Skip to main content

Cloudentity Platform Configuration Reference

Regardless of the deployment type you run, the Cloudentity platform shares common configuration reference that can be used to adjust the platform settings to any business need.

# logging
logging:
    level: info # logging level (panic, fatal, error, warn, info, debug, trace)
# http server
server:
    system_tenant: system # name of the system tenant
    url: https://localhost:8443 # server url template
    mtls_url: "" # mtls server url template
    vanity_url_template: "" # vanity url template (https://{{vanityID}}.vanity.cloudentity.io)
    vanity_mtls_url_template: "" # vanity mtls url template (https://{{vanityID}}.mtls.vanity.cloudentity.io)
    assets_url: "" # url template to cdn with static files
    image_proxy_url: "" # url template to image proxy
    grpc_url: localhost:9443 # grpc url
    port: 8443 # http server port
    grpc_port: 9443 # grpc server port
    do_not_print_audit_logs_for_static_files: true # do not print audit logs for static files
    timeout: 10s # http server timeout
    etag_backoff: 200ms # etag backoff duration
    etag_retries: 25 # max number of etag retries
    audit_logs: true # enable audit logs
    disable_audit_logs_in_stdout: false # disable publishing audit logs to stdout
    http_logs: false # enable http request and response logging
    max_size_bytes: 1048576 # max size of http request body
    dangerous_disable_tls: false # disable tls
    disable_cache: false # disable cache
    disable_gzip: true # disable http gzip encoding
    disable_csrf: false # disable csrf protection
    disable_security: false # disable security middleware
    client_auth_type: RequestClientCert # mtls http server client auth type
    # http server tls
    certificate:
        password: "" # key passphrase
        cert_path: ./certs/srv/cert.pem # path to the certificate PEM file
        key_path: ./certs/srv/cert-key.pem # path to the key PEM file
        cert: "" # base64 encoded cert PEM
        key: "" # base64 encoded key PEM
        generated_key_type: rsa # type for generated key if cert and key are not provided (rsa or ecda)
    disable_monitoring: false # disable /metrics endpoint
    http_metrics_per_tenant: false # enable http metrics per tenant
    disable_async_processing: false # disable async processing (streams,queue)
    # http security configuration (github.com/unrolled/secure)
    security:
        browserxssfilter: true
        contenttypenosniff: true
        forcestsheader: false
        framedeny: true
        isdevelopment: false
        sslredirect: true
        sslforcehost: false
        ssltemporaryredirect: false
        stsincludesubdomains: true
        stspreload: true
        contentsecuritypolicy: |
            default-src 'self';
            script-src 'self' $NONCE 'unsafe-eval';
            worker-src 'self' 'strict-dynamic' $NONCE;
            style-src 'self' 'unsafe-inline' https:;
            font-src 'self' https:;
            img-src 'self' data: https:;
            connect-src 'self' wss:;
            frame-src 'self' https://www.google.com;
        contentsecuritypolicyreportonly: ""
        custombrowserxssvalue: ""
        customframeoptionsvalue: SAMEORIGIN
        publickey: ""
        referrerpolicy: same-origin
        featurepolicy: ""
        permissionspolicy: accelerometer=(),camera=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),screen-wake-lock=(),serial=(),usb=()
        crossoriginopenerpolicy: ""
        sslhost: ""
        allowedhosts: []
        allowedhostsareregex: false
        hostsproxyheaders:
            - X-Forwarded-Host
        sslproxyheaders:
            X-Forwarded-Proto: https
        stsseconds: 31536000
        expectctheader: ""
        securecontextkey: ""
    # cors configuration
    cors:
        allowedorigins:
            - '*'
        allowedheaders:
            - Content-Type
            - Authorization
            - If-Match
        allowedmethods:
            - GET
            - POST
            - PUT
            - DELETE
    # gateway authorizer packages
    packages:
        apigeeedge:
            file: /enforcement/apigee-edge-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        apigeex:
            file: /enforcement/apigee-x-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        aws:
            file: /enforcement/cloudentity-mp-aws-gw-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        istio:
            file: /enforcement/istio-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        kong:
            file: /enforcement/kong-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        kusk:
            file: /enforcement/standalone-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        pyron:
            file: /enforcement/pyron-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        standalone:
            file: /enforcement/standalone-authorizer.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
    # openbanking packages
    openbanking_packages:
        br:
            file: /packages/openbanking/openbanking-quickstart-br.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        cdr:
            file: /packages/openbanking/openbanking-quickstart-cdr.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        fdx:
            file: /packages/openbanking/openbanking-quickstart-fdx.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        generic:
            file: /packages/openbanking/openbanking-quickstart-generic.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
        uk:
            file: /packages/openbanking/openbanking-quickstart-uk.zip # path to package file
            url: "" # url to package
            username: "" # basic auth username for url
            password: "" # basic auth password for url
    templates_dir: ./web/templates # path to dir with templates
    static_dir: ./web/static # path to the dir with static files for templates
    app_static_dir: ./web/app/build/static # path to the dir with static files for react frontend app
    app_dir: ./web/app/build # path to the dir with react frontend app for acp
    swagger_dir: ./web/swagger # path to the dir with swagger ui
    swagger_path_template: ./api/handler/{{module}}.yaml # path to the swagger-{{module}}.yaml
    redirect_to_default_tenant: false # enable redirection to default tenant
    client_certificate_header: "" # default client http TLS certificate header name
    client_certificate_format_header: X-SSL-CERT-FORMAT # format of tls certificate injected as a header
    region: default # The name of the region in which this node is running
    # public path prefix for openbanking brazil endpoints
    obbr_base_paths: []
    # external integrations configuration e.g. hubspot
    integrations:
        # hubspot configuration
        hubspot:
            enabled: false # enabled
            script_src: "" # script source
        # Google Analytics configuration
        google_analytics:
            enabled: false # enabled
            measurement_id: "" # measurement id
        # Google Custom Search JSON API configuration
        google_images:
            api_key: "" # Google Custom Search JSON API key
            cx: "" # The identifier of the Google Programmable Search Engine.
    rate_limiting_threshold: 0 # fine grained rate limiting threshold in number of requests per second
    # licensing configuration
    licensing:
        default_license_type: trial # DefaultLicenseType is the default license type for new tenants
        default_license_duration: 1440h0m0s # DefaultLicenseDuration is the default license duration for new tenants
# sql encryption secret
secrets:
    - id: "1" # secret id
      key: FmIQrzqf7dT57SjVH3g52SEVx45WH9pE # secret key
# pbkdf2 secret hashing configuration
hashing:
    number_of_iterations: 4096 # number of iterations
    key_length: 128 # key length
    salt: WuD0izLakS24Uyft65JP # salt (at least 8 characters)
    function: SHA-512 # SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512
# system tenant
system:
    secret: n8HF35qzZkmsukHJzzz9LnN8m9Mf97uq # system client secret
# limits
limits:
    max_number_of_client_rotated_secrets: 1 # max number of client rotated secrets
    # send otp per address global limit
    send_otp_limit:
        enabled: true # enable rate limiter
        period: 1m0s # period
        rate: 2 # rate
        burst: 1 # max burst
    # limits for admin websocket notifications
    notifications:
        audit_event: 3s
        scope_grants: 3s
    batch_size: 1000
# brute force limits
brute_force_limits:
    enabled: true
    mfa:
        max_attempts: 5
        block_duration: 1m0s
    client_authentication:
        max_attempts: 5
        block_duration: 1m0s
    device_handling:
        max_attempts: 5
        block_duration: 1m0s
    identity_code_inspect:
        max_attempts: 5
        block_duration: 1m0s
    identity_code_verify:
        max_attempts: 5
        block_duration: 1m0s
    identity_change_password:
        max_attempts: 5
        block_duration: 1m0s
    identity_confirm_password:
        max_attempts: 5
        block_duration: 1m0s
    identity_verify_password:
        max_attempts: 5
        block_duration: 1m0s
    identity_registration:
        max_attempts: 5
        block_duration: 1m0s
    identity_set_credential:
        max_attempts: 5
        block_duration: 1m0s
    identity_self_register:
        max_attempts: 5
        block_duration: 1m0s
    identity_activate_self_registered:
        max_attempts: 5
        block_duration: 1m0s
    identity_self_activation:
        max_attempts: 5
        block_duration: 1m0s
    identity_self_change_password:
        max_attempts: 5
        block_duration: 1m0s
    identity_authentication:
        max_attempts: 5
        block_duration: 1m0s
    identity_address_verification:
        max_attempts: 5
        block_duration: 1m0s
# feature flags
features:
    dev_mode: false # hot reloading of templates
    demo_app: false # demo app
    swagger_ui: false # swagger ui
    disable_embedded_sms_provider: false # disable embedded sms provider
    debug: false # enable additional debug logs
    block_non_vanity_domain_access: false # block access to a tenant's resources from traffic not originating from the tenant's vanity domain
    dedicated_faas: false # allow the usage of dedicated FaaS Rego/JS environments
    client_secrets_stored_as_one_way_hash: false # stores client secrets as one-way hashes
    admin_workspace_access: true # admin workspace access
    system_workspace_access: true # system workspace access
    insecure_disable_csrf: false # disable csrf
    insecure_token_exchange_public_clients: false # insecure token exchange public clients
    disable_audit_events: false # disable audit events
    cache_access_tokens: false # cache access tokens
    cdr_disable_unique_software_id: false # disable unique software id for CDR
    do_not_validate_cert_for_private_key_jwt: false # do not validate cert for private key jwt
    drop_tokens_on_password_reset: false # drop tokens on password reset
    initialize_demo_workspace: false # when enabled and the display_workspace_wizard feature flag is set to true, a demo workspace with a set of preconfigured IDPs is created and no welcome screen is displayed
    scope_transient_otp: false # scope transient_otp
    cloudentity_idp: false # Cloudentity IDP
    add_fake_tenant_url_to_login_request_for_non_default_routing: false # add fake tenantUrl to query params for routing other than default (needed for backward compatibility with CIP for vanity domains)
    rar: false # rich authorization requests
    connect_id: false # connectID profile
    identity_assurance: false # identity assurance
    connect_id_consent_page_face_lifting: false # connect ID consent page facelifting
    simple_api_integration: false # simple api integration
    openbanking_ksa: false # openbanking ksa workspace and security profile
    tree_dump_tenant: false # hierarchical dumps tenant APIs
    cdr_arrangement_cache: false # arrangement cache for CDR
    mark_address_as_verified_on_any_proof_of_possession: true # mark address as verified on any proof of possession of the address
    identity_pool_mfa: false # Identity Pool MFA
    cdr_amend_audit_event_with_previous_arrangement: false # add previous arrangement to CDR amend audit event
    saml_v2: false # Enable SAML V2
    jit_permissions: false # Enforce JIT users roles
    scripts_runtime_versions: false # Scripts runtime versions
    admin_portal_face_lifting: false # Admin portal face lifting
    permissions: false # Permissions
    roles: false # Roles
    organizations: false # Organizations
    identifier_based_discovery: false # Identifier-based discovery
    self_service: false # Self-service
# http client
client:
    timeout: 5s # http client timeout
    retry_wait_min: 10ms # minimum time to wait between retries
    retry_wait_max: 100ms # maximum time to wait between retries
    retry_max: 2 # maximum number of retries
    root_ca: "" # file path to the root ca that this client should trust (defaults to system root ca)
    root_ca_pem: "" # PEM encoded root ca  that this client should trust
    insecure_skip_verify: false # disable cert verification
    # client TLS configuration
    tls:
        certificate: "" # file path to the client certificate
        key: "" # file path to the client key
        certificate_pem: "" # client certificate PEM encoded
        key_pem: "" # client key PEM encoded
    disable_follow_redirects: false # disable follow redirects
    disable_retry: false # disable retry
# sql client
sql:
    url: postgres://root@crdb:26257/defaultdb?sslmode=disable # sql connection url
    type: "" # sql db type cockroachdb or postgresql
    # urls to replicas in master/slave mode
    replicas: []
    max_open_conns: 8 # max number of open connection
    max_idle_conns: 0 # max number of idle connection
    # migrations configuration
    migrations:
        disable: false # disable migrations
        path: ./migrations # path to the migrations
        timeout: 1m0s # timeout for running migrations
        down: false # DANGEROUS run all migrations down (removes all data from the database)
    with_cockroachdb_enterprise: false # turn on cockroachdb enterprise features
    # garbage collection ttl per table (default 24h)
    gc:
        audit_events: 1h6m40s
        refresh_tokens: 1h6m40s
    cockroachdb_use_limit_ordering_for_streaming_group_by: false # enable optimizer_use_limit_ordering_for_streaming_group_by feature flag for cockroachdb available from version 22.2.3
# timescale client
timescale:
    enabled: false # enable timescaledb
    url: postgres://postgres:password@timescale/acp?sslmode=disable # sql connection url
    # urls to replicas in master/slave mode
    replicas: []
    max_open_conns: 8 # max number of open connection
    max_idle_conns: 0 # max number of idle connection
    # migrations configuration
    migrations:
        disable: false # disable migrations
        path: ./migrations/timescale # path to the migrations
        timeout: 1m0s # timeout for running migrations
        down: false # DANGEROUS run all migrations down (removes all data from the database)
    data_retention: 2160h0m0s # data retention duration
# spicedb client for external permissions (permission systems)
spicedb:
    enabled: false # enable spicedb
    dry_run: false # turn off enforcement
    url: spicedb:50051 # spicedb endpoint url
    token: secret # bearer token
    ca: "" # path to the root ca
    insecure_skip_verify: false # skip tls verification
# spicedb client for internal permissions (roles)
internal_spicedb:
    enabled: false # enable spicedb
    dry_run: false # turn off enforcement
    url: internal-spicedb:50051 # spicedb endpoint url
    token: secret # bearer token
    ca: "" # path to the root ca
    insecure_skip_verify: false # skip tls verification
# redis client
redis:
    id: redis # redis database id
    region: local # region id
    scan_count: 100 # Number of entries fetched using SCAN
    push_limit: 1024 # at-least-once delivery queue push limit
    number_of_workers: 8 # number of workers for stream handlers
    # Either a single address or a seed list of host:port addresses
    addrs:
        - 127.0.0.1:6379
    db: 0 # Database to be selected after connecting to the server.
    master_name: "" # The sentinel master name.
    username: "" # username
    password: "" # password
    sentinel_password: "" # sentinel password
    max_retries: 3 # max retires
    min_retry_backoff: 8ms # min retry backoff
    max_retry_backoff: 512ms # max retry backoff
    dial_timeout: 5s # dial timeout
    read_timeout: 3s # read timeout
    write_timeout: 3s # write timeout
    pool_size: 0 # pool size
    min_idle_conns: 0 # min idle connections
    max_conn_age: 0s # max connection age
    pool_timeout: 4s # pool timeout
    idle_timeout: 5m0s # idle timeout
    idle_check_frequency: 1m0s # idle check frequency
    max_redirects: 3 # max redirects
    read_only: false # read only
    route_by_latency: false # route by latency
    route_randomly: false # route randomly
    # redis search indexes
    indexes:
        - name: tokens # redis search index name
          # redis search index prefixes
          prefix:
            - access_tokens
            - authorization_codes
            - device_codes
            - openid_tokens
            - pkce_sessions
            - refresh_tokens
            - authorize_requesters
          # redis search tags for index
          tags:
            - tenant_id
            - server_id
            - client_id
            - subject
            - token_type
            - collection
            - consent_id
            - consent_type
            - customer_id
            - sso_session_id
        - name: users # redis search index name
          # redis search index prefixes
          prefix:
            - users
            - user_identifiers
            - user_verified_addresses
            - user_codes
          # redis search tags for index
          tags:
            - tenant_id
            - pool_id
            - user_id
        - name: sessions # redis search index name
          # redis search index prefixes
          prefix:
            - sso_sessions
          # redis search tags for index
          tags:
            - tenant_id
            - server_id
            - subject
        - name: mfa_sessions # redis search index name
          # redis search index prefixes
          prefix:
            - mfa_sessions
          # redis search tags for index
          tags:
            - tenant_id
            - user_pool_id
            - user_id
    # redis streams configuration
    streams:
        max_length: 100000 # max length for streams
        max_ttl: 24h0m0s # max ttl for entries in streams
        trim_interval: 1m0s # trim max ttl interval
        disable_trim: false # disable trimming
        count: 128 # number of events to read from a stream
        block: 1s # duration until timeout
        handler_timeout: 30s # stream handler timeout
        stats_interval: 10s # streams stats interval
        # streams auto claim count
        auto_claim:
            interval: 1s # streams auto claim interval
            min_idle: 30s # streams auto claim min idle
            count: 100 # streams auto claim count
        sleep: 100ms # sleep between reads
        max_retries: 10 # max number of retries
        prefix: "" # redis stream name prefix
        auto_ack: false # automatically ack all messages when there is no error
        # etags configuration
        etag:
            duration: 1m0s # max duration to wait for confirmation
            size: 10000 # max size of confirmations queue
    # redis tls configuration
    tls:
        enabled: false # enable tls
        cert: "" # path to the public key cert PEM file
        key: "" # path to the private key PEM file
        ca: "" # path to the root ca PEM file
        insecure_skip_verify: false # skip host name verification
    max_backoff_retries: 5 # constant backoff max number of retries
    backoff_duration: 10ms # constant backoff duration
    # consumer group configuration - option to override global settings for a given consumer group
    consumer_groups:
        analytics:
            timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
            batch_size: 0 # count of messages in a singe batch, 0 for default size
            max_retries: -1
        audit_logs_timescale:
            timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
            batch_size: 200 # count of messages in a singe batch, 0 for default size
            max_retries: -1
        gateway:
            timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
            batch_size: 100 # count of messages in a singe batch, 0 for default size
            max_retries: 0
        identity_cleanup:
            timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
            batch_size: 1 # count of messages in a singe batch, 0 for default size
            max_retries: 0
# optional local redis client (uses redis client configuration if addrs is empty)
local_redis:
    id: local-redis # redis database id
    region: local # region id
    scan_count: 100 # Number of entries fetched using SCAN
    push_limit: 1024 # at-least-once delivery queue push limit
    number_of_workers: 8 # number of workers for stream handlers
    # Either a single address or a seed list of host:port addresses
    addrs: []
    db: 0 # Database to be selected after connecting to the server.
    master_name: "" # The sentinel master name.
    username: "" # username
    password: "" # password
    sentinel_password: "" # sentinel password
    max_retries: 3 # max retires
    min_retry_backoff: 8ms # min retry backoff
    max_retry_backoff: 512ms # max retry backoff
    dial_timeout: 5s # dial timeout
    read_timeout: 3s # read timeout
    write_timeout: 3s # write timeout
    pool_size: 0 # pool size
    min_idle_conns: 0 # min idle connections
    max_conn_age: 0s # max connection age
    pool_timeout: 4s # pool timeout
    idle_timeout: 5m0s # idle timeout
    idle_check_frequency: 1m0s # idle check frequency
    max_redirects: 3 # max redirects
    read_only: false # read only
    route_by_latency: false # route by latency
    route_randomly: false # route randomly
    # redis search indexes
    indexes:
        - name: tokens # redis search index name
          # redis search index prefixes
          prefix:
            - access_tokens
            - authorization_codes
            - device_codes
            - openid_tokens
            - pkce_sessions
            - refresh_tokens
            - authorize_requesters
          # redis search tags for index
          tags:
            - tenant_id
            - server_id
            - client_id
            - subject
            - token_type
            - collection
            - consent_id
            - consent_type
            - customer_id
            - sso_session_id
        - name: users # redis search index name
          # redis search index prefixes
          prefix:
            - users
            - user_identifiers
            - user_verified_addresses
            - user_codes
          # redis search tags for index
          tags:
            - tenant_id
            - pool_id
            - user_id
        - name: sessions # redis search index name
          # redis search index prefixes
          prefix:
            - sso_sessions
          # redis search tags for index
          tags:
            - tenant_id
            - server_id
            - subject
        - name: mfa_sessions # redis search index name
          # redis search index prefixes
          prefix:
            - mfa_sessions
          # redis search tags for index
          tags:
            - tenant_id
            - user_pool_id
            - user_id
    # redis streams configuration
    streams:
        max_length: 100000 # max length for streams
        max_ttl: 24h0m0s # max ttl for entries in streams
        trim_interval: 1m0s # trim max ttl interval
        disable_trim: false # disable trimming
        count: 128 # number of events to read from a stream
        block: 1s # duration until timeout
        handler_timeout: 30s # stream handler timeout
        stats_interval: 10s # streams stats interval
        # streams auto claim count
        auto_claim:
            interval: 1s # streams auto claim interval
            min_idle: 30s # streams auto claim min idle
            count: 100 # streams auto claim count
        sleep: 100ms # sleep between reads
        max_retries: 10 # max number of retries
        prefix: "" # redis stream name prefix
        auto_ack: false # automatically ack all messages when there is no error
        # etags configuration
        etag:
            duration: 1m0s # max duration to wait for confirmation
            size: 10000 # max size of confirmations queue
    # redis tls configuration
    tls:
        enabled: false # enable tls
        cert: "" # path to the public key cert PEM file
        key: "" # path to the private key PEM file
        ca: "" # path to the root ca PEM file
        insecure_skip_verify: false # skip host name verification
    max_backoff_retries: 5 # constant backoff max number of retries
    backoff_duration: 10ms # constant backoff duration
    # consumer group configuration - option to override global settings for a given consumer group
    consumer_groups:
        analytics:
            timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
            batch_size: 0 # count of messages in a singe batch, 0 for default size
            max_retries: -1
        audit_logs_timescale:
            timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
            batch_size: 200 # count of messages in a singe batch, 0 for default size
            max_retries: -1
        gateway:
            timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
            batch_size: 100 # count of messages in a singe batch, 0 for default size
            max_retries: 0
        identity_cleanup:
            timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout
            batch_size: 1 # count of messages in a singe batch, 0 for default size
            max_retries: 0
# sql queue
queue:
    disabled: false # disable queue worker pool
    tenant_id: "" # Limit sql queue handler to a single tenant
    count: 1 # number of pool workers
    limit: 10 # poll limit
    heartbeat_interval: 30s # heartbeat interval
    expiration_interval: 1m0s # expiration interval
    polling_interval: 1s # polling interval
    max_backoff: 10s # max backoff
    error_limit: 0.1 # error rate limit
# storage config
storage:
    # refresh tokens storage configuration
    refresh_tokens:
        enabled: true # enable storing refresh tokens in sql, stored in kv if false
        batch_limit: 1000 # refresh token batch delete limit
    # expired consents storage configuration
    consents:
        batch_limit: 1000 # expired consents batch delete limit
    # audit events strorage configuration
    audit_events:
        enabled: true # enable storing audit events in sql
        # audit events retention config
        retention:
            enabled: true # enable audit events retention
            global: true # when true, audit events retention is executed globally, not per tenant
            batch_limit: 1000 # audit events retention batch delete limit
            max_age: 168h0m0s # remove audit events older than max age
# recurring jobs
jobs:
    auditEventsRetention:
        tenant_id: system # tenant id
        id: auditEventsRetention # job id
        queue: execute_retention # queue name
        cron: 15 * * * * # cron expression
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    cdrExpiredArrangements:
        tenant_id: system # tenant id
        id: cdrExpiredArrangements # job id
        queue: openbanking_set_expired_cdr_arrangements # queue name
        cron: 0 * * * * # cron expression
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    cdrSyncRegisters:
        tenant_id: system # tenant id
        id: cdrSyncRegisters # job id
        queue: openbanking_cdr_sync_registers # queue name
        cron: '*/4 * * * *' # cron expression
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    cibaSimulatorExpiredAuthentications:
        tenant_id: system # tenant id
        id: cibaSimulatorExpiredAuthentications # job id
        queue: ciba_simulator_remove_expired_authentications # queue name
        cron: '*/1 * * * *' # cron expression
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    expiredTokens:
        tenant_id: system # tenant id
        id: expiredTokens # job id
        queue: remove_expired_refresh_tokens # queue name
        cron: 0 * * * * # cron expression
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    fdxExpiredConsents:
        tenant_id: system # tenant id
        id: fdxExpiredConsents # job id
        queue: openbanking_set_expired_fdx_consents # queue name
        cron: 0 * * * * # cron expression
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    identityStats:
        tenant_id: system # tenant id
        id: identityStats # job id
        queue: identity_stats # queue name
        cron: 45 * * * * # cron expression
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    openbankingExpiredConsents:
        tenant_id: system # tenant id
        id: openbankingExpiredConsents # job id
        queue: openbanking_remove_expired_consents # queue name
        cron: 0 * * * * # cron expression
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
    openbankingOrphanedConsents:
        tenant_id: system # tenant id
        id: openbankingOrphanedConsents # job id
        queue: openbanking_remove_orphaned_consents # queue name
        cron: 0 * * * * # cron expression
        # next execution time
        scheduled_at: {}
        # job starting from
        starting_from: {}
        paused: false # is paused
        payload: null # payload
# lru cache
cache:
    redis_ttl: 10m0s
    local_ttl: 1m0s
    local_max_size: 1000
    locks: 256
    disabled: false
# stats cache
stats:
    redis_ttl: 1m0s
    local_ttl: 10s
    local_max_size: 1000
    locks: 0
    disabled: false
# themes cache
themes_cache:
    redis_ttl: 1h0m0s
    local_ttl: 10m0s
    local_max_size: 100
    locks: 0
    disabled: false
# demo apps
demo:
    client:
        root_ca: /certs/ca.pem
        cert: /certs/cid2/cert.pem
        key: /certs/cid2/cert-key.pem
        client_id: cid2
        client_secret: xYA0YnXldHNNjgWBjXGr5xBzIjf8PW-jXWkdZZ_l0WB
        scopes:
            - introspect_openbanking_tokens
    directory:
        redirect_uris:
            - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtPaymentsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtPaymentsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtPaymentsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtPaymentsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponseByValueMtlsPaymentsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponseByValueMtlsPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmByValueMtlsPaymentsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmByValueMtlsPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponsePushedMtlsPaymentsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponsePushedMtlsPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmPushedMtlsPaymentsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmPushedMtlsPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponseByValueMtlsAccountsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponseByValueMtlsAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmByValueMtlsAccountsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmByValueMtlsAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponsePushedMtlsAccountsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponsePushedMtlsAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmPushedMtlsAccountsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmPushedMtlsAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtAccountsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtAccountsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtAccountsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtAccountsObbrDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtOpinDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtOpinDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtOpinDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtOpinDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponseByValueMtlsOpinDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponseByValueMtlsOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmByValueMtlsOpinDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmByValueMtlsOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/PlainResponsePushedMtlsOpinDcrFapiTests/callback
            - https://fapi-test:8444/test/a/PlainResponsePushedMtlsOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://fapi-test:8444/test/a/JarmPushedMtlsOpinDcrFapiTests/callback
            - https://fapi-test:8444/test/a/JarmPushedMtlsOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWithoutBrowserDcrObbrTests/callback
            - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWithoutBrowserDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/JarmByValueMtlsDcrObbrTests/callback
            - https://obbr-test:8445/test/a/JarmByValueMtlsDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/PlainResponseByValueMtlsDcrObbrTests/callback
            - https://obbr-test:8445/test/a/PlainResponseByValueMtlsDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/JarmPushedMtlsDcrObbrTests/callback
            - https://obbr-test:8445/test/a/JarmPushedMtlsDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/PlainResponsePushedMtlsDcrObbrTests/callback
            - https://obbr-test:8445/test/a/PlainResponsePushedMtlsDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/JarmByValuePrivateKeyJwtDcrObbrTests/callback
            - https://obbr-test:8445/test/a/JarmByValuePrivateKeyJwtDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtDcrObbrTests/callback
            - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/JarmPushedPrivateKeyJwtDcrObbrTests/callback
            - https://obbr-test:8445/test/a/JarmPushedPrivateKeyJwtDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/PlainResponsePushedPrivateKeyJwtDcrObbrTests/callback
            - https://obbr-test:8445/test/a/PlainResponsePushedPrivateKeyJwtDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWithoutBrowserWebhookDcrObbrTests/callback
            - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWithoutBrowserWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/JarmByValueMtlsWebhookDcrObbrTests/callback
            - https://obbr-test:8445/test/a/JarmByValueMtlsWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/PlainResponseByValueMtlsWebhookDcrObbrTests/callback
            - https://obbr-test:8445/test/a/PlainResponseByValueMtlsWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/JarmPushedMtlsWebhookDcrObbrTests/callback
            - https://obbr-test:8445/test/a/JarmPushedMtlsWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/PlainResponsePushedMtlsWebhookDcrObbrTests/callback
            - https://obbr-test:8445/test/a/PlainResponsePushedMtlsWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/JarmByValuePrivateKeyJwtWebhookDcrObbrTests/callback
            - https://obbr-test:8445/test/a/JarmByValuePrivateKeyJwtWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWebhookDcrObbrTests/callback
            - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/JarmPushedPrivateKeyJwtWebhookDcrObbrTests/callback
            - https://obbr-test:8445/test/a/JarmPushedPrivateKeyJwtWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/PlainResponsePushedPrivateKeyJwtWebhookDcrObbrTests/callback
            - https://obbr-test:8445/test/a/PlainResponsePushedPrivateKeyJwtWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum
            - https://obbr-test:8445/test/a/PlainResponsePushedPrivateKeyJwtAutomaticPaymentsWebhookObbrTests/callback
        webhook_hosts:
            - https://obbr-test-mtls:8445/test-mtls/a/PlainResponseByValuePrivateKeyJwtWithoutBrowserWebhookDcrObbrTests
            - https://obbr-test-mtls:8445/test-mtls/a/JarmByValueMtlsWebhookDcrObbrTests
            - https://obbr-test-mtls:8445/test-mtls/a/PlainResponseByValueMtlsWebhookDcrObbrTests
            - https://obbr-test-mtls:8445/test-mtls/a/JarmPushedMtlsWebhookDcrObbrTests
            - https://obbr-test-mtls:8445/test-mtls/a/PlainResponsePushedMtlsWebhookDcrObbrTests
            - https://obbr-test-mtls:8445/test-mtls/a/JarmByValuePrivateKeyJwtWebhookDcrObbrTests
            - https://obbr-test-mtls:8445/test-mtls/a/PlainResponseByValuePrivateKeyJwtWebhookDcrObbrTests
            - https://obbr-test-mtls:8445/test-mtls/a/JarmPushedPrivateKeyJwtWebhookDcrObbrTests
            - https://obbr-test-mtls:8445/test-mtls/a/PlainResponsePushedPrivateKeyJwtWebhookDcrObbrTests
# faas provider
faas:
    provider: ""
    # Available node executor env versions (sorted from oldest to the newest).
    node_env_versions:
        - version: "4" # Environment version
          valid_until: ""
          # Nodejs package json
          package_json:
            # NodeJS dependencies
            dependencies:
                async: 3.2.3
                async-lock: 1.4.0
                aws-sdk: 2.1404.0
                axios: 0.25.0
                axios-retry: 3.8.0
                body-parser: 1.19.2
                chalk: 5.0.0
                co: 4.6.0
                debug: 4.3.3
                express: 4.17.3
                express-timeout-handler: ^2.2.2
                graphql: 16.8.1
                immutable: 4.0.0
                invariant: 2.2.4
                js-yaml: 4.1.0
                jsonwebtoken: 8.5.1
                ldapjs: 2.3.1
                lodash: 4.17.21
                log4js: 6.4.1
                lru_map: 0.4.1
                minimist: 1.2.6
                mongodb: 5.9.2
                mongoose: 7.6.8
                morgan: 1.10.0
                mysql: 2.18.1
                mz: 2.7.0
                node-fetch: 3.3.2
                qs: 6.10.3
                ramda: 0.28.0
                request: 2.88.2
                request-promise-native: 1.0.9
                rxjs: 7.5.4
                uglify-js: 3.15.1
                underscore: 1.13.2
                uuid: 8.3.2
                validator: 13.7.0
                ws: 8.5.0
                xml2js: 0.5.0
            # NodeJS engine version
            engines:
                node: v16 # NodeJS engine version
        - version: "5" # Environment version
          valid_until: ""
          # Nodejs package json
          package_json:
            # NodeJS dependencies
            dependencies:
                async: 3.2.5
                async-lock: 1.4.1
                aws-sdk: 2.1541.0
                axios: 1.6.5
                axios-retry: 4.0.0
                body-parser: 1.20.2
                chalk: 5.3.0
                co: 4.6.0
                debug: 4.3.4
                express: 4.18.2
                express-timeout-handler: 2.2.2
                graphql: 16.8.1
                immutable: 4.3.4
                invariant: 2.2.4
                js-yaml: 4.1.0
                jsonwebtoken: 9.0.2
                ldapjs: 3.0.7
                lodash: 4.17.21
                log4js: 6.9.1
                lru_map: 0.4.1
                minimist: 1.2.8
                mongodb: 6.3.0
                mongoose: 8.1.0
                morgan: 1.10.0
                mysql: 2.18.1
                mz: 2.7.0
                node-fetch: 3.3.2
                qs: 6.11.2
                ramda: 0.29.1
                rxjs: 7.8.1
                uglify-js: 3.17.4
                underscore: 1.13.6
                uuid: 9.0.1
                validator: 13.11.0
                ws: 8.16.0
                xml2js: 0.6.2
            # NodeJS engine version
            engines:
                node: v18 # NodeJS engine version
    # Available rego executor env versions (sorted from oldest to the newest).
    rego_env_versions:
        - version: "5" # Environment version
          valid_until: ""
          package_json: null # Nodejs package json
# fission function as a service provider
fission:
    namespace: acp-faas # Kubernetes namespace where functions should be created
    # Runtime configuration for runtime v1
    envs:
        js: nodejs # Name of the fission environment for JS
        rego: rego # Name of the fission environment for Rego
    # Runtime configuration for runtime v2
    envs_v2:
        js: nodejs-v2 # Name of the fission environment for JS
        rego: rego-v2 # Name of the fission environment for Rego
    url: http://router.fission # URL to the fission router
    max_backoff_retries: 3 # Max backoff retries in case of 404 error
    package_template: |- # k8s package template
        apiVersion: fission.io/v1
        kind: Package
        metadata:
          name: {{ .ID }}
          namespace: {{ .Namespace }}
        spec:
          deployment:
            literal: {{ .Base64EncodedBody }}
            type: literal
          environment:
            name: {{ .Env }}
            namespace: {{ .Namespace }}
        status:
          buildstatus: succeeded
    function_template: |- # k8s function template
        apiVersion: fission.io/v1
        kind: Function
        metadata:
          name: {{ .ID  }}
          namespace: {{ .Namespace }}
        spec:
          InvokeStrategy:
            ExecutionStrategy:
              ExecutorType: poolmgr
              SpecializationTimeout: 30
            StrategyType: execution
          concurrency:  {{ .MaxPodsCount }}
          requestsPerPod: {{ .MaxRequestsPerPod }}
          environment:
            name: {{ .Env }}
            namespace: {{ .Namespace }}
          functionTimeout:  {{ .ExecutionTimeout }}
          idletimeout: {{ .IdleTimeout }}
          package:
            packageref:
              name: {{ .ID }}
              namespace: {{ .Namespace }}
              resourceversion: "{{ .ResourceVersion }}"
    # kube config
    kube:
        timeout: 0s
        kubeconfig: ""
    max_pod_age: 0s # max pod age - set 0 to unlimited
    # function settings
    function_settings:
        execution_timeout: 30s # max function execution time
        idle_timeout: 1m0s # max function idle duration
        max_pods_count: 2 # maximum pod count number
        max_requests_per_pod: 5000 # maximum numer of requests per pod
    # fission resource watcher configuration
    resource_watcher:
        interval: 1m0s # how often check for aged resources
        timeout: 10s # check timeout
# docker function as a service provider
docker:
    node_url: http://node-env:8888
    rego_url: http://rego-env:8888
    shared_node_url: http://node-env:8888
    shared_rego_url: http://rego-env:8888
# opentelemetry configuration
otel:
    service_name: acp # service name
    exporter: jaeger # opentelemetry exporter (jaeger or otlp)
    # enabled propagators (b3, baggage, tracecontext, ottrace, jaeger)
    propagators:
        - jaeger
    # jaeger opentelemetry exporter
    jaeger:
        agent_host: localhost # agent host
        agent_port: "6831" # agent port
        header: uber-trace-id # header name
    # opentelemetry protocol exporter
    otlp:
        endpoint: localhost:4318 # otlp endpoint
        path: /v1/traces # otlp path
        root_ca: "" # otlp root ca
        # additional headers
        headers: {}
        insecure_skip_verify: false # disable cert verification
        insecure_http: false # use http instead of https
# consul client https://github.com/hashicorp/consul/blob/master/api/api.go
consul:
    address: 127.0.0.1:8500
    scheme: http
    pathprefix: ""
    datacenter: ""
    transport: null
    httpclient: null
    httpauth: null
    waittime: 0s
    token: ""
    tokenfile: ""
    namespace: ""
    partition: ""
    tlsconfig:
        address: ""
        cafile: ""
        capath: ""
        capem: []
        certfile: ""
        certpem: []
        keyfile: ""
        keypem: []
        insecureskipverify: false
# vault client
vault:
    address: "" # Address is the address of the Vault server.
    agent_address: "" # AgentAddress is the address of the local Vault agent.
    max_retries: 0 # MaxRetries controls the maximum number of times to retry when a 5xx error occurs.
    timeout: 0s # Timeout is for setting custom timeout parameter in the HttpClient
    token: "" # Access token
    # TLSConfig contains the parameters needed to configure TLS on the HTTP client used to communicate with Vault.
    tls:
        cacert: ""
        cacertbytes: []
        capath: ""
        clientcert: ""
        clientkey: ""
        tlsservername: ""
        insecure: false
    # Authentication
    auth:
        approle:
            roleid: ""
            secretid: ""
# embedded smtp gateway configuration
email:
    from: Cloudentity  # From address
    username: "" # Username
    password: "" # Password
    auth: PLAIN
    host: smtp.gmail.com # SMTP server host
    port: 25 # SMTP server port
    timeout: 10s # Timeout
    start_tls: false # Send an email over TLS using STARTTLS
    insecure_skip_verify: false # Skip TLS cert verification
# embedded twilio gateway configuration
sms:
    from: Cloudentity # From number
    sid: "" # The Twilio Account SID
    auth_token: "" # The Twilio Auth Token
# messaging config
messaging:
    # email templates
    emails:
        # verify otp
        otp:
            subject: OTP # Email's subject
            file_template: ./web/emails/ce.html # Path to the file template
            text_template: Dear Customer, [[otp]] is your single-use verification code. # Text template used if tile template is not set
            message_template: | # Default message template
                
We've received a OTP Code request.

                
[[otp]]

                
Here is the OTP code that you have requested.

            # Email's attachments
            attachments: []
        # activate account with code
        activate_account_with_code:
            subject: Account activation # Email's subject
            file_template: ./web/emails/ce.html # Path to the file template
            text_template: "" # Text template used if tile template is not set
            message_template: | # Default message template
                

                Excellent!
                 Your account is almost ready.
                

                
Enter the code below on the account activation page to activate you account.

                
[[code]]

            # Email's attachments
            attachments: []
        # activate account with link
        activate_account_with_link:
            subject: Account activation # Email's subject
            file_template: ./web/emails/ce.html # Path to the file template
            text_template: "" # Text template used if tile template is not set
            message_template: | # Default message template
                

                Excellent!
                 Your account is almost ready.
                

                
Just one more step to access it

                

                	Activate account
                

                

                Alternatively, copy this link and follow it in your browser
                
[[link]]

                

            # Email's attachments
            attachments: []
        # reset credentials with code
        reset_credentials_with_code:
            subject: Credentials reset # Email's subject
            file_template: ./web/emails/ce.html # Path to the file template
            text_template: "" # Text template used if tile template is not set
            message_template: | # Default message template
                
Credentials reset

                

                We've received a request to reset your credentials.

                Your credentials reset code is:
                

                
[[code]]

            # Email's attachments
            attachments: []
        # reset credentials with link
        reset_credentials_with_link:
            subject: Credentials reset # Email's subject
            file_template: ./web/emails/ce.html # Path to the file template
            text_template: "" # Text template used if tile template is not set
            message_template: | # Default message template
                
Credentials reset

                
We've received a request to reset your credentials.

                

                	Reset credentials
                

                

                Alternatively, copy this link and follow it in your browser
                
[[link]]

                

            # Email's attachments
            attachments: []
        # identifier used
        identifier_used:
            subject: Account already exists # Email's subject
            file_template: ./web/emails/ce.html # Path to the file template
            text_template: "" # Text template used if tile template is not set
            message_template: | # Default message template
                
Account already exists

                
The email you provided is already registered with an account.

            # Email's attachments
            attachments: []
        # address verification with link
        address_verification_with_link:
            subject: Address verification # Email's subject
            file_template: ./web/emails/ce.html # Path to the file template
            text_template: "" # Text template used if tile template is not set
            message_template: | # Default message template
                
Address verification

                
We've received a request to verify your address.

                

                	Verify address
                

                

                Alternatively, copy this link and follow it in your browser
                
[[link]]

                

            # Email's attachments
            attachments: []
    # sms templates
    smses:
        # verify otp
        otp:
            message_template: Dear Customer, [[otp]] is your single-use verification code. # Message template
        # activate account with code
        activate_account_with_code:
            message_template: Dear Customer, use [[code]] to activate your account. # Message template
        # activate account with code
        activate_account_with_link:
            message_template: 'Dear Customer, use the link to activate your account: [[link]]' # Message template
        # reset credentials with code
        reset_credentials_with_code:
            message_template: Dear Customer, use [[code]] to reset your credentials. # Message template
        # reset credentials with code
        reset_credentials_with_link:
            message_template: 'Dear Customer, use the link to reset your credentials: [[link]]' # Message template
        # identifier used
        identifier_used:
            message_template: Dear Customer, this number is associated with an existing account. # Message template
        # address verification with link
        address_verification_with_link:
            message_template: 'Dear Customer, use the link to verify your address: [[link]]' # Message template
# embedded IDPs
embedded_idps:
    cookie_domain: "" # cookie domain
    # github idp
    github:
        client_id: "" # client id
        client_secret: "" # client secret
    # google idp
    google:
        client_id: "" # client id
        client_secret: "" # client secret
# global rate limits
rate_limits:
    oauth2:
        enabled: false # enable rate limiter
        period: 1m0s # period
        rate: 60 # rate
        burst: 10 # max burst
# rate limits cache
rate_limits_cache:
    redis_ttl: 1h0m0s
    local_ttl: 10m0s
    local_max_size: 1000
    locks: 0
    disabled: false
# token exchange verifier
token_exchange_verifier:
    idp_client_timeout: 5s # http client timeout when calling IDP endpoints
# subject config
subject:
    default_format: legacy # subject default format for new workspaces
# identity pools captcha configuration
captcha:
    enabled: false
    site_key: 6LdPYcYeAAAAAF5f6K9Pv5jkPEDFsOtfkwxP2a5k
    secret_key: 6LdPYcYeAAAAACiRY1ZG2iSPsHXOhYSaqTO_Ycqz
    whitelist: []
# Limits for asynchronous delete of Identity Pools
async_delete_identity_pool:
    delete_users_batch_size: 100
    delete_users_iterations_count: 30
create_tenant_with_default_admin_identity_pool: true # Default Admin Identity Pool IDP for new tenant