{ "$id": "https://github.com/ory/kratos/embedx/config.schema.json", "$schema": "http://json-schema.org/draft-07/schema#", "title": "Ory Kratos Configuration", "type": "object", "definitions": { "baseUrl": { "title": "Base URL", "description": "The URL where the endpoint is exposed at. This domain is used to generate redirects, form URLs, and more.", "type": "string", "format": "uri-reference", "examples": [ "https://my-app.com/", "https://my-app.com/.ory/kratos/public" ] }, "socket": { "type": "object", "additionalProperties": false, "description": "Sets the permissions of the unix socket", "properties": { "owner": { "type": "string", "description": "Owner of unix socket. If empty, the owner will be the user running Kratos.", "default": "" }, "group": { "type": "string", "description": "Group of unix socket. If empty, the group will be the primary group of the user running Kratos.", "default": "" }, "mode": { "type": "integer", "description": "Mode of the unix socket as a decimal integer, since JSON has no octal literals: 493 is 0755, 384 is 0600. The schema caps the value at 511 (0777), so an octal-looking value such as 755 is rejected, but one that happens to fit (e.g. 400) is accepted and silently means decimal 400 (0620).", "default": 493, "minimum": 0, "maximum": 511 } } }, "defaultReturnTo": { "title": "Redirect browsers to set URL per default", "description": "Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. 
Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).", "type": "string", "format": "uri-reference", "examples": ["https://my-app.com/dashboard", "/dashboard"] }, "selfServiceSessionRevokerHook": { "type": "object", "properties": { "hook": { "const": "revoke_active_sessions" } }, "additionalProperties": false, "required": ["hook"] }, "selfServiceSessionIssuerHook": { "type": "object", "properties": { "hook": { "const": "session" } }, "additionalProperties": false, "required": ["hook"] }, "selfServiceRequireVerifiedAddressHook": { "type": "object", "properties": { "hook": { "const": "require_verified_address" } }, "additionalProperties": false, "required": ["hook"] }, "selfServiceVerificationHook": { "type": "object", "properties": { "hook": { "const": "verification" } }, "additionalProperties": false, "required": ["hook"] }, "selfServiceShowVerificationUIHook": { "type": "object", "properties": { "hook": { "const": "show_verification_ui" } }, "additionalProperties": false, "required": ["hook"] }, "b2bSSOHook": { "type": "object", "properties": { "hook": { "const": "b2b_sso" }, "config": { "type": "object", "additionalProperties": true } }, "additionalProperties": false, "required": ["hook", "config"] }, "webHookAuthBasicAuthProperties": { "properties": { "type": { "const": "basic_auth" }, "config": { "type": "object", "properties": { "user": { "type": "string", "description": "user name for basic auth" }, "password": { "type": "string", "description": "password for basic auth" } }, "additionalProperties": false, "required": ["user", "password"] } }, "additionalProperties": false, "required": ["type", "config"] }, "httpRequestConfig": { "type": "object", "properties": { "url": { "title": "HTTP address of API endpoint", "description": "This URL will be used to send the emails to. Plain `http://` is accepted by the pattern but should be avoided: the request carries the message contents and any `auth` credentials (basic auth or API key) configured for this endpoint.", "examples": ["https://example.com/api/v1/email"], "type": "string", "pattern": "^https?://" }, "method": 
{ "type": "string", "description": "The HTTP method to use (GET, POST, etc). Defaults to POST.", "default": "POST" }, "headers": { "type": "object", "description": "The HTTP headers that must be applied to request", "additionalProperties": { "type": "string" } }, "body": { "type": "string", "format": "uri", "pattern": "^(http|https|file|base64)://", "description": "URI pointing to the jsonnet template used for payload generation. Only used for those HTTP methods, which support HTTP body payloads", "default": "base64: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", "examples": [ "file:///path/to/body.jsonnet", "file://./body.jsonnet", "base64://ZnVuY3Rpb24oY3R4KSB7CiAgaWRlbnRpdHlfaWQ6IGlmIGN0eFsiaWRlbnRpdHkiXSAhPSBudWxsIHRoZW4gY3R4LmlkZW50aXR5LmlkLAp9=", "https://oryapis.com/default_body.jsonnet" ] }, "auth": { "type": "object", "title": "Auth mechanisms", "description": "Define which auth mechanism to use for auth with the HTTP email provider", "oneOf": [ { "$ref": "#/definitions/webHookAuthApiKeyProperties" }, { "$ref": "#/definitions/webHookAuthBasicAuthProperties" } ] }, "additionalProperties": false }, "additionalProperties": false }, "webHookAuthApiKeyProperties": { "properties": { "type": { "const": "api_key" }, "config": { "type": "object", "properties": { "name": { "type": "string", "description": "The name of the api key" }, "value": { "type": "string", "description": "The value of the api key" }, "in": { "type": "string", "description": "How the api key should be transferred", "enum": ["header", "cookie"] } }, "additionalProperties": false, "required": ["name", "value", "in"] } }, "additionalProperties": false, "required": ["type", "config"] }, "selfServiceWebHook": { "type": "object", "properties": { "hook": { "const": "web_hook" }, "config": { "type": "object", "title": "Web-Hook Configuration", "description": "Define what the hook should do", "properties": { "response": { "title": "Response Handling", "description": "How the web hook should 
handle the response", "type": "object", "additionalProperties": false, "properties": { "ignore": { "type": "boolean", "description": "Ignore the response from the web hook. If enabled the request will be made asynchronously which can be useful if you only wish to notify another system but do not parse the response.", "default": false }, "parse": { "type": "boolean", "default": false, "description": "If enabled parses the response before saving the flow result. Set this value to true if you would like to modify the identity, for example identity metadata, before saving it during registration. When enabled, you may also abort the registration, verification, login or settings flow due to, for example, a validation flow. Head over to the [web hook documentation](https://www.ory.sh/docs/kratos/hooks/configure-hooks) for more information." } }, "not": { "properties": { "ignore": { "const": true }, "parse": { "const": true } }, "required": ["ignore", "parse"] } }, "url": { "type": "string", "description": "The URL the Web-Hook should call", "format": "uri" }, "method": { "type": "string", "description": "The HTTP method to use (GET, POST, etc)." }, "headers": { "type": "object", "description": "The HTTP headers that must be applied to the Web-Hook", "additionalProperties": { "type": "string" } }, "body": { "type": "string", "oneOf": [ { "format": "uri", "pattern": "^(http|https|file|base64)://", "description": "URI pointing to the jsonnet template used for payload generation. Only used for those HTTP methods, which support HTTP body payloads", "examples": [ "file:///path/to/body.jsonnet", "file://./body.jsonnet", "base64://ZnVuY3Rpb24oY3R4KSB7CiAgaWRlbnRpdHlfaWQ6IGlmIGN0eFsiaWRlbnRpdHkiXSAhPSBudWxsIHRoZW4gY3R4LmlkZW50aXR5LmlkLAp9=", "https://oryapis.com/default_body.jsonnet" ] }, { "description": "DEPRECATED: please use a URI instead (i.e. 
prefix your filepath with 'file://')", "not": { "pattern": "^(http|https|file|base64)://" } } ] }, "can_interrupt": { "type": "boolean", "default": false, "description": "Deprecated, please use `response.parse` instead. If enabled allows the web hook to interrupt / abort the self-service flow. It only applies to certain flows (registration/verification/login/settings) and requires a valid response format." }, "emit_analytics_event": { "type": "boolean", "default": true, "description": "Emit tracing events for this webhook on delivery or error" }, "auth": { "type": "object", "title": "Auth mechanisms", "description": "Define which auth mechanism the Web-Hook should use", "oneOf": [ { "$ref": "#/definitions/webHookAuthApiKeyProperties" }, { "$ref": "#/definitions/webHookAuthBasicAuthProperties" } ] }, "additionalProperties": false }, "anyOf": [ { "not": { "properties": { "response": { "properties": { "ignore": { "enum": [true] } }, "required": ["ignore"] } }, "required": ["response"] } }, { "properties": { "can_interrupt": { "enum": [false] } }, "require": ["can_interrupt"] } ], "additionalProperties": false, "required": ["url", "method"] } }, "additionalProperties": false, "required": ["hook", "config"] }, "OIDCClaims": { "title": "OpenID Connect claims", "description": "The OpenID Connect claims and optionally their properties which should be included in the id_token or returned from the UserInfo Endpoint.", "type": "object", "examples": [ { "id_token": { "email": null, "email_verified": null } }, { "userinfo": { "given_name": { "essential": true }, "nickname": null, "email": { "essential": true }, "email_verified": { "essential": true }, "picture": null, "http://example.info/claims/groups": null }, "id_token": { "auth_time": { "essential": true }, "acr": { "values": ["urn:mace:incommon:iap:silver"] } } } ], "patternProperties": { "^userinfo$|^id_token$": { "type": "object", "additionalProperties": false, "patternProperties": { ".*": { "oneOf": [ { "const": null, 
"description": "Indicates that this Claim is being requested in the default manner." }, { "type": "object", "additionalProperties": false, "properties": { "essential": { "description": "Indicates whether the Claim being requested is an Essential Claim.", "type": "boolean" }, "value": { "description": "Requests that the Claim be returned with a particular value.", "$comment": "There seem to be no constrains on value" }, "values": { "description": "Requests that the Claim be returned with one of a set of values, with the values appearing in order of preference.", "type": "array", "items": { "$comment": "There seem to be no constrains on individual items" } } } } ] } } } } }, "selfServiceOIDCProvider": { "type": "object", "properties": { "id": { "type": "string", "examples": ["google"] }, "provider": { "title": "Provider", "description": "Can be one of github, github-app, gitlab, generic, google, microsoft, discord, salesforce, slack, facebook, auth0, vk, yandex, apple, spotify, netid, dingtalk, patreon.", "type": "string", "enum": [ "github", "github-app", "gitlab", "generic", "google", "microsoft", "discord", "salesforce", "slack", "facebook", "auth0", "vk", "yandex", "apple", "spotify", "netid", "dingtalk", "patreon", "linkedin", "linkedin_v2", "lark", "x" ], "examples": ["google"] }, "label": { "title": "Optional string which will be used when generating labels for UI buttons.", "type": "string" }, "client_id": { "type": "string" }, "client_secret": { "type": "string" }, "issuer_url": { "type": "string", "format": "uri", "examples": ["https://accounts.google.com"] }, "auth_url": { "type": "string", "format": "uri", "examples": ["https://accounts.google.com/o/oauth2/v2/auth"] }, "token_url": { "type": "string", "format": "uri", "examples": ["https://www.googleapis.com/oauth2/v4/token"] }, "mapper_url": { "title": "Jsonnet Mapper URL", "description": "The URL where the jsonnet source is located for mapping the provider's data to Ory Kratos data.", "type": "string", 
"format": "uri", "examples": [ "file://path/to/oidc.jsonnet", "https://foo.bar.com/path/to/oidc.jsonnet", "base64://bG9jYWwgc3ViamVjdCA9I..." ] }, "scope": { "type": "array", "items": { "type": "string", "examples": ["offline_access", "profile"] } }, "microsoft_tenant": { "title": "Azure AD Tenant", "description": "The Azure AD Tenant to use for authentication.", "type": "string", "examples": [ "common", "organizations", "consumers", "8eaef023-2b34-4da1-9baa-8bc8c9d6a490", "contoso.onmicrosoft.com" ] }, "subject_source": { "title": "Microsoft subject source", "description": "Controls which source the subject identifier is taken from by microsoft provider. If set to `userinfo` (the default) then the identifier is taken from the `sub` field of OIDC ID token or data received from `/userinfo` standard OIDC endpoint. If set to `me` then the `id` field of data structure received from `https://graph.microsoft.com/v1.0/me` is taken as an identifier.", "type": "string", "enum": ["userinfo", "me"], "default": "userinfo", "examples": ["userinfo"] }, "apple_team_id": { "title": "Apple Developer Team ID", "description": "Apple Developer Team ID needed for generating a JWT token for client secret", "type": "string", "examples": ["KP76DQS54M"] }, "apple_private_key_id": { "title": "Apple Private Key Identifier", "description": "Sign In with Apple Private Key Identifier needed for generating a JWT token for client secret", "type": "string", "examples": ["UX56C66723"] }, "apple_private_key": { "title": "Apple Private Key", "description": "Sign In with Apple Private Key needed for generating a JWT token for client secret", "type": "string", "examples": [ "-----BEGIN PRIVATE KEY-----\n........\n-----END PRIVATE KEY-----" ] }, "requested_claims": { "$ref": "#/definitions/OIDCClaims" }, "organization_id": { "title": "Organization ID", "description": "The ID of the organization that this provider belongs to. 
Only effective in the Ory Network.", "type": "string", "examples": ["12345678-1234-1234-1234-123456789012"] }, "additional_id_token_audiences": { "title": "Additional client ids allowed when using ID token submission", "type": "array", "items": { "type": "string", "examples": ["12345678-1234-1234-1234-123456789012"] } }, "claims_source": { "title": "Claims source", "description": "Can be either `userinfo` (calls the userinfo endpoint to get the claims) or `id_token` (takes the claims from the id token). It defaults to `id_token`", "type": "string", "enum": ["id_token", "userinfo"], "default": "id_token", "examples": ["id_token", "userinfo"] }, "pkce": { "title": "Proof Key for Code Exchange", "description": "PKCE controls if the OpenID Connect OAuth2 flow should use PKCE (Proof Key for Code Exchange). IMPORTANT: If you set this to `force`, you must whitelist a different return URL for your OAuth2 client in the provider's configuration. Instead of /self-service/methods/oidc/callback/, you must use /self-service/methods/oidc/callback", "type": "string", "enum": ["auto", "never", "force"], "default": "auto" } }, "additionalProperties": false, "required": ["id", "provider", "client_id", "mapper_url"], "allOf": [ { "if": { "properties": { "provider": { "const": "microsoft" } }, "required": ["provider"] }, "then": { "required": ["microsoft_tenant"] }, "else": { "not": { "properties": { "microsoft_tenant": {} }, "required": ["microsoft_tenant"] } } }, { "if": { "properties": { "provider": { "const": "apple" } }, "required": ["provider"] }, "then": { "not": { "properties": { "client_secret": { "type": "string", "minLength": 1 } }, "required": ["client_secret"] }, "required": [ "apple_private_key_id", "apple_private_key", "apple_team_id" ] }, "else": { "required": ["client_secret"], "allOf": [ { "not": { "properties": { "apple_team_id": { "type": "string", "minLength": 1 } }, "required": ["apple_team_id"] } }, { "not": { "properties": { "apple_private_key_id": { "type": 
"string", "minLength": 1 } }, "required": ["apple_private_key_id"] } }, { "not": { "properties": { "apple_private_key": { "type": "string", "minLength": 1 } }, "required": ["apple_private_key"] } } ] } } ] }, "selfServiceHooks": { "type": "array", "items": { "anyOf": [ { "$ref": "#/definitions/selfServiceWebHook" }, { "$ref": "#/definitions/b2bSSOHook" } ] }, "uniqueItems": true, "additionalItems": false }, "selfServiceAfterRecoveryHooks": { "type": "array", "items": { "anyOf": [ { "$ref": "#/definitions/selfServiceWebHook" }, { "$ref": "#/definitions/selfServiceSessionRevokerHook" } ] }, "uniqueItems": true, "additionalItems": false }, "selfServiceAfterSettingsMethod": { "type": "object", "additionalProperties": false, "properties": { "default_browser_return_url": { "$ref": "#/definitions/defaultReturnTo" }, "hooks": { "type": "array", "items": { "anyOf": [ { "$ref": "#/definitions/selfServiceWebHook" } ] }, "uniqueItems": true, "additionalItems": false } } }, "selfServiceAfterSettingsAuthMethod": { "type": "object", "additionalProperties": false, "properties": { "default_browser_return_url": { "$ref": "#/definitions/defaultReturnTo" }, "hooks": { "type": "array", "items": { "anyOf": [ { "$ref": "#/definitions/selfServiceWebHook" }, { "$ref": "#/definitions/selfServiceSessionRevokerHook" } ] }, "uniqueItems": true, "additionalItems": false } } }, "selfServiceAfterDefaultLoginMethod": { "type": "object", "additionalProperties": false, "properties": { "default_browser_return_url": { "$ref": "#/definitions/defaultReturnTo" }, "hooks": { "type": "array", "items": { "anyOf": [ { "$ref": "#/definitions/selfServiceSessionRevokerHook" }, { "$ref": "#/definitions/selfServiceRequireVerifiedAddressHook" }, { "$ref": "#/definitions/selfServiceWebHook" }, { "$ref": "#/definitions/selfServiceVerificationHook" }, { "$ref": "#/definitions/selfServiceShowVerificationUIHook" } ] }, "uniqueItems": true, "additionalItems": false } } }, "selfServiceAfterOIDCLoginMethod": { "type": 
"object", "additionalProperties": false, "properties": { "default_browser_return_url": { "$ref": "#/definitions/defaultReturnTo" }, "hooks": { "type": "array", "items": { "anyOf": [ { "$ref": "#/definitions/selfServiceSessionRevokerHook" }, { "$ref": "#/definitions/selfServiceWebHook" }, { "$ref": "#/definitions/selfServiceRequireVerifiedAddressHook" }, { "$ref": "#/definitions/b2bSSOHook" } ] }, "uniqueItems": true, "additionalItems": false } } }, "selfServiceAfterRegistrationMethod": { "type": "object", "additionalProperties": false, "properties": { "default_browser_return_url": { "$ref": "#/definitions/defaultReturnTo" }, "hooks": { "type": "array", "items": { "anyOf": [ { "$ref": "#/definitions/selfServiceSessionIssuerHook" }, { "$ref": "#/definitions/selfServiceWebHook" }, { "$ref": "#/definitions/selfServiceShowVerificationUIHook" }, { "$ref": "#/definitions/b2bSSOHook" } ] }, "uniqueItems": true, "additionalItems": false } } }, "featureRequiredAal": { "title": "Required Authenticator Assurance Level", "description": "Sets what Authenticator Assurance Level (used for 2FA) is required to access this feature. If set to `highest_available` then this endpoint requires the highest AAL the identity has set up. 
If set to `aal1` then the identity can access this feature without 2FA.", "type": "string", "enum": ["aal1", "highest_available"], "default": "highest_available" }, "selfServiceAfterSettings": { "type": "object", "additionalProperties": false, "properties": { "default_browser_return_url": { "$ref": "#/definitions/defaultReturnTo" }, "password": { "$ref": "#/definitions/selfServiceAfterSettingsAuthMethod" }, "totp": { "$ref": "#/definitions/selfServiceAfterSettingsAuthMethod" }, "oidc": { "$ref": "#/definitions/selfServiceAfterSettingsAuthMethod" }, "webauthn": { "$ref": "#/definitions/selfServiceAfterSettingsAuthMethod" }, "passkey": { "$ref": "#/definitions/selfServiceAfterSettingsAuthMethod" }, "lookup_secret": { "$ref": "#/definitions/selfServiceAfterSettingsAuthMethod" }, "profile": { "$ref": "#/definitions/selfServiceAfterSettingsMethod" }, "hooks": { "$ref": "#/definitions/selfServiceHooks" } } }, "selfServiceBeforeLogin": { "type": "object", "additionalProperties": false, "properties": { "hooks": { "$ref": "#/definitions/selfServiceHooks" } } }, "selfServiceAfterLogin": { "type": "object", "additionalProperties": false, "properties": { "default_browser_return_url": { "$ref": "#/definitions/defaultReturnTo" }, "password": { "$ref": "#/definitions/selfServiceAfterDefaultLoginMethod" }, "webauthn": { "$ref": "#/definitions/selfServiceAfterDefaultLoginMethod" }, "passkey": { "$ref": "#/definitions/selfServiceAfterDefaultLoginMethod" }, "oidc": { "$ref": "#/definitions/selfServiceAfterOIDCLoginMethod" }, "code": { "$ref": "#/definitions/selfServiceAfterDefaultLoginMethod" }, "totp": { "$ref": "#/definitions/selfServiceAfterDefaultLoginMethod" }, "lookup_secret": { "$ref": "#/definitions/selfServiceAfterDefaultLoginMethod" }, "hooks": { "type": "array", "items": { "anyOf": [ { "$ref": "#/definitions/selfServiceWebHook" }, { "$ref": "#/definitions/selfServiceSessionRevokerHook" }, { "$ref": "#/definitions/selfServiceRequireVerifiedAddressHook" }, { "$ref": 
"#/definitions/selfServiceVerificationHook" }, { "$ref": "#/definitions/selfServiceShowVerificationUIHook" }, { "$ref": "#/definitions/b2bSSOHook" } ] }, "uniqueItems": true, "additionalItems": false } } }, "selfServiceBeforeRegistration": { "type": "object", "additionalProperties": false, "properties": { "hooks": { "$ref": "#/definitions/selfServiceHooks" } } }, "selfServiceBeforeSettings": { "type": "object", "additionalProperties": false, "properties": { "hooks": { "$ref": "#/definitions/selfServiceHooks" } } }, "selfServiceBeforeRecovery": { "type": "object", "additionalProperties": false, "properties": { "hooks": { "$ref": "#/definitions/selfServiceHooks" } } }, "selfServiceBeforeVerification": { "type": "object", "additionalProperties": false, "properties": { "hooks": { "$ref": "#/definitions/selfServiceHooks" } } }, "selfServiceAfterRegistration": { "type": "object", "additionalProperties": false, "properties": { "default_browser_return_url": { "$ref": "#/definitions/defaultReturnTo" }, "password": { "$ref": "#/definitions/selfServiceAfterRegistrationMethod" }, "webauthn": { "$ref": "#/definitions/selfServiceAfterRegistrationMethod" }, "passkey": { "$ref": "#/definitions/selfServiceAfterRegistrationMethod" }, "oidc": { "$ref": "#/definitions/selfServiceAfterRegistrationMethod" }, "code": { "$ref": "#/definitions/selfServiceAfterRegistrationMethod" }, "hooks": { "$ref": "#/definitions/selfServiceHooks" } } }, "selfServiceAfterVerification": { "type": "object", "additionalProperties": false, "properties": { "default_browser_return_url": { "$ref": "#/definitions/defaultReturnTo" }, "hooks": { "$ref": "#/definitions/selfServiceHooks" } } }, "selfServiceAfterRecovery": { "type": "object", "properties": { "default_browser_return_url": { "$ref": "#/definitions/defaultReturnTo" }, "hooks": { "$ref": "#/definitions/selfServiceAfterRecoveryHooks" } }, "additionalProperties": false }, "tlsxSource": { "type": "object", "additionalProperties": false, "properties": { 
"path": { "title": "Path to PEM-encoded File", "type": "string", "examples": ["path/to/file.pem"] }, "base64": { "title": "Base64 Encoded Inline", "description": "The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`. For the private key this places the key material directly in the configuration file or environment variable, so prefer `path` where possible.", "type": "string", "examples": [ "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlEWlRDQ0FrMmdBd0lCQWdJRVY1eE90REFOQmdr..." ] } } }, "tlsx": { "title": "HTTPS", "description": "Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.", "type": "object", "additionalProperties": false, "properties": { "key": { "title": "Private Key (PEM)", "allOf": [ { "$ref": "#/definitions/tlsxSource" } ] }, "cert": { "title": "TLS Certificate (PEM)", "allOf": [ { "$ref": "#/definitions/tlsxSource" } ] } } }, "courierTemplates": { "additionalProperties": false, "type": "object", "properties": { "invalid": { "additionalProperties": false, "type": "object", "properties": { "email": { "$ref": "#/definitions/emailCourierTemplate" } }, "required": ["email"] }, "valid": { "additionalProperties": false, "type": "object", "properties": { "email": { "$ref": "#/definitions/emailCourierTemplate" }, "sms": { "$ref": "#/definitions/smsCourierTemplate" } }, "required": ["email"] } } }, "smsCourierTemplate": { "additionalProperties": false, "type": "object", "properties": { "body": { "additionalProperties": false, "type": "object", "properties": { "plaintext": { "type": "string", "description": "The template sent to the SMS provider.", "format": "uri", "examples": [ "file://path/to/body.plaintext.gotmpl", "https://foo.bar.com/path/to/body.plaintext.gotmpl" ] } } } } }, "emailCourierTemplate": { "additionalProperties": false, "type": "object", "properties": { "body": { "additionalProperties": 
false, "type": "object", "properties": { "plaintext": { "type": "string", "description": "The fallback template for email clients that do not support html.", "format": "uri", "examples": [ "file://path/to/body.plaintext.gotmpl", "https://foo.bar.com/path/to/body.plaintext.gotmpl", "base64://e3sgZGVmaW5lIGFmLVpBIH19CkhhbGxvLAoKSGVyc3RlbCBqb3UgcmVrZW5pbmcgZGV1ciBoaWVyZGllIHNrYWtlbCB0ZSB2b2xnOgp7ey0gZW5kIC19fQoKe3sgZGVmaW5lIGVuLVVTIH19CkhpLAoKcGxlYXNlIHJlY292ZXIgYWNjZXNzIHRvIHlvdXIgYWNjb3VudCBieSBjbGlja2luZyB0aGUgZm9sbG93aW5nIGxpbms6Cnt7LSBlbmQgLX19Cgp7ey0gaWYgZXEgLmxhbmcgImFmLVpBIiAtfX0KCnt7IHRlbXBsYXRlICJhZi1aQSIgLiB9fQoKe3stIGVsc2UgLX19Cgp7eyB0ZW1wbGF0ZSAiZW4tVVMiIH19Cgp7ey0gZW5kIC19fQp7eyAuUmVjb3ZlcnlVUkwgfX0K" ] }, "html": { "type": "string", "description": "The default template used for sending out emails. The template can contain HTML ", "format": "uri", "examples": [ "file://path/to/body.html.gotmpl", "https://foo.bar.com/path/to/body.html.gotmpl", "base64://e3sgZGVmaW5lIGFmLVpBIH19CkhhbGxvLAoKSGVyc3RlbCBqb3UgcmVrZW5pbmcgZGV1ciBoaWVyZGllIHNrYWtlbCB0ZSB2b2xnOgp7ey0gZW5kIC19fQoKe3sgZGVmaW5lIGVuLVVTIH19CkhpLAoKcGxlYXNlIHJlY292ZXIgYWNjZXNzIHRvIHlvdXIgYWNjb3VudCBieSBjbGlja2luZyB0aGUgZm9sbG93aW5nIGxpbms6Cnt7LSBlbmQgLX19Cgp7ey0gaWYgZXEgLmxhbmcgImFmLVpBIiAtfX0KCnt7IHRlbXBsYXRlICJhZi1aQSIgLiB9fQoKe3stIGVsc2UgLX19Cgp7eyB0ZW1wbGF0ZSAiZW4tVVMiIH19Cgp7ey0gZW5kIC19fQo8YSBocmVmPSJ7eyAuUmVjb3ZlcnlVUkwgfX0iPnt7IC5SZWNvdmVyeVVSTCB9fTwvYT4" ] } } }, "subject": { "type": "string", "format": "uri", "examples": [ "file://path/to/subject.gotmpl", "https://foo.bar.com/path/to/subject.gotmpl", 
"base64://e3sgZGVmaW5lIGFmLVpBIH19CkhhbGxvLAoKSGVyc3RlbCBqb3UgcmVrZW5pbmcgZGV1ciBoaWVyZGllIHNrYWtlbCB0ZSB2b2xnOgp7ey0gZW5kIC19fQoKe3sgZGVmaW5lIGVuLVVTIH19CkhpLAoKcGxlYXNlIHJlY292ZXIgYWNjZXNzIHRvIHlvdXIgYWNjb3VudCBieSBjbGlja2luZyB0aGUgZm9sbG93aW5nIGxpbms6Cnt7LSBlbmQgLX19Cgp7ey0gaWYgZXEgLmxhbmcgImFmLVpBIiAtfX0KCnt7IHRlbXBsYXRlICJhZi1aQSIgLiB9fQoKe3stIGVsc2UgLX19Cgp7eyB0ZW1wbGF0ZSAiZW4tVVMiIH19Cgp7ey0gZW5kIC19fQo8YSBocmVmPSJ7eyAuUmVjb3ZlcnlVUkwgfX0iPnt7IC5SZWNvdmVyeVVSTCB9fTwvYT4" ] } } } }, "properties": { "selfservice": { "type": "object", "additionalProperties": false, "required": ["default_browser_return_url"], "properties": { "default_browser_return_url": { "$ref": "#/definitions/defaultReturnTo" }, "allowed_return_urls": { "title": "Allowed Return To URLs", "description": "List of URLs that are allowed to be redirected to. A redirection request is made by appending `?return_to=...` to Login, Registration, and other self-service flows.", "type": "array", "items": { "type": "string", "format": "uri-reference" }, "examples": [ [ "https://app.my-app.com/dashboard", "/dashboard", "https://www.my-app.com/", "https://*.my-app.com/" ] ] }, "flows": { "type": "object", "additionalProperties": false, "properties": { "settings": { "type": "object", "additionalProperties": false, "properties": { "ui_url": { "title": "URL of the Settings page.", "description": "URL where the Settings UI is hosted. 
Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).", "type": "string", "format": "uri-reference", "examples": ["https://my-app.com/user/settings"], "default": "https://www.ory.sh/kratos/docs/fallback/settings" }, "lifespan": { "type": "string", "pattern": "^([0-9]+(ns|us|ms|s|m|h))+$", "default": "1h", "examples": ["1h", "1m", "1s"] }, "privileged_session_max_age": { "type": "string", "pattern": "^([0-9]+(ns|us|ms|s|m|h))+$", "default": "1h", "examples": ["1h", "1m", "1s"] }, "required_aal": { "$ref": "#/definitions/featureRequiredAal" }, "after": { "$ref": "#/definitions/selfServiceAfterSettings" }, "before": { "$ref": "#/definitions/selfServiceBeforeSettings" } } }, "logout": { "type": "object", "additionalProperties": false, "properties": { "after": { "type": "object", "additionalProperties": false, "properties": { "default_browser_return_url": { "$ref": "#/definitions/defaultReturnTo" } } } } }, "registration": { "type": "object", "additionalProperties": false, "properties": { "enabled": { "type": "boolean", "title": "Enable User Registration", "description": "If set to true will enable [User Registration](https://www.ory.sh/kratos/docs/self-service/flows/user-registration/).", "default": true }, "login_hints": { "type": "boolean", "title": "Provide Login Hints on Failed Registration", "description": "When registration fails because an account with the given credentials or addresses previously signed up, provide login hints about available methods to sign in to the user. Enabling this confirms to whoever submitted the form that the address or identifier is already registered, which is an account-enumeration signal; leave it disabled where that matters.", "default": false }, "ui_url": { "title": "Registration UI URL", "description": "URL where the Registration UI is hosted. 
Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).", "type": "string", "format": "uri-reference", "examples": ["https://my-app.com/signup"], "default": "https://www.ory.sh/kratos/docs/fallback/registration" }, "lifespan": { "type": "string", "pattern": "^([0-9]+(ns|us|ms|s|m|h))+$", "default": "1h", "examples": ["1h", "1m", "1s"] }, "before": { "$ref": "#/definitions/selfServiceBeforeRegistration" }, "after": { "$ref": "#/definitions/selfServiceAfterRegistration" }, "enable_legacy_one_step": { "type": "boolean", "title": "Disable two-step registration", "description": "Two-step registration is a significantly improved sign up flow and recommended when using more than one sign up methods. To revert to one-step registration, set this to `true`.", "default": false } } }, "login": { "type": "object", "additionalProperties": false, "properties": { "ui_url": { "title": "Login UI URL", "description": "URL where the Login UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).", "type": "string", "format": "uri-reference", "examples": ["https://my-app.com/login"], "default": "https://www.ory.sh/kratos/docs/fallback/login" }, "lifespan": { "type": "string", "pattern": "^([0-9]+(ns|us|ms|s|m|h))+$", "default": "1h", "examples": ["1h", "1m", "1s"] }, "style": { "title": "Login Flow Style", "description": "The style of the login flow. If set to `unified` the login flow will be a one-step process. If set to `identifier_first` (experimental!) 
the login flow will first ask for the identifier and then the credentials.", "type": "string", "enum": ["unified", "identifier_first"], "default": "unified" }, "before": { "$ref": "#/definitions/selfServiceBeforeLogin" }, "after": { "$ref": "#/definitions/selfServiceAfterLogin" } } }, "verification": { "title": "Email and Phone Verification and Account Activation Configuration", "type": "object", "additionalProperties": false, "properties": { "enabled": { "type": "boolean", "title": "Enable Email/Phone Verification", "description": "If set to true will enable [Email and Phone Verification and Account Activation](https://www.ory.sh/kratos/docs/self-service/flows/verify-email-account-activation/).", "default": false }, "ui_url": { "title": "Verify UI URL", "description": "URL where the Ory Verify UI is hosted. This is the page where users activate and / or verify their email or telephone number. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).", "type": "string", "format": "uri-reference", "examples": ["https://my-app.com/verify"], "default": "https://www.ory.sh/kratos/docs/fallback/verification" }, "after": { "$ref": "#/definitions/selfServiceAfterVerification" }, "lifespan": { "title": "Self-Service Verification Request Lifespan", "description": "Sets how long the verification request (for the UI interaction) is valid.", "type": "string", "pattern": "^([0-9]+(ns|us|ms|s|m|h))+$", "default": "1h", "examples": ["1h", "1m", "1s"] }, "before": { "$ref": "#/definitions/selfServiceBeforeVerification" }, "use": { "title": "Verification Strategy", "description": "The strategy to use for verification requests", "type": "string", "enum": ["link", "code"], "default": "code" }, "notify_unknown_recipients": { "title": "Notify unknown recipients", "description": "Whether to notify recipients, if verification was requested for their address.", "type": "boolean", "default": false } } }, "recovery": { "title": "Account Recovery 
Configuration", "type": "object", "additionalProperties": false, "properties": { "enabled": { "type": "boolean", "title": "Enable Account Recovery", "description": "If set to true will enable [Account Recovery](https://www.ory.sh/kratos/docs/self-service/flows/password-reset-account-recovery/).", "default": false }, "ui_url": { "title": "Recovery UI URL", "description": "URL where the Ory Recovery UI is hosted. This is the page where users request and complete account recovery. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).", "type": "string", "format": "uri-reference", "examples": ["https://my-app.com/verify"], "default": "https://www.ory.sh/kratos/docs/fallback/recovery" }, "after": { "$ref": "#/definitions/selfServiceAfterRecovery" }, "lifespan": { "title": "Self-Service Recovery Request Lifespan", "description": "Sets how long the recovery request is valid. If expired, the user has to redo the flow.", "type": "string", "pattern": "^([0-9]+(ns|us|ms|s|m|h))+$", "default": "1h", "examples": ["1h", "1m", "1s"] }, "before": { "$ref": "#/definitions/selfServiceBeforeRecovery" }, "use": { "title": "Recovery Strategy", "description": "The strategy to use for recovery requests", "type": "string", "enum": ["link", "code"], "default": "code" }, "notify_unknown_recipients": { "title": "Notify unknown recipients", "description": "Whether to notify recipients, if recovery was requested for their account.", "type": "boolean", "default": false } } }, "error": { "type": "object", "additionalProperties": false, "properties": { "ui_url": { "title": "Ory Kratos Error UI URL", "description": "URL where the Ory Kratos Error UI is hosted. 
Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).", "type": "string", "format": "uri-reference", "examples": ["https://my-app.com/kratos-error"], "default": "https://www.ory.sh/kratos/docs/fallback/error" } } } } }, "methods": { "type": "object", "additionalProperties": false, "properties": { "b2b": { "title": "Single Sign-On for B2B", "description": "Single Sign-On for B2B allows your customers to bring their own (workforce) identity server (e.g. OneLogin). This feature is not available in the open source licensed code.", "type": "object", "properties": { "config": { "type": "object", "additionalProperties": false, "properties": { "organizations": { "type": "array", "items": { "type": "object", "properties": { "id": { "type": "string", "description": "The ID of the organization.", "format": "uuid", "examples": ["00000000-0000-0000-0000-000000000000"] }, "label": { "type": "string", "description": "The label of the organization.", "examples": ["ACME SSO"] }, "domains": { "type": "array", "items": { "type": "string", "format": "hostname", "examples": ["my-app.com"], "description": "If this domain matches the email's domain, this provider is shown." 
} } } } } } } }, "additionalProperties": false }, "profile": { "type": "object", "additionalProperties": false, "properties": { "enabled": { "type": "boolean", "title": "Enables Profile Management Method", "default": true } } }, "link": { "type": "object", "additionalProperties": false, "properties": { "enabled": { "type": "boolean", "title": "Enables Link Method", "default": false }, "config": { "type": "object", "title": "Link Configuration", "description": "Additional configuration for the link strategy.", "properties": { "base_url": { "title": "Override the base URL which should be used as the base for recovery and verification links.", "type": "string", "examples": ["https://my-app.com"] }, "lifespan": { "title": "How long a link is valid for", "type": "string", "pattern": "^([0-9]+(ns|us|ms|s|m|h))+$", "default": "1h", "examples": ["1h", "1m", "1s"] } } } } }, "code": { "type": "object", "additionalProperties": true, "anyOf": [ { "properties": { "passwordless_enabled": { "const": true }, "mfa_enabled": { "const": false } } }, { "properties": { "mfa_enabled": { "const": true }, "passwordless_enabled": { "const": false } } }, { "properties": { "mfa_enabled": { "const": false }, "passwordless_enabled": { "const": false } } } ], "properties": { "passwordless_enabled": { "type": "boolean", "title": "Enables login and registration with the code method.", "description": "If set to true, code.enabled will be set to true as well.", "default": false }, "mfa_enabled": { "type": "boolean", "title": "Enables login flows code method to fulfil MFA requests", "default": false }, "enabled": { "type": "boolean", "title": "Enables Code Method", "default": true }, "config": { "type": "object", "title": "Code Configuration", "description": "Additional configuration for the code strategy.", "properties": { "lifespan": { "title": "How long a code is valid for", "type": "string", "pattern": "^([0-9]+(ns|us|ms|s|m|h))+$", "default": "1h", "examples": ["1h", "1m", "1s"] }, 
"missing_credential_fallback_enabled": { "type": "boolean", "title": "Enable Code OTP as a Fallback", "description": "Enabling this allows users to sign in with the code method, even if their identity schema or their credentials are not set up to use the code method. If enabled, a verified address (such as an email) will be used to send the code to the user. Use with caution and only if actually needed.", "default": false } } } } }, "password": { "type": "object", "additionalProperties": false, "properties": { "enabled": { "type": "boolean", "title": "Enables Username/Email and Password Method", "default": true }, "config": { "type": "object", "title": "Password Configuration", "description": "Define how passwords are validated.", "properties": { "haveibeenpwned_host": { "title": "Custom haveibeenpwned host", "description": "Allows changing the default HIBP host to a self-hosted version.", "type": "string", "default": "api.pwnedpasswords.com" }, "haveibeenpwned_enabled": { "title": "Enable the HaveIBeenPwned API", "description": "If set to false, password validation does not use the Have I Been Pwned API.", "type": "boolean", "default": true }, "max_breaches": { "title": "Allow Password Breaches", "description": "Defines how many times a password may appear in known breaches before it is rejected.", "type": "integer", "minimum": 0, "maximum": 100, "default": 0 }, "ignore_network_errors": { "title": "Ignore Lookup Network Errors", "description": "If set to false, password validation fails when the network or the Have I Been Pwned API is unavailable. With the default of true, such lookup failures are ignored, which means the breach check cannot be enforced for that password.", "type": "boolean", "default": true }, "min_password_length": { "title": "Minimum Password Length", "description": "Defines the minimum length of the password.", "type": "integer", "default": 8, "minimum": 6 }, "identifier_similarity_check_enabled": { "title": "Enable password-identifier similarity check", "description": "If set to false the password validation does not check for similarity between the password and the user 
identifier.", "type": "boolean", "default": true }, "migrate_hook": { "type": "object", "additionalProperties": false, "properties": { "enabled": { "type": "boolean", "title": "Enable Password Migration", "description": "If set to true will enable password migration.", "default": false }, "config": { "type": "object", "additionalProperties": false, "properties": { "url": { "type": "string", "description": "The URL the password migration hook should call", "format": "uri" }, "method": { "type": "string", "description": "The HTTP method to use (GET, POST, etc).", "const": "POST", "default": "POST" }, "headers": { "type": "object", "description": "The HTTP headers that must be applied to the password migration hook.", "additionalProperties": { "type": "string" } }, "emit_analytics_event": { "type": "boolean", "default": true, "description": "Emit tracing events for this hook on delivery or error" }, "auth": { "type": "object", "title": "Auth mechanisms", "description": "Define which auth mechanism the Web-Hook should use", "oneOf": [ { "$ref": "#/definitions/webHookAuthApiKeyProperties" }, { "$ref": "#/definitions/webHookAuthBasicAuthProperties" } ] }, "additionalProperties": false } } } } }, "additionalProperties": false } } }, "totp": { "type": "object", "additionalProperties": false, "properties": { "enabled": { "type": "boolean", "title": "Enables the TOTP method", "default": false }, "config": { "type": "object", "title": "TOTP Configuration", "properties": { "issuer": { "title": "TOTP Issuer", "description": "The issuer (e.g. a domain name) will be shown in the TOTP app (e.g. Google Authenticator). 
It helps the user differentiate between different codes.", "type": "string" } }, "additionalProperties": false } } }, "lookup_secret": { "type": "object", "additionalProperties": false, "properties": { "enabled": { "type": "boolean", "title": "Enables the lookup secret method", "default": false } } }, "webauthn": { "type": "object", "additionalProperties": false, "properties": { "enabled": { "type": "boolean", "title": "Enables the WebAuthn method", "default": false }, "config": { "type": "object", "title": "WebAuthn Configuration", "properties": { "passwordless": { "type": "boolean", "title": "Use For Passwordless Flows", "description": "If enabled, WebAuthn is used for passwordless flows (as a first factor) and not for multi-factor setups. With this set to true, users will see an option to sign up with WebAuthn on the registration screen." }, "rp": { "title": "Relying Party (RP) Config", "properties": { "display_name": { "type": "string", "title": "Relying Party Display Name", "description": "A name to help the user identify this RP.", "examples": ["Ory Foundation"] }, "id": { "type": "string", "title": "Relying Party Identifier", "description": "The id must be equal to, or a registrable suffix of, the domain currently in the browser.", "examples": ["ory.sh"] }, "origin": { "type": "string", "title": "Relying Party Origin", "description": "An explicit RP origin. If left empty, this defaults to `id`, prepended with the current protocol scheme (HTTP or HTTPS).", "format": "uri", "deprecationMessage": "This field is deprecated. Use `origins` instead.", "examples": ["https://www.ory.sh"] }, "origins": { "type": "array", "title": "Relying Party Origins", "description": "A list of explicit RP origins. 
If left empty, this defaults to either `origin` or `id`, prepended with the current protocol schema (HTTP or HTTPS).", "items": { "type": "string", "format": "uri", "examples": [ "https://www.ory.sh", "https://auth.ory.sh" ] } }, "icon": { "type": "string", "title": "Relying Party Icon", "description": "An icon to help the user identify this RP.", "format": "uri", "deprecationMessage": "This field is deprecated and ignored due to security considerations.", "examples": ["https://www.ory.sh/an-icon.png"] } }, "type": "object", "oneOf": [ { "required": ["id", "display_name"], "properties": { "origin": { "not": {} }, "origins": { "not": {} } } }, { "required": ["id", "display_name", "origin"], "properties": { "origin": { "type": "string" }, "origins": { "not": {} } } }, { "required": ["id", "display_name", "origins"], "properties": { "origin": { "not": {} }, "origins": { "type": "array", "items": { "type": "string" } } } } ] } }, "additionalProperties": false } }, "if": { "properties": { "enabled": { "const": true } }, "required": ["enabled"] }, "then": { "required": ["config"] } }, "passkey": { "type": "object", "additionalProperties": false, "properties": { "enabled": { "type": "boolean", "title": "Enables the Passkey method", "default": false }, "config": { "type": "object", "title": "Passkey Configuration", "properties": { "rp": { "title": "Relying Party (RP) Config", "properties": { "display_name": { "type": "string", "title": "Relying Party Display Name", "description": "A name to help the user identify this RP.", "examples": ["Ory Foundation"] }, "id": { "type": "string", "title": "Relying Party Identifier", "description": "The id must be a subset of the domain currently in the browser.", "examples": ["ory.sh"] }, "origins": { "type": "array", "title": "Relying Party Origins", "description": "A list of explicit RP origins. 
If left empty, this defaults to either `origin` or `id`, prepended with the current protocol schema (HTTP or HTTPS).", "items": { "type": "string", "format": "uri", "examples": [ "https://www.ory.sh", "https://auth.ory.sh" ] } } }, "type": "object", "required": ["display_name", "id"] } }, "additionalProperties": false } }, "if": { "properties": { "enabled": { "const": true } }, "required": ["enabled"] }, "then": { "required": ["config"] } }, "oidc": { "type": "object", "title": "Specify OpenID Connect and OAuth2 Configuration", "showEnvVarBlockForObject": true, "additionalProperties": false, "properties": { "enabled": { "type": "boolean", "title": "Enables OpenID Connect Method", "default": false }, "config": { "type": "object", "additionalProperties": false, "properties": { "base_redirect_uri": { "type": "string", "title": "Base URL for OAuth2 Redirect URIs", "description": "Can be used to modify the base URL for OAuth2 Redirect URLs. If unset, the Public Base URL will be used.", "format": "uri", "examples": ["https://auth.myexample.org/"] }, "providers": { "title": "OpenID Connect and OAuth2 Providers", "description": "A list and configuration of OAuth2 and OpenID Connect providers Ory Kratos should integrate with.", "type": "array", "items": { "$ref": "#/definitions/selfServiceOIDCProvider" } } } } } } } } } }, "database": { "type": "object", "title": "Database related configuration", "description": "Miscellaneous settings used in database related tasks (cleanup, etc.)", "properties": { "cleanup": { "type": "object", "title": "Database cleanup settings", "description": "Settings that controls how the database cleanup process is configured (delays, batch size, etc.)", "properties": { "batch_size": { "type": "integer", "title": "Number of records to clean in one iteration", "description": "Controls how many records should be purged from one table during database cleanup task", "minimum": 1, "default": 100 }, "sleep": { "type": "object", "title": "Delays between 
various database cleanup phases", "description": "Configures the delay between each step of the cleanup process. Useful for tuning the process so that it stays efficient and performant.", "properties": { "tables": { "type": "string", "title": "Delay between table cleanups", "description": "Controls the delay between cleaning consecutive tables within one cleanup iteration", "pattern": "^[0-9]+(ns|us|ms|s|m|h)$", "default": "1m" } } }, "older_than": { "type": "string", "title": "Remove records older than", "description": "Controls how old a record must be before it is removed", "pattern": "^[0-9]+(ns|us|ms|s|m|h)$", "default": "0s" } } } }, "additionalProperties": false }, "dsn": { "type": "string", "title": "Data Source Name", "description": "DSN is used to specify the database credentials as a connection URI.", "examples": [ "postgres://user:password@postgresd:5432/database?sslmode=disable&max_conns=20&max_idle_conns=4", "mysql://user:secret@tcp(mysqld:3306)/database?max_conns=20&max_idle_conns=4", "cockroach://user@cockroachdb:26257/database?sslmode=disable&max_conns=20&max_idle_conns=4", "sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc" ] }, "courier": { "type": "object", "title": "Courier configuration", "description": "The courier is responsible for sending and delivering messages over email, sms, and other means.", "properties": { "templates": { "additionalProperties": false, "type": "object", "properties": { "recovery": { "$ref": "#/definitions/courierTemplates" }, "recovery_code": { "$ref": "#/definitions/courierTemplates" }, "verification": { "$ref": "#/definitions/courierTemplates" }, "verification_code": { "$ref": "#/definitions/courierTemplates" }, "registration_code": { "additionalProperties": false, "type": "object", "properties": { "valid": { "additionalProperties": false, "type": "object", "properties": { "email": { "$ref": "#/definitions/emailCourierTemplate" } }, "required": ["email"] } } }, "login_code": { "additionalProperties": false, "type": "object", 
"properties": { "valid": { "additionalProperties": false, "type": "object", "properties": { "email": { "$ref": "#/definitions/emailCourierTemplate" }, "sms": { "$ref": "#/definitions/smsCourierTemplate" } }, "required": ["email"] } } } } }, "template_override_path": { "type": "string", "title": "Override message templates", "description": "You can override certain or all message templates by pointing this key to the path where the templates are located.", "examples": ["/conf/courier-templates"] }, "message_retries": { "description": "Defines the maximum number of times the sending of a message is retried after it failed before it is marked as abandoned", "type": "integer", "default": 5, "examples": [10, 60] }, "worker": { "description": "Configures the dispatch worker.", "type": "object", "properties": { "pull_count": { "description": "Defines how many messages are pulled from the queue at once.", "type": "integer", "default": 10 }, "pull_wait": { "description": "Defines how long the worker waits before pulling messages from the queue again.", "type": "string", "pattern": "^([0-9]+(ns|us|ms|s|m|h))+$", "default": "1s" } } }, "delivery_strategy": { "title": "Delivery Strategy", "description": "Defines how emails will be sent, either through SMTP (default) or HTTP.", "type": "string", "enum": ["smtp", "http"], "default": "smtp" }, "http": { "title": "HTTP Configuration", "description": "Configures outgoing emails using HTTP.", "type": "object", "properties": { "request_config": { "$ref": "#/definitions/httpRequestConfig" } }, "additionalProperties": false }, "smtp": { "title": "SMTP Configuration", "description": "Configures outgoing emails using the SMTP protocol.", "type": "object", "properties": { "connection_uri": { "title": "SMTP connection string", "description": "This URI will be used to connect to the SMTP server. Use the scheme smtps for implicit TLS sessions or smtp for explicit StartTLS/cleartext sessions. 
Please note that TLS is always enforced with certificate trust verification by default for security reasons on both schemes. With the smtp scheme you can use the query parameter (`?disable_starttls=true`) to allow cleartext sessions or (`?disable_starttls=false`) to enforce StartTLS (default behaviour). Additionally, use the query parameter to allow (`?skip_ssl_verify=true`) or disallow (`?skip_ssl_verify=false`) self-signed TLS certificates (default behaviour) on both implicit and explicit TLS sessions.", "examples": [ "smtps://foo:bar@my-mailserver:1234/?skip_ssl_verify=false", "smtp://foo:bar@my-mailserver:1234/?disable_starttls=true (NOT RECOMMENDED: Cleartext smtp for devel and legacy infrastructure only)", "smtp://foo:bar@my-mailserver:1234/ (Explicit StartTLS with certificate trust verification)", "smtp://foo:bar@my-mailserver:1234/?skip_ssl_verify=true (NOT RECOMMENDED: Explicit StartTLS without certificate trust verification)", "smtps://foo:bar@my-mailserver:1234/ (Implicit TLS with certificate trust verification)", "smtps://foo:bar@my-mailserver:1234/?skip_ssl_verify=true (NOT RECOMMENDED: Implicit TLS without certificate trust verification)", "smtps://subdomain.my-mailserver:1234/?server_name=my-mailserver (allows TLS to work if the server is hosted on a sudomain that uses a non-wildcard domain certificate)" ], "type": "string", "pattern": "^smtps?:\\/\\/.*" }, "client_cert_path": { "title": "SMTP Client certificate path", "description": "Path of the client X.509 certificate, in case of certificate based client authentication to the SMTP server.", "type": "string", "default": "" }, "client_key_path": { "title": "SMTP Client private key path", "description": "Path of the client certificate private key, in case of certificate based client authentication to the SMTP server", "type": "string", "default": "" }, "from_address": { "title": "SMTP Sender Address", "description": "The recipient of an email will see this as the sender address.", "type": "string", 
"format": "email", "default": "no-reply@ory.kratos.sh" }, "from_name": { "title": "SMTP Sender Name", "description": "The recipient of an email will see this as the sender name.", "type": "string", "examples": ["Bob"] }, "headers": { "title": "SMTP Headers", "description": "These headers will be passed in the SMTP conversation -- e.g. when using the AWS SES SMTP interface for cross-account sending.", "type": "object", "additionalProperties": { "type": "string" }, "examples": [ { "X-SES-SOURCE-ARN": "arn:aws:ses:us-west-2:123456789012:identity/example.com", "X-SES-FROM-ARN": "arn:aws:ses:us-west-2:123456789012:identity/example.com", "X-SES-RETURN-PATH-ARN": "arn:aws:ses:us-west-2:123456789012:identity/example.com" } ] }, "local_name": { "title": "SMTP HELO/EHLO name", "description": "Identifier used in the SMTP HELO/EHLO command. Some SMTP relays require a unique identifier.", "type": "string", "default": "localhost" } }, "additionalProperties": false }, "sms": { "title": "SMS sender configuration", "description": "Configures outgoing sms messages using HTTP protocol with generic SMS provider", "type": "object", "properties": { "enabled": { "description": "Determines if SMS functionality is enabled", "type": "boolean", "default": false }, "from": { "title": "SMS Sender Address", "description": "The recipient of a sms will see this as the sender address.", "type": "string", "default": "Ory Kratos" }, "request_config": { "type": "object", "properties": { "url": { "title": "HTTP address of API endpoint", "description": "This URL will be used to connect to the SMS provider.", "examples": ["https://api.twillio.com/sms/send"], "type": "string", "pattern": "^https?:\\/\\/.*" }, "method": { "type": "string", "description": "The HTTP method to use (GET, POST, etc)." 
}, "headers": { "type": "object", "description": "The HTTP headers that must be applied to request", "additionalProperties": { "type": "string" } }, "body": { "type": "string", "format": "uri", "pattern": "^(http|https|file|base64)://", "description": "URI pointing to the jsonnet template used for payload generation. Only used for those HTTP methods, which support HTTP body payloads", "examples": [ "file:///path/to/body.jsonnet", "file://./body.jsonnet", "base64://ZnVuY3Rpb24oY3R4KSB7CiAgaWRlbnRpdHlfaWQ6IGlmIGN0eFsiaWRlbnRpdHkiXSAhPSBudWxsIHRoZW4gY3R4LmlkZW50aXR5LmlkLAp9=", "https://oryapis.com/default_body.jsonnet" ] }, "auth": { "type": "object", "title": "Auth mechanisms", "description": "Define which auth mechanism to use for auth with the SMS provider", "oneOf": [ { "$ref": "#/definitions/webHookAuthApiKeyProperties" }, { "$ref": "#/definitions/webHookAuthBasicAuthProperties" } ] }, "additionalProperties": false }, "required": ["url", "method"], "additionalProperties": false } }, "additionalProperties": false }, "channels": { "type": "array", "items": { "title": "Courier channel configuration", "type": "object", "properties": { "id": { "type": "string", "title": "Channel id", "description": "The channel id. Corresponds to the .via property of the identity schema for recovery, verification, etc. Currently only phone is supported.", "maxLength": 32, "enum": ["sms"] }, "type": { "type": "string", "title": "Channel type", "description": "The channel type. 
Currently only http is supported.", "enum": ["http"] }, "request_config": { "$ref": "#/definitions/httpRequestConfig" } }, "required": ["id", "request_config"], "additionalProperties": false } } }, "additionalProperties": false }, "oauth2_provider": { "title": "OAuth2 Provider Configuration", "type": "object", "properties": { "url": { "title": "OAuth 2.0 Provider URL.", "description": "If set, the login and registration flows will handle the Ory OAuth 2.0 & OpenID `login_challenge` query parameter to serve as an OpenID Connect Provider. This URL should point to Ory Hydra when you are not running on the Ory Network and be left untouched otherwise.", "type": "string", "format": "uri", "examples": [ "https://some-slug.projects.oryapis.com", "https://domain-of-ory-hydra:4445" ] }, "headers": { "title": "HTTP Request Headers", "description": "These headers will be passed in the HTTP request to the OAuth2 Provider.", "type": "object", "additionalProperties": { "type": "string" }, "examples": [ { "Authorization": "Bearer some-token" } ] }, "override_return_to": { "title": "Persist OAuth2 request between flows", "type": "boolean", "default": false, "description": "Override the return_to query parameter with the OAuth2 provider request URL when performing an OAuth2 login flow." } }, "additionalProperties": false }, "preview": { "title": "Configure Preview Features", "type": "object", "properties": { "default_read_consistency_level": { "type": "string", "title": "Default Read Consistency Level", "description": "The default consistency level to use when reading from the database. Defaults to `strong` to not break existing API contracts. Only set this to `eventual` if you can accept that other read APIs will suddenly return eventually consistent results. 
It is only effective in Ory Network.", "enum": ["strong", "eventual"], "default": "strong" } } }, "serve": { "type": "object", "properties": { "admin": { "type": "object", "properties": { "request_log": { "type": "object", "properties": { "disable_for_health": { "title": "Disable health endpoints request logging", "description": "Disable request logging for /health/alive and /health/ready endpoints", "type": "boolean", "default": false } }, "additionalProperties": false }, "base_url": { "title": "Admin Base URL", "description": "The URL where the admin endpoint is exposed at.", "type": "string", "format": "uri", "examples": ["https://kratos.private-network:4434/"] }, "host": { "title": "Admin Host", "description": "The host (interface) kratos' admin endpoint listens on.", "type": "string", "default": "0.0.0.0" }, "port": { "title": "Admin Port", "description": "The port kratos' admin endpoint listens on.", "type": "integer", "minimum": 1, "maximum": 65535, "examples": [4434], "default": 4434 }, "socket": { "$ref": "#/definitions/socket" }, "tls": { "$ref": "#/definitions/tlsx" } }, "additionalProperties": false }, "public": { "type": "object", "properties": { "request_log": { "type": "object", "properties": { "disable_for_health": { "title": "Disable health endpoints request logging", "description": "Disable request logging for /health/alive and /health/ready endpoints", "type": "boolean", "default": false } }, "additionalProperties": false }, "cors": { "type": "object", "additionalProperties": false, "description": "Configures Cross Origin Resource Sharing for public endpoints.", "properties": { "enabled": { "type": "boolean", "description": "Sets whether CORS is enabled.", "default": false }, "allowed_origins": { "type": "array", "description": "A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. 
An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Only one wildcard can be used per origin.", "items": { "type": "string", "minLength": 1, "not": { "type": "string", "description": "matches all strings that contain two or more wildcards (*)", "pattern": ".*\\*.*\\*.*" }, "anyOf": [ { "type": "string", "format": "uri" }, { "const": "*" } ] }, "uniqueItems": true, "default": ["*"], "examples": [ [ "https://example.com", "https://*.example.com", "https://*.foo.example.com" ] ] }, "allowed_methods": { "type": "array", "description": "A list of HTTP methods the user agent is allowed to use with cross-domain requests.", "default": ["POST", "GET", "PUT", "PATCH", "DELETE"], "items": { "type": "string", "enum": [ "POST", "GET", "PUT", "PATCH", "DELETE", "CONNECT", "HEAD", "OPTIONS", "TRACE" ] } }, "allowed_headers": { "type": "array", "description": "A list of non-simple headers the client is allowed to use with cross-domain requests.", "default": [ "Authorization", "Content-Type", "Max-Age", "X-Session-Token", "X-XSRF-TOKEN", "X-CSRF-TOKEN" ], "items": { "type": "string" } }, "exposed_headers": { "type": "array", "description": "Sets which response headers browsers may expose to the requesting client in cross-origin requests (the CORS Access-Control-Expose-Headers list).", "default": ["Content-Type"], "items": { "type": "string" } }, "allow_credentials": { "type": "boolean", "description": "Sets whether the request can include user credentials like cookies, HTTP authentication or client-side TLS certificates.", "default": true }, "options_passthrough": { "type": "boolean", "description": "TODO", "default": false }, "max_age": { "type": "integer", "description": "Sets how long (in seconds) the results of a preflight request can be cached. 
If set to 0, every request is preceded by a preflight request.", "default": 0, "minimum": 0 }, "debug": { "type": "boolean", "description": "Adds additional log output to debug server side CORS issues.", "default": false } } }, "base_url": { "$ref": "#/definitions/baseUrl" }, "host": { "title": "Public Host", "description": "The host (interface) kratos' public endpoint listens on.", "type": "string", "default": "0.0.0.0" }, "port": { "title": "Public Port", "description": "The port kratos' public endpoint listens on.", "type": "integer", "minimum": 1, "maximum": 65535, "examples": [4433], "default": 4433 }, "socket": { "$ref": "#/definitions/socket" }, "tls": { "$ref": "#/definitions/tlsx" } }, "additionalProperties": false } }, "additionalProperties": false }, "tracing": { "$ref": "https://raw.githubusercontent.com/ory/x/v0.0.660/otelx/config.schema.json" }, "log": { "title": "Log", "description": "Configure logging using the following options. Logging will always be sent to stdout and stderr.", "type": "object", "properties": { "level": { "description": "Debug enables stack traces on errors. Can also be set using environment variable LOG_LEVEL.", "type": "string", "default": "info", "enum": [ "trace", "debug", "info", "warning", "error", "fatal", "panic" ] }, "leak_sensitive_values": { "type": "boolean", "title": "Leak Sensitive Log Values", "description": "If set will leak sensitive values (e.g. emails) in the logs." }, "redaction_text": { "type": "string", "title": "Sensitive log value redaction text", "description": "Text to use, when redacting sensitive log value." }, "format": { "description": "The log format can either be text or JSON.", "type": "string", "enum": ["json", "text"] } }, "additionalProperties": false }, "identity": { "type": "object", "properties": { "default_schema_id": { "title": "The default Identity Schema", "description": "This Identity Schema will be used as the default for self-service flows. 
Its ID needs to exist in the \"schemas\" list.", "type": "string", "default": "default" }, "schemas": { "type": "array", "title": "All JSON Schemas for Identity Traits", "description": "Note that identities that used the \"default_schema_url\" field in older kratos versions will be corrupted unless you specify their schema url with the id \"default\" in this list.", "examples": [ [ { "id": "customer", "url": "base64://ewogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAicHJvcGVydGllcyI6IHsKICAgICJiYXIiOiB7CiAgICAgICJ0eXBlIjogInN0cmluZyIKICAgIH0KICB9LAogICJyZXF1aXJlZCI6IFsKICAgICJiYXIiCiAgXQp9" }, { "id": "employee", "url": "https://foo.bar.com/path/to/employee.traits.schema.json" }, { "id": "employee-v2", "url": "file://path/to/employee.v2.traits.schema.json" } ] ], "minItems": 1, "items": { "type": "object", "properties": { "id": { "title": "The schema's ID.", "type": "string", "examples": ["employee"] }, "url": { "type": "string", "title": "JSON Schema URL for identity traits schema", "description": "URL for JSON Schema which describes a identity's traits. 
Can be a file path, a https URL, or a base64 encoded string.", "format": "uri", "examples": [ "file://path/to/identity.traits.schema.json", "https://foo.bar.com/path/to/identity.traits.schema.json", "base64://ewogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAicHJvcGVydGllcyI6IHsKICAgICJiYXIiOiB7CiAgICAgICJ0eXBlIjogInN0cmluZyIKICAgIH0KICB9LAogICJyZXF1aXJlZCI6IFsKICAgICJiYXIiCiAgXQp9" ] } }, "required": ["id", "url"] } } }, "required": ["schemas"], "additionalProperties": false }, "secrets": { "type": "object", "properties": { "default": { "type": "array", "title": "Default Encryption Signing Secrets", "description": "The first secret in the array is used for signing and encrypting things while all other keys are used to verify and decrypt older things that were signed with that old secret.", "items": { "type": "string", "minLength": 16 }, "uniqueItems": true }, "cookie": { "type": "array", "title": "Signing Keys for Cookies", "description": "The first secret in the array is used for encrypting cookies while all other keys are used to decrypt older cookies that were signed with that old secret.", "items": { "type": "string", "minLength": 16 }, "uniqueItems": true }, "cipher": { "type": "array", "title": "Secrets to use for encryption by cipher", "description": "The first secret in the array is used for encryption data while all other keys are used to decrypt older data that were signed with.", "items": { "type": "string", "minLength": 32, "maxLength": 32 }, "minItems": 1 } }, "additionalProperties": false }, "hashers": { "title": "Hashing Algorithm Configuration", "type": "object", "properties": { "algorithm": { "title": "Password hashing algorithm", "description": "One of the values: argon2, bcrypt.\nAny other hashes will be migrated to the set algorithm once an identity authenticates using their password.", "type": "string", "default": "bcrypt", "enum": ["argon2", "bcrypt"] }, "argon2": { "title": 
"Configuration for the Argon2id hasher.", "type": "object", "properties": { "memory": { "type": "string", "pattern": "^[0-9]+(B|KB|MB|GB|TB|PB|EB)", "default": "128MB" }, "iterations": { "type": "integer", "minimum": 1, "default": 1 }, "parallelism": { "type": "integer", "minimum": 1, "description": "Number of parallel workers, defaults to 2*runtime.NumCPU()." }, "salt_length": { "type": "integer", "minimum": 16, "default": 16 }, "key_length": { "type": "integer", "minimum": 16, "default": 32 }, "expected_duration": { "description": "The time a hashing operation (~login latency) should take.", "type": "string", "pattern": "^([0-9]+(ns|us|ms|s|m|h))+$", "default": "500ms" }, "expected_deviation": { "description": "The standard deviation expected for hashing operations. If this value is exceeded you will be warned in the logs to adjust the parameters.", "type": "string", "pattern": "^([0-9]+(ns|us|ms|s|m|h))+$", "default": "500ms" }, "dedicated_memory": { "description": "The memory dedicated for Kratos. As password hashing is very resource intense, Kratos will monitor the memory consumption and warn about high values.", "type": "string", "pattern": "^[0-9]+(B|KB|MB|GB|TB|PB|EB)", "default": "1GB" } }, "additionalProperties": false }, "bcrypt": { "title": "Configuration for the Bcrypt hasher. Minimum is 4 when --dev flag is used and 12 otherwise.", "type": "object", "additionalProperties": false, "required": ["cost"], "properties": { "cost": { "type": "integer", "minimum": 4, "maximum": 31, "default": 12 } } } }, "additionalProperties": false }, "ciphers": { "title": "Cipher Algorithm Configuration", "type": "object", "properties": { "algorithm": { "title": "ciphering algorithm", "description": "One of the values: noop, aes, xchacha20-poly1305", "type": "string", "default": "noop", "enum": ["noop", "aes", "xchacha20-poly1305"] } } }, "cookies": { "type": "object", "title": "HTTP Cookie Configuration", "description": "Configure the HTTP Cookies. 
Applies to both CSRF and session cookies.", "properties": { "domain": { "title": "HTTP Cookie Domain", "description": "Sets the cookie domain for session and CSRF cookies. Useful when dealing with subdomains. Use with care!", "type": "string" }, "path": { "title": "HTTP Cookie Path", "description": "Sets the session and CSRF cookie path. Use with care!", "type": "string", "default": "/" }, "same_site": { "title": "HTTP Cookie Same Site Configuration", "description": "Sets the session and CSRF cookie SameSite.", "type": "string", "enum": ["Strict", "Lax", "None"], "default": "Lax" } }, "additionalProperties": false }, "session": { "type": "object", "additionalProperties": false, "properties": { "whoami": { "title": "WhoAmI / ToSession Settings", "description": "Control how the `/sessions/whoami` endpoint behaves.", "type": "object", "properties": { "required_aal": { "$ref": "#/definitions/featureRequiredAal" }, "tokenizer": { "title": "Tokenizer configuration", "description": "Configure the tokenizer, responsible for converting a session into a token format such as JWT.", "type": "object", "properties": { "templates": { "title": "Tokenizer templates", "description": "A list of different templates that govern how a session is converted to a token format.", "type": "object", "patternProperties": { "[a-zA-Z0-9-_.]+": { "type": "object", "required": ["jwks_url"], "properties": { "ttl": { "type": "string", "pattern": "^([0-9]+(ns|us|ms|s|m|h))+$", "default": "1m", "title": "Token time to live" }, "claims_mapper_url": { "type": "string", "format": "uri", "title": "JsonNet mapper URL" }, "jwks_url": { "type": "string", "format": "uri", "title": "JSON Web Key Set URL" } } } } } } } }, "additionalProperties": false }, "lifespan": { "title": "Session Lifespan", "description": "Defines how long a session is active. 
Once that lifespan has been reached, the user needs to sign in again.", "type": "string", "pattern": "^([0-9]+(ns|us|ms|s|m|h))+$", "default": "24h", "examples": ["1h", "1m", "1s"] }, "cookie": { "type": "object", "properties": { "domain": { "title": "Session Cookie Domain", "description": "Sets the session cookie domain. Useful when dealing with subdomains. Use with care! Overrides `cookies.domain`.", "type": "string" }, "name": { "title": "Session Cookie Name", "description": "Sets the session cookie name. Use with care!", "type": "string", "default": "ory_kratos_session" }, "persistent": { "title": "Make Session Cookie Persistent", "description": "If set to true will persist the cookie in the end-user's browser using the `max-age` parameter which is set to the `session.lifespan` value. Persistent cookies are not deleted when the browser is closed (e.g. on reboot or alt+f4). This option affects the Ory OAuth2 and OpenID Provider's remember feature as well.", "type": "boolean", "default": true }, "path": { "title": "Session Cookie Path", "description": "Sets the session cookie path. Use with care! Overrides `cookies.path`.", "type": "string" }, "same_site": { "title": "Session Cookie SameSite Configuration", "description": "Sets the session cookie SameSite. Overrides `cookies.same_site`.", "type": "string", "enum": ["Strict", "Lax", "None"] } }, "additionalProperties": false }, "earliest_possible_extend": { "title": "Earliest Possible Session Extension", "description": "Sets when a session can be extended. Setting this value to `24h` will prevent the session from being extended until 24 hours before it expires. This setting prevents excessive writes to the database. 
We highly recommend setting this value.", "type": "string", "pattern": "^([0-9]+(ns|us|ms|s|m|h))+$", "examples": ["1h", "1m", "1s"] } } }, "security": { "type": "object", "properties": { "account_enumeration": { "type": "object", "properties": { "mitigate": { "type": "boolean", "default": false, "description": "Mitigate account enumeration by making it harder to figure out if an identifier (email, phone number) exists or not. Enabling this setting degrades user experience. This setting does not mitigate all possible attack vectors yet." } } } } }, "version": { "title": "The kratos version this config is written for.", "description": "SemVer according to https://semver.org/ prefixed with `v` as in our releases.", "type": "string", "pattern": "^(v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)|$", "examples": ["v0.5.0-alpha.1"] }, "dev": { "type": "boolean" }, "help": { "type": "boolean" }, "sqa-opt-out": { "type": "boolean", "default": false, "description": "This is a CLI flag and environment variable and can not be set using the config file." }, "watch-courier": { "type": "boolean", "default": false, "description": "This is a CLI flag and environment variable and can not be set using the config file." }, "expose-metrics-port": { "title": "Metrics port", "description": "The port the courier's metrics endpoint listens on (0/disabled by default). This is a CLI flag and environment variable and can not be set using the config file.", "type": "integer", "minimum": 0, "maximum": 65535, "examples": [4434], "default": 0 }, "config": { "type": "array", "items": { "type": "string" }, "description": "This is a CLI flag and environment variable and can not be set using the config file." 
}, "clients": { "title": "Global outgoing network settings", "description": "Configure how outgoing network calls behave.", "type": "object", "properties": { "http": { "title": "Global HTTP client configuration", "description": "Configure how outgoing HTTP calls behave.", "type": "object", "properties": { "disallow_private_ip_ranges": { "title": "Disallow private IP ranges", "description": "Disallow all outgoing HTTP calls to private IP ranges. This feature can help protect against SSRF attacks.", "type": "boolean", "default": false }, "private_ip_exception_urls": { "title": "Add exempt URLs to private IP ranges", "description": "Allows the given URLs to be called even though they are in a private IP range. URLs need to have an exact and case-sensitive match to be exempt.", "type": "array", "items": { "type": "string", "format": "uri-reference" }, "default": [] } } } } }, "feature_flags": { "title": "Feature flags", "properties": { "cacheable_sessions": { "type": "boolean", "title": "Enable Ory Sessions caching", "description": "If enabled allows Ory Sessions to be cached. Only effective in the Ory Network.", "default": false }, "cacheable_sessions_max_age": { "title": "Set Ory Session Edge Caching maximum age", "description": "Set how long Ory Sessions are cached on the edge. If unset, the session expiry will be used. Only effective in the Ory Network.", "type": "string", "pattern": "^([0-9]+(ns|us|ms|s|m|h))+$" }, "use_continue_with_transitions": { "type": "boolean", "title": "Enable new flow transitions using `continue_with` items", "description": "If enabled allows new flow transitions using `continue_with` items.", "default": false }, "faster_session_extend": { "type": "boolean", "title": "Enable faster session extension", "description": "If enabled allows faster session extension by skipping the session lookup. 
Disabling this feature will be deprecated in the future.", "default": false } }, "additionalProperties": false }, "organizations": { "title": "Organizations", "description": "Please use selfservice.methods.b2b instead. This key will be removed. Only effective in the Ory Network.", "type": "array", "default": [] }, "enterprise": { "title": "Enterprise features", "description": "Specifies enterprise features. Only effective in the Ory Network or with a valid license.", "type": "object", "properties": { "identity_schema_fallback_url_template": { "type": "string", "title": "Fallback URL template for identity schemas", "description": "A fallback URL template used when looking up identity schemas." } }, "additionalProperties": false } }, "allOf": [ { "if": { "properties": { "selfservice": { "properties": { "flows": { "oneOf": [ { "properties": { "verification": { "properties": { "enabled": { "const": true } }, "required": ["enabled"] } }, "required": ["verification"] }, { "properties": { "recovery": { "properties": { "enabled": { "const": true } }, "required": ["enabled"] } }, "required": ["recovery"] } ] } }, "required": ["flows"] } }, "required": ["selfservice"] }, "then": { "required": ["courier"] } }, { "if": { "properties": { "ciphers": { "properties": { "algorithm": { "oneOf": [ { "const": "aes" }, { "const": "xchacha20-poly1305" } ] } }, "required": ["algorithm"] } }, "required": ["ciphers"] }, "then": { "required": ["secrets"], "properties": { "secrets": { "required": ["cipher"] } } } } ], "required": ["identity", "dsn", "selfservice"], "additionalProperties": false }