly configured with Beszel, open Beszel and click authentik to sign in. You should be redirected to authentik and returned to the Beszel web interface after a successful login.