
Environment Variables

Every setting in the on-disk YAML configuration can also be supplied via an AUTHPLANE_* environment variable. Environment variables are evaluated after the YAML file is loaded and override any matching YAML keys, which makes them the recommended channel for secrets and per-environment overrides (Docker -e, Kubernetes env:, systemd Environment=). See the configuration reference for the full YAML schema and the deploy guides for environment-specific examples.

Env var YAML key Type Default Required when Source
AUTHPLANE_ADMIN_ADDRESS admin.address string :9001 internal/config/loader.go:353
AUTHPLANE_ADMIN_API_KEY admin.api_key string admin is enabled and server.issuer is not localhost internal/config/loader.go:354
AUTHPLANE_ADMIN_ENABLED admin.enabled bool true internal/config/loader.go:352
AUTHPLANE_AGENTS_ENABLE_JWKS_LISTING agents.enable_jwks_listing bool internal/config/loader.go:266
AUTHPLANE_BROKER_PROVIDER_AUTHORIZE_URL internal/config/loader.go:479
AUTHPLANE_BROKER_PROVIDER_CLIENT_ID internal/config/loader.go:473
AUTHPLANE_BROKER_PROVIDER_CLIENT_SECRET_ENV internal/config/loader.go:476
AUTHPLANE_BROKER_PROVIDER_DISPLAY_NAME internal/config/loader.go:467
AUTHPLANE_BROKER_PROVIDER_PROTOCOL internal/config/loader.go:468
AUTHPLANE_BROKER_PROVIDER_RESPONSE_FORMAT internal/config/loader.go:485
AUTHPLANE_BROKER_PROVIDER_SLUG internal/config/loader.go:460
AUTHPLANE_BROKER_PROVIDER_TOKEN_URL internal/config/loader.go:482
AUTHPLANE_CIMD_CACHE_TTL cimd.cache_ttl duration 1h internal/config/loader.go:329
AUTHPLANE_CIMD_ENABLED cimd.enabled bool true internal/config/loader.go:327
AUTHPLANE_CIMD_FETCH_TIMEOUT cimd.fetch_timeout duration 10s internal/config/loader.go:330
AUTHPLANE_CIMD_REQUIRE_HTTPS cimd.require_https bool true internal/config/loader.go:328
AUTHPLANE_CLIENT_CREDENTIALS_ENABLED client_credentials.enabled bool false internal/config/loader.go:247
AUTHPLANE_CLIENT_CREDENTIALS_TOKEN_EXPIRY client_credentials.token_expiry duration 1h internal/config/loader.go:248
AUTHPLANE_CLIENT_SECRET_PEPPER client_secret_pepper string internal/config/loader.go:242
AUTHPLANE_CONNECT_ALLOWED_RETURN_URLS connect.allowed_return_urls []string internal/config/loader.go:449
AUTHPLANE_CONNECT_REDIRECT_BASE_URL connect.redirect_base_url string internal/config/loader.go:448
AUTHPLANE_CONNECT_STATE_SECRET connect.state_secret string internal/config/loader.go:447
AUTHPLANE_DATA_ENCRYPTION_DRIVER data_encryption.driver string internal/config/loader.go:270
AUTHPLANE_DATA_ENCRYPTION_KEY_ENV data_encryption.aes_master.key_env string internal/config/loader.go:271
AUTHPLANE_DATA_ENCRYPTION_VAULT_ADDRESS data_encryption.vault_transit_encrypt.address string driver is vault_transit_encrypt internal/config/loader.go:272
AUTHPLANE_DATA_ENCRYPTION_VAULT_AUTH_METHOD data_encryption.vault_transit_encrypt.auth_method string internal/config/loader.go:273
AUTHPLANE_DATA_ENCRYPTION_VAULT_KEY_NAME data_encryption.vault_transit_encrypt.key_name string driver is vault_transit_encrypt internal/config/loader.go:276
AUTHPLANE_DATA_ENCRYPTION_VAULT_MOUNT_PATH data_encryption.vault_transit_encrypt.mount_path string internal/config/loader.go:275
AUTHPLANE_DATA_ENCRYPTION_VAULT_ROLE_ID_ENV data_encryption.vault_transit_encrypt.approle.role_id_env string auth_method is approle internal/config/loader.go:277
AUTHPLANE_DATA_ENCRYPTION_VAULT_SECRET_ID_ENV data_encryption.vault_transit_encrypt.approle.secret_id_env string auth_method is approle internal/config/loader.go:278
AUTHPLANE_DATA_ENCRYPTION_VAULT_TOKEN_ENV data_encryption.vault_transit_encrypt.token_env string internal/config/loader.go:274
AUTHPLANE_DCR_APPROVED_REDIRECTS dcr.approved_redirects []string internal/config/loader.go:319
AUTHPLANE_DCR_DEFAULT_REFRESH_EXPIRY dcr.default_refresh_expiry duration 168h internal/config/loader.go:323
AUTHPLANE_DCR_DEFAULT_TOKEN_EXPIRY dcr.default_token_expiry duration 15m internal/config/loader.go:322
AUTHPLANE_DCR_MODE dcr.mode string open internal/config/loader.go:318
AUTHPLANE_DCR_RATE_LIMIT dcr.rate_limit float64 10 internal/config/loader.go:320
AUTHPLANE_DCR_RATE_LIMIT_BURST dcr.rate_limit_burst int 20 internal/config/loader.go:321
AUTHPLANE_DPOP_ENABLED dpop.enabled bool false internal/config/loader.go:252
AUTHPLANE_DPOP_NONCE_TTL dpop.nonce_ttl duration 60s internal/config/loader.go:253
AUTHPLANE_DPOP_PROOF_LIFETIME dpop.proof_lifetime duration 60s internal/config/loader.go:254
AUTHPLANE_DPOP_REQUIRE_NONCE dpop.require_nonce bool internal/config/loader.go:255
AUTHPLANE_LOG_ADD_SOURCE observability.logging.add_source bool internal/config/loader.go:377
AUTHPLANE_LOG_FORMAT observability.logging.format string json internal/config/loader.go:376
AUTHPLANE_LOG_LEVEL observability.logging.level string info internal/config/loader.go:375
AUTHPLANE_LOG_OTEL observability.logging.outputs.otel bool internal/config/loader.go:379
AUTHPLANE_LOG_OTEL_ENDPOINT observability.logging.outputs.otel_endpoint string logging outputs otel is enabled internal/config/loader.go:380
AUTHPLANE_LOG_OTEL_INSECURE observability.logging.outputs.insecure bool internal/config/loader.go:381
AUTHPLANE_LOG_STDOUT observability.logging.outputs.stdout bool true internal/config/loader.go:378
AUTHPLANE_METRICS_INSECURE observability.metrics.insecure bool internal/config/loader.go:385
AUTHPLANE_METRICS_OTEL_ENDPOINT observability.metrics.otel_endpoint string metrics provider is otel or both internal/config/loader.go:384
AUTHPLANE_METRICS_PATH observability.metrics.path string /metrics internal/config/loader.go:383
AUTHPLANE_METRICS_PROVIDER observability.metrics.provider string prometheus internal/config/loader.go:382
AUTHPLANE_OAUTH_REQUIRE_SCOPE oauth.require_scope bool true internal/config/loader.go:358
AUTHPLANE_OIDC_CLIENT_ID oidc.client_id string oidc is enabled internal/config/loader.go:364
AUTHPLANE_OIDC_CLIENT_SECRET oidc.client_secret string oidc is enabled internal/config/loader.go:365
AUTHPLANE_OIDC_CONNECTOR_ID oidc.connector_id string internal/config/loader.go:371
AUTHPLANE_OIDC_DISPLAY_NAME oidc.display_name string internal/config/loader.go:366
AUTHPLANE_OIDC_ENABLED oidc.enabled bool internal/config/loader.go:362
AUTHPLANE_OIDC_INCLUDE_GROUPS_SCOPE oidc.include_groups_scope bool true internal/config/loader.go:370
AUTHPLANE_OIDC_ISSUER oidc.issuer string oidc is enabled internal/config/loader.go:363
AUTHPLANE_OIDC_REDIRECT_URI oidc.redirect_uri string oidc is enabled internal/config/loader.go:368
AUTHPLANE_OIDC_SCOPES oidc.scopes []string internal/config/loader.go:367
AUTHPLANE_OIDC_SHOW_LOCAL_LOGIN oidc.show_local_login bool true internal/config/loader.go:369
AUTHPLANE_RATE_LIMIT_AUTH_FAIL_MAX rate_limit.auth_fail_max int 10 internal/config/loader.go:346
AUTHPLANE_RATE_LIMIT_AUTH_FAIL_WINDOW rate_limit.auth_fail_window duration 10m internal/config/loader.go:347
AUTHPLANE_RATE_LIMIT_AUTH_LOCKOUT rate_limit.auth_lockout duration 15m internal/config/loader.go:348
AUTHPLANE_RATE_LIMIT_BURST rate_limit.burst int 200 internal/config/loader.go:345
AUTHPLANE_RATE_LIMIT_ENABLED rate_limit.enabled bool true internal/config/loader.go:343
AUTHPLANE_RATE_LIMIT_RPS rate_limit.requests_per_second float64 100 internal/config/loader.go:344
AUTHPLANE_RESOURCE_SCOPES internal/config/loader.go:549
AUTHPLANE_RESOURCE_URI internal/config/loader.go:541
AUTHPLANE_SERVER_ADDRESS server.address string :9000 internal/config/loader.go:283
AUTHPLANE_SERVER_ALLOWED_ORIGINS server.allowed_origins []string internal/config/loader.go:288
AUTHPLANE_SERVER_IDLE_TIMEOUT server.idle_timeout duration 120s internal/config/loader.go:286
AUTHPLANE_SERVER_ISSUER server.issuer string http://localhost:9000 internal/config/loader.go:282
AUTHPLANE_SERVER_READ_TIMEOUT server.read_timeout duration 30s internal/config/loader.go:284
AUTHPLANE_SERVER_SHUTDOWN_WAIT server.shutdown_wait duration 10s internal/config/loader.go:287
AUTHPLANE_SERVER_WRITE_TIMEOUT server.write_timeout duration 30s internal/config/loader.go:285
AUTHPLANE_SESSION_COOKIE_NAME session.cookie_name string authserver_session internal/config/loader.go:334
AUTHPLANE_SESSION_FAIL_CLOSED session.fail_closed bool true internal/config/loader.go:339
AUTHPLANE_SESSION_MAX_AGE session.max_age duration 24h internal/config/loader.go:335
AUTHPLANE_SESSION_SAME_SITE session.same_site string lax internal/config/loader.go:337
AUTHPLANE_SESSION_SECRET session.secret string server.issuer is not localhost internal/config/loader.go:338
AUTHPLANE_SESSION_SECURE session.secure bool false internal/config/loader.go:336
AUTHPLANE_SIGNING_ALGORITHM signing.algorithm string ES256 internal/config/loader.go:303
AUTHPLANE_SIGNING_KEY_PATH signing.key_path string data/keys key_store is keyfile internal/config/loader.go:305
AUTHPLANE_SIGNING_KEY_STORE signing.key_store string keyfile internal/config/loader.go:304
AUTHPLANE_SIGNING_PG_ENCRYPTION_KEY_ENV signing.postgres_key.encryption_key_env string internal/config/loader.go:314
AUTHPLANE_STORAGE_DRIVER storage.driver string sqlite internal/config/loader.go:292
AUTHPLANE_STORAGE_POSTGRES_DSN storage.postgres.dsn string driver is postgres internal/config/loader.go:295
AUTHPLANE_STORAGE_POSTGRES_MAX_CONNS storage.postgres.max_conns int 25 internal/config/loader.go:296
AUTHPLANE_STORAGE_POSTGRES_MAX_CONN_IDLE_TIME storage.postgres.max_conn_idle_time duration 30m internal/config/loader.go:299
AUTHPLANE_STORAGE_POSTGRES_MAX_CONN_LIFETIME storage.postgres.max_conn_lifetime duration 1h internal/config/loader.go:298
AUTHPLANE_STORAGE_POSTGRES_MIN_CONNS storage.postgres.min_conns int 5 internal/config/loader.go:297
AUTHPLANE_STORAGE_SQLITE_PATH storage.sqlite.path string data/authserver.db driver is sqlite internal/config/loader.go:293
AUTHPLANE_STORAGE_SQLITE_WAL storage.sqlite.wal bool true internal/config/loader.go:294
AUTHPLANE_TOKEN_EXCHANGE_ALLOW_SELF_EXCHANGE token_exchange.allow_self_exchange bool internal/config/loader.go:260
AUTHPLANE_TOKEN_EXCHANGE_ENABLED token_exchange.enabled bool false internal/config/loader.go:259
AUTHPLANE_TOKEN_EXCHANGE_MAX_CHAIN_DEPTH token_exchange.max_chain_depth int 5 internal/config/loader.go:261
AUTHPLANE_TOKEN_EXCHANGE_TOKEN_EXPIRY token_exchange.token_expiry duration 1h internal/config/loader.go:262
AUTHPLANE_TRACING_ENABLED observability.tracing.enabled bool false internal/config/loader.go:386
AUTHPLANE_TRACING_ENDPOINT observability.tracing.endpoint string tracing is enabled internal/config/loader.go:387
AUTHPLANE_TRACING_INSECURE observability.tracing.insecure bool internal/config/loader.go:388
AUTHPLANE_TRACING_SAMPLE_RATE observability.tracing.sample_rate float64 1.0 internal/config/loader.go:389
AUTHPLANE_VAULT_ADDR signing.vault_transit.address string key_store is vault_transit internal/config/loader.go:306
AUTHPLANE_VAULT_APPROLE_MOUNT signing.vault_transit.approle.mount string internal/config/loader.go:313
AUTHPLANE_VAULT_APPROLE_ROLE_ID signing.vault_transit.approle.role_id string internal/config/loader.go:311
AUTHPLANE_VAULT_APPROLE_SECRET_ID signing.vault_transit.approle.secret_id string role_id is set internal/config/loader.go:312
AUTHPLANE_VAULT_TIMEOUT signing.vault_transit.timeout duration 10s internal/config/loader.go:310
AUTHPLANE_VAULT_TOKEN signing.vault_transit.token string internal/config/loader.go:307
AUTHPLANE_VAULT_TRANSIT_KEY_NAME signing.vault_transit.key_name string authserver-signing internal/config/loader.go:309
AUTHPLANE_VAULT_TRANSIT_MOUNT signing.vault_transit.mount string transit internal/config/loader.go:308