User management

Every person who uses Truke KF has a user record in the KF database. This page covers managing those records. For how people prove who they are — passwords, single sign-on, reverse-proxy SSO, and API tokens — see authentication.

User records

Each user has:

  • a uid — a stable, space-free identifier (often a username or the local-part of an email address), used as the key for access control and never reused;
  • a name and an email (the email is always present and is used for notifications);
  • an ACL label string that controls which items the user can see and edit — see access control.

Add, change, or remove users through the administration interface at /admin/users.

Built-in (local) accounts

The default configuration stores credentials in the KF database — no external service is required. A local user has a username and a password and signs in through the password form. This is enough for small teams; larger organisations usually add single sign-on.

To pre-provision a user for single sign-on, add them in /admin/users and leave the password empty: they sign in through their identity provider, and KF fills in the rest on first login.

Authentication methods

KF supports four ways to authenticate, all configured in the [auth] section of

kf.ini and all resolving to the same user record and ACL:

  • Local password accounts (above).
  • Single sign-on (OIDC) with a provider such as Google, Microsoft Entra, or Keycloak.
  • Reverse-proxy SSO for SAML / LDAP / MFA environments.
  • Personal access tokens for API and MCP clients.

See authentication for configuration and step-by-step setup.