ACG Docs
Authentication

Authentication

ai-cost-gate ships with a built-in admin token. Pro buyers can integrate SSO via OIDC.

ai-cost-gate's admin dashboard and /internal/* endpoints are protected by a single admin token by default. Pro buyers can replace this with full OIDC SSO.

Built-in admin token

Set ADMIN_TOKEN=... in .env and visit the dashboard at /admin/login. The token is rotated by changing the env var and restarting the container.

This is enough for:

  • A single user.
  • A small team sharing one token.
  • A homelab or staging environment.

OIDC SSO (Pro only)

Pro buyers can enable OIDC SSO so each operator signs in with their own identity. To set this up:

  1. In your IdP (Okta, Google Workspace, Auth0, etc.), create an OIDC app with redirect URI https://ai-cost-gate.example.com/admin/callback.
  2. Set the OIDC env vars in your .env:
OIDC_ISSUER=https://your-idp.example.com
OIDC_CLIENT_ID=...
OIDC_CLIENT_SECRET=...
OIDC_ADMIN_GROUP=ai-cost-gate-admins
  1. Restart ai-cost-gate. The /admin/login page will show a "Sign in with SSO" button.

Email verification for the buyer portal

This portal (acg-protal) uses Better Auth for buyer accounts. The verification flow is documented under Email verification.

Adding a social provider

See Providers for the current list of supported providers and how to enable them.

Environment variables

Reference for the environment variables ai-cost-gate reads at startup.

Providers

Social sign-in providers supported by the buyer portal.

On this page

Built-in admin tokenOIDC SSO (Pro only)Email verification for the buyer portalAdding a social provider