Add an Authentik user
Authentik at auth.saxobroko.com is the single sign-on (SSO) server for homelab apps protected by Cloudflare Access — including docs.saxobroko.com and dash.saxobroko.com.
Adding someone here lets them pass the Cloudflare login wall. It does not automatically create Jellyfin users — see Add a Jellyfin user.
What you need
- Authentik admin login — Vaultwarden
- Browser — from Australia or on home network (auth has WAF exceptions for OIDC)
Reference: Authentik.
Create the user
- Open auth.saxobroko.com.
- Log in as admin → open Admin interface (top right or /if/admin/).
- Go to Directory → Users.
- Click Create (or +).
- Fill in:
- Username — short login name (e.g. ryan)
- Name — display name
- Email — required for Cloudflare Access OIDC — use a real address the person controls
- Password — set a temporary strong password; share securely
- Groups — add to any group used by Access policies if configured (default setup often allows any Authentik user for SaxDocs).
- Save.
Confirm email (critical for Access)
Cloudflare Access expects an email claim in the token.
- Directory → Users → open the new user.
- Verify Email field is filled — not blank.
- If login fails with "email not returned", fix email and provider scopes — Authentik troubleshooting.
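One way to check the claim described above, given an ID token issued by the Authentik provider for the new user (an added example, not part of the original runbook). The function names and sample tokens are constructed for illustration, and the signature is deliberately not verified, so this is for diagnosis only.

```python
import base64
import json


def decode_payload(id_token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying the signature.

    Diagnostic use only: never make an access decision from this output.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    segment = parts[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def email_claim_problems(claims: dict) -> list[str]:
    """Return reasons the token would not give Access a usable email claim."""
    problems = []
    email = claims.get("email")
    if not isinstance(email, str) or not email.strip():
        problems.append("email claim missing or blank: fill the user's Email "
                        "field and check the provider's email scope")
    elif "@" not in email.strip().strip("@"):
        problems.append(f"email claim is not an address: {email!r}")
    return problems


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed for this demo, not real)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    samples = [
        {"sub": "ryan", "email": "ryan@example.com"},  # healthy user
        {"sub": "ryan", "email": ""},                  # Email field left blank
        {"sub": "ryan"},                               # email scope not granted
    ]
    for claims in samples:
        found = email_claim_problems(decode_payload(constructed_token(claims)))
        print(claims, "->", found or "email claim present")
```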
Give them access to SaxDocs
Current policy (see Authentik):
- Cloudflare Access app for docs.saxobroko.com
- Allow policy: any authenticated Authentik user
So creating the Authentik user is usually enough — no extra Cloudflare step.
To verify:
- Incognito window → docs.saxobroko.com
- Should redirect to Authentik login
- Sign in with new username/password → SaxDocs loads
Give them access to other apps
| App | Extra step |
|---|---|
| Homepage (dash) | Usually same Authentik user if forward-auth is configured |
| Jellyfin | Separate Jellyfin user — Add Jellyfin user |
| Vaultwarden | Separate vault account — invite or create in Vaultwarden admin |
| New Access-protected hostname | Zero Trust → Access → Application → add to allow policy |
Reset password
- Admin → Directory → Users → select user.
- Set password or send recovery flow if email is configured.
Remove access
- Directory → Users → deactivate or delete user.
- They immediately fail Cloudflare Access on next login.
Do not delete the Authentik admin account you are logged in as
Keep at least one admin user. Deleting all admins locks you out of SSO configuration.
What not to do
| Do not | Why |
|---|---|
| Put auth.saxobroko.com behind Cloudflare Access | Causes login loop |
| Store passwords in SaxDocs | Use Vaultwarden |
| Share one user account for whole family | Cannot revoke one person; audit trail blurred |