Account Settings
Manage your account security and external identity provider integrations.
OIDC Settings
Enable OIDC
Master switch to enable or disable OIDC authentication. When disabled, the OIDC login button is hidden and all OIDC-related settings are ignored.
Provider Name
The display name shown on the login button. Set this to the name of your identity provider so users know where they're signing in.
Examples:
Authentik
Authelia
Keycloak
My SSO
Issuer URL
The OpenID Connect issuer URL from your identity provider. Cleanuparr uses this to automatically discover your provider's endpoints (authorization, token, user info, etc.).
This URL must use HTTPS (except localhost for development purposes). You can find it in your provider's application or client settings — it is sometimes called the "Discovery URL" or "OpenID Configuration URL".
Where to find it:
| Provider | Issuer URL format |
|---|---|
| Authentik | https://auth.example.com/application/o/cleanuparr/ |
| Authelia | https://auth.example.com |
| Keycloak | https://keycloak.example.com/realms/your-realm |
If you are unsure, visit {your-provider-url}/.well-known/openid-configuration in a browser. The issuer field in the JSON response is the value you need.
Client ID
The client identifier assigned to Cleanuparr by your identity provider. You get this when you create a new application/client in your provider.
Where to find it:
| Provider | Location |
|---|---|
| Authentik | Applications → your app → Provider → Client ID |
| Authelia | Configuration file → identity_providers → oidc → clients → client_id |
| Keycloak | Clients → your client → Client ID |
Client Secret
The client secret assigned by your identity provider. This is optional — whether you need it depends on your provider's configuration:
- Confidential client (most common): A secret is required. Your provider generates one when you create the application.
- Public client: No secret is needed. Some providers support this for applications that cannot securely store a secret.
If you are unsure, your provider most likely requires a secret.
Scopes
Space-separated list of OIDC scopes to request from your identity provider. Scopes control what information Cleanuparr receives about the authenticated user.
Default: openid profile email
You typically do not need to change this. The default scopes request the user's identity (openid), profile information (profile), and email address (email).
Only change this if your provider requires different scopes or you have a specific need. The openid scope is always required.
Redirect URL
The base URL where Cleanuparr is accessible from the outside. Cleanuparr appends callback paths automatically — you only need to provide the base URL.
Leave this empty to let Cleanuparr auto-detect the URL from incoming requests. Set it explicitly if:
- Cleanuparr is behind a reverse proxy
- The auto-detected URL is incorrect
- You access Cleanuparr via a custom domain
Examples:
https://cleanuparr.example.com
https://media.example.com/cleanuparr
This URL must match the redirect URI configured in your identity provider. In your provider, set the redirect/callback URI to:
- Login callback: https://cleanuparr.example.com/api/auth/oidc/callback
- Link callback: https://cleanuparr.example.com/api/account/oidc/link/callback
Replace https://cleanuparr.example.com with your actual base URL.
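The following pre-flight check is an added example, not Cleanuparr's own code. It applies the rules stated above for Issuer URL, Scopes and Redirect URL to a discovery document you have already fetched. The function names, the set of hosts treated as localhost, and the sample document are assumptions constructed for illustration; the exact-match issuer comparison follows OpenID Connect Discovery, and this page does not state whether Cleanuparr enforces it the same way.

```python
import json
from urllib.parse import urlsplit

# Callback paths as documented on this page.
CALLBACK_PATHS = ("/api/auth/oidc/callback", "/api/account/oidc/link/callback")
# Assumption: hosts treated as "localhost" for the HTTPS exception.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample of a provider's /.well-known/openid-configuration response.
ISSUER = "https://auth.example.com/application/o/cleanuparr/"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": "https://auth.example.com/application/o/authorize/",
    "scopes_supported": ["openid", "profile", "email"],
})


def discovery_url(issuer: str) -> str:
    """Where the provider publishes its discovery document."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def redirect_uris(base_url: str) -> list[str]:
    """Callback URIs to register with the provider for a given base URL."""
    return [base_url.rstrip("/") + path for path in CALLBACK_PATHS]


def check_settings(issuer: str, scopes: str, discovery_json: str) -> list[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    parts = urlsplit(issuer)
    is_local_http = parts.scheme == "http" and parts.hostname in LOCAL_HOSTS
    if parts.scheme != "https" and not is_local_http:
        problems.append("issuer must use HTTPS (localhost excepted)")

    doc = json.loads(discovery_json)
    # Exact string comparison: a missing or extra trailing slash is a mismatch.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: provider reports {doc.get('issuer')!r}")

    requested = scopes.split()
    if "openid" not in requested:
        problems.append("scopes must include 'openid'")
    # scopes_supported is optional metadata; skip the check when it is absent.
    supported = doc.get("scopes_supported")
    if supported is not None:
        for scope in requested:
            if scope not in supported:
                problems.append(f"provider does not advertise scope {scope!r}")
    return problems
```

Save the JSON returned by the discovery URL and pass it as `discovery_json`; the most common failure is an issuer that differs from the provider's reported value only by a trailing slash.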
Link Account
Linking an account is optional. By default, when no account is linked, any user who can authenticate with your identity provider and has access to this app is allowed to sign in. Your provider controls who has access — if a user can log in to the configured OIDC client, they are permitted into Cleanuparr.
If you want to restrict access to a single identity, click the Link Account button to connect your Cleanuparr account to a specific user from your provider. This opens your provider's login page, where you authenticate and authorize Cleanuparr. Once linked, only that specific identity can sign in via OIDC — all other users from your provider will be rejected.
Steps to link:
- Fill in all OIDC settings above and click Save OIDC Settings.
- Click Link Account.
- Sign in with your identity provider when prompted.
- You are redirected back to Cleanuparr with a success message.
You can re-link at any time by clicking Re-link. This replaces the currently linked identity with the new one.
Exclusive Mode
When enabled, only OIDC login is allowed. Username/password login and Plex login are completely disabled. This is useful if you want to enforce that all authentication goes through your identity provider.
Lockout risk: If your identity provider goes down or becomes unreachable while exclusive mode is active, you will not be able to sign in to Cleanuparr. To recover, you would need to directly modify the database to disable exclusive mode.
Only enable this if your identity provider is reliable and you have a recovery plan.