mirror of
https://github.com/actualbudget/actual.git
synced 2026-03-10 20:23:07 -05:00
Feature Request: Environment Variable to Hide Password Login Method #2446
Closed · opened 2026-02-28 20:13:59 -06:00 by GiteaMirror · 3 comments
Originally created by @dojoca on GitHub (Sep 4, 2025).
Verified feature request does not already exist?
💻
Pitch: what problem are you trying to solve?
I have ActualBudget deployed with OpenID authentication (using Authentik) and need to balance two conflicting requirements:
Users should only see and use SSO login - I want a clean, secure login experience that directs users to our corporate identity provider with 2FA
API/CLI tools need password authentication - My backup scripts, automation, and CLI tools require password-based API access to function
Currently, ActualBudget's authentication options are all-or-nothing:
This creates a security and user experience problem where I have to choose between functional automation or clean SSO-only user experience.
Describe your ideal solution to this problem
Add a new environment variable ACTUAL_HIDE_PASSWORD_LOGIN=true that:
Hides password login from the web UI - Users only see the OpenID login button, no "Select login method" option
Keeps password authentication functional for API calls - Background scripts and CLI tools continue working
Maintains backward compatibility - Defaults to false (current behavior)
Works alongside existing OpenID settings - Complements rather than replaces ACTUAL_OPENID_ENFORCE
The implementation would affect only the frontend login component while leaving all backend authentication endpoints unchanged.
Example usage - docker compose
environment:
This gives users a seamless SSO experience while maintaining full API functionality for automation.
Teaching and learning
Discoverability:
Document this variable alongside other OpenID/authentication environment variables
Include it in the "Authentication" section of the deployment docs
Add it to docker-compose examples for enterprise/SSO deployments
Documentation should include:
Clear explanation of when to use this vs ACTUAL_OPENID_ENFORCE
Example docker-compose configurations for common SSO scenarios
Security best practices (e.g., using complex passwords when this option is enabled)
API authentication examples showing how scripts continue to work
Potential user confusion to address:
"Why can't I see password login?" - Documentation should explain this is intentional when the variable is set
"My API stopped working" - Clear examples showing API calls still use the same password endpoint
"What's the difference from OPENID_ENFORCE?" - Comparison table showing the behavior differences
@github-actions[bot] commented on GitHub (Sep 4, 2025):
✨ Thanks for sharing your idea! ✨
This repository uses a voting-based system for feature requests. While enhancement issues are automatically closed, we still welcome feature requests! The voting system helps us gauge community interest in potential features. We also encourage community contributions for any feature requests marked as needing votes (just post a comment first so we can help guide you toward a successful contribution).
The enhancement backlog can be found here: https://github.com/actualbudget/actual/issues?q=label%3A%22needs+votes%22+sort%3Areactions-%2B1-desc+
Don’t forget to upvote the top comment with 👍!
@jfdoming commented on GitHub (Sep 4, 2025):
It's an interesting idea. I wonder if it might be better to support user-scoped PATs instead.
@QasimK commented on GitHub (Feb 15, 2026):
My Actual Budget instance is only accessible to authenticated clients behind my VPN, and the password introduces unnecessary friction to using the application.
However, my request is slightly smaller than this request. I want to remove the login screen if ACTUAL_HIDE_PASSWORD_LOGIN was set and directly start the app. No relation to OpenID.
I'd be willing to implement this. Is there anything I should know before I start?