
Configuration editor

ORY Keto Configuration

Add this to allow defining the schema, useful for IDE integration

Sets the data source name. This configures the backend where ORY Keto persists data. If dsn is "memory", data will be written to memory and is lost when you restart this instance. ORY Hydra supports popular SQL databases. For more detailed configuration information go to: https://www.ory.sh/docs/hydra/dependencies-environment#sql

serve

Read API (http and gRPC)

The port to listen on.

The network interface to listen on.

Cross Origin Resource Sharing (CORS)

Configure [Cross Origin Resource Sharing (CORS)](http://www.w3.org/TR/cors/) using the following options.

If set to true, CORS will be enabled and preflight requests (OPTIONS) will be answered.

Allowed Origins

A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Usage of wildcards implies a small performance penalty. Only one wildcard can be used per origin.

GET
POST
PUT
DELETE
PATCH

A list of methods the client is allowed to use with cross-domain requests.

Allowed Request HTTP Headers

A list of non simple headers the client is allowed to use with cross-domain requests.

Allowed Response HTTP Headers

Indicates which headers are safe to expose to the API of a CORS API specification.

Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.

Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.

Set to true to debug server side CORS issues.
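An added example (not part of the Keto documentation or code base) that audits an allowed-origins list against the wildcard rule described above. The `CORS` struct, its field names, and the prefix/suffix matching are assumptions made for illustration; the sample configuration is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// CORS holds the two options audited here. Field names are assumptions made
// for this example, not Keto's configuration keys.
type CORS struct {
	AllowedOrigins   []string
	AllowCredentials bool
}

// matchOrigin: "*" alone allows every origin; a single "*" inside a pattern
// stands for zero or more characters (assumed prefix/suffix matching).
func matchOrigin(pattern, origin string) bool {
	i := strings.Index(pattern, "*")
	if i < 0 {
		return pattern == origin
	}
	pre, suf := pattern[:i], pattern[i+1:]
	return len(origin) >= len(pre)+len(suf) &&
		strings.HasPrefix(origin, pre) && strings.HasSuffix(origin, suf)
}

// audit returns one finding per risky entry in the allow-list.
func audit(c CORS) []string {
	var out []string
	for _, p := range c.AllowedOrigins {
		switch {
		case strings.Count(p, "*") > 1:
			out = append(out, p+": more than one wildcard")
		case p == "*":
			out = append(out, fmt.Sprintf("*: every origin allowed (credentials=%v)", c.AllowCredentials))
		case strings.Contains(p, "*") && !strings.Contains(p, "://*."):
			out = append(out, p+": wildcard is not a whole subdomain label")
		case strings.HasPrefix(p, "http://") && c.AllowCredentials:
			out = append(out, p+": plaintext origin allowed with credentials")
		}
	}
	return out
}

func main() {
	// Constructed sample configuration.
	cfg := CORS{[]string{"https://*.example.com", "https://*example.com"}, true}
	for _, f := range audit(cfg) {
		fmt.Println("finding:", f)
	}
	// The loose pattern also matches an unrelated registrable domain.
	fmt.Println(matchOrigin("https://*example.com", "https://notexample.com"))
}
```

The same check applies to the allowed-origins lists of the write, metrics and syntax APIs, since each listener carries its own CORS block.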

HTTPS

Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.

Private Key (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.

TLS Certificate (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.

Write API (http and gRPC)

The port to listen on.

The network interface to listen on.

Cross Origin Resource Sharing (CORS)

Configure [Cross Origin Resource Sharing (CORS)](http://www.w3.org/TR/cors/) using the following options.

If set to true, CORS will be enabled and preflight requests (OPTIONS) will be answered.

Allowed Origins

A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Usage of wildcards implies a small performance penalty. Only one wildcard can be used per origin.

GET
POST
PUT
DELETE
PATCH

A list of methods the client is allowed to use with cross-domain requests.

Allowed Request HTTP Headers

A list of non simple headers the client is allowed to use with cross-domain requests.

Allowed Response HTTP Headers

Indicates which headers are safe to expose to the API of a CORS API specification.

Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.

Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.

Set to true to debug server side CORS issues.

HTTPS

Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.

Private Key (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.

TLS Certificate (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.

Metrics API (http only)

The port to listen on.

The network interface to listen on.

Cross Origin Resource Sharing (CORS)

Configure [Cross Origin Resource Sharing (CORS)](http://www.w3.org/TR/cors/) using the following options.

If set to true, CORS will be enabled and preflight requests (OPTIONS) will be answered.

Allowed Origins

A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Usage of wildcards implies a small performance penalty. Only one wildcard can be used per origin.

GET
POST
PUT
DELETE
PATCH

A list of methods the client is allowed to use with cross-domain requests.

Allowed Request HTTP Headers

A list of non simple headers the client is allowed to use with cross-domain requests.

Allowed Response HTTP Headers

Indicates which headers are safe to expose to the API of a CORS API specification.

Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.

Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.

Set to true to debug server side CORS issues.

HTTPS

Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.

Private Key (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.

TLS Certificate (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.

Ory Permission Language Syntax API (http and gRPC)

The port to listen on.

The network interface to listen on.

Cross Origin Resource Sharing (CORS)

Configure [Cross Origin Resource Sharing (CORS)](http://www.w3.org/TR/cors/) using the following options.

If set to true, CORS will be enabled and preflight requests (OPTIONS) will be answered.

Allowed Origins

A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Usage of wildcards implies a small performance penalty. Only one wildcard can be used per origin.

GET
POST
PUT
DELETE
PATCH

A list of methods the client is allowed to use with cross-domain requests.

Allowed Request HTTP Headers

A list of non simple headers the client is allowed to use with cross-domain requests.

Allowed Response HTTP Headers

Indicates which headers are safe to expose to the API of a CORS API specification.

Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.

Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.

Set to true to debug server side CORS issues.

HTTPS

Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.

Private Key (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.

TLS Certificate (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.


Enables CPU or memory profiling if set. For more details on profiling Go programs read [Profiling Go Programs](https://blog.golang.org/profiling-go-programs).

Log

Configure logging using the following options. Logs will always be sent to stdout and stderr.

info

The level of log entries to show. Debug enables stack traces on errors.

text

The output format of log messages.

If set, sensitive values (e.g. emails) will be leaked in the logs.

Text to use when redacting sensitive log values.

tracing

Configure distributed tracing using OpenTelemetry.


Set this to the tracing backend you wish to use. Supports Jaeger, Zipkin, and OTEL.

Specifies the service name to use on the tracer.

Specifies the deployment environment to use on the tracer.

providers

jaeger

Configures the jaeger tracing backend.

IPv6 Address and Port


The address of the jaeger-agent where spans should be sent to.

sampling

The address of jaeger-agent's HTTP sampling server.

Trace Id ratio sample

zipkin

Configures the zipkin tracing backend.

The address of the Zipkin server where spans should be sent to.

sampling

Sampling ratio for spans.

otlp

Configures the OTLP tracing backend.

IPv6 Address and Port


The endpoint of the OTLP exporter (HTTP) where spans should be sent to.

Will use HTTP if set to true; defaults to HTTPS.

sampling

Sampling ratio for spans.

Legacy namespace Repo URI

A URI that points to a directory of namespace files, a single file with all namespaces, or a websocket connection that provides the former via `github.com/ory/x/watcherx.WatchAndServeWS`.

Namespace configuration or its location.

Limits

Limits aiming to control the resource consumption. These limits are not a sufficient replacement for rate-limiting.

The global maximum depth on all read operations. Note that this does not affect how deeply nested the tuples can be. This value can be decreased for a request by a value specified on the request, only if the request-specific value is greater than 1 and less than the global maximum depth.

The global maximum width on all read operations. Note that this does not affect how deeply nested the tuples can be. This value can be decreased for a request by a value specified on the request, only if the request-specific value is greater than 1 and less than the global maximum width.

Global outgoing network settings

Configure how outgoing network calls behave.

Global HTTP client configuration

Configure how outgoing HTTP calls behave.

Disallow all outgoing HTTP calls to private IP ranges. This feature can help protect against SSRF attacks.

SemVer according to https://semver.org/ prefixed with `v` as in our releases.
