# logging
logging:
level: info # logging level (panic, fatal, error, warn, info, debug, trace)
# http server
server:
system_tenant: system # name of the system tenant
url: https://localhost:8443 # server url template
mtls_url: "" # mtls server url template
vanity_url_template: "" # vanity url template (https://{{vanityID}}.vanity.cloudentity.io)
vanity_mtls_url_template: "" # vanity mtls url template (https://{{vanityID}}.mtls.vanity.cloudentity.io)
assets_url: "" # url template to cdn with static files
image_proxy_url: "" # url template to image proxy
grpc_url: localhost:9443 # grpc url
port: 8443 # http server port
grpc_port: 9443 # grpc server port
do_not_print_audit_logs_for_static_files: true # do not print audit logs for static files
timeout: 10s # http server timeout
etag_backoff: 200ms # etag backoff duration
etag_retries: 25 # max number of etag retries
audit_logs: true # enable audit logs
cloudflare_headers: false # enable support for cloudflare headers (cf-iplatitude etc)
disable_audit_logs_in_stdout: false # disable publishing audit logs to stdout
http_logs: false # enable http request and response logging
max_size_bytes: 1048576 # max size of http request body
dangerous_disable_tls: false # disable tls — local development only, never in a deployed environment
disable_cache: false # disable cache
disable_gzip: true # disable http gzip encoding (keeping gzip off incidentally also removes the BREACH-style compression side channel on responses that carry secrets)
disable_csrf: false # disable csrf protection — see also features.insecure_disable_csrf; both must stay false outside local development
disable_security: false # disable security middleware (presumably the whole `security:` section below: HSTS, CSP, X-Frame-Options, ...) — leave enabled
client_auth_type: RequestClientCert # mtls http server client auth type
# NOTE(review): if this maps to Go's tls.ClientAuthType, RequestClientCert asks the peer for a certificate but does
# NOT verify it at the TLS layer — validation then has to happen in the application. Confirm before relying on it.
# http server tls
# NOTE(review): `password`, `key` and the file behind `key_path` are private key material — supply them from an
# environment variable or a secret store rather than committing them to this file.
certificate:
  password: "" # key passphrase (secret)
  cert_path: ./certs/srv/cert.pem # path to the certificate PEM file
  key_path: ./certs/srv/cert-key.pem # path to the key PEM file
  cert: "" # base64 encoded cert PEM
  key: "" # base64 encoded key PEM (private key — treat as a secret)
  generated_key_type: rsa # type for generated key if cert and key are not provided (rsa or ecdsa); a generated key is presumably self-signed, so this path is for local development only
disable_monitoring: false # disable /metrics endpoint
http_metrics_per_tenant: false # enable http metrics per tenant
disable_async_processing: false # disable async processing (streams,queue)
# http security configuration (github.com/unrolled/secure)
security:
  browserxssfilter: true # X-XSS-Protection — a legacy header that current browsers ignore; harmless, but the CSP below is what actually matters
  contenttypenosniff: true
  forcestsheader: false # HSTS is only emitted on HTTPS responses (correct: it must never be sent over plain HTTP)
  framedeny: true
  # NOTE(review): with unrolled/secure a non-empty customframeoptionsvalue (SAMEORIGIN below) overrides framedeny,
  # so the effective header is X-Frame-Options: SAMEORIGIN rather than DENY — confirm that is intended.
  isdevelopment: false # must stay false in production: per unrolled/secure, development mode disables the AllowedHosts, SSL and STS protections
  sslredirect: true
  sslforcehost: false
  ssltemporaryredirect: false
  stsincludesubdomains: true
  stspreload: true # only meaningful once the domain is submitted to the preload list, and effectively irreversible for the whole domain — set deliberately
  # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src largely neutralise CSP as an XSS mitigation
  # (any injected inline script is allowed to run); the nonce ($NONCE) is only applied to worker-src. Moving
  # script-src to a nonce + 'strict-dynamic' model would be the real hardening. The default policy also bakes in a
  # staging host (dbfp.us.authz.stage.cloudentity.io) — verify that belongs in non-stage deployments.
  contentsecuritypolicy: |
    default-src 'self';
    script-src 'self' 'unsafe-eval' 'unsafe-inline' www.gstatic.com www.google.com ajax.googleapis.com faye.acceptto.net dbfp.us.authz.stage.cloudentity.io dbfp.acceptto.com dbfpdev.acceptto.com;
    worker-src 'self' 'strict-dynamic' $NONCE;
    style-src 'self' 'unsafe-inline' https:;
    font-src 'self' https:;
    img-src 'self' data: https:;
    connect-src 'self' wss: dbfp.acceptto.com dbfp.us.authz.stage.cloudentity.io dbfpdev.acceptto.com;
    frame-src 'self' https://www.google.com;
  contentsecuritypolicyreportonly: "" # a report-only policy is the safe way to trial a stricter script-src before enforcing it
  custombrowserxssvalue: ""
  customframeoptionsvalue: SAMEORIGIN
  publickey: "" # HPKP — removed from browsers; leave empty
  referrerpolicy: same-origin
  featurepolicy: ""
  permissionspolicy: accelerometer=(),camera=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),screen-wake-lock=(),serial=(),usb=()
  crossoriginopenerpolicy: ""
  sslhost: ""
  # NOTE(review): allowedhosts is empty, so no Host-header validation is performed, and the host is taken from
  # X-Forwarded-Host (hostsproxyheaders). Any URL the server derives from the request host (redirects, links in
  # e-mails, issuer values) can then be influenced by a client unless the ingress always overwrites that header.
  # Populate allowedhosts (or allowedhostsareregex) in deployed environments.
  allowedhosts: []
  allowedhostsareregex: false
  hostsproxyheaders:
    - X-Forwarded-Host
  # Trusting X-Forwarded-Proto means a client that sets it itself can satisfy the HTTPS check behind sslredirect
  # over plain HTTP; this is only safe when a trusted reverse proxy always overwrites the header.
  sslproxyheaders:
    X-Forwarded-Proto: https
  stsseconds: 31536000 # one year — the minimum required for HSTS preload
  expectctheader: "" # Expect-CT is obsolete; leave empty
  securecontextkey: ""
# cors configuration
# NOTE(review): '*' lets any web origin call the API from a browser. A wildcard origin stops browsers from
# attaching cookies, but an Authorization header set by script is still sent (it is listed in allowedheaders),
# so any origin that holds a bearer token can use it. Whether credentialed requests are allowed is not visible
# in this section. Restrict allowedorigins to the known portal/admin origins in deployed environments.
cors:
  allowedorigins:
    - '*'
  allowedheaders:
    - Content-Type
    - Authorization
    - If-Match
  allowedmethods:
    - GET
    - POST
    - PUT
    - DELETE
# gateway authorizer packages
packages:
apigeeedge:
file: /enforcement/apigee-edge-authorizer.zip # path to package file
url: "" # url to package
username: "" # basic auth username for url
password: "" # basic auth password for url
apigeex:
file: /enforcement/apigee-x-authorizer.zip # path to package file
url: "" # url to package
username: "" # basic auth username for url
password: "" # basic auth password for url
aws:
file: /enforcement/cloudentity-mp-aws-gw-authorizer.zip # path to package file
url: "" # url to package
username: "" # basic auth username for url
password: "" # basic auth password for url
istio:
file: /enforcement/istio-authorizer.zip # path to package file
url: "" # url to package
username: "" # basic auth username for url
password: "" # basic auth password for url
kong:
file: /enforcement/kong-authorizer.zip # path to package file
url: "" # url to package
username: "" # basic auth username for url
password: "" # basic auth password for url
kusk:
file: /enforcement/standalone-authorizer.zip # path to package file
url: "" # url to package
username: "" # basic auth username for url
password: "" # basic auth password for url
pyron:
file: /enforcement/pyron-authorizer.zip # path to package file
url: "" # url to package
username: "" # basic auth username for url
password: "" # basic auth password for url
standalone:
file: /enforcement/standalone-authorizer.zip # path to package file
url: "" # url to package
username: "" # basic auth username for url
password: "" # basic auth password for url
# openbanking packages
openbanking_packages:
br:
file: /packages/openbanking/openbanking-quickstart-br.zip # path to package file
url: "" # url to package
username: "" # basic auth username for url
password: "" # basic auth password for url
cdr:
file: /packages/openbanking/openbanking-quickstart-cdr.zip # path to package file
url: "" # url to package
username: "" # basic auth username for url
password: "" # basic auth password for url
fdx:
file: /packages/openbanking/openbanking-quickstart-fdx.zip # path to package file
url: "" # url to package
username: "" # basic auth username for url
password: "" # basic auth password for url
generic:
file: /packages/openbanking/openbanking-quickstart-generic.zip # path to package file
url: "" # url to package
username: "" # basic auth username for url
password: "" # basic auth password for url
uk:
file: /packages/openbanking/openbanking-quickstart-uk.zip # path to package file
url: "" # url to package
username: "" # basic auth username for url
password: "" # basic auth password for url
templates_dir: ./web/templates # path to dir with templates
static_dir: ./web/static # path to the dir with static files for templates
app_static_dir: ./web/app/build/static # path to the dir with static files for react frontend app
app_dir: ./web/app/build # path to the dir with react frontend app for acp
swagger_dir: ./web/swagger # path to the dir with swagger ui
swagger_path_template: ./api/handler/{{module}}.yaml # path to the swagger-{{module}}.yaml
redirect_to_default_tenant: false # enable redirection to default tenant
# NOTE(review): when client_certificate_header is non-empty the client certificate is presumably read from that
# request header instead of the TLS handshake. That is only safe if the ingress / TLS terminator strips this header
# (and the format header) from all incoming traffic and sets it itself — otherwise any caller can present a
# certificate of its choosing.
client_certificate_header: "" # default client http TLS certificate header name
client_certificate_format_header: X-SSL-CERT-FORMAT # format of tls certificate injected as a header
region: default # The name of the region in which this node is running
# public path prefix for openbanking brazil endpoints
obbr_base_paths: []
# external integrations configuration e.g. marketo
integrations:
# Marketo configuration
marketo:
enabled: false # enabled
instance_id: "" # instance id
# Google Custom Search JSON API configuration
google_images:
api_key: "" # Google Custom Search JSON API key
cx: "" # The identifier of the Google Programmable Search Engine.
rate_limiting_threshold: 0 # fine grained rate limiting threshold in number of requests per second
# licensing configuration
licensing:
default_license_type: trial # DefaultLicenseType is the default license type for new tenants
default_license_duration: 1440h0m0s # DefaultLicenseDuration is the default license duration for new tenants
# sql encryption secret
# NOTE(review): the key below (and hashing.salt / system.secret further down) are published defaults. Every
# install that runs this file unchanged shares them, so each deployment must override them (env var / secret
# store) and the process should ideally refuse to start with the default. The `id` field suggests keyed rotation
# (add a new id, re-encrypt), but that is not visible here.
secrets:
  - id: "1" # secret id
    key: FmIQrzqf7dT57SjVH3g52SEVx45WH9pE # secret key — example value, MUST be overridden
# pbkdf2 secret hashing configuration
# NOTE(review): a single global, fixed salt means identical secrets hash identically across tenants and
# installs, and 4096 iterations is far below current guidance for PBKDF2-HMAC-SHA512 (OWASP: 210,000).
# Whether these parameters are stored alongside each hash (so they can be raised without invalidating existing
# hashes) cannot be determined from this file — check before changing them on an existing install.
hashing:
  number_of_iterations: 4096 # number of iterations
  key_length: 128 # key length (unit — bytes or bits — is not stated; confirm against the implementation)
  salt: WuD0izLakS24Uyft65JP # salt (at least 8 characters) — example value, MUST be overridden
  function: SHA-512 # SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512 (SHA-1 presumably kept for compatibility; do not pick it for new installs)
# system tenant
system:
  secret: n8HF35qzZkmsukHJzzz9LnN8m9Mf97uq # system client secret — presumably authenticates the system tenant's client; example value, MUST be overridden
# limits
limits:
max_number_of_client_rotated_secrets: 1 # max number of client rotated secrets
# send otp per address global limit
send_otp_limit:
enabled: true # enable rate limiter
period: 1m0s # period
rate: 2 # rate
burst: 1 # max burst
# limits for admin websocket notifications
notifications:
audit_event: 3s
scope_grants: 3s
batch_size: 1000
# brute force limits
# NOTE(review): 5 attempts per 1-minute block still allows roughly 300 guesses per hour per limited key (what the
# key is — user, client, IP — is not visible here). That is adequate against naive password brute force but thin for
# the short-secret endpoints (mfa, identity_code_verify, identity_address_verification); consider a longer or
# escalating block_duration there.
brute_force_limits:
  enabled: true
  mfa:
    max_attempts: 5
    block_duration: 1m0s
client_authentication:
max_attempts: 5
block_duration: 1m0s
device_handling:
max_attempts: 5
block_duration: 1m0s
identity_code_inspect:
max_attempts: 5
block_duration: 1m0s
identity_code_verify:
max_attempts: 5
block_duration: 1m0s
identity_change_password:
max_attempts: 5
block_duration: 1m0s
identity_confirm_password:
max_attempts: 5
block_duration: 1m0s
identity_verify_password:
max_attempts: 5
block_duration: 1m0s
identity_registration:
max_attempts: 5
block_duration: 1m0s
identity_set_credential:
max_attempts: 5
block_duration: 1m0s
identity_self_register:
max_attempts: 5
block_duration: 1m0s
identity_activate_self_registered:
max_attempts: 5
block_duration: 1m0s
identity_self_activation:
max_attempts: 5
block_duration: 1m0s
identity_self_change_password:
max_attempts: 5
block_duration: 1m0s
identity_self_change_totp_secret:
max_attempts: 5
block_duration: 1m0s
identity_change_totp_secret:
max_attempts: 5
block_duration: 1m0s
identity_authentication:
max_attempts: 5
block_duration: 1m0s
identity_address_verification:
max_attempts: 5
block_duration: 1m0s
# feature flags
features:
dev_mode: false # hot reloading of templates
demo_app: false # demo app
swagger_ui: false # swagger ui
disable_embedded_sms_provider: false # disable embedded sms provider
debug: false # enable additional debug logs
block_non_vanity_domain_access: false # block access to a tenant's resources from traffic not originating from the tenant's vanity domain
dedicated_faas: false # allow the usage of dedicated FaaS Rego/JS environments
client_secrets_stored_as_one_way_hash: false # stores client secrets as one-way hashes — false means secrets are kept in recoverable form (presumably encrypted with secrets.key), so a database read plus that key exposes every client secret; prefer true for new installs
admin_workspace_access: true # admin workspace access
system_workspace_access: true # system workspace access
insecure_disable_csrf: false # disable csrf — keep false outside local development (see also server.disable_csrf)
insecure_token_exchange_public_clients: false # insecure token exchange public clients — allows token exchange by clients that cannot authenticate themselves; keep false
disable_audit_events: false # disable audit events — disabling removes the forensic trail; keep false in deployed environments
cache_access_tokens: false # cache access tokens — NOTE(review): if enabled, revocation presumably only takes effect once the cache entry expires (cache.redis_ttl / local_ttl); confirm before turning on
cdr_disable_unique_software_id: false # disable unique software id for CDR
do_not_validate_cert_for_private_key_jwt: false # do not validate cert for private key jwt — skipping this check weakens private_key_jwt client authentication; keep false
drop_tokens_on_password_reset: false # drop tokens on password reset — false means tokens issued before the reset stay valid, so an attacker holding a session is not evicted by the password change; consider true
initialize_demo_workspace: false # when enabled and the display_workspace_wizard feature flag is set to true, a demo workspace with a set of preconfigured IDPs is created and no welcome screen is displayed
scope_transient_otp: false # scope transient_otp
cloudentity_idp: false # Cloudentity IDP
add_fake_tenant_url_to_login_request_for_non_default_routing: false # add fake tenantUrl to query params for routing other than default (needed for backward compatibility with CIP for vanity domains)
rar: false # rich authorization requests
connect_id: false # connectID profile
identity_assurance: false # identity assurance
connect_id_consent_page_face_lifting: false # connect ID consent page facelifting
openbanking_ksa: false # openbanking ksa workspace and security profile
tree_dump_tenant: false # hierarchical dumps tenant APIs
cdr_arrangement_cache: false # arrangement cache for CDR
jit_map_user_pool_attributes_to_authn_ctx: false # allow to map user pool attributes to authn ctx if JIT is enabled
mark_address_as_verified_on_any_proof_of_possession: true # mark address as verified on any proof of possession of the address
arculix: false # Arculix 2FA and MFA
risk_engine: false # Risk engine
handle_mfa_recovery_in_identity_pools: false # Handle MFA Recovery in Identity Pools
acr: false # ACR support
permissions: false # Permissions
roles: false # Roles
organizations: false # Organizations
identifier_based_discovery: false # Identifier-based discovery
self_service: false # Self-service
identity_pool_mfa: false # Identity Pool MFA
identity_pool_totp: false # Identity Pool TOTP
obbr: false # openbanking brasil
# http client
client:
timeout: 5s # http client timeout
retry_wait_min: 10ms # minimum time to wait between retries
retry_wait_max: 100ms # maximum time to wait between retries
retry_max: 2 # maximum number of retries
root_ca: "" # file path to the root ca that this client should trust (defaults to system root ca)
root_ca_pem: "" # PEM encoded root ca that this client should trust
insecure_skip_verify: false # disable cert verification
# client TLS configuration
tls:
certificate: "" # file path to the client certificate
key: "" # file path to the client key
certificate_pem: "" # client certificate PEM encoded
key_pem: "" # client key PEM encoded
disable_follow_redirects: false # disable follow redirects
disable_retry: false # disable retry
# sql client
# NOTE(review): the default URL connects as `root` with sslmode=disable (no TLS, no server verification). This is a
# local-development default only: a deployed install should use a least-privilege database role, sslmode=verify-full
# with the CA configured, and pass credentials through the environment rather than this file.
sql:
  url: postgres://root@crdb:26257/defaultdb?sslmode=disable # sql connection url
  type: "" # sql db type cockroachdb or postgresql
# urls to read replicas in primary/replica mode
replicas: []
max_open_conns: 8 # max number of open connection
max_idle_conns: 0 # max number of idle connection
# migrations configuration
migrations:
disable: false # disable migrations
path: ./migrations # path to the migrations
timeout: 1m0s # timeout for running migrations
down: false # DANGEROUS run all migrations down (removes all data from the database)
with_cockroachdb_enterprise: false # turn on cockroachdb enterprise features
# garbage collection ttl per table (default 24h)
gc:
audit_events: 1h6m40s
refresh_tokens: 1h6m40s
cockroachdb_use_limit_ordering_for_streaming_group_by: false # enable optimizer_use_limit_ordering_for_streaming_group_by feature flag for cockroachdb available from version 22.2.3
# timescale client
# NOTE(review): the default URL uses the `postgres` superuser with the literal password `password` over a
# cleartext connection (sslmode=disable). This database receives audit logs (see the audit_logs_timescale consumer
# group below), so in a deployed install use a dedicated role, TLS with verification, and credentials from the
# environment or a secret store.
timescale:
  enabled: false # enable timescaledb
  url: postgres://postgres:password@timescale/acp?sslmode=disable # sql connection url
# urls to read replicas in primary/replica mode
replicas: []
max_open_conns: 8 # max number of open connection
max_idle_conns: 0 # max number of idle connection
# migrations configuration
migrations:
disable: false # disable migrations
path: ./migrations/timescale # path to the migrations
timeout: 1m0s # timeout for running migrations
down: false # DANGEROUS run all migrations down (removes all data from the database)
data_retention: 2160h0m0s # data retention duration
# spicedb client for external permissions (permission systems)
# NOTE(review): `token: secret` is a placeholder; the real bearer token must come from the environment or a secret
# store. `dry_run: true` turns enforcement off — whether checks then fail open is not visible here, so treat it as
# dev/testing only. With `ca` empty and insecure_skip_verify false the system trust store is presumably used; for a
# private CA set `ca` rather than flipping insecure_skip_verify.
spicedb:
  enabled: false # enable spicedb
  dry_run: false # turn off enforcement (dev/testing only)
  url: spicedb:50051 # spicedb endpoint url
  token: secret # bearer token — placeholder, MUST be overridden
  ca: "" # path to the root ca
  insecure_skip_verify: false # skip tls verification — never true outside local development
# spicedb client for internal permissions (roles)
internal_spicedb:
  enabled: false # enable spicedb
  dry_run: false # turn off enforcement (dev/testing only)
  url: internal-spicedb:50051 # spicedb endpoint url
  token: secret # bearer token — placeholder, MUST be overridden (use a token distinct from the external instance)
  ca: "" # path to the root ca
  insecure_skip_verify: false # skip tls verification — never true outside local development
# redis client
redis:
id: redis # redis database id
region: local # region id
scan_count: 100 # Number of entries fetched using SCAN
push_limit: 1024 # at-least-once delivery queue push limit
# Either a single address or a seed list of host:port addresses
addrs:
- 127.0.0.1:6379
db: 0 # Database to be selected after connecting to the server.
master_name: "" # The sentinel master name.
# NOTE(review): this Redis holds access/refresh tokens, authorization codes, SSO and MFA sessions (see the index
# prefixes below). With empty username/password and tls.enabled false it is reachable unauthenticated and in
# cleartext by anything on the network — set an ACL user and password and enable tls outside local development.
username: "" # username
password: "" # password
sentinel_password: "" # sentinel password
max_retries: 3 # max retries
min_retry_backoff: 8ms # min retry backoff
max_retry_backoff: 512ms # max retry backoff
dial_timeout: 5s # dial timeout
read_timeout: 3s # read timeout
write_timeout: 3s # write timeout
pool_size: 0 # pool size
min_idle_conns: 0 # min idle connections
max_conn_age: 0s # max connection age
pool_timeout: 4s # pool timeout
idle_timeout: 5m0s # idle timeout
idle_check_frequency: 1m0s # idle check frequency
max_redirects: 3 # max redirects
read_only: false # read only
route_by_latency: false # route by latency
route_randomly: false # route randomly
# redis search indexes
indexes:
- name: tokens # redis search index name
# redis search index prefixes
prefix:
- access_tokens
- authorization_codes
- device_codes
- openid_tokens
- pkce_sessions
- refresh_tokens
- authorize_requesters
# redis search tags for index
tags:
- tenant_id
- server_id
- client_id
- subject
- token_type
- collection
- consent_id
- consent_type
- customer_id
- sso_session_id
- name: users # redis search index name
# redis search index prefixes
prefix:
- users
- user_identifiers
- user_verified_addresses
- user_codes
# redis search tags for index
tags:
- tenant_id
- pool_id
- user_id
- name: sessions # redis search index name
# redis search index prefixes
prefix:
- sso_sessions
# redis search tags for index
tags:
- tenant_id
- server_id
- subject
- name: mfa_sessions # redis search index name
# redis search index prefixes
prefix:
- mfa_sessions
# redis search tags for index
tags:
- tenant_id
- user_pool_id
- user_id
# redis streams configuration
streams:
number_of_workers: 8 # number of workers for stream handlers
max_length: 100000 # max length for streams
max_ttl: 24h0m0s # max ttl for entries in streams
trim_interval: 1m0s # trim max ttl interval
disable_trim: false # disable trimming
count: 128 # number of events to read from a stream
block: 1s # duration until timeout
handler_timeout: 30s # stream handler timeout
stats_interval: 10s # streams stats interval
# streams auto claim count
auto_claim:
interval: 1s # streams auto claim interval
min_idle: 30s # streams auto claim min idle
count: 100 # streams auto claim count
sleep: 100ms # sleep between reads
max_retries: 10 # max number of retries
prefix: "" # redis stream name prefix
auto_ack: false # automatically ack all messages when there is no error
# etags configuration
etag:
duration: 1m0s # max duration to wait for confirmation
size: 10000 # max size of confirmations queue
# redis tls configuration
tls:
  enabled: false # enable tls — off by default, so token and session data travel in cleartext; enable outside local development
  cert: "" # path to the public key cert PEM file
  key: "" # path to the private key PEM file
  ca: "" # path to the root ca PEM file
  insecure_skip_verify: false # skip host name verification — NOTE(review): despite the wording, the same key on `client` above is documented as "disable cert verification", so this likely disables certificate chain verification entirely, not only host-name matching; confirm, and never set true outside local development
max_backoff_retries: 5 # constant backoff max number of retries
backoff_duration: 10ms # constant backoff duration
# consumer group configuration - option to override global settings for a given consumer group
consumer_groups:
analytics:
timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
batch_size: 0 # count of messages in a single batch, 0 for default size
max_retries: -1
max_length: 0 # max length for streams
number_of_workers: 0 # number of workers for stream handlers
audit_logs_timescale:
timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
batch_size: 200 # count of messages in a single batch, 0 for default size
max_retries: -1
max_length: 0 # max length for streams
number_of_workers: 0 # number of workers for stream handlers
gateway:
timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
batch_size: 100 # count of messages in a single batch, 0 for default size
max_retries: 0
max_length: 0 # max length for streams
number_of_workers: 0 # number of workers for stream handlers
identity_cleanup:
timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
batch_size: 1 # count of messages in a single batch, 0 for default size
max_retries: 0
max_length: 0 # max length for streams
number_of_workers: 0 # number of workers for stream handlers
identity_messenger:
timeout: 1m0s # timeout for all handlers in a given consumer group, 0 for default timeout
batch_size: 10 # count of messages in a single batch, 0 for default size
max_retries: 1
max_length: 0 # max length for streams
number_of_workers: 0 # number of workers for stream handlers
# optional local redis client (uses redis client configuration if addrs is empty)
local_redis:
id: local-redis # redis database id
region: local # region id
scan_count: 100 # Number of entries fetched using SCAN
push_limit: 1024 # at-least-once delivery queue push limit
# Either a single address or a seed list of host:port addresses
addrs: []
db: 0 # Database to be selected after connecting to the server.
master_name: "" # The sentinel master name.
username: "" # username
password: "" # password
sentinel_password: "" # sentinel password
max_retries: 3 # max retries
min_retry_backoff: 8ms # min retry backoff
max_retry_backoff: 512ms # max retry backoff
dial_timeout: 5s # dial timeout
read_timeout: 3s # read timeout
write_timeout: 3s # write timeout
pool_size: 0 # pool size
min_idle_conns: 0 # min idle connections
max_conn_age: 0s # max connection age
pool_timeout: 4s # pool timeout
idle_timeout: 5m0s # idle timeout
idle_check_frequency: 1m0s # idle check frequency
max_redirects: 3 # max redirects
read_only: false # read only
route_by_latency: false # route by latency
route_randomly: false # route randomly
# redis search indexes
indexes:
- name: tokens # redis search index name
# redis search index prefixes
prefix:
- access_tokens
- authorization_codes
- device_codes
- openid_tokens
- pkce_sessions
- refresh_tokens
- authorize_requesters
# redis search tags for index
tags:
- tenant_id
- server_id
- client_id
- subject
- token_type
- collection
- consent_id
- consent_type
- customer_id
- sso_session_id
- name: users # redis search index name
# redis search index prefixes
prefix:
- users
- user_identifiers
- user_verified_addresses
- user_codes
# redis search tags for index
tags:
- tenant_id
- pool_id
- user_id
- name: sessions # redis search index name
# redis search index prefixes
prefix:
- sso_sessions
# redis search tags for index
tags:
- tenant_id
- server_id
- subject
- name: mfa_sessions # redis search index name
# redis search index prefixes
prefix:
- mfa_sessions
# redis search tags for index
tags:
- tenant_id
- user_pool_id
- user_id
# redis streams configuration
streams:
number_of_workers: 8 # number of workers for stream handlers
max_length: 100000 # max length for streams
max_ttl: 24h0m0s # max ttl for entries in streams
trim_interval: 1m0s # trim max ttl interval
disable_trim: false # disable trimming
count: 128 # number of events to read from a stream
block: 1s # duration until timeout
handler_timeout: 30s # stream handler timeout
stats_interval: 10s # streams stats interval
# streams auto claim count
auto_claim:
interval: 1s # streams auto claim interval
min_idle: 30s # streams auto claim min idle
count: 100 # streams auto claim count
sleep: 100ms # sleep between reads
max_retries: 10 # max number of retries
prefix: "" # redis stream name prefix
auto_ack: false # automatically ack all messages when there is no error
# etags configuration
etag:
duration: 1m0s # max duration to wait for confirmation
size: 10000 # max size of confirmations queue
# redis tls configuration
tls:
  enabled: false # enable tls — off by default, so token and session data travel in cleartext; enable outside local development
  cert: "" # path to the public key cert PEM file
  key: "" # path to the private key PEM file
  ca: "" # path to the root ca PEM file
  insecure_skip_verify: false # skip host name verification — NOTE(review): despite the wording, the same key on `client` above is documented as "disable cert verification", so this likely disables certificate chain verification entirely, not only host-name matching; confirm, and never set true outside local development
max_backoff_retries: 5 # constant backoff max number of retries
backoff_duration: 10ms # constant backoff duration
# consumer group configuration - option to override global settings for a given consumer group
consumer_groups:
analytics:
timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
batch_size: 0 # count of messages in a single batch, 0 for default size
max_retries: -1
max_length: 0 # max length for streams
number_of_workers: 0 # number of workers for stream handlers
audit_logs_timescale:
timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
batch_size: 200 # count of messages in a single batch, 0 for default size
max_retries: -1
max_length: 0 # max length for streams
number_of_workers: 0 # number of workers for stream handlers
gateway:
timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
batch_size: 100 # count of messages in a single batch, 0 for default size
max_retries: 0
max_length: 0 # max length for streams
number_of_workers: 0 # number of workers for stream handlers
identity_cleanup:
timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
batch_size: 1 # count of messages in a single batch, 0 for default size
max_retries: 0
max_length: 0 # max length for streams
number_of_workers: 0 # number of workers for stream handlers
identity_messenger:
timeout: 1m0s # timeout for all handlers in a given consumer group, 0 for default timeout
batch_size: 10 # count of messages in a single batch, 0 for default size
max_retries: 1
max_length: 0 # max length for streams
number_of_workers: 0 # number of workers for stream handlers
# sql queue
queue:
disabled: false # disable queue worker pool
tenant_id: "" # Limit sql queue handler to a single tenant
count: 1 # number of pool workers
limit: 10 # poll limit
heartbeat_interval: 30s # heartbeat interval
expiration_interval: 1m0s # expiration interval
polling_interval: 1s # polling interval
max_backoff: 10s # max backoff
error_limit: 0.1 # error rate limit
# storage config
storage:
# refresh tokens storage configuration
refresh_tokens:
enabled: true # enable storing refresh tokens in sql, stored in kv if false
batch_limit: 1000 # refresh token batch delete limit
# expired consents storage configuration
consents:
batch_limit: 1000 # expired consents batch delete limit
# audit events storage configuration
audit_events:
enabled: true # enable storing audit events in sql
# audit events retention config
retention:
enabled: true # enable audit events retention
global: true # when true, audit events retention is executed globally, not per tenant
batch_limit: 1000 # audit events retention batch delete limit
max_age: 168h0m0s # remove audit events older than max age
# recurring jobs
jobs:
auditEventsRetention:
tenant_id: system # tenant id
id: auditEventsRetention # job id
queue: execute_retention # queue name
cron: 15 * * * * # cron expression
# next execution time
scheduled_at: {}
# job starting from
starting_from: {}
paused: false # is paused
payload: null # payload
cdrArrangementsAutoRemoval:
tenant_id: system # tenant id
id: cdrArrangementsAutoRemoval # job id
queue: openbanking_cdr_arrangements_auto_removal # queue name
cron: 0 0 * * * # cron expression
# next execution time
scheduled_at: {}
# job starting from
starting_from: {}
paused: false # is paused
payload: null # payload
cdrExpiredArrangements:
tenant_id: system # tenant id
id: cdrExpiredArrangements # job id
queue: openbanking_set_expired_cdr_arrangements # queue name
cron: 0 * * * * # cron expression
# next execution time
scheduled_at: {}
# job starting from
starting_from: {}
paused: false # is paused
payload: null # payload
cdrSyncRegisters:
tenant_id: system # tenant id
id: cdrSyncRegisters # job id
queue: openbanking_cdr_sync_registers # queue name
cron: '*/4 * * * *' # cron expression
# next execution time
scheduled_at: {}
# job starting from
starting_from: {}
paused: false # is paused
payload: null # payload
cibaSimulatorExpiredAuthentications:
tenant_id: system # tenant id
id: cibaSimulatorExpiredAuthentications # job id
queue: ciba_simulator_remove_expired_authentications # queue name
cron: '*/1 * * * *' # cron expression
# next execution time
scheduled_at: {}
# job starting from
starting_from: {}
paused: false # is paused
payload: null # payload
expiredTokens:
tenant_id: system # tenant id
id: expiredTokens # job id
queue: remove_expired_refresh_tokens # queue name
cron: 0 * * * * # cron expression
# next execution time
scheduled_at: {}
# job starting from
starting_from: {}
paused: false # is paused
payload: null # payload
fdxExpiredConsents:
tenant_id: system # tenant id
id: fdxExpiredConsents # job id
queue: openbanking_set_expired_fdx_consents # queue name
cron: 0 * * * * # cron expression
# next execution time
scheduled_at: {}
# job starting from
starting_from: {}
paused: false # is paused
payload: null # payload
identityStats:
tenant_id: system # tenant id
id: identityStats # job id
queue: identity_stats # queue name
cron: 45 * * * * # cron expression
# next execution time
scheduled_at: {}
# job starting from
starting_from: {}
paused: false # is paused
payload: null # payload
openbankingExpiredConsents:
tenant_id: system # tenant id
id: openbankingExpiredConsents # job id
queue: openbanking_remove_expired_consents # queue name
cron: 0 * * * * # cron expression
# next execution time
scheduled_at: {}
# job starting from
starting_from: {}
paused: false # is paused
payload: null # payload
openbankingOrphanedConsents:
tenant_id: system # tenant id
id: openbankingOrphanedConsents # job id
queue: openbanking_remove_orphaned_consents # queue name
cron: 0 * * * * # cron expression
# next execution time
scheduled_at: {}
# job starting from
starting_from: {}
paused: false # is paused
payload: null # payload
# lru cache
cache:
redis_ttl: 10m0s
local_ttl: 1m0s
local_max_size: 1000
locks: 256
disabled: false
# stats cache
stats:
redis_ttl: 1m0s
local_ttl: 10s
local_max_size: 1000
locks: 0
disabled: false
# themes cache
themes_cache:
redis_ttl: 1h0m0s
local_ttl: 10m0s
local_max_size: 100
locks: 0
disabled: false
# demo apps
# NOTE(review): this client secret is published with the product and its client is granted
# introspect_openbanking_tokens. The demo app is disabled by default (features.demo_app: false), but anywhere it
# is enabled with this default secret, anyone who has read this file can introspect open banking tokens —
# override the secret (and the certificate/key paths) per environment.
demo:
  client:
    root_ca: /certs/ca.pem
    cert: /certs/cid2/cert.pem
    key: /certs/cid2/cert-key.pem # private key — treat as a secret
    client_id: cid2
    client_secret: xYA0YnXldHNNjgWBjXGr5xBzIjf8PW-jXWkdZZ_l0WB # example value, MUST be overridden where the demo app is enabled
    scopes:
      - introspect_openbanking_tokens
directory:
redirect_uris:
- https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtPaymentsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtPaymentsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtPaymentsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtPaymentsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/PlainResponseByValueMtlsPaymentsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/PlainResponseByValueMtlsPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/JarmByValueMtlsPaymentsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/JarmByValueMtlsPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/PlainResponsePushedMtlsPaymentsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/PlainResponsePushedMtlsPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/JarmPushedMtlsPaymentsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/JarmPushedMtlsPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/PlainResponseByValueMtlsAccountsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/PlainResponseByValueMtlsAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/JarmByValueMtlsAccountsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/JarmByValueMtlsAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/PlainResponsePushedMtlsAccountsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/PlainResponsePushedMtlsAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/JarmPushedMtlsAccountsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/JarmPushedMtlsAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtAccountsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtAccountsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtAccountsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtAccountsObbrDcrFapiTests/callback
- https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtOpinDcrFapiTests/callback
- https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtOpinDcrFapiTests/callback
- https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtOpinDcrFapiTests/callback
- https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtOpinDcrFapiTests/callback
- https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/PlainResponseByValueMtlsOpinDcrFapiTests/callback
- https://fapi-test:8444/test/a/PlainResponseByValueMtlsOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/JarmByValueMtlsOpinDcrFapiTests/callback
- https://fapi-test:8444/test/a/JarmByValueMtlsOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/PlainResponsePushedMtlsOpinDcrFapiTests/callback
- https://fapi-test:8444/test/a/PlainResponsePushedMtlsOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://fapi-test:8444/test/a/JarmPushedMtlsOpinDcrFapiTests/callback
- https://fapi-test:8444/test/a/JarmPushedMtlsOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWithoutBrowserDcrObbrTests/callback
- https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWithoutBrowserDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/JarmByValueMtlsDcrObbrTests/callback
- https://obbr-test:8445/test/a/JarmByValueMtlsDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/PlainResponseByValueMtlsDcrObbrTests/callback
- https://obbr-test:8445/test/a/PlainResponseByValueMtlsDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/JarmPushedMtlsDcrObbrTests/callback
- https://obbr-test:8445/test/a/JarmPushedMtlsDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/PlainResponsePushedMtlsDcrObbrTests/callback
- https://obbr-test:8445/test/a/PlainResponsePushedMtlsDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/JarmByValuePrivateKeyJwtDcrObbrTests/callback
- https://obbr-test:8445/test/a/JarmByValuePrivateKeyJwtDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtDcrObbrTests/callback
- https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/JarmPushedPrivateKeyJwtDcrObbrTests/callback
- https://obbr-test:8445/test/a/JarmPushedPrivateKeyJwtDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/PlainResponsePushedPrivateKeyJwtDcrObbrTests/callback
- https://obbr-test:8445/test/a/PlainResponsePushedPrivateKeyJwtDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWithoutBrowserWebhookDcrObbrTests/callback
- https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWithoutBrowserWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/JarmByValueMtlsWebhookDcrObbrTests/callback
- https://obbr-test:8445/test/a/JarmByValueMtlsWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/PlainResponseByValueMtlsWebhookDcrObbrTests/callback
- https://obbr-test:8445/test/a/PlainResponseByValueMtlsWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/JarmPushedMtlsWebhookDcrObbrTests/callback
- https://obbr-test:8445/test/a/JarmPushedMtlsWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/PlainResponsePushedMtlsWebhookDcrObbrTests/callback
- https://obbr-test:8445/test/a/PlainResponsePushedMtlsWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/JarmByValuePrivateKeyJwtWebhookDcrObbrTests/callback
- https://obbr-test:8445/test/a/JarmByValuePrivateKeyJwtWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWebhookDcrObbrTests/callback
- https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/JarmPushedPrivateKeyJwtWebhookDcrObbrTests/callback
- https://obbr-test:8445/test/a/JarmPushedPrivateKeyJwtWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/PlainResponsePushedPrivateKeyJwtWebhookDcrObbrTests/callback
- https://obbr-test:8445/test/a/PlainResponsePushedPrivateKeyJwtWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
- https://obbr-test:8445/test/a/PlainResponsePushedPrivateKeyJwtAutomaticPaymentsWebhookObbrTests/callback
# test-suite webhook hosts (obbr-test-mtls, https with an explicit port) — presumably an allow-list of webhook base URLs; confirm against the caller and override per deployment
webhook_hosts:
- https://obbr-test-mtls:8445/test-mtls/a/PlainResponseByValuePrivateKeyJwtWithoutBrowserWebhookDcrObbrTests
- https://obbr-test-mtls:8445/test-mtls/a/JarmByValueMtlsWebhookDcrObbrTests
- https://obbr-test-mtls:8445/test-mtls/a/PlainResponseByValueMtlsWebhookDcrObbrTests
- https://obbr-test-mtls:8445/test-mtls/a/JarmPushedMtlsWebhookDcrObbrTests
- https://obbr-test-mtls:8445/test-mtls/a/PlainResponsePushedMtlsWebhookDcrObbrTests
- https://obbr-test-mtls:8445/test-mtls/a/JarmByValuePrivateKeyJwtWebhookDcrObbrTests
- https://obbr-test-mtls:8445/test-mtls/a/PlainResponseByValuePrivateKeyJwtWebhookDcrObbrTests
- https://obbr-test-mtls:8445/test-mtls/a/JarmPushedPrivateKeyJwtWebhookDcrObbrTests
- https://obbr-test-mtls:8445/test-mtls/a/PlainResponsePushedPrivateKeyJwtWebhookDcrObbrTests
# faas provider (function-as-a-service backend used to run user-supplied scripts)
faas:
provider: "" # FaaS backend to use; "fission" and "docker" are configured below — confirm accepted values, and what an empty value means, against the consuming code
# Available node executor env versions (sorted from oldest to the newest).
# Each entry pins the package.json that user functions run with; keep versions exact so builds are reproducible.
# Version 4 (node v16) is the legacy set: it is the only one still shipping `request`/`request-promise-native`
# and it pins older releases than 5/6 (e.g. jsonwebtoken 8.5.1 vs 9.0.2, ldapjs 2.3.1 vs 3.0.7).
node_env_versions:
- version: "4" # Environment version
valid_until: "" # presumably empty means no end-of-life date — confirm
# Nodejs package json
package_json:
# NodeJS dependencies
dependencies:
async: 3.2.3
async-lock: 1.4.0
aws-sdk: 2.1404.0
axios: 0.25.0
axios-retry: 3.8.0
body-parser: 1.19.2
chalk: 5.0.0
co: 4.6.0
debug: 4.3.3
express: 4.19.2
express-timeout-handler: ^2.2.2 # NOTE(review): the only semver range in this file; versions 5 and 6 pin 2.2.2 exactly — pin here too so the resolved tree cannot drift
graphql: 16.8.1
immutable: 4.0.0
invariant: 2.2.4
js-yaml: 4.1.0
jsonwebtoken: 8.5.1
ldapjs: 2.3.1
lodash: 4.17.21
log4js: 6.4.1
lru_map: 0.4.1
minimist: 1.2.6
mongodb: 5.9.2
mongoose: 7.6.8
morgan: 1.10.0
mysql: 2.18.1
mz: 2.7.0
node-fetch: 3.3.2
qs: 6.10.3
ramda: 0.28.0
request: 2.88.2
request-promise-native: 1.0.9
rxjs: 7.5.4
uglify-js: 3.15.1
underscore: 1.13.2
uuid: 8.3.2
validator: 13.7.0
ws: 8.18.0
xml2js: 0.5.0
# NodeJS engine version
engines:
node: v16 # NodeJS engine version
- version: "5" # Environment version
valid_until: "" # presumably empty means no end-of-life date — confirm
# Nodejs package json
package_json:
# NodeJS dependencies
dependencies:
async: 3.2.5
async-lock: 1.4.1
aws-sdk: 2.1541.0
axios: 1.7.4
axios-retry: 4.0.0
body-parser: 1.20.2
chalk: 5.3.0
co: 4.6.0
debug: 4.3.4
express: 4.19.2
express-timeout-handler: 2.2.2
graphql: 16.8.1
immutable: 4.3.4
invariant: 2.2.4
js-yaml: 4.1.0
jsonwebtoken: 9.0.2
ldapjs: 3.0.7
lodash: 4.17.21
log4js: 6.9.1
lru_map: 0.4.1
minimist: 1.2.8
mongodb: 6.3.0
mongoose: 8.1.0
morgan: 1.10.0
mysql: 2.18.1
mz: 2.7.0
node-fetch: 3.3.2
qs: 6.11.2
ramda: 0.29.1
rxjs: 7.8.1
uglify-js: 3.17.4
underscore: 1.13.6
uuid: 9.0.1
validator: 13.11.0
ws: 8.18.0
xml2js: 0.6.2
# NodeJS engine version
engines:
node: v18 # NodeJS engine version
- version: "6" # Environment version (newest)
valid_until: "" # presumably empty means no end-of-life date — confirm
# Nodejs package json
package_json:
# NodeJS dependencies
dependencies:
async: 3.2.5
async-lock: 1.4.1
aws-sdk: 2.1659.0
axios: 1.7.4
axios-retry: 4.4.1
body-parser: 1.20.2
chalk: 5.3.0
co: 4.6.0
debug: 4.3.5
express: 4.19.2
express-timeout-handler: 2.2.2
graphql: 16.9.0
immutable: 4.3.6
invariant: 2.2.4
js-yaml: 4.1.0
jsonwebtoken: 9.0.2
ldapjs: 3.0.7
lodash: 4.17.21
log4js: 6.9.1
lru_map: 0.4.1
minimist: 1.2.8
mongodb: 6.8.0
mongoose: 8.5.1
morgan: 1.10.0
mysql: 2.18.1
mz: 2.7.0
node-fetch: 3.3.2
qs: 6.12.3
ramda: 0.30.1
rxjs: 7.8.1
uglify-js: 3.19.0
underscore: 1.13.6
uuid: 10.0.0
validator: 13.12.0
ws: 8.18.0
xml2js: 0.6.2
# NodeJS engine version
engines:
node: v20 # NodeJS engine version
# Available rego executor env versions (sorted from oldest to the newest).
# Only one rego environment is defined; it carries no node package set.
rego_env_versions:
- version: "6" # Environment version
valid_until: "" # presumably empty means no end-of-life date — confirm
package_json: null # Nodejs package json (not applicable to rego)
# fission function as a service provider
fission:
namespace: acp-faas # Kubernetes namespace where functions should be created
# Runtime configuration for runtime v1
envs:
js: nodejs # Name of the fission environment for JS
rego: rego # Name of the fission environment for Rego
# Runtime configuration for runtime v2
envs_v2:
js: nodejs-v2 # Name of the fission environment for JS
rego: rego-v2 # Name of the fission environment for Rego
url: http://router.fission # URL to the fission router — plain http; acceptable only on a trusted in-cluster network, since function calls presumably traverse this hop unencrypted
max_backoff_retries: 3 # Max backoff retries in case of 404 error
# k8s package template (Go text/template rendered to YAML). `name` and `literal` are substituted unquoted,
# whereas `resourceversion` in the function template below is quoted. An expansion that happens to be all
# digits or boolean-looking would be retyped by the YAML parser — quote string-typed fields ("{{ .ID }}")
# if IDs or bodies can ever take such a form.
package_template: |- # k8s package template
apiVersion: fission.io/v1
kind: Package
metadata:
name: {{ .ID }}
namespace: {{ .Namespace }}
spec:
deployment:
literal: {{ .Base64EncodedBody }}
type: literal
environment:
name: {{ .Env }}
namespace: {{ .Namespace }}
status:
buildstatus: succeeded
# k8s function template; the numeric fields below are filled from function_settings
function_template: |- # k8s function template
apiVersion: fission.io/v1
kind: Function
metadata:
name: {{ .ID }}
namespace: {{ .Namespace }}
spec:
InvokeStrategy:
ExecutionStrategy:
ExecutorType: poolmgr
SpecializationTimeout: 30
StrategyType: execution
concurrency: {{ .MaxPodsCount }}
requestsPerPod: {{ .MaxRequestsPerPod }}
environment:
name: {{ .Env }}
namespace: {{ .Namespace }}
functionTimeout: {{ .ExecutionTimeout }}
idletimeout: {{ .IdleTimeout }}
package:
packageref:
name: {{ .ID }}
namespace: {{ .Namespace }}
resourceversion: "{{ .ResourceVersion }}"
# kube config
kube:
timeout: 0s # kube client timeout; 0s presumably means no timeout (cf. max_pod_age) — confirm
kubeconfig: "" # path to a kubeconfig file; empty presumably selects in-cluster credentials — confirm
max_pod_age: 0s # max pod age - set 0 to unlimited
# function settings (defaults for the template values above)
function_settings:
execution_timeout: 30s # max function execution time
idle_timeout: 1m0s # max function idle duration
max_pods_count: 2 # maximum pod count number
max_requests_per_pod: 5000 # maximum number of requests per pod
# fission resource watcher configuration
resource_watcher:
interval: 1m0s # how often to check for aged resources
timeout: 10s # check timeout
# risk engine configuration
risk_engine:
url: https://cyber-inference.mm-dev.acceptto.com # risk engine url — default points at an external host whose name suggests a dev environment; set explicitly per deployment
tenant_id: "" # risk engine tenant id
api_key: "" # risk engine api key — a credential; inject it rather than committing it here
timeout: 2s # risk engine client timeout
dbfp_url: https://dbfpdev.acceptto.com/bfp7.js # dbfp url — third-party script served from an external host (dev-named); pin per deployment
dbfp_timeout: 2s # dbfp timeout
# docker function as a service provider (plain-http endpoints; intended for a local/trusted network)
docker:
node_url: http://node-env:8888 # node executor endpoint
rego_url: http://rego-env:8888 # rego executor endpoint
shared_node_url: http://node-env:8888 # shared node executor endpoint (same default as node_url)
shared_rego_url: http://rego-env:8888 # shared rego executor endpoint (same default as rego_url)
# opentelemetry configuration
otel:
service_name: acp # service name
exporter: jaeger # opentelemetry exporter (jaeger or otlp)
# enabled propagators (b3, baggage, tracecontext, ottrace, jaeger)
propagators:
- jaeger
# jaeger opentelemetry exporter
jaeger:
agent_host: localhost # agent host
agent_port: "6831" # agent port
header: uber-trace-id # header name
# opentelemetry protocol exporter
otlp:
endpoint: localhost:4318 # otlp endpoint
path: /v1/traces # otlp path
root_ca: "" # otlp root ca
# additional headers sent to the collector; if used for credentials, inject them rather than committing them here
headers: {}
insecure_skip_verify: false # disable cert verification — keep false outside local testing
insecure_http: false # use http instead of https — keep false outside local testing
# consul client https://github.com/hashicorp/consul/blob/master/api/api.go
consul:
address: 127.0.0.1:8500 # agent address (loopback default)
scheme: http # plain http is only appropriate for the loopback default; use https plus tlsconfig for a remote agent
pathprefix: ""
datacenter: ""
transport: null # pointer fields of the Go client config; left null here
httpclient: null
httpauth: null
waittime: 0s
token: "" # ACL token — a credential; prefer tokenfile so the secret is not stored in this file
tokenfile: "" # path to a file holding the ACL token
namespace: ""
partition: ""
tlsconfig:
address: "" # server name used for TLS verification
cafile: ""
capath: ""
capem: []
certfile: ""
certpem: []
keyfile: ""
keypem: []
insecureskipverify: false # keep false; true disables server cert verification
# vault client
vault:
address: "" # Address is the address of the Vault server.
agent_address: "" # AgentAddress is the address of the local Vault agent.
max_retries: 0 # MaxRetries controls the maximum number of times to retry when a 5xx error occurs.
timeout: 0s # Timeout is for setting custom timeout parameter in the HttpClient
token: "" # Access token — a credential; prefer approle auth below or injection over a literal here
# TLSConfig contains the parameters needed to configure TLS on the HTTP client used to communicate with Vault.
tls:
cacert: "" # path to the CA certificate
cacertbytes: [] # CA certificate as raw bytes (alternative to cacert)
capath: "" # directory of CA certificates
clientcert: "" # client certificate for mTLS
clientkey: "" # client key for mTLS
tlsservername: "" # server name used for TLS verification
insecure: false # keep false; true disables server cert verification
# Authentication
auth:
approle:
roleid: ""
secretid: "" # credential — inject it rather than committing it here
# embedded smtp gateway configuration
email:
from: Cloudentity # From address (shown here as a display name — confirm the format the gateway expects)
username: "" # Username
password: "" # Password — a credential; inject it rather than committing it here
auth: PLAIN # SMTP AUTH mechanism; PLAIN only base64-encodes the credentials, it does not protect them
host: smtp.gmail.com # SMTP server host
port: 25 # SMTP server port
timeout: 10s # Timeout
start_tls: false # Send an email over TLS using STARTTLS. While false and auth is PLAIN, username/password cross the wire in cleartext unless the connection is already TLS (not shown here) — enable before setting credentials
insecure_skip_verify: false # Skip TLS cert verification — keep false; skipping it lets an active attacker terminate the STARTTLS session
# embedded twilio gateway configuration
sms:
from: Cloudentity # From number
sid: "" # The Twilio Account SID
auth_token: "" # The Twilio Auth Token — a credential; inject it rather than committing it here
# messaging config
messaging:
# email templates — [[...]] placeholders are filled at send time; text_template is used when file_template is not set
emails:
# verify otp
otp:
subject: OTP # Email's subject
file_template: ./web/emails/ce.html # Path to the file template
text_template: Dear Customer, [[otp]] is your single-use verification code. # Text template used if file template is not set
message_template: | # Default message template
We've received a OTP Code request.
[[otp]]
Here is the OTP code that you have requested.
# Email's attachments
attachments: []
# activate account with code
activate_account_with_code:
subject: Account activation # Email's subject
file_template: ./web/emails/ce.html # Path to the file template
text_template: "" # Text template used if file template is not set
# NOTE(review): the body text below reads "activate you account" — should be "your"
message_template: | # Default message template
Excellent!
Your account is almost ready.
Enter the code below on the account activation page to activate you account.
[[code]]
# Email's attachments
attachments: []
# activate account with link
activate_account_with_link:
subject: Account activation # Email's subject
file_template: ./web/emails/ce.html # Path to the file template
text_template: "" # Text template used if file template is not set
message_template: | # Default message template
Excellent!
Your account is almost ready.
Just one more step to access it
Alternatively, copy this link and follow it in your browser
[[link]]
# Email's attachments
attachments: []
# reset credentials with code
reset_credentials_with_code:
subject: Credentials reset # Email's subject
file_template: ./web/emails/ce.html # Path to the file template
text_template: "" # Text template used if file template is not set
message_template: | # Default message template
Credentials reset
We've received a request to reset your credentials.
Your credentials reset code is:
[[code]]
# Email's attachments
attachments: []
# reset credentials with link
reset_credentials_with_link:
subject: Credentials reset # Email's subject
file_template: ./web/emails/ce.html # Path to the file template
text_template: "" # Text template used if file template is not set
message_template: | # Default message template
Credentials reset
We've received a request to reset your credentials.
Alternatively, copy this link and follow it in your browser
[[link]]
# Email's attachments
attachments: []
# identifier used
identifier_used:
subject: Account already exists # Email's subject
file_template: ./web/emails/ce.html # Path to the file template
text_template: "" # Text template used if file template is not set
message_template: | # Default message template
Account already exists
The email you provided is already registered with an account.
# Email's attachments
attachments: []
# address verification with link
address_verification_with_link:
subject: Address verification # Email's subject
file_template: ./web/emails/ce.html # Path to the file template
text_template: "" # Text template used if file template is not set
message_template: | # Default message template
Address verification
We've received a request to verify your address.
Alternatively, copy this link and follow it in your browser
[[link]]
# Email's attachments
attachments: []
# sms templates — [[...]] placeholders are filled at send time
smses:
# verify otp
otp:
message_template: Dear Customer, [[otp]] is your single-use verification code. # Message template
# activate account with code
activate_account_with_code:
message_template: Dear Customer, use [[code]] to activate your account. # Message template
# activate account with link
activate_account_with_link:
message_template: 'Dear Customer, use the link to activate your account: [[link]]' # Message template
# reset credentials with code
reset_credentials_with_code:
message_template: Dear Customer, use [[code]] to reset your credentials. # Message template
# reset credentials with link
reset_credentials_with_link:
message_template: 'Dear Customer, use the link to reset your credentials: [[link]]' # Message template
# identifier used
identifier_used:
message_template: Dear Customer, this number is associated with an existing account. # Message template
# address verification with link
address_verification_with_link:
message_template: 'Dear Customer, use the link to verify your address: [[link]]' # Message template
# embedded IDPs
embedded_idps:
cookie_domain: "" # cookie domain
# github idp
github:
client_id: "" # client id
client_secret: "" # client secret — a credential; inject it rather than committing it here
# google idp
google:
client_id: "" # client id
client_secret: "" # client secret — a credential; inject it rather than committing it here
# global rate limits
rate_limits:
oauth2:
enabled: false # enable rate limiter (off by default; presumably covers the oauth2 endpoints — enable on internet-exposed deployments)
period: 1m0s # period — with rate 60 this allows 60 requests per minute
rate: 60 # rate
burst: 10 # max burst
# rate limits cache (counters backing rate_limits)
rate_limits_cache:
redis_ttl: 1h0m0s # ttl of entries in the shared redis cache
local_ttl: 10m0s # ttl of entries in the in-process cache
local_max_size: 1000 # max entries in the in-process cache
locks: 0 # presumably the number of lock stripes, 0 selecting a default — confirm
disabled: false # disable the cache
# token exchange verifier
token_exchange_verifier:
idp_client_timeout: 5s # http client timeout when calling IDP endpoints
# subject config
subject:
default_format: legacy # subject default format for new workspaces (other accepted values are not listed here)
# identity pools captcha configuration
captcha:
enabled: false # captcha is off by default
site_key: 6LdPYcYeAAAAAF5f6K9Pv5jkPEDFsOtfkwxP2a5k # public site key
# NOTE(review): a real-looking secret_key is published as a default here; confirm it is a throwaway/test key,
# rotate it if it is not, and always override it per deployment from a secret store rather than this file
secret_key: 6LdPYcYeAAAAACiRY1ZG2iSPsHXOhYSaqTO_Ycqz
whitelist: [] # presumably identifiers exempt from the captcha check — confirm
# Limits for asynchronous delete of Identity Pools (100 users x 30 iterations = up to 3000 users per run, presumably — confirm)
async_delete_identity_pool:
delete_users_batch_size: 100 # users deleted per batch
delete_users_iterations_count: 30 # max batches per run
create_tenant_with_default_admin_identity_pool: true # Create a default Admin Identity Pool IDP for each new tenant
Cloudentity Platform Configuration Reference
Regardless of the deployment type you run, the Cloudentity platform shares a common configuration reference that can be used to adjust the platform settings to any business need.