feat: add AUTH_<PROVIDER>_ID_TOKEN_SIGNED_RESPONSE_ALG

[labuzniq]

This variable has been added in PR langfuse/langfuse#12333

It has been merged and released into version 3.170.0 of Langfuse.

Disclaimer: Experimental PR review

Greptile Summary

This PR adds documentation for the new AUTH_<PROVIDER>_ID_TOKEN_SIGNED_RESPONSE_ALG environment variable introduced in Langfuse v3.170.0, which lets operators configure the JWT signing algorithm expected from an OIDC provider's ID Token. The change is a single-row addition to the "Additional configuration" table in the SSO docs.

Confidence Score: 5/5

Safe to merge — purely additive documentation change with no functional impact.

Only P2 style findings (grammar and missing default value note); the documentation entry is accurate and consistent with the referenced implementation PR.

No files require special attention.

Important Files Changed

Filename	Overview
content/self-hosting/security/authentication-and-sso.mdx	Adds one documentation row for the new AUTH__ID_TOKEN_SIGNED_RESPONSE_ALG env var; minor grammar and missing-default-value observations only.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[OIDC Provider] -->|Signs ID Token with configured algorithm| B["AUTH_PROVIDER_ID_TOKEN_SIGNED_RESPONSE_ALG\ne.g. RS256, ES256, HS256"]
    B --> C{Provider type}
    C -->|GitHub / WorkOS| D[Setting ignored — provider-managed]
    C -->|All other OIDC providers| E[Langfuse validates token\nusing specified algorithm]

Loading

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
content/self-hosting/security/authentication-and-sso.mdx:298
Minor grammar nit — "Configure algorithm" is missing the article "the".

```suggestion
| `AUTH_<PROVIDER>_ID_TOKEN_SIGNED_RESPONSE_ALG` | Configure the algorithm used to sign the ID Token by the provider. Supported values: `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `ES512`, `PS256`, `PS384`, `PS512`, `HS256`, `HS384`, `HS512`. This setting is ignored by the GitHub and WorkOS providers. |
```

### Issue 2 of 2
content/self-hosting/security/authentication-and-sso.mdx:298
**Missing default value**

Other entries in this table (e.g., `AUTH_<PROVIDER>_CLIENT_AUTH_METHOD`) document their default value. It would be helpful to note what the default algorithm is when this variable is unset — presumably `RS256` based on common OIDC provider defaults — so operators know when they actually need to configure it.

_{Reviews (1): Last reviewed commit: "feat: add AUTH_<PROVIDER>_ID_TOKEN_SIGNE..." | Re-trigger Greptile}

[claude]

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

[vercel]

@labuzniq is attempting to deploy a commit to the langfuse Team on Vercel.

A member of the Team first needs to authorize it.

[CLAassistant]

All committers have signed the CLA.