diff --git a/.env.release.example b/.env.release.example
index 366409e5..ffb6ca84 100644
--- a/.env.release.example
+++ b/.env.release.example
@@ -56,6 +56,12 @@ DEVICE_AUTH_VERIFICATION_URI=
 OAUTH2_GITHUB_CLIENT_ID=
 OAUTH2_GITHUB_CLIENT_SECRET=
 
+# Direct (username/password) authentication. Enable for environments without OAuth2.
+# Requires SKILLHUB_AUTH_DIRECT_ENABLED=true in server and matching frontend config below.
+SKILLHUB_AUTH_DIRECT_ENABLED=false
+SKILLHUB_WEB_AUTH_DIRECT_ENABLED=false
+SKILLHUB_WEB_AUTH_DIRECT_PROVIDER=
+
 # Security scanner is enabled by default. Set to false to disable scanning.
 SKILLHUB_SECURITY_SCANNER_ENABLED=true
 
diff --git a/compose.release.yml b/compose.release.yml
index cd51781f..e45b2069 100644
--- a/compose.release.yml
+++ b/compose.release.yml
@@ -72,6 +72,7 @@ services:
       SKILLHUB_SECURITY_SCANNER_ENABLED: ${SKILLHUB_SECURITY_SCANNER_ENABLED:-true}
       SKILLHUB_SECURITY_SCANNER_URL: http://skill-scanner:8000
       SKILLHUB_SECURITY_SCANNER_MODE: upload
+      SKILLHUB_AUTH_DIRECT_ENABLED: ${SKILLHUB_AUTH_DIRECT_ENABLED:-false}
       BOOTSTRAP_ADMIN_ENABLED: ${BOOTSTRAP_ADMIN_ENABLED:-false}
       BOOTSTRAP_ADMIN_USER_ID: ${BOOTSTRAP_ADMIN_USER_ID:-docker-admin}
       BOOTSTRAP_ADMIN_USERNAME: ${BOOTSTRAP_ADMIN_USERNAME:-admin}
@@ -103,6 +104,8 @@ services:
       SKILLHUB_API_UPSTREAM: ${SKILLHUB_API_UPSTREAM:-http://server:8080}
       SKILLHUB_WEB_API_BASE_URL: ${SKILLHUB_WEB_API_BASE_URL:-}
       SKILLHUB_PUBLIC_BASE_URL: ${SKILLHUB_PUBLIC_BASE_URL:-}
+      SKILLHUB_WEB_AUTH_DIRECT_ENABLED: ${SKILLHUB_WEB_AUTH_DIRECT_ENABLED:-false}
+      SKILLHUB_WEB_AUTH_DIRECT_PROVIDER: ${SKILLHUB_WEB_AUTH_DIRECT_PROVIDER:-}
     depends_on:
       server:
         condition: service_healthy
diff --git a/web/docker-entrypoint.d/30-runtime-config.sh b/web/docker-entrypoint.d/30-runtime-config.sh
index 8e4720a3..780b3ac4 100644
--- a/web/docker-entrypoint.d/30-runtime-config.sh
+++ b/web/docker-entrypoint.d/30-runtime-config.sh
@@ -3,9 +3,14 @@ set -eu
 
 : "${SKILLHUB_WEB_API_BASE_URL:=}"
 : "${SKILLHUB_PUBLIC_BASE_URL:=}"
+: "${SKILLHUB_WEB_AUTH_DIRECT_ENABLED:=false}"
+: "${SKILLHUB_WEB_AUTH_DIRECT_PROVIDER:=}"
+: "${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_ENABLED:=false}"
+: "${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_PROVIDER:=}"
+: "${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_AUTO:=false}"
 
 # Generate runtime-config.js
-envsubst '${SKILLHUB_WEB_API_BASE_URL} ${SKILLHUB_PUBLIC_BASE_URL}' \
+envsubst '${SKILLHUB_WEB_API_BASE_URL} ${SKILLHUB_PUBLIC_BASE_URL} ${SKILLHUB_WEB_AUTH_DIRECT_ENABLED} ${SKILLHUB_WEB_AUTH_DIRECT_PROVIDER} ${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_ENABLED} ${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_PROVIDER} ${SKILLHUB_WEB_AUTH_SESSION_BOOTSTRAP_AUTO}' \
   < /usr/share/nginx/html/runtime-config.js.template \
   > /usr/share/nginx/html/runtime-config.js