Ory Kratos Configuration

selfservice

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
Allowed Return To URLs

List of URLs that are allowed to be redirected to. A redirection request is made by appending `?return_to=...` to Login, Registration, and other self-service flows.
flows

settings

URL where the Settings UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
Sets what Authenticator Assurance Level (used for 2FA) is required to access this feature. If set to `highest_available` then this endpoint requires the highest AAL the identity has set up. If set to `aal1` then the identity can access this feature without 2FA.
after

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
password

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

totp

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

oidc

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

webauthn

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

passkey

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

lookup_secret

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

profile

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

hooks

before

hooks

logout

after

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
registration

If set to true, enables [User Registration](https://www.ory.sh/kratos/docs/self-service/flows/user-registration/).
When registration fails because an account with the given credentials or addresses has already signed up, show the user login hints about the available sign-in methods.
URL where the Registration UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
before

hooks

after

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
password

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

webauthn

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

passkey

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

oidc

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

code

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

hooks

Two-step registration is a significantly improved sign-up flow and is recommended when using more than one sign-up method. To revert to one-step registration, set this to `true`.
login

URL where the Login UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
The style of the login flow. If set to `unified` the login flow will be a one-step process. If set to `identifier_first` (experimental!) the login flow will first ask for the identifier and then the credentials.
before

hooks

after

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
password

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

webauthn

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

passkey

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

oidc

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

code

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

totp

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

lookup_secret

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

hooks

Email and Phone Verification and Account Activation Configuration

If set to true, enables [Email and Phone Verification and Account Activation](https://www.ory.sh/kratos/docs/self-service/flows/verify-email-account-activation/).
URL where the Ory Verify UI is hosted. This is the page where users activate and/or verify their email address or telephone number. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
after

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

Sets how long the verification request (for the UI interaction) is valid.
before

hooks

The strategy to use for verification requests.
Whether to notify recipients if verification was requested for their address.
Account Recovery Configuration

If set to true, enables [Account Recovery](https://www.ory.sh/kratos/docs/self-service/flows/password-reset-account-recovery/).
URL where the Ory Recovery UI is hosted. This is the page where users request and complete account recovery. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
after

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks

Sets how long the recovery request is valid. If expired, the user has to redo the flow.
before

hooks

The strategy to use for recovery requests.
Whether to notify recipients if recovery was requested for their account.
error

URL where the Ory Kratos Error UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
methods

Single Sign-On for B2B

Single Sign-On for B2B allows your customers to bring their own (workforce) identity server (e.g. OneLogin). This feature is not available in the open source licensed code.
config

organizations

profile

code

If set to true, code.enabled will be set to true as well.
Code Configuration

Additional configuration for the code strategy.
Enabling this allows users to sign in with the code method, even if their identity schema or their credentials are not set up to use the code method. If enabled, a verified address (such as an email) will be used to send the code to the user. Use with caution and only if actually needed.
code

Schema for `selfservice.methods.code.mfa_enabled` (not rendered by the editor; only the value `false` is accepted):

{
  "const": false
}
password

Password Configuration

Define how passwords are validated.
Allows changing the default HIBP host to a self-hosted version.
If set to false, the password validation does not use the Have I Been Pwned API.
Defines how often a password may have been breached before it is rejected.
If set to false, the password validation fails when the network or the Have I Been Pwned API is down.
Defines the minimum length of the password.
If set to false, the password validation does not check for similarity between the password and the user identifier.
migrate_hook

If set to true will enable password migration.
config

The URL the password migration hook should call.
The HTTP method to use (GET, POST, etc.).
headers

The HTTP headers that must be applied to the password migration hook.
Emit tracing events for this hook on delivery or error.
Auth mechanisms

Define which auth mechanism the web hook should use.
auth

config

The name of the API key.
The value of the API key.
How the API key should be transferred.
totp

TOTP Configuration

The issuer (e.g. a domain name) will be shown in the TOTP app (e.g. Google Authenticator). It helps the user differentiate between different codes.
lookup_secret

webauthn

WebAuthn Configuration

If enabled, WebAuthn is used for passwordless flows (as a first factor) and not for multi-factor setups. With this set to true, users will see an option to sign up with WebAuthn on the registration screen.
Relying Party (RP) Config

A name to help the user identify this RP.
The id must be a subset of the domain currently in the browser.
An explicit RP origin. If left empty, this defaults to `id`, prepended with the current protocol schema (HTTP or HTTPS).
Relying Party Origins

A list of explicit RP origins. If left empty, this defaults to either `origin` or `id`, prepended with the current protocol schema (HTTP or HTTPS).
An icon to help the user identify this RP.
rp

Schema for `selfservice.methods.webauthn.config.rp.origin` (not rendered by the editor; it is a `not` over an always-matching schema, so the field accepts no value):

{
  "not": {
    "anyOf": [
      {
        "anyOf": [
          {}
        ]
      }
    ]
  }
}
origins

passkey

Passkey Configuration

Relying Party (RP) Config

A name to help the user identify this RP.
The id must be a subset of the domain currently in the browser.
Relying Party Origins

A list of explicit RP origins. If left empty, this defaults to either `origin` or `id`, prepended with the current protocol schema (HTTP or HTTPS).
Specify OpenID Connect and OAuth2 Configuration

config

Can be used to modify the base URL for OAuth2 Redirect URLs. If unset, the Public Base URL will be used.
OpenID Connect and OAuth2 Providers

A list and configuration of OAuth2 and OpenID Connect providers Ory Kratos should integrate with.
Database related configuration

Miscellaneous settings used in database related tasks (cleanup, etc.)
Database cleanup settings

Settings that control how the database cleanup process is configured (delays, batch size, etc.).
Controls how many records should be purged from one table during a database cleanup task.
Delays between various database cleanup phases

Configures delays between each step of the cleanup process. It is useful for tuning the process so that it is efficient and performant.
Controls the delay time between cleaning each table in one cleanup iteration.
Controls how old records may be before they are purged.
DSN is used to specify the database credentials as a connection URI.
Courier configuration

The courier is responsible for sending and delivering messages over email, sms, and other means.
templates

recovery

invalid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
valid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
sms

body

A template sent to the SMS provider.
recovery_code

invalid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
valid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
sms

body

A template sent to the SMS provider.
verification

invalid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
valid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
sms

body

A template sent to the SMS provider.
verification_code

invalid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
valid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
sms

body

A template sent to the SMS provider.
registration_code

valid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
login_code

valid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
sms

body

A template sent to the SMS provider.
You can override certain or all message templates by pointing this key to the path where the templates are located.
Defines the maximum number of times the sending of a message is retried after it failed before it is marked as abandoned.
worker

Configures the dispatch worker.
Defines how many messages are pulled from the queue at once.
Defines how long the worker waits before pulling messages from the queue again.
Defines how emails will be sent, either through SMTP (default) or HTTP.
HTTP Configuration

Configures outgoing emails using HTTP.
request_config

This URL will be used to send the emails to.
The HTTP method to use (GET, POST, etc). Defaults to POST.
headers

The HTTP headers that must be applied to the request.
URI pointing to the jsonnet template used for payload generation. Only used for HTTP methods that support a request body.
Auth mechanisms

Define which auth mechanism to use for auth with the HTTP email provider.
auth

config

The name of the API key.
The value of the API key.
How the API key should be transferred.
SMTP Configuration

Configures outgoing emails using the SMTP protocol.
This URI will be used to connect to the SMTP server. Use the scheme smtps for implicit TLS sessions or smtp for explicit StartTLS/cleartext sessions. Please note that TLS is always enforced with certificate trust verification by default for security reasons on both schemes. With the smtp scheme you can use the query parameter (`?disable_starttls=true`) to allow cleartext sessions or (`?disable_starttls=false`) to enforce StartTLS (default behaviour). Additionally, use the query parameter to allow (`?skip_ssl_verify=true`) or disallow (`?skip_ssl_verify=false`) self-signed TLS certificates (default behaviour) on both implicit and explicit TLS sessions.
Path of the client X.509 certificate, in case of certificate-based client authentication to the SMTP server.
Path of the client certificate private key, in case of certificate-based client authentication to the SMTP server.
The recipient of an email will see this as the sender address.
The recipient of an email will see this as the sender name.
SMTP Headers

These headers will be passed in the SMTP conversation -- e.g. when using the AWS SES SMTP interface for cross-account sending.
Identifier used in the SMTP HELO/EHLO command. Some SMTP relays require a unique identifier.
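The SMTP connection URI rules above (scheme, `disable_starttls`, `skip_ssl_verify`) are easy to get wrong in a way that silently downgrades mail transport. The following is an added example, not Ory code: it classifies a connection URI according to those rules and reports the two settings that weaken transport security. The key name `courier.smtp.connection_uri`, the finding texts and the sample URIs are this example's own assumptions.

```python
"""Classify the transport security of a Kratos courier SMTP connection URI.

Added example, not Ory code. It applies the rules documented above for the
SMTP connection URI: the smtps scheme means implicit TLS; the smtp scheme
means StartTLS unless ?disable_starttls=true; certificate verification is on
unless ?skip_ssl_verify=true. The key name courier.smtp.connection_uri, the
finding texts and the sample URIs are this example's own (constructed).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class SmtpTransport:
    host: str
    port: Optional[int]
    implicit_tls: bool   # smtps: TLS from the first byte
    starttls: bool       # smtp: session upgraded with STARTTLS
    verify_certs: bool   # False when skip_ssl_verify=true
    findings: list[str] = field(default_factory=list)

    @property
    def encrypted(self) -> bool:
        return self.implicit_tls or self.starttls

    @property
    def weak(self) -> bool:
        return bool(self.findings)


def _flag(query: dict[str, list[str]], name: str) -> bool:
    # Assumption: only the literal value "true" (any case) turns a flag on,
    # mirroring the ?flag=true / ?flag=false forms in the reference text.
    values = query.get(name, [])
    return bool(values) and values[-1].strip().lower() == "true"


def classify_smtp_uri(uri: str) -> SmtpTransport:
    """Parse a courier.smtp.connection_uri value and report weak transport settings."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ("smtp", "smtps"):
        raise ValueError(f"unsupported scheme {scheme!r}: expected smtp or smtps")
    query = parse_qs(parts.query, keep_blank_values=True)

    implicit_tls = scheme == "smtps"
    # disable_starttls only has meaning for the explicit (smtp) scheme.
    starttls = scheme == "smtp" and not _flag(query, "disable_starttls")
    verify_certs = not _flag(query, "skip_ssl_verify")

    result = SmtpTransport(parts.hostname or "", parts.port,
                           implicit_tls, starttls, verify_certs)
    if not result.encrypted:
        result.findings.append(
            "cleartext SMTP session: disable_starttls=true turns StartTLS off")
    elif not verify_certs:
        # Only meaningful once there is a TLS session whose certificate could be checked.
        result.findings.append(
            "TLS certificate verification disabled by skip_ssl_verify=true")
    return result


def audit_connection_uris(uris: list[str]) -> dict[str, list[str]]:
    """Map each URI to its findings; an empty list means the secure defaults are intact."""
    return {uri: classify_smtp_uri(uri).findings for uri in uris}


if __name__ == "__main__":
    # Constructed sample values, not real servers.
    for uri, findings in audit_connection_uris([
        "smtps://mail.example.test:465",
        "smtp://mail.example.test:587",
        "smtp://mail.example.test:25?disable_starttls=true",
        "smtp://mail.example.test:587?skip_ssl_verify=true",
    ]).items():
        print(uri, "->", findings or "ok")
```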
SMS sender configuration

Configures outgoing SMS messages over HTTP using a generic SMS provider.
Determines if SMS functionality is enabled.
The recipient of an SMS will see this as the sender address.
request_config

This URL will be used to connect to the SMS provider.
The HTTP method to use (GET, POST, etc).
headers

The HTTP headers that must be applied to the request.
URI pointing to the jsonnet template used for payload generation. Only used for HTTP methods that support a request body.
Auth mechanisms

Define which auth mechanism to use for auth with the SMS provider.
auth

config

The name of the API key.
The value of the API key.
How the API key should be transferred.
channels

OAuth2 Provider Configuration

If set, the login and registration flows will handle the Ory OAuth 2.0 & OpenID `login_challenge` query parameter to serve as an OpenID Connect Provider. This URL should point to Ory Hydra when you are not running on the Ory Network and be left untouched otherwise.
HTTP Request Headers

These headers will be passed in the HTTP request to the OAuth2 Provider.
Override the return_to query parameter with the OAuth2 provider request URL when performing an OAuth2 login flow.
Configure Preview Features

The default consistency level to use when reading from the database. Defaults to `strong` to not break existing API contracts. Only set this to `eventual` if you can accept that other read APIs will suddenly return eventually consistent results. It is only effective in Ory Network.
serve

admin

request_log

Disable request logging for /health/alive and /health/ready endpoints
The URL where the admin endpoint is exposed at.
The host (interface) kratos' admin endpoint listens on.
The port kratos' admin endpoint listens on.
socket

Sets the permissions of the unix socket
Owner of unix socket. If empty, the owner will be the user running Kratos.
Group of unix socket. If empty, the group will be the primary group of the user running Kratos.
Mode of unix socket in numeric form
HTTPS

Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.
Private Key (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.
TLS Certificate (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.
public

request_log

Disable request logging for /health/alive and /health/ready endpoints
cors

Configures Cross Origin Resource Sharing for public endpoints.
Sets whether CORS is enabled.
allowed_origins

A list of origins a cross-domain request can be executed from. If the special `*` value is present in the list, all origins will be allowed. An origin may contain a wildcard (`*`) to replace 0 or more characters (e.g. `http://*.domain.com`). Only one wildcard can be used per origin.
allowed_methods

A list of HTTP methods the user agent is allowed to use with cross-domain requests.
allowed_headers

A list of non-simple headers the client is allowed to use with cross-domain requests.
exposed_headers

Sets which headers are safe to expose to the API of a CORS API specification.
Sets whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.
TODO
Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request.
Adds additional log output to debug server side CORS issues.
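The `allowed_origins` matching rules above (a bare `*`, or one wildcard standing for zero or more characters) decide which sites may call the public API with credentials, so an over-broad entry is worth catching before deployment. The following is an added example, not Ory code: it implements those matching rules and adds an audit for entries that admit more origins than intended. Case-insensitive comparison, the audit heuristics and the sample origins are this example's own assumptions.

```python
"""Match a request Origin against Kratos' CORS allowed_origins list.

Added example, not Ory code. It implements the matching rules stated above
for serve.public.cors.allowed_origins: a bare "*" entry allows every origin,
an entry may contain one "*" that stands for zero or more characters, and an
entry with more than one wildcard is invalid. Case-insensitive comparison and
the audit_allowed_origins() checks are this example's own assumptions; the
sample origins are constructed.
"""
from __future__ import annotations

from typing import Optional


def _split_wildcard(entry: str) -> Optional[tuple[str, str]]:
    """Return (prefix, suffix) around the single '*' in entry, or None without a wildcard."""
    if entry.count("*") > 1:
        raise ValueError(f"only one wildcard is allowed per origin: {entry!r}")
    if "*" not in entry:
        return None
    prefix, suffix = entry.split("*", 1)
    return prefix, suffix


def origin_allowed(origin: str, allowed_origins: list[str]) -> bool:
    """True if a cross-origin request from `origin` may be executed."""
    if "*" in allowed_origins:
        return True
    origin = origin.lower()  # assumption: origins compare case-insensitively
    for entry in allowed_origins:
        entry = entry.lower()
        parts = _split_wildcard(entry)
        if parts is None:
            if origin == entry:
                return True
            continue
        prefix, suffix = parts
        # '*' matches zero or more characters; prefix and suffix must not overlap.
        if (len(origin) >= len(prefix) + len(suffix)
                and origin.startswith(prefix) and origin.endswith(suffix)):
            return True
    return False


def audit_allowed_origins(allowed_origins: list[str]) -> list[str]:
    """Flag entries that admit more origins than the operator probably intends."""
    findings: list[str] = []
    for entry in allowed_origins:
        if entry == "*":
            findings.append("'*' allows every origin")
            continue
        parts = _split_wildcard(entry)
        if parts is None:
            continue
        prefix, suffix = parts
        if not suffix and not prefix.endswith(":"):
            # e.g. https://* matches every host; a trailing port wildcard (host:*) is fine.
            findings.append(f"{entry}: trailing wildcard matches any host after {prefix!r}")
        elif suffix and not suffix.startswith((".", ":")):
            # e.g. https://*example.test also matches https://notexample.test
            findings.append(f"{entry}: wildcard is not at a label boundary; "
                            f"use a '*.' form so that only subdomains match")
    return findings
```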
The URL where the endpoint is exposed at. This domain is used to generate redirects, form URLs, and more.
The host (interface) kratos' public endpoint listens on.
The port kratos' public endpoint listens on.
socket

Sets the permissions of the unix socket
Owner of unix socket. If empty, the owner will be the user running Kratos.
Group of unix socket. If empty, the group will be the primary group of the user running Kratos.
Mode of unix socket in numeric form
HTTPS

Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.
Private Key (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.
TLS Certificate (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.
tracing

Configure distributed tracing using OpenTelemetry
Set this to the tracing backend you wish to use. Supports Jaeger, Zipkin, and OTEL.
Specifies the service name to use on the tracer.
Specifies the deployment environment to use on the tracer.
providers

jaeger

Configures the jaeger tracing backend.

The editor could not render the schema for `tracing.providers.jaeger.local_agent_address`: it is titled "IPv6 Address and Port" and is constrained by a pattern matching a bracketed IPv6 address followed by `:` and a port number (`[<ipv6>]:<port>`).
The address of the jaeger-agent where spans should be sent to.
sampling

The address of jaeger-agent's HTTP sampling server.
Trace ID sampling ratio.
zipkin

Configures the zipkin tracing backend.
The address of the Zipkin server where spans should be sent to.
sampling

Sampling ratio for spans.
otlp

Configures the OTLP tracing backend.

The editor could not render the schema for `tracing.providers.otlp.server_url`: it is titled "IPv6 Address and Port" and is constrained by a pattern matching a bracketed IPv6 address followed by `:` and a port number (`[<ipv6>]:<port>`).
The endpoint of the OTLP exporter (HTTP) where spans should be sent to.
Will use HTTP if set to true; defaults to HTTPS.
sampling

Sampling ratio for spans.
Log

Configure logging using the following options. Logging will always be sent to stdout and stderr.
Debug enables stack traces on errors. Can also be set using environment variable LOG_LEVEL.
If set will leak sensitive values (e.g. emails) in the logs.
Text to use when redacting a sensitive log value.
The log format can either be text or JSON.
identity

This Identity Schema will be used as the default for self-service flows. Its ID needs to exist in the "schemas" list.
All JSON Schemas for Identity Traits

Note that identities that used the "default_schema_url" field in older kratos versions will be corrupted unless you specify their schema url with the id "default" in this list.
All JSON Schemas for Identity Traits-1

URL for the JSON Schema which describes an identity's traits. Can be a file path, an https URL, or a base64-encoded string.
secrets

Default Encryption Signing Secrets

The first secret in the array is used for signing and encrypting things while all other keys are used to verify and decrypt older things that were signed with that old secret.
Secrets to use for encryption by cipher

The first secret in the array is used for encrypting data, while all other keys are used to decrypt older data that was encrypted with those earlier secrets.
Hashing Algorithm Configuration

One of the values: argon2, bcrypt. Any other hashes will be migrated to the set algorithm once an identity authenticates using their password.
Configuration for the Argon2id hasher.

Number of parallel workers, defaults to 2*runtime.NumCPU().
The time a hashing operation (~login latency) should take.
The standard deviation expected for hashing operations. If this value is exceeded you will be warned in the logs to adjust the parameters.
The memory dedicated for Kratos. As password hashing is very resource intense, Kratos will monitor the memory consumption and warn about high values.
Configuration for the Bcrypt hasher. The minimum cost is 4 when the --dev flag is used and 12 otherwise.

Cipher Algorithm Configuration

One of the values: noop, aes, xchacha20-poly1305
HTTP Cookie Configuration

Configure the HTTP Cookies. Applies to both CSRF and session cookies.
Sets the cookie domain for session and CSRF cookies. Useful when dealing with subdomains. Use with care!
Sets the session and CSRF cookie path. Use with care!
Sets the session and CSRF cookie SameSite.
session

WhoAmI / ToSession Settings

Control how the `/sessions/whoami` endpoint behaves.
Sets what Authenticator Assurance Level (used for 2FA) is required to access this feature. If set to `highest_available` then this endpoint requires the highest AAL the identity has set up. If set to `aal1` then the identity can access this feature without 2FA.
Tokenizer configuration

Configure the tokenizer, responsible for converting a session into a token format such as JWT.
Tokenizer templates

A list of different templates that govern how a session is converted to a token format.
Defines how long a session is active. Once that lifespan has been reached, the user needs to sign in again.
Sets when a session can be extended. Setting this value to `24h` prevents the session from being extended until 24 hours before it expires. This setting prevents excessive writes to the database. We highly recommend setting this value.
security

account_enumeration

Mitigate account enumeration by making it harder to figure out if an identifier (email, phone number) exists or not. Enabling this setting degrades user experience. This setting does not mitigate all possible attack vectors yet.
SemVer according to https://semver.org/ prefixed with `v` as in our releases.
This is a CLI flag and environment variable and cannot be set using the config file.
This is a CLI flag and environment variable and cannot be set using the config file.
The port the courier's metrics endpoint listens on (0/disabled by default). This is a CLI flag and environment variable and cannot be set using the config file.
config

This is a CLI flag and environment variable and cannot be set using the config file.
Global outgoing network settings

Configure how outgoing network calls behave.
Global HTTP client configuration

Configure how outgoing HTTP calls behave.
Disallow all outgoing HTTP calls to private IP ranges. This feature can help protect against SSRF attacks.
Add exempt URLs to private IP ranges

Allows the given URLs to be called despite them being in the private IP range. URLs need to have an exact and case-sensitive match to be exempt.
Feature flags

If enabled allows Ory Sessions to be cached. Only effective in the Ory Network.
Set how long Ory Sessions are cached on the edge. If unset, the session expiry will be used. Only effective in the Ory Network.
If enabled allows new flow transitions using `continue_with` items.
If enabled allows faster session extension by skipping the session lookup. Disabling this feature will be deprecated in the future.

organizations

Organizations (array, default `[]`). Please use selfservice.methods.b2b instead. This key will be removed. Only effective in the Ory Network.
Enterprise features

Specifies enterprise features. Only effective in the Ory Network or with a valid license.
A fallback URL template used when looking up identity schemas.