🚀 Deployment

Typarr ships as a single Docker image with no external dependencies: just point it at an OIDC provider and add a data volume, and you're up.

⚡ Quick start (demo)

To try Typarr without setting up an OIDC provider, disable authentication:

docker run -d \
    --name typarr \
    -e TYPARR_AUTH_DISABLED=true \
    -p 5000:5000 \
    -v data:/data \
    ghcr.io/confirm/typarr

See also

See Disabling authentication for more information.

🐳 Docker

Docker image

To deploy Typarr, use the following Docker image:

ghcr.io/confirm/typarr

See also

Check the Git tags for explicit Docker image versions.

Docker command

To deploy Typarr via a simple docker command, use the following CLI arguments:

docker run -d \
    --name typarr \
    --read-only \
    --tmpfs /tmp \
    -e TYPARR_OIDC_DISCOVERY_URL=https://sso.example.com/.well-known/openid-configuration \
    -e TYPARR_OIDC_CLIENT_SECRET=change-me \
    -e TYPARR_TRUSTED_PROXIES='*' \
    -p 5000:5000 \
    -v data:/data \
    ghcr.io/confirm/typarr

Hint

It's recommended to deploy Typarr via Docker Compose.

Docker Compose

Use the following docker-compose.yml file to start Typarr:

---
services:

  typarr:

    image: ghcr.io/confirm/typarr

    environment:
      TYPARR_OIDC_DISCOVERY_URL: https://sso.example.com/.well-known/openid-configuration
      TYPARR_OIDC_CLIENT_SECRET: change-me
      TYPARR_TRUSTED_PROXIES: '*'

    ports:
      - '5000:5000'

    read_only: true

    tmpfs:
      - /tmp

    volumes:
      - data:/data

    restart: unless-stopped

volumes:
  data:

Then bring the stack up with:

docker compose up -d

Authentication setup

OIDC

Typarr requires an OpenID Connect (OIDC) provider for authentication. Any provider that supports OpenID Connect Discovery is supported (e.g. Keycloak, Authentik, Azure AD, Okta, Zitadel).

Register a new client (application) with your OIDC provider:

  1. Set the client ID to the value of TYPARR_OIDC_CLIENT_ID, or set TYPARR_OIDC_CLIENT_ID to the client ID your provider assigns.

  2. Set the redirect URI (callback URL) to:

    https://typarr.example.com/oidc/callback
    
  3. Set the post-logout redirect URI to:

    https://typarr.example.com/login
    
  4. Ensure the following scopes are enabled: openid, email, profile.

  5. Make sure the ID token includes a claim with the user's group memberships (see TYPARR_OIDC_GROUPS_CLAIM).

  6. Make sure a user is a member of an admin group (see TYPARR_ADMIN_GROUPS).

  7. Set TYPARR_OIDC_CLIENT_SECRET to the client secret.

Hint

See 🎚 Configuration for the full list of environment variables.

Disabling authentication

For local development, demo environments or external authentication, you can disable the built-in OIDC authentication entirely by setting the TYPARR_AUTH_DISABLED environment variable:

TYPARR_AUTH_DISABLED=true

Warning

When authentication is disabled, all requests are treated as a built-in no-auth user with full administrator privileges. OIDC configuration is not required in this mode.

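In production this is only safe when Typarr sits behind a reverse proxy or gateway that already handles authentication (e.g. OAuth2 Proxy, Authelia, or a cloud IAP). Any request that reaches Typarr's port without passing through that proxy is treated as the administrator, so make sure the port is not reachable by any other path.

Reverse proxy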

When Typarr runs behind a reverse proxy (e.g. nginx, Traefik, Caddy), set TYPARR_TRUSTED_PROXIES so that X-Forwarded-For and X-Forwarded-Proto headers are respected. This ensures OIDC redirect URIs are built with https://.

TYPARR_TRUSTED_PROXIES=*

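Set it to * to trust all sources, or to a comma-separated list of proxy IP addresses (e.g. 127.0.0.1,10.0.0.0/8) for stricter control. With *, any client that can connect to Typarr directly can supply its own X-Forwarded-For and X-Forwarded-Proto values, so prefer the explicit list whenever the port is reachable from anything other than the proxy.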

Hint

When TYPARR_TRUSTED_PROXIES is not set, forwarded headers are ignored.
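A pre-deployment check for the settings this page flags, as an added example (not Typarr's own code). The function names are hypothetical, and the parsing follows the semantics documented above, which is an assumption about how Typarr itself reads these variables.

```python
import ipaddress

# Constructed sample environments, copied from the two docker commands on this page.
QUICK_START = {"TYPARR_AUTH_DISABLED": "true"}
DOCKER_SAMPLE = {
    "TYPARR_OIDC_DISCOVERY_URL": "https://sso.example.com/.well-known/openid-configuration",
    "TYPARR_OIDC_CLIENT_SECRET": "change-me",
    "TYPARR_TRUSTED_PROXIES": "*",
}

def parse_trusted_proxies(value):
    """Classify a TYPARR_TRUSTED_PROXIES value as ('none' | 'all' | 'list', networks)."""
    value = (value or "").strip()
    if not value:
        return "none", []            # unset: forwarded headers are ignored
    if value == "*":
        return "all", []             # every source is trusted
    # Comma-separated IPs or CIDR ranges; a malformed entry raises ValueError.
    return "list", [ipaddress.ip_network(p.strip(), strict=False)
                    for p in value.split(",") if p.strip()]

def honours_forwarded(value, peer_ip):
    """Would X-Forwarded-* headers sent by peer_ip be respected under this setting?"""
    mode, networks = parse_trusted_proxies(value)
    if mode != "list":
        return mode == "all"
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in networks)  # IPv4/IPv6 mismatch is simply False

def audit(env):
    """Return (check_id, message) findings for settings this page flags as risky."""
    findings = []
    # Assumption: only the literal value "true" (any case) disables authentication.
    if env.get("TYPARR_AUTH_DISABLED", "").strip().lower() == "true":
        findings.append(("auth-disabled", "all requests run as administrator; "
                         "an authenticating proxy must front every path to the port"))
    elif env.get("TYPARR_OIDC_CLIENT_SECRET", "") in ("", "change-me"):
        findings.append(("client-secret", "secret is empty or still the sample value"))
    mode, _ = parse_trusted_proxies(env.get("TYPARR_TRUSTED_PROXIES"))
    if mode == "all":
        findings.append(("trusted-proxies", "'*' accepts X-Forwarded-* from any peer; "
                         "list the proxy addresses instead"))
    return findings

if __name__ == "__main__":
    for name, env in (("quick start", QUICK_START), ("docker sample", DOCKER_SAMPLE)):
        for check_id, message in audit(env):
            print(f"{name}: {check_id}: {message}")
```

Run it against the environment you intend to deploy; an empty result from audit() means none of these three settings is in its risky form.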