
Configuration editor

ORY Keto Configuration

Add this to allow defining the schema, useful for IDE integration.
Sets the data source name. This configures the backend where ORY Keto persists data. If dsn is "memory", data will be written to memory and is lost when you restart this instance. ORY Hydra supports popular SQL databases. For more detailed configuration information go to: https://www.ory.sh/docs/hydra/dependencies-environment#sql
serve

Read API (http and gRPC)

The port to listen on.
The network interface to listen on.
The path to a file that will be created when the read API is ready to accept connections. The content of the file is the host:port of the read API. Use this to get the actual port when using port 0. The service might not yet be ready to accept connections when the file is created.
Cross Origin Resource Sharing (CORS)

Configure [Cross Origin Resource Sharing (CORS)](http://www.w3.org/TR/cors/) using the following options.
If set to true, CORS will be enabled and preflight requests (OPTIONS) will be answered.
Allowed Origins

A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Usage of wildcards implies a small performance penalty. Only one wildcard can be used per origin.
A list of methods the client is allowed to use with cross-domain requests.
Allowed Request HTTP Headers

A list of non-simple headers the client is allowed to use with cross-domain requests.
Allowed Response HTTP Headers

Indicates which headers are safe to expose to the API of a CORS API specification.
Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.
Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.
Set to true to debug server side CORS issues.
HTTPS

Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.
Private Key (PEM)

The base64 string of the PEM-encoded file content. Can be generated using, for example, `base64 -i path/to/file.pem`.
TLS Certificate (PEM)

The base64 string of the PEM-encoded file content. Can be generated using, for example, `base64 -i path/to/file.pem`.
Write API (http and gRPC)

The port to listen on.
The network interface to listen on.
The path to a file that will be created when the write API is ready to accept connections. The content of the file is the host:port of the write API. Use this to get the actual port when using port 0. The service might not yet be ready to accept connections when the file is created.
Cross Origin Resource Sharing (CORS)

Configure [Cross Origin Resource Sharing (CORS)](http://www.w3.org/TR/cors/) using the following options.
If set to true, CORS will be enabled and preflight requests (OPTIONS) will be answered.
Allowed Origins

A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Usage of wildcards implies a small performance penalty. Only one wildcard can be used per origin.
A list of methods the client is allowed to use with cross-domain requests.
Allowed Request HTTP Headers

A list of non-simple headers the client is allowed to use with cross-domain requests.
Allowed Response HTTP Headers

Indicates which headers are safe to expose to the API of a CORS API specification.
Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.
Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.
Set to true to debug server side CORS issues.
HTTPS

Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.
Private Key (PEM)

The base64 string of the PEM-encoded file content. Can be generated using, for example, `base64 -i path/to/file.pem`.
TLS Certificate (PEM)

The base64 string of the PEM-encoded file content. Can be generated using, for example, `base64 -i path/to/file.pem`.
Metrics API (http only)

The port to listen on.
The network interface to listen on.
The path to a file that will be created when the metrics API is ready to accept connections. The content of the file is the host:port of the metrics API. Use this to get the actual port when using port 0. The service might not yet be ready to accept connections when the file is created.
Cross Origin Resource Sharing (CORS)

Configure [Cross Origin Resource Sharing (CORS)](http://www.w3.org/TR/cors/) using the following options.
If set to true, CORS will be enabled and preflight requests (OPTIONS) will be answered.
Allowed Origins

A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Usage of wildcards implies a small performance penalty. Only one wildcard can be used per origin.
A list of methods the client is allowed to use with cross-domain requests.
Allowed Request HTTP Headers

A list of non-simple headers the client is allowed to use with cross-domain requests.
Allowed Response HTTP Headers

Indicates which headers are safe to expose to the API of a CORS API specification.
Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.
Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.
Set to true to debug server side CORS issues.
HTTPS

Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.
Private Key (PEM)

The base64 string of the PEM-encoded file content. Can be generated using, for example, `base64 -i path/to/file.pem`.
TLS Certificate (PEM)

The base64 string of the PEM-encoded file content. Can be generated using, for example, `base64 -i path/to/file.pem`.
Ory Permission Language Syntax API (http and gRPC)

The port to listen on.
The network interface to listen on.
The path to a file that will be created when the OPL API is ready to accept connections. The content of the file is the host:port of the OPL API. Use this to get the actual port when using port 0. The service might not yet be ready to accept connections when the file is created.
Cross Origin Resource Sharing (CORS)

Configure [Cross Origin Resource Sharing (CORS)](http://www.w3.org/TR/cors/) using the following options.
If set to true, CORS will be enabled and preflight requests (OPTIONS) will be answered.
Allowed Origins

A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Usage of wildcards implies a small performance penalty. Only one wildcard can be used per origin.
A list of methods the client is allowed to use with cross-domain requests.
Allowed Request HTTP Headers

A list of non-simple headers the client is allowed to use with cross-domain requests.
Allowed Response HTTP Headers

Indicates which headers are safe to expose to the API of a CORS API specification.
Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.
Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.
Set to true to debug server side CORS issues.
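The Allowed Origins and credentials options described for each API above can be checked before deployment. The following is an added example, not Keto's own code: `originAllowed` implements the matching rules as this page states them, and `auditCORS` is a hypothetical linter; all function names and sample origins are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// originAllowed follows the rules stated on this page (illustration only):
// "*" allows every origin; one "*" inside an entry stands for 0+ characters.
func originAllowed(allowed []string, origin string) bool {
	for _, a := range allowed {
		if a == "*" || a == origin {
			return true
		}
		if i := strings.Index(a, "*"); i >= 0 && strings.Count(a, "*") == 1 {
			pre, suf := a[:i], a[i+1:]
			if len(origin) >= len(pre)+len(suf) &&
				strings.HasPrefix(origin, pre) && strings.HasSuffix(origin, suf) {
				return true
			}
		}
	}
	return false
}

// auditCORS (hypothetical linter) reports risky allowed-origins entries.
func auditCORS(allowed []string, allowCredentials bool) []string {
	var findings []string
	for _, a := range allowed {
		i := strings.Index(a, "*")
		switch {
		case a == "*" && allowCredentials:
			findings = append(findings, "all origins allowed together with credentials")
		case a == "*":
			findings = append(findings, "all origins allowed")
		case strings.Count(a, "*") > 1:
			findings = append(findings, a+": more than one wildcard")
		case i >= 0 && !strings.HasPrefix(a[i+1:], "."):
			findings = append(findings, a+": wildcard not followed by '.'")
		}
	}
	return findings
}

func main() {
	// Constructed sample list; the second entry also matches unrelated hosts.
	allowed := []string{"https://*.example.com", "https://*example.org"}
	fmt.Println(originAllowed(allowed, "https://app.example.com"),
		originAllowed(allowed, "https://notexample.org"))
	fmt.Println(auditCORS(allowed, true))
}
```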
HTTPS

Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.
Private Key (PEM)

The base64 string of the PEM-encoded file content. Can be generated using, for example, `base64 -i path/to/file.pem`.
TLS Certificate (PEM)

The base64 string of the PEM-encoded file content. Can be generated using, for example, `base64 -i path/to/file.pem`.
Enables CPU or memory profiling if set. For more details on profiling Go programs read [Profiling Go Programs](https://blog.golang.org/profiling-go-programs).
Log

Configure logging using the following options. Logs will always be sent to stdout and stderr.
The level of log entries to show. Debug enables stack traces on errors.
The output format of log messages.
If set, sensitive values (e.g. emails) will be leaked in the logs.
Text to use when redacting sensitive log values.
tracing

Configure distributed tracing using OpenTelemetry.
Set this to the tracing backend you wish to use. Supports Jaeger, Zipkin, and OTEL.
Specifies the service name to use on the tracer.
Specifies the deployment environment to use on the tracer.
providers

jaeger

Configures the jaeger tracing backend.

The address of the jaeger-agent where spans should be sent to.
sampling

The address of jaeger-agent's HTTP sampling server.
Trace Id ratio sample
zipkin

Configures the zipkin tracing backend.
The address of the Zipkin server where spans should be sent to.
sampling

Sampling ratio for spans.
otlp

Configures the OTLP tracing backend.

The endpoint of the OTLP exporter (HTTP) where spans should be sent to.
Will use HTTP if set to true; defaults to HTTPS.
sampling

Sampling ratio for spans.
A URI that points to a directory of namespace files, a single file with all namespaces, or a websocket connection that provides the former via `github.com/ory/x/watcherx.WatchAndServeWS`.
Namespace configuration or its location.
Limits

Limits that aim to control resource consumption. These limits are not a sufficient replacement for rate-limiting.
The global maximum depth on all read operations. Note that this does not affect how deeply nested the tuples can be. This value can be decreased for a request by a value specified on the request, only if the request-specific value is greater than 1 and less than the global maximum depth.
The global maximum width on all read operations. Note that this does not affect how deeply nested the tuples can be. This value can be decreased for a request by a value specified on the request, only if the request-specific value is greater than 1 and less than the global maximum width.
The maximum number of tuples that will be accepted by the batch check endpoint.
The limit for the number of tuples that will be checked concurrently during a batch check.
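The depth rule above, worked through as an added example (not Keto's engine): `effectiveDepth` applies the override rule as this page states it, and `member` is a toy bounded search over a constructed relation graph, showing that tuples nested deeper than the budget can still be stored but are not followed on reads. All names and data are assumptions.

```go
package main

import "fmt"

// effectiveDepth applies the override rule stated above: a request may only
// lower the global maximum, and only with a value greater than 1.
func effectiveDepth(global, requested int) int {
	if requested > 1 && requested < global {
		return requested
	}
	return global
}

// member is a toy stand-in for a read operation: edges maps an object to the
// subjects or subject sets granted on it. The search stops once the depth
// budget is spent, which also bounds the work done on cyclic data.
func member(edges map[string][]string, object, subject string, depth int) bool {
	if depth <= 0 {
		return false
	}
	for _, s := range edges[object] {
		if s == subject || member(edges, s, subject, depth-1) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: doc -> group:a -> group:b -> group:c -> alice
	edges := map[string][]string{
		"doc": {"group:a"}, "group:a": {"group:b"},
		"group:b": {"group:c"}, "group:c": {"alice"},
	}
	const global = 5
	for _, req := range []int{0, 1, 3, 4, 9} {
		d := effectiveDepth(global, req)
		fmt.Printf("requested=%d effective=%d allowed=%v\n",
			req, d, member(edges, "doc", "alice", d))
	}
}
```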
Global outgoing network settings

Configure how outgoing network calls behave.
Global HTTP client configuration

Configure how outgoing HTTP calls behave.
Disallow all outgoing HTTP calls to private IP ranges. This feature can help protect against SSRF attacks.
SemVer according to https://semver.org/ prefixed with `v` as in our releases.