Server configuration

string

Database connection string. = HTTP Client

time.Duration

Default timeout for clients.

bool

Allow insecure (invalid, expired TLS/SSL certificates) connections.

string

IP and port for the HTTP server.

string

When webapps are enabled (HTTP_WEBAPP_ENABLED) this is moved to '/api' if not explicitly set otherwise. API base URL is internaly prefixed with baseUrl

bool

string

Corteza will directly serve these assets (static files). When empty path is set (default value), embedded files are used.

string

Base URL (prefix) for all routes (<baseUrl>/auth, <baseUrl>/api, …​)

string

Domain for the HTTP server.

string

Domain for the HTTP webapp.

bool

Enable /debug route.

bool

bool

Enable (prometheus) metrics.

bool

Report HTTP panic to Sentry.

bool

Enable /version route.

bool

Log HTTP requests.

bool

Log HTTP responses.

string

Password for the metrics endpoint.

string

Name for metrics endpoint.

string

Username for the metrics endpoint.

bool

Is SSL termination enabled in ingres, proxy or load balancer that is in front of Corteza? By default, Corteza checks for presence of LETSENCRYPT_HOST environmental variable. This DOES NOT enable SSL termination in Cortreza!

bool

bool

Enable web console. When running in dev environment, web console is enabled by default.

string

Password for the web console endpoint. When running in dev environment, password is not required.

Corteza intentionally sets default password to random chars to prevent security incidents.

string

Username for the web console endpoint.

string

string

Webapp base URL is internaly prefixed with baseUrl

bool

string

string

Space delimited list of role handles. These roles are automatically assigned to anonymous user. Memberships can not be managed for these roles.

string

Space delimited list of role handles. These roles are automatically assigned to authenticated user. Memberships can not be managed for these roles. System will refuse to start if roles listed here are also listed under anonymous roles

string

Space delimited list of role handles. These roles causes short-circuiting access control check and allowing all operations. System will refuse to start if check-bypassing roles are also listed as authenticated or anonymous auto-assigned roles.

bool

Log RBAC related events and actions

string

string

Prefix for SCIM API endpoints

bool

Enable SCIM subsystem

bool

Use external IDs in SCIM API endpoints

string

Validates format of external IDs. Defaults to UUID

string

Secret to use to validate requests on SCIM API endpoints = Email sending

string

The SMTP from email parameter

string

The SMTP server hostname.

string

The SMTP password.

int

The SMTP post.

bool

Allow insecure (invalid, expired TLS certificates) connections.

string

string

The SMTP username. = Actionlog

bool

bool

bool

bool

Enable API Gateway debugging info

bool

Enable API Gateway

bool

Enable extra logging

bool

Enable incoming request body output in logs

bool

Enable profiler

bool

Profiler enabled for all routes

bool

Enable full debug log on requests / responses - warning, includes sensitive data

bool

Follow redirects on proxy requests

time.Duration

Outbound request timeout = Authentication

time.Duration

Lifetime of the access token. Should be shorter than lifetime of the refresh token.

string

Path to js, css, images and template source files

When corteza starts, if path exists it tries to load template files from it.

When empty path is set (default value), embedded files are used.

string

Frontend base URL. Must be an absolute URL, with the domain. This is used for some redirects and links in auth emails.

string

Cookie name used for CSRF protection

bool

Enable CSRF protection

string

Form field name used for CSRF protection

string

Secret used for securing CSRF protection

string

Handle for OAuth2 client used for automatic redirect from /auth/oauth2/go endpoint.

This simplifies configuration for OAuth2 flow for Corteza Web applications as it removes the need to suply redirection URL and client ID (oauth2/go endpoint does that internally)

bool

When enabled, corteza reloads template before every execution. Enable this for debugging or when developing auth templates.

Should be disabled in production where templates do not change between server restarts.

string

Secret used for securing cookies

string

Redirect URL to be sent with OAuth2 authentication request to provider

provider placeholder is replaced with the actual value when used.

time.Duration

How often are expired sessions and tokens purged from the database

string

Algoritm to be use for JWT signature.

Supported valus: - HS256, HS384, HS512 - PS256, PS384, PS512, - RS256, RS384, RS512

Provide shared secret string for HS256, HS384, HS512 and full private key or path to the file PS* and RS* algorithms.

string

Raw private key or absolute or relative path to the file containing one.

bool

Enable extra logging for authentication flows

bool

Password security allows you to disable constraints to which passwords must conform to.

string

When set, Corteza creates one or more users with the configured values using provided email as a password. It skips existing (email, handle). All new users are assigned to all bypass roles.

When set in production, Corteza stops and reports an error

time.Duration

Lifetime of the refresh token. Should be much longer than lifetime of the access token.

Refresh tokens are used to exchange expired access tokens with new ones.

int

How many requests from a cerain IP address are allowed in a time window. Set to zero to disable

time.Duration

How many requests from a cerain IP address are allowed in a time window

string

Secret used for signing JWT tokens. Value is used only when HS256, HS384 or HS512 algorithm is used.

string

Session cookie domain

string

Session cookie name

string

Session cookie path

bool

Defaults to true when HTTPS is used. Corteza will try to guess the this setting by

time.Duration

Maximum time user is allowed to stay idle when logged in without "remember-me" option and before session is expired.

Recomended value is between an hour and a day.

time.Duration

Duration of the session in /auth lasts when user logs-in with "remember-me" option.

If set to 0, "remember-me" option is removed. = Connection to Corredor

string

Hostname and port of the Corredor gRPC server.

time.Duration

bool

Enable/disable Corredor integration

time.Duration

time.Duration

time.Duration

Max delay for backoff on connection.

int

Max message size that can be recived.

bool

string

bool

string

string

string

string

string

bool

Enable eventbus scheduler.

time.Duration

Set time interval for eventbus scheduler. = federation

time.Duration

Delay in seconds for data sync

int

Bulk size in fetching for data sync

bool

Federation enabled on system, it toggles rest API endpoints, possibility to map modules in Compose and sync itself

string

Host that is used during node pairing, also included in invitation

string

Federation label

time.Duration

Delay in seconds for structure sync

int

Bulk size in fetching for structure sync = Limits

int

Maximum number of valid (not deleted, not suspended) users = locale

bool

When enabled, Corteza reloads language files on every request Enable this for debugging or developing.

string

List of compa delimited languages (language tags) to enable. In case when an enabled language can not be loaded, error is logged.

When loading language configurations (config.xml) from the configured path(s).

bool

Log locale related events and actions

string

string

Name of the query string parameter used to pass the language tag (it overrides Accept-Language header). Set it to empty string to disable detection from the query string. This parameter is ignored if only one language is enabled

bool

When enabled, an editor for resource translations is enabled in UI = log

bool

Disables json format for logging and enables more human-readable output with colors.

Disable for production.

string

Log filtering rules by level and name (log-level:log-namespace). Please note that level (LOG_LEVEL) is applied before filter and it affects the final output!

Leave unset for production.

Example: warn+:* :auth,workflow. Log warnings, errors, panic, fatals. Everything from auth and workflow is logged.

See more examples and documentation here: https://github.com/moul/zapfilter

bool

Set to true to see where the logging was called from.

Disable for production.

string

Minimum logging level. If set to "warn", Levels warn, error, dpanic panic and fatal will be logged.

Recommended value for production: warn

Possible values: debug, info, warn, error, dpanic, panic, fatal

string

Include stack-trace when logging at a specified level or below. Disable for production.

Possible values: debug, info, warn, error, dpanic, panic, fatal

bool

Enable messagebus

bool

Enable extra logging for messagebus watchers = Monitoring

time.Duration

Output (log) interval for monitoring. = Object (file) storage

string

string

component placeholder is replaced with service name (e.g system).

string

string

component placeholder is replaced with service name (e.g system).

string

string

bool

bool

string

Location where uploaded files are stored. = Provisioning

bool

Controls if provision should run when the server starts.

string

Colon seperated paths to config files for provisioning. = Sentry monitoring

string

Set to enable Sentry client.

bool

Attach stacktraces

bool

Print out debugging information.

string

Set reported distribution.

string

Set reported environment.

int

Maximum number of bredcrumbs.

string

Set reported Release.

float64

Sample rate for event submission (0.0 - 1.0. defaults to 1.0)

string

Set reported Server name.

string

Set to enable Sentry client for webapp. = Rendering engine

string

Gotenberg rendering container address.

bool

Is Gotenberg rendering container enabled. = Data store (database) upgrade

bool

Controls if the upgradable systems should be upgraded when the server starts.

bool

Enable/disable debug logging. To enable debug logging set UPGRADE_DEBUG=true. = Delay system startup

time.Duration

Delays API startup for the amount of time specified (10s, 2m…​). This delay happens before service (WAIT_FOR_SERVICES) probing.

string

Space delimited list of hosts and/or URLs to probe. Host format: host or host:443 (port will default to 80).

time.Duration

Interval between service probes.

time.Duration

Timeout for each service probe.

time.Duration

Max time for each service probe.

bool

Show temporary status web page. = Websocket server

bool

Enable extra logging for authentication flows

time.Duration

time.Duration

time.Duration

Time before WsServer gets timed out. = Workflow

int

Defines the maximum call stack size between workflows

bool

Enables verbose logging for workflow execution

bool

Registers enabled and valid workflows and executes them when triggered

bool

Enables execution stack trace construction

bool

Forces the stack trace to record all steps = Discovery

string

Indicates host of corteza discovery server

string

Indicates host of corteza compose webapp

bool

Enable discovery related activity info

bool

Enable discovery endpoints = attachment

string

Avatar initials background color

string

Avatar initials text color

string

Avatar initials font file path

int64

Avatar image maximum upload size, default value is 1MB = webapp

string

Path to custom SCSS source files directory