AppFlowy-GoTrue

AppFlowy-GoTrue

Docker app from vmalinics0's Repository

Overview

Step 4/7: GoTrue authentication service for AppFlowy Cloud — handles user sign-up, login, JWT issuance, OAuth, email magic links, and SAML. Part of the AppFlowy Cloud stack.

AppFlowy Cloud — Unraid Community Apps Templates

Unraid Community Apps templates for self-hosting AppFlowy Cloud — the open-source, privacy-first collaborative workspace (Notion alternative).

Services

Container Image Role
AppFlowy-Postgres pgvector/pgvector:pg16 Primary database
AppFlowy-Redis redis:7 Cache & pub/sub
AppFlowy-MinIO minio/minio S3-compatible object storage
AppFlowy-GoTrue appflowyinc/gotrue Authentication (JWT, OAuth, email)
AppFlowy-Cloud appflowyinc/appflowy_cloud Core backend API + WebSocket
AppFlowy-Admin appflowyinc/admin_frontend Admin web console (/console)
AppFlowy-Web appflowyinc/appflowy_web Browser client (/)
AppFlowy-Worker appflowyinc/appflowy_worker Background job processor
AppFlowy-Search appflowyinc/appflowy_search Full-text & semantic search
AppFlowy-AI (optional) appflowyinc/appflowy_ai LLM chat & embeddings
AppFlowy-Nginx nginx:stable-alpine Reverse proxy (public entry point)
AppFlowy-Certbot (optional) certbot/certbot Automated Let's Encrypt TLS certificates

Prerequisites

1. Create the appflowy Docker network

All containers communicate on a shared custom bridge network.

Via SSH or the Unraid terminal:

docker network create appflowy

2. Download the nginx config

Before starting AppFlowy-Nginx, place the custom config at:

/mnt/user/appdata/AppFlowy-Nginx/nginx.conf
mkdir -p /mnt/user/appdata/AppFlowy-Nginx/ssl
curl -o /mnt/user/appdata/AppFlowy-Nginx/nginx.conf \
  https://raw.githubusercontent.com/vmalinics0/unraid-appflowy/main/nginx/nginx.conf

The nginx.conf in this repo uses Unraid container names (AppFlowy-Cloud, AppFlowy-GoTrue, etc.) instead of the default compose service names.

Deploy Order

Deploy containers in this order (each group can be deployed in parallel). The install step number is shown in each app's description in Community Apps.

Step 1 — AppFlowy-Postgres
Step 2 — AppFlowy-Redis
Step 3 — AppFlowy-MinIO
Step 4 — AppFlowy-GoTrue        (waits for Postgres)
Step 5 — AppFlowy-Cloud         (waits for GoTrue, Postgres, Redis, MinIO)
Step 6 — AppFlowy-Admin         \
          AppFlowy-Web            | (wait for AppFlowy-Cloud)
          AppFlowy-Worker         |
          AppFlowy-Search         |
          AppFlowy-AI (optional)  /
Step 7 — AppFlowy-Nginx          (deploy last)

Required Configuration

Set these values consistently across all templates before starting:

Setting Where to set Notes
YOUR_SERVER_IP All templates Your Unraid server's LAN IP or domain
Postgres Password AppFlowy-Postgres, AppFlowy-GoTrue, AppFlowy-Cloud, AppFlowy-Worker, AppFlowy-Search, AppFlowy-AI Must be identical everywhere
JWT Secret AppFlowy-GoTrue, AppFlowy-Cloud, AppFlowy-Search, AppFlowy-AI Min 32 chars; must be identical everywhere
MinIO credentials AppFlowy-MinIO, AppFlowy-Cloud, AppFlowy-Worker, AppFlowy-Search, AppFlowy-AI Access key + secret key
Admin email/password AppFlowy-GoTrue Login for /console

Accessing AppFlowy

URL Service
http://YOUR_SERVER_IP/ AppFlowy Web (browser client)
http://YOUR_SERVER_IP/console Admin console
http://YOUR_SERVER_IP/minio/ MinIO web UI

Native desktop/mobile clients: point them to http://YOUR_SERVER_IP as the server URL.

TLS / HTTPS

Three nginx config files are provided; choose one:

Config file Use when
nginx/nginx.conf HTTP only (default, no TLS)
nginx/nginx-https-custom.conf You have your own TLS certificate
nginx/nginx-letsencrypt.conf Automated Let's Encrypt certificates

Option A — User-provided certificate

  1. Place your certificate and key in /mnt/user/appdata/AppFlowy-Nginx/ssl/:
    • certificate.crt
    • private_key.key
  2. Point the AppFlowy-Nginx nginx.conf path to nginx-https-custom.conf.
  3. Update all http:// URLs in every template to https://.
  4. Update APPFLOWY_WS_BASE_URL in AppFlowy-Web from ws:// to wss://.
  5. Restart all containers.

Option B — Automated Let's Encrypt (AppFlowy-Certbot)

Requires a public domain name with port 80 reachable from the internet.

  1. Create the required host directories:
    mkdir -p /mnt/user/appdata/AppFlowy-Nginx/letsencrypt
    mkdir -p /mnt/user/appdata/AppFlowy-Nginx/certbot-webroot
    
  2. Download nginx-letsencrypt.conf and edit it — replace YOUR_DOMAIN (two occurrences) with your actual domain:
    curl -o /mnt/user/appdata/AppFlowy-Nginx/nginx-letsencrypt.conf \
      https://raw.githubusercontent.com/vmalinics0/unraid-appflowy/main/nginx/nginx-letsencrypt.conf
    
  3. Point the AppFlowy-Nginx nginx.conf path to nginx-letsencrypt.conf and restart it.
  4. In Community Apps, install AppFlowy-Certbot. Edit its Extra Parameters field — replace yourdomain.com and admin@yourdomain.com with your real values. Start it; it will obtain the certificate and exit (this is normal).
  5. Restart AppFlowy-Nginx to load the new certificate.
  6. Update all http:// URLs in every template to https:// and APPFLOWY_WS_BASE_URL from ws:// to wss://.
  7. Schedule AppFlowy-Certbot to restart monthly (e.g. via the Unraid User Scripts plugin) for automatic renewal. After each renewal, restart AppFlowy-Nginx.

Submitting to Community Apps

  1. Fork / create a public GitHub repository.
  2. Push all files from this directory into the repo root.
  3. Submit the repository URL at https://ca.unraid.net/submit.
  4. Run Validate and Scan in the CA submission flow.

Support

Upstream

Install AppFlowy-GoTrue on Unraid in a few clicks.

Find AppFlowy-GoTrue in Community Apps on your Unraid server, review the template, and click Install. Unraid handles the Docker app or plugin setup from the published template.

Open the Apps tab on your Unraid server Search Community Apps for AppFlowy-GoTrue Review the template variables and paths Click Install

Requirements

Custom Docker network named "appflowy" must exist before deploying any container in this stack. Create it via SSH or the Unraid terminal: docker network create appflowy — Network Type is pre-set to "appflowy" by default, verify it is selected.

Download Statistics

352,043
Total Downloads

Related apps

Details

Repository
appflowyinc/gotrue:latest
Last Updated2026-06-24
First Seen2026-05-26

Runtime arguments

Network
custom:appflowy
Shell
sh
Privileged
false

Template configuration

Base URLVariable

Public-facing GoTrue URL. Set to http://YOUR_SERVER_IP/gotrue (or your domain with /gotrue). Must be reachable by clients for OAuth redirects.

Target
API_EXTERNAL_URL
Default
http://YOUR_SERVER_IP/gotrue
Value
http://YOUR_SERVER_IP/gotrue
Admin EmailVariable

Email address of the initial admin account created on first start.

Target
GOTRUE_ADMIN_EMAIL
Default
admin@example.com
Value
admin@example.com
Admin PasswordVariable

Password for the initial admin account.

Target
GOTRUE_ADMIN_PASSWORD
Default
changeme_admin_password
Value
changeme_admin_password
JWT SecretVariable

Shared JWT signing secret. MUST be identical to APPFLOWY_GOTRUE_JWT_SECRET in AppFlowy-Cloud. Minimum 32 characters. Keep private.

Target
GOTRUE_JWT_SECRET
Default
changeme_jwt_secret_min32chars!!
Value
changeme_jwt_secret_min32chars!!
Database URLVariable

GoTrue PostgreSQL connection string. Update user, password, and host if you changed them. Uses the auth schema.

Target
DATABASE_URL
Default
postgres://postgres:changeme_strong_password@AppFlowy-Postgres:5432/postgres?search_path=auth
Value
postgres://postgres:changeme_strong_password@AppFlowy-Postgres:5432/postgres?search_path=auth
JWT Expiry (seconds)Variable

JWT token lifetime in seconds. Default: 604800 (7 days).

Target
GOTRUE_JWT_EXP
Default
604800
Value
604800
Auto-confirm EmailVariable

Set true to skip email confirmation (recommended for initial setup). Set false to require email confirmation — you must also configure SMTP.

Target
GOTRUE_MAILER_AUTOCONFIRM
Default
true
Value
true
Disable Public SignupVariable

Set true to allow only invited users to sign up.

Target
GOTRUE_DISABLE_SIGNUP
Default
false
Value
false
Rate Limit (emails/min)Variable

Maximum emails GoTrue can send per minute.

Target
GOTRUE_RATE_LIMIT_EMAIL_SENT
Default
100
Value
100
DB DriverVariable

Database driver — always postgres.

Target
GOTRUE_DB_DRIVER
Default
postgres
Value
postgres
Site URLVariable

Deep-link scheme for the AppFlowy native app.

Target
GOTRUE_SITE_URL
Default
appflowy-flutter://
Value
appflowy-flutter://
URI Allow ListVariable

Allowed OAuth redirect URIs. ** permits all; restrict for production.

Target
GOTRUE_URI_ALLOW_LIST
Default
**
Value
**
JWT Admin GroupVariable

JWT group name for admin users.

Target
GOTRUE_JWT_ADMIN_GROUP_NAME
Default
supabase_admin
Value
supabase_admin
Internal PortVariable

GoTrue internal listen port. Do not change.

Target
PORT
Default
9999
Value
9999
Mailer Confirm PathVariable

URL path for email confirmation links.

Target
GOTRUE_MAILER_URLPATHS_CONFIRMATION
Default
/gotrue/verify
Value
/gotrue/verify
Mailer Invite PathVariable

URL path for invite links.

Target
GOTRUE_MAILER_URLPATHS_INVITE
Default
/gotrue/verify
Value
/gotrue/verify
Mailer Recovery PathVariable

URL path for password recovery links.

Target
GOTRUE_MAILER_URLPATHS_RECOVERY
Default
/gotrue/verify
Value
/gotrue/verify
Mailer Email-Change PathVariable

URL path for email-change confirmation links.

Target
GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE
Default
/gotrue/verify
Value
/gotrue/verify
SMTP HostVariable

SMTP server hostname (e.g. smtp.gmail.com). Required if GOTRUE_MAILER_AUTOCONFIRM=false.

Target
GOTRUE_SMTP_HOST
SMTP PortVariable

SMTP port. Use 465 for TLS/SMTPS, 587 for STARTTLS.

Target
GOTRUE_SMTP_PORT
Default
465
Value
465
SMTP UserVariable

SMTP sender email address.

Target
GOTRUE_SMTP_USER
SMTP PasswordVariable

SMTP password.

Target
GOTRUE_SMTP_PASS
SMTP Admin EmailVariable

Admin email used as the From address.

Target
GOTRUE_SMTP_ADMIN_EMAIL
SMTP Max FrequencyVariable

Minimum interval between emails to the same address. Use 1ns for no limit.

Target
GOTRUE_SMTP_MAX_FREQUENCY
Default
1ns
Value
1ns
Magic Link Template URLVariable

Optional: public URL to a custom magic-link email HTML template.

Target
GOTRUE_MAILER_TEMPLATES_MAGIC_LINK
Google OAuth EnabledVariable

Enable Google OAuth login.

Target
GOTRUE_EXTERNAL_GOOGLE_ENABLED
Default
false
Value
false
Google Client IDVariable

Google OAuth client ID.

Target
GOTRUE_EXTERNAL_GOOGLE_CLIENT_ID
Google Client SecretVariable

Google OAuth client secret.

Target
GOTRUE_EXTERNAL_GOOGLE_SECRET
Google Redirect URIVariable

Google OAuth redirect URI.

Target
GOTRUE_EXTERNAL_GOOGLE_REDIRECT_URI
Default
http://YOUR_SERVER_IP/gotrue/callback
Value
http://YOUR_SERVER_IP/gotrue/callback
GitHub OAuth EnabledVariable

Enable GitHub OAuth login.

Target
GOTRUE_EXTERNAL_GITHUB_ENABLED
Default
false
Value
false
GitHub Client IDVariable

GitHub OAuth app client ID.

Target
GOTRUE_EXTERNAL_GITHUB_CLIENT_ID
GitHub Client SecretVariable

GitHub OAuth app client secret.

Target
GOTRUE_EXTERNAL_GITHUB_SECRET
GitHub Redirect URIVariable

GitHub OAuth redirect URI.

Target
GOTRUE_EXTERNAL_GITHUB_REDIRECT_URI
Default
http://YOUR_SERVER_IP/gotrue/callback
Value
http://YOUR_SERVER_IP/gotrue/callback
Discord OAuth EnabledVariable

Enable Discord OAuth login.

Target
GOTRUE_EXTERNAL_DISCORD_ENABLED
Default
false
Value
false
Discord Client IDVariable

Discord OAuth application client ID.

Target
GOTRUE_EXTERNAL_DISCORD_CLIENT_ID
Discord Client SecretVariable

Discord OAuth application client secret.

Target
GOTRUE_EXTERNAL_DISCORD_SECRET
Discord Redirect URIVariable

Discord OAuth redirect URI.

Target
GOTRUE_EXTERNAL_DISCORD_REDIRECT_URI
Default
http://YOUR_SERVER_IP/gotrue/callback
Value
http://YOUR_SERVER_IP/gotrue/callback
SAML EnabledVariable

Enable SAML 2.0 single sign-on.

Target
GOTRUE_SAML_ENABLED
Default
false
Value
false
SAML Private KeyVariable

PEM-encoded private key for SAML 2.0 signing.

Target
GOTRUE_SAML_PRIVATE_KEY