
Configuration

You can load the config file from another source using the -c path/to/config.yaml or --config path/to/config.yaml flag: $ kratos --config path/to/config.yaml.

Config files can be formatted as JSON, YAML and TOML. Some configuration values support reloading without server restart. All configuration values can be set using environment variables, as documented below.

Disclaimer

This reference configuration documents all keys, including deprecated ones. It is a reference for all possible configuration values.

If you are looking for an example configuration, it is better to try out the quickstart.

To find out more about edge cases, such as setting string array values through environment variables, head to the Configuration section.

## Ory Kratos Configuration


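# Self-service flows (settings, logout, registration, login, verification,
# recovery, error page) and the credential methods they can use.
# Indentation restored: the rendered page had lost all nesting.
selfservice:
  default_browser_return_url: https://my-app.com/dashboard
  # Allow-list that bounds where a browser may be sent after a flow completes.
  # NOTE(review): the `https://*.my-app.com/` entry presumably matches every
  # subdomain of my-app.com — confirm the matching rules before widening it.
  allowed_return_urls:
    - https://app.my-app.com/dashboard
    - /dashboard
    - https://www.my-app.com/
    - https://*.my-app.com/
  flows:
    settings:
      ui_url: https://my-app.com/user/settings
      lifespan: 1h
      # NOTE(review): presumably the window in which privileged settings
      # changes are accepted without re-authentication — confirm against the
      # settings flow docs before raising it.
      privileged_session_max_age: 1h
      required_aal: aal1
      after:
        default_browser_return_url: https://my-app.com/dashboard
        password:
          default_browser_return_url: https://my-app.com/dashboard
          # Every web_hook example in this file uses a plaintext http
          # placeholder URL and an empty api_key name/value. Real hook
          # endpoints should be https, and the key value should come from an
          # environment variable rather than a committed config file.
          hooks:
            - hook: web_hook
              config:
                url: http://a.aaa
                method: ""
                headers: {}
                body: file:///path/to/body.jsonnet
                can_interrupt: false
                emit_analytics_event: false
                auth:
                  type: api_key
                  config:
                    name: ""
                    value: ""
                    in: header
        totp:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: web_hook
              config:
                url: http://a.aaa
                method: ""
                headers: {}
                body: file:///path/to/body.jsonnet
                can_interrupt: false
                emit_analytics_event: false
                auth:
                  type: api_key
                  config:
                    name: ""
                    value: ""
                    in: header
        oidc:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: web_hook
              config:
                url: http://a.aaa
                method: ""
                headers: {}
                body: file:///path/to/body.jsonnet
                can_interrupt: false
                emit_analytics_event: false
                auth:
                  type: api_key
                  config:
                    name: ""
                    value: ""
                    in: header
        webauthn:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: web_hook
              config:
                url: http://a.aaa
                method: ""
                headers: {}
                body: file:///path/to/body.jsonnet
                can_interrupt: false
                emit_analytics_event: false
                auth:
                  type: api_key
                  config:
                    name: ""
                    value: ""
                    in: header
        passkey:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: web_hook
              config:
                url: http://a.aaa
                method: ""
                headers: {}
                body: file:///path/to/body.jsonnet
                can_interrupt: false
                emit_analytics_event: false
                auth:
                  type: api_key
                  config:
                    name: ""
                    value: ""
                    in: header
        lookup_secret:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: web_hook
              config:
                url: http://a.aaa
                method: ""
                headers: {}
                body: file:///path/to/body.jsonnet
                can_interrupt: false
                emit_analytics_event: false
                auth:
                  type: api_key
                  config:
                    name: ""
                    value: ""
                    in: header
        profile:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: web_hook
              config:
                url: http://a.aaa
                method: ""
                headers: {}
                body: file:///path/to/body.jsonnet
                can_interrupt: false
                emit_analytics_event: false
                auth:
                  type: api_key
                  config:
                    name: ""
                    value: ""
                    in: header
        # Hooks that run after the settings flow regardless of method.
        hooks:
          - hook: web_hook
            config:
              url: http://a.aaa
              method: ""
              headers: {}
              body: file:///path/to/body.jsonnet
              can_interrupt: false
              emit_analytics_event: false
              auth:
                type: api_key
                config:
                  name: ""
                  value: ""
                  in: header
      before:
        hooks:
          - hook: web_hook
            config:
              url: http://a.aaa
              method: ""
              headers: {}
              body: file:///path/to/body.jsonnet
              can_interrupt: false
              emit_analytics_event: false
              auth:
                type: api_key
                config:
                  name: ""
                  value: ""
                  in: header
    logout:
      after:
        default_browser_return_url: https://my-app.com/dashboard
    registration:
      enabled: false
      login_hints: false
      ui_url: https://my-app.com/signup
      lifespan: 1h
      before:
        hooks:
          - hook: web_hook
            config:
              url: http://a.aaa
              method: ""
              headers: {}
              body: file:///path/to/body.jsonnet
              can_interrupt: false
              emit_analytics_event: false
              auth:
                type: api_key
                config:
                  name: ""
                  value: ""
                  in: header
      after:
        default_browser_return_url: https://my-app.com/dashboard
        # The per-method examples below attach the `session` hook, i.e. a
        # session is issued right after registration with that method.
        password:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: session
        webauthn:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: session
        passkey:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: session
        oidc:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: session
        code:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: session
        hooks:
          - hook: web_hook
            config:
              url: http://a.aaa
              method: ""
              headers: {}
              body: file:///path/to/body.jsonnet
              can_interrupt: false
              emit_analytics_event: false
              auth:
                type: api_key
                config:
                  name: ""
                  value: ""
                  in: header
      enable_legacy_one_step: false
    login:
      ui_url: https://my-app.com/login
      lifespan: 1h
      style: unified
      before:
        hooks:
          - hook: web_hook
            config:
              url: http://a.aaa
              method: ""
              headers: {}
              body: file:///path/to/body.jsonnet
              can_interrupt: false
              emit_analytics_event: false
              auth:
                type: api_key
                config:
                  name: ""
                  value: ""
                  in: header
      after:
        default_browser_return_url: https://my-app.com/dashboard
        # The per-method examples below attach `revoke_active_sessions`, so a
        # successful login with that method invalidates the other sessions.
        password:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: revoke_active_sessions
        webauthn:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: revoke_active_sessions
        passkey:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: revoke_active_sessions
        oidc:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: revoke_active_sessions
        code:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: revoke_active_sessions
        totp:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: revoke_active_sessions
        lookup_secret:
          default_browser_return_url: https://my-app.com/dashboard
          hooks:
            - hook: revoke_active_sessions
        hooks:
          - hook: web_hook
            config:
              url: http://a.aaa
              method: ""
              headers: {}
              body: file:///path/to/body.jsonnet
              can_interrupt: false
              emit_analytics_event: false
              auth:
                type: api_key
                config:
                  name: ""
                  value: ""
                  in: header
    verification:
      enabled: false
      ui_url: https://my-app.com/verify
      after:
        default_browser_return_url: https://my-app.com/dashboard
        hooks:
          - hook: web_hook
            config:
              url: http://a.aaa
              method: ""
              headers: {}
              body: file:///path/to/body.jsonnet
              can_interrupt: false
              emit_analytics_event: false
              auth:
                type: api_key
                config:
                  name: ""
                  value: ""
                  in: header
      lifespan: 1h
      before:
        hooks:
          - hook: web_hook
            config:
              url: http://a.aaa
              method: ""
              headers: {}
              body: file:///path/to/body.jsonnet
              can_interrupt: false
              emit_analytics_event: false
              auth:
                type: api_key
                config:
                  name: ""
                  value: ""
                  in: header
      use: link
      # Keep false unless you have decided that telling a requester whether an
      # address is known is acceptable; see also security.account_enumeration.
      notify_unknown_recipients: false
    recovery:
      enabled: false
      # Example reuses the verification UI URL; a real deployment normally
      # points this at a dedicated recovery page.
      ui_url: https://my-app.com/verify
      after:
        default_browser_return_url: https://my-app.com/dashboard
        hooks:
          - hook: web_hook
            config:
              url: http://a.aaa
              method: ""
              headers: {}
              body: file:///path/to/body.jsonnet
              can_interrupt: false
              emit_analytics_event: false
              auth:
                type: api_key
                config:
                  name: ""
                  value: ""
                  in: header
      lifespan: 1h
      before:
        hooks:
          - hook: web_hook
            config:
              url: http://a.aaa
              method: ""
              headers: {}
              body: file:///path/to/body.jsonnet
              can_interrupt: false
              emit_analytics_event: false
              auth:
                type: api_key
                config:
                  name: ""
                  value: ""
                  in: header
      use: link
      notify_unknown_recipients: false
    error:
      ui_url: https://my-app.com/kratos-error
  methods:
    b2b:
      config:
        organizations:
          - id: 00000000-0000-0000-0000-000000000000
            label: ACME SSO
            domains:
              - my-app.com
    profile:
      enabled: false
    link:
      enabled: false
      config:
        base_url: https://my-app.com
        lifespan: 1h
    code:
      passwordless_enabled: true
      mfa_enabled: false
      enabled: false
      config:
        lifespan: 1h
        missing_credential_fallback_enabled: false
    password:
      enabled: false
      # All values here are reference examples. Before production, review the
      # breach check (haveibeenpwned_enabled / max_breaches /
      # ignore_network_errors), min_password_length, and
      # identifier_similarity_check_enabled together as one password policy.
      config:
        haveibeenpwned_host: ""
        haveibeenpwned_enabled: false
        max_breaches: 0
        ignore_network_errors: false
        min_password_length: 6
        identifier_similarity_check_enabled: false
        migrate_hook:
          enabled: false
          config:
            url: http://a.aaa
            method: POST
            headers: {}
            emit_analytics_event: false
            auth:
              type: api_key
              config:
                name: ""
                value: ""
                in: header
    totp:
      enabled: false
      config:
        issuer: ""
    lookup_secret:
      enabled: false
    webauthn:
      enabled: false
      config:
        passwordless: false
        rp:
          display_name: Ory Foundation
          id: ory.sh
          icon: https://www.ory.sh/an-icon.png
    passkey:
      enabled: false
      config:
        rp:
          display_name: Ory Foundation
          id: ory.sh
          origins:
            - https://www.ory.sh
    oidc:
      enabled: false
      config:
        base_redirect_uri: https://auth.myexample.org/
        providers:
          - id: google
            provider: google
            label: ""
            # client_secret and apple_private_key are credentials; in a real
            # deployment supply them via environment variables or a secret
            # store instead of a committed file.
            client_id: ""
            client_secret: ""
            issuer_url: https://accounts.google.com
            auth_url: https://accounts.google.com/o/oauth2/v2/auth
            token_url: https://www.googleapis.com/oauth2/v4/token
            mapper_url: file://path/to/oidc.jsonnet
            scope:
              - offline_access
            microsoft_tenant: common
            subject_source: userinfo
            apple_team_id: KP76DQS54M
            apple_private_key_id: UX56C66723
            apple_private_key: |-
              -----BEGIN PRIVATE KEY-----
              ........
              -----END PRIVATE KEY-----
            requested_claims:
              id_token:
                email: null
                email_verified: null
            organization_id: 12345678-1234-1234-1234-123456789012
            additional_id_token_audiences:
              - 12345678-1234-1234-1234-123456789012
            claims_source: id_token
            pkce: auto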
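database:
  cleanup:
    batch_size: 1
    sleep:
      tables: 0ns
    older_than: 0ns
  # Example DSN only: it carries inline credentials and `sslmode=disable`,
  # which sends database traffic and the password in clear text. Prefer an
  # environment variable for the DSN and an sslmode that verifies the server.
  dsn: "postgres://user:
    password@postgresd:5432/database?sslmode=disable&max_conns=20&max_idle_conns=\
    4"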
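# Outbound mail/SMS delivery: templates, worker settings and transports.
courier:
  templates:
    recovery:
      invalid:
        email:
          body:
            plaintext: file://path/to/body.plaintext.gotmpl
            html: file://path/to/body.html.gotmpl
          subject: file://path/to/subject.gotmpl
      valid:
        email:
          body:
            plaintext: file://path/to/body.plaintext.gotmpl
            html: file://path/to/body.html.gotmpl
          subject: file://path/to/subject.gotmpl
        sms:
          body:
            plaintext: file://path/to/body.plaintext.gotmpl
    recovery_code:
      invalid:
        email:
          body:
            plaintext: file://path/to/body.plaintext.gotmpl
            html: file://path/to/body.html.gotmpl
          subject: file://path/to/subject.gotmpl
      valid:
        email:
          body:
            plaintext: file://path/to/body.plaintext.gotmpl
            html: file://path/to/body.html.gotmpl
          subject: file://path/to/subject.gotmpl
        sms:
          body:
            plaintext: file://path/to/body.plaintext.gotmpl
    verification:
      invalid:
        email:
          body:
            plaintext: file://path/to/body.plaintext.gotmpl
            html: file://path/to/body.html.gotmpl
          subject: file://path/to/subject.gotmpl
      valid:
        email:
          body:
            plaintext: file://path/to/body.plaintext.gotmpl
            html: file://path/to/body.html.gotmpl
          subject: file://path/to/subject.gotmpl
        sms:
          body:
            plaintext: file://path/to/body.plaintext.gotmpl
    verification_code:
      invalid:
        email:
          body:
            plaintext: file://path/to/body.plaintext.gotmpl
            html: file://path/to/body.html.gotmpl
          subject: file://path/to/subject.gotmpl
      valid:
        email:
          body:
            plaintext: file://path/to/body.plaintext.gotmpl
            html: file://path/to/body.html.gotmpl
          subject: file://path/to/subject.gotmpl
        sms:
          body:
            plaintext: file://path/to/body.plaintext.gotmpl
    registration_code:
      valid:
        email:
          body:
            plaintext: file://path/to/body.plaintext.gotmpl
            html: file://path/to/body.html.gotmpl
          subject: file://path/to/subject.gotmpl
    login_code:
      valid:
        email:
          body:
            plaintext: file://path/to/body.plaintext.gotmpl
            html: file://path/to/body.html.gotmpl
          subject: file://path/to/subject.gotmpl
        sms:
          body:
            plaintext: file://path/to/body.plaintext.gotmpl
  template_override_path: /conf/courier-templates
  message_retries: 10
  worker:
    pull_count: -100000000
    pull_wait: 0ns
  delivery_strategy: smtp
  http:
    request_config:
      url: https://example.com/api/v1/email
      method: ""
      headers: {}
      body: file:///path/to/body.jsonnet
      auth:
        type: api_key
        config:
          name: ""
          value: ""
          in: header
  smtp:
    # Example URI embeds credentials (foo:bar); keep real credentials out of
    # committed files. `skip_ssl_verify=false` keeps certificate verification
    # on — do not flip it to work around a broken mail server certificate.
    connection_uri: smtps://foo:bar@my-mailserver:1234/?skip_ssl_verify=false
    client_cert_path: ""
    client_key_path: ""
    from_address: aaa@a.aa
    from_name: Bob
    headers:
      X-SES-SOURCE-ARN: arn:aws:ses:us-west-2:123456789012:identity/example.com
      X-SES-FROM-ARN: arn:aws:ses:us-west-2:123456789012:identity/example.com
      X-SES-RETURN-PATH-ARN: arn:aws:ses:us-west-2:123456789012:identity/example.com
    local_name: ""
  sms:
    enabled: false
    from: ""
    request_config:
      url: https://api.twillio.com/sms/send
      method: ""
      headers: {}
      body: file:///path/to/body.jsonnet
      auth:
        type: api_key
        config:
          name: ""
          value: ""
          in: header
  channels:
    - id: sms
      type: http
      request_config:
        url: https://example.com/api/v1/email
        method: ""
        headers: {}
        body: file:///path/to/body.jsonnet
        auth:
          type: api_key
          config:
            name: ""
            value: ""
            in: header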
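oauth2_provider:
  url: https://some-slug.projects.oryapis.com
  # The Authorization header value is a bearer credential; `some-token` is a
  # placeholder. Inject the real token from the environment.
  headers:
    Authorization: Bearer some-token
  override_return_to: false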
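preview:
  default_read_consistency_level: strong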
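# Listeners. `admin` is unauthenticated by design in this reference; the
# example base_url on a private network reflects that it must not be reachable
# from the public internet.
serve:
  admin:
    request_log:
      disable_for_health: false
    base_url: https://kratos.private-network:4434/
    host: ""
    port: 4434
    socket:
      owner: ""
      group: ""
      mode: 0
    # `base64` values are truncated placeholders for inline key/cert material;
    # prefer `path` (or an environment variable) so the private key is not
    # committed with the config.
    tls:
      key:
        path: path/to/file.pem
        base64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlEWlRDQ0FrMmdBd0lCQWdJRVY1eE90REFOQmdr...
      cert:
        path: path/to/file.pem
        base64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlEWlRDQ0FrMmdBd0lCQWdJRVY1eE90REFOQmdr...
  public:
    request_log:
      disable_for_health: false
    cors:
      enabled: false
      # Wildcard origins combined with allow_credentials: true would let any
      # matching subdomain make credentialed cross-origin calls; keep the list
      # as narrow as the UI actually needs.
      allowed_origins:
        - https://example.com
        - https://*.example.com
        - https://*.foo.example.com
      allowed_methods:
        - POST
      allowed_headers:
        - ""
      exposed_headers:
        - ""
      allow_credentials: false
      options_passthrough: false
      max_age: 0
      debug: false
    base_url: https://my-app.com/
    host: ""
    port: 4433
    socket:
      owner: ""
      group: ""
      mode: 0
    tls:
      key:
        path: path/to/file.pem
        base64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlEWlRDQ0FrMmdBd0lCQWdJRVY1eE90REFOQmdr...
      cert:
        path: path/to/file.pem
        base64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlEWlRDQ0FrMmdBd0lCQWdJRVY1eE90REFOQmdr...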
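tracing:
  provider: jaeger
  # NOTE(review): example service_name says "Ory Hydra" on a Kratos page —
  # looks like a copy-paste leftover; set it to the actual service.
  service_name: Ory Hydra
  deployment_environment: development
  providers:
    jaeger:
      local_agent_address: 127.0.0.1:6831
      sampling:
        server_url: http://localhost:5778/sampling
        trace_id_ratio: 0.5
    zipkin:
      server_url: http://localhost:9411/api/v2/spans
      sampling:
        sampling_ratio: 0.4
    otlp:
      server_url: localhost:4318
      insecure: false
      sampling:
        sampling_ratio: 0.4
      # Bearer value is a placeholder; inject the collector token from the
      # environment rather than committing it.
      authorization_header: Bearer 2389s8fs9d8fus9f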
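log:
  # `trace` is the most verbose level; together with leak_sensitive_values it
  # decides how much of a request (including credentials) ends up in logs.
  # Keep leak_sensitive_values false outside of local debugging.
  level: trace
  leak_sensitive_values: false
  redaction_text: ""
  format: json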
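identity:
  default_schema_id: ""
  # Schemas may be inlined (base64://), fetched over https, or read from disk.
  # A remotely fetched schema is a supply-chain input: it defines which traits
  # are accepted, so the source should be one you control.
  schemas:
    - id: customer
      url: base64://ewogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAicHJvcGVydGllcyI6IHsKICAgICJiYXIiOiB7CiAgICAgICJ0eXBlIjogInN0cmluZyIKICAgIH0KICB9LAogICJyZXF1aXJlZCI6IFsKICAgICJiYXIiCiAgXQp9
    - id: employee
      url: https://foo.bar.com/path/to/employee.traits.schema.json
    - id: employee-v2
      url: file://path/to/employee.v2.traits.schema.json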
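# Key material for signing/encrypting cookies and stored data. The `ipsum...`
# strings are placeholders of the documented length, not usable secrets —
# generate random values and supply them from the environment. Keep them
# quoted-safe (plain strings here) so tooling does not retype them.
secrets:
  default:
    - ipsumipsumipsumi
  cookie:
    - ipsumipsumipsumi
  cipher:
    - ipsumipsumipsumipsumipsumipsumip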
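hashers:
  algorithm: argon2
  # Reference values only: `memory: 0B` and `expected_*: 0ns` are placeholders,
  # not a tuned argon2 profile. Calibrate memory/iterations for the target
  # hardware before production.
  argon2:
    memory: 0B
    iterations: 1
    parallelism: 1
    salt_length: 16
    key_length: 16
    expected_duration: 0ns
    expected_deviation: 0ns
    dedicated_memory: 0B
  # cost 4 is the minimum bcrypt work factor; it is shown for illustration and
  # is far below what a production deployment should use.
  bcrypt:
    cost: 4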
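# `noop` means stored values are not encrypted at rest by this layer — fine for
# a reference listing, not for a deployment holding credentials.
ciphers:
  algorithm: noop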
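cookies:
  domain: ""
  path: ""
  # Strict is the safest SameSite setting; relax to Lax only if cross-site
  # navigations into the app must carry the cookie.
  same_site: Strict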
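session:
  whoami:
    required_aal: aal1
    # Tokenizer templates turn a session into a JWT; claims_mapper_url and
    # jwks_url are plaintext http placeholders here and should be https or
    # file:// in practice, since they feed token issuance.
    tokenizer:
      templates:
        a:
          ttl: 0ns
          claims_mapper_url: http://a.aaa
          jwks_url: http://a.aaa
  lifespan: 1h
  cookie:
    domain: ""
    name: ""
    persistent: false
    path: ""
    same_site: Strict
  earliest_possible_extend: 1h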
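security:
  account_enumeration:
    # false (the reference value) lets flows reveal whether an identifier
    # exists; set true when that disclosure matters for your user base.
    mitigate: false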
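# Top-level runtime flags and CLI-style options.
version: v0.5.0-alpha.1
dev: false
help: false
sqa-opt-out: false
watch-courier: false
# NOTE(review): same port as serve.admin.port in this reference; make sure the
# metrics listener is not exposed more widely than the admin API.
expose-metrics-port: 4434
config:
  - ""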
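clients:
  http:
    # Outbound HTTP (web hooks, remote schemas, OIDC endpoints) may be pointed
    # at user-influenced URLs. `disallow_private_ip_ranges: true` is the SSRF
    # guard; the exception list should then hold only the internal endpoints
    # you deliberately allow. The reference leaves the guard off.
    disallow_private_ip_ranges: false
    private_ip_exception_urls:
      - http://a.aaa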
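feature_flags:
  cacheable_sessions: false
  cacheable_sessions_max_age: 0ns
  use_continue_with_transitions: false
  faster_session_extend: false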
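# Explicit empty list (a bare `organizations:` would be null, not []).
organizations: []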
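enterprise:
  identity_schema_fallback_url_template: ""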