-
Notifications
You must be signed in to change notification settings - Fork 1
API Reference
Kolin edited this page Jun 13, 2026
·
2 revisions
All endpoints are under the base path /sso/. Admin endpoints require an API key passed as:
Authorization: MediaBrowser Token="<your-api-key>"
Generate an API key in Jellyfin under Administration → API Keys.
| Method | Path | Description |
|---|---|---|
GET |
/sso/OID/start/{provider} |
Initiates the OIDC flow. Redirects the browser to the identity provider. |
GET |
/sso/OID/redirect/{provider} |
OIDC callback endpoint. The identity provider redirects here after login. |
POST |
/sso/OID/Auth/{provider} |
Client-side authentication. Used by the web UI after the redirect. |
| Method | Path | Auth Required | Description |
|---|---|---|---|
POST |
/sso/OID/Add/{provider} |
API key | Add or update an OIDC provider configuration. |
GET |
/sso/OID/Del/{provider} |
API key | Delete an OIDC provider configuration. |
GET |
/sso/OID/Get |
API key + elevated | List all OIDC provider configurations. |
GET |
/sso/OID/GetNames |
None | List OIDC provider names (public, used by UI). |
GET |
/sso/OID/States |
API key + elevated | List active OIDC flows (debug). |
{
"oidEndpoint": "https://your-idp.example.com",
"oidClientId": "jellyfin",
"oidSecret": "your-client-secret",
"enabled": true,
"enableAuthorization": true,
"enableAllFolders": false,
"enabledFolders": [],
"adminRoles": ["jellyfin-admins"],
"roles": ["jellyfin-users"],
"roleClaim": "groups",
"oidScopes": ["groups"],
"defaultUsernameClaim": "preferred_username",
"avatarUrlFormat": "",
"enableFolderRoles": false,
"folderRoleMapping": [],
"enableLiveTvRoles": false,
"enableLiveTv": false,
"enableLiveTvManagement": false,
"liveTvRoles": [],
"liveTvManagementRoles": [],
"disableHttps": false,
"disablePushedAuthorization": false,
"doNotValidateEndpoints": false,
"doNotValidateIssuerName": false,
"doNotLoadProfile": false,
"schemeOverride": "",
"portOverride": null
}| Method | Path | Description |
|---|---|---|
GET |
/sso/SAML/start/{provider} |
Initiates the SAML flow. |
GET |
/sso/SAML/p/{provider} |
Alias for start. |
POST |
/sso/SAML/post/{provider} |
SAML assertion callback (ACS endpoint). |
POST |
/sso/SAML/p/{provider} |
Alias for post (ACS endpoint). |
POST |
/sso/SAML/Auth/{provider} |
Client-side authentication. |
| Method | Path | Auth Required | Description |
|---|---|---|---|
POST |
/sso/SAML/Add/{provider} |
API key | Add or update a SAML provider configuration. |
GET |
/sso/SAML/Del/{provider} |
API key | Delete a SAML provider configuration. |
GET |
/sso/SAML/Get |
API key + elevated | List all SAML provider configurations. |
GET |
/sso/SAML/GetNames |
None | List SAML provider names (public). |
| Method | Path | Auth Required | Description |
|---|---|---|---|
POST |
/sso/{mode}/Link/{provider}/{jellyfinUserId} |
User or admin | Link an SSO identity to a Jellyfin user. |
DELETE |
/sso/{mode}/Link/{provider}/{jellyfinUserId}/{canonicalName} |
User or admin | Remove a specific SSO link. |
GET |
/sso/oid/links/{jellyfinUserId} |
User or admin | List all OIDC links for a user. |
GET |
/sso/saml/links/{jellyfinUserId} |
User or admin | List all SAML links for a user. |
{mode} is oid or saml.
Users may only modify their own links. Admins may modify any user's links.
| Method | Path | Auth Required | Description |
|---|---|---|---|
POST |
/sso/Unregister/{username} |
API key + elevated | Remove a user from SSO and assign a new auth provider. |
Unregister request body (plain string):
"Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider"
All endpoints return standard HTTP status codes:
| Code | Meaning |
|---|---|
200 |
Success |
400 |
Bad request (malformed input) |
401 |
Unauthorized (missing or invalid API key) |
403 |
Forbidden (insufficient permissions) |
404 |
Provider not found |
500 |
Internal server error (check Jellyfin logs) |
Getting Started
Configuration
Providers
Reference
Development