Invenio-Accounts depends on many existing community packages, so a large part of the configuration is defined by these packages.

Please refer to the documentation of each package for a full overview over which configration variables that are available:

Below we only cover the most important configuration options for Invenio-Accounts.

Secret key

The SECRET_KEY (see Flask documentation) is the most important configuration variable. A large part of the security of a web application is based on the secrecy of the value. In case the secret key is leaked, it is imperative that a new secret key is created.


Server-side session data can be saved in different data stores (e.g. Redis), you must therefore provide a factory that returns the KV session store object:

invenio_accounts.config.ACCOUNTS_SESSION_STORE_FACTORY = 'invenio_accounts.sessions:default_session_store_factory'

Import path or function of factory used to generate the session store object.

When ACCOUNTS_SESSION_REDIS_URL will use redis as cache system otherwise otherwise it will use the in-memory backend simplekv.memory.DictStore.

invenio_accounts.config.ACCOUNTS_SESSION_REDIS_URL = None

Redis URL used by the module as a cache system for sessions.

Password hashing

Invenio defaults to use PBKDF2 SHA512 algorithm for password hashing:

invenio_accounts.config.SECURITY_PASSWORD_HASH = 'pbkdf2_sha512'

Default password hashing algorithm for new passwords.

Invenio has support for storing hashes using many different algoritms. For instance, by default Invenio also supports Invenio v1.x password hashes to make migration from v1.x easier. Legacy v1.x password hashes will however be automatically migrated to the new stronger algorithm the next time a user login. You can control the supported and deprecated algorithms using the following two configuration variables:

invenio_accounts.config.SECURITY_PASSWORD_SCHEMES = ['pbkdf2_sha512', 'invenio_aes_encrypted_email']

Supported password hashing algorithms (for passwords already stored).

You should include both the default, supported and any deprecated schemes.

invenio_accounts.config.SECURITY_DEPRECATED_PASSWORD_SCHEMES = ['invenio_aes_encrypted_email']

Deprecated password hashing algorithms.

Password hashes in a deprecated scheme are automatically migrated to the new default algorithm the next time the user login.


The user registration form has support for recaptcha. All you need to do is to set the following two configuration variables (provided by reCAPTCHA when you register):

invenio_accounts.config.RECAPTCHA_PUBLIC_KEY = None

reCAPTCHA public key.

invenio_accounts.config.RECAPTCHA_PRIVATE_KEY = None

reCAPTCHA private key.

User tracking

Invenio-Accounts by default comes with user tracking enabled. The user tracking can be disabled using the configuration variables:

invenio_accounts.config.ACCOUNTS_SESSION_ACTIVITY_ENABLED = True

Enable session activity tracking.

invenio_accounts.config.SECURITY_TRACKABLE = True

Enable user tracking on login.

When a user login the following information is tracked:

  • IP address (current and previous)

  • Timestamp (current and previous)

  • Login count

A user do not have control over above information as it is logged for security purposes.

In addition Invenio is tracking all active sessions of a user. For each active session we track:

  • IP address

  • Country of IP address

  • Browser (e.g. Chrome)

  • Browser version

  • Operating system (e.g. MacOS)

  • Device type (e.g. iPhone).

The user do have full control over the active sessions, meaning they can browse and revoke active session resulting in that the information is removed. The session activity tracking feature is used to allow users to logout from all their active sessions, but also allow administrators to ban a user and ensure they are logged out of all active sessions in the application.

Cleaning session activity table

If the session activity tracking is enabled you should also ensure that you regularly clean the session tracking tables for expired sessions. You do this by configuring a Celery Beat schedule similar to this:

from datetime import timedelta
    'session_cleaner': {
        'task': 'invenio_accounts.tasks.clean_session_table',
        'schedule': timedelta(days=1),
    'delete_login_ips': {
        'task': 'invenio_accounts.tasks.delete_ips',
        'schedule': timedelta(days=30),


You can customize many of the templates used to render user registration, login, logout, email confirmations etc. Here are some few of the possiblities:

invenio_accounts.config.SECURITY_LOGIN_USER_TEMPLATE = 'invenio_accounts/login_user.html'

Default template for login.

invenio_accounts.config.SECURITY_REGISTER_USER_TEMPLATE = 'invenio_accounts/register_user.html'

Default template for user registration.

invenio_accounts.config.SECURITY_RESET_PASSWORD_TEMPLATE = 'invenio_accounts/reset_password.html'

Default template for password recovery (reset of the password).

invenio_accounts.config.SECURITY_CHANGE_PASSWORD_TEMPLATE = 'invenio_accounts/change_password.html'

Default template for change password.

invenio_accounts.config.SECURITY_FORGOT_PASSWORD_TEMPLATE = 'invenio_accounts/forgot_password.html'

Default template for password recovery (asking for email).

invenio_accounts.config.SECURITY_SEND_CONFIRMATION_TEMPLATE = 'invenio_accounts/send_confirmation.html'

Default template for email confirmation.

invenio_accounts.config.SECURITY_SEND_LOGIN_TEMPLATE = 'invenio_accounts/send_login.html'

Default template for email confirmation.


You can also customize the URLs under which you register and login in case you e.g. do not like the current naming:

invenio_accounts.config.SECURITY_LOGIN_URL = '/login/'

URL endpoint for login.

invenio_accounts.config.SECURITY_LOGOUT_URL = '/logout/'

URL endpoint for logout.

invenio_accounts.config.SECURITY_REGISTER_URL = '/signup/'

URL endpoint for user registation.

invenio_accounts.config.SECURITY_RESET_URL = '/lost-password/'

URL endpoint for password recovery.

Feature flags

A lot of the behaviour of Invenio-Accounts can be enabled/disabled depending on your current needs. Here are some of the feature flag options:

invenio_accounts.config.SECURITY_REGISTERABLE = True

Allow users to register.

invenio_accounts.config.SECURITY_RECOVERABLE = True

Allow password recovery by users.

invenio_accounts.config.SECURITY_CONFIRMABLE = True

Allow user to confirm their email address.

invenio_accounts.config.SECURITY_CHANGEABLE = True

Allow password change by users.

invenio_accounts.config.SECURITY_LOGIN_WITHOUT_CONFIRMATION = True

Allow users to login without first confirming their email address.