All configuration

Cache

cache

Defines the cache mechanism for high availability.

By default, a 'ispn' cache is used to create a cluster between multiple server nodes. A 'local' cache disables clustering and is intended for development and testing purposes.

CLI: --cache

Env: KC_CACHE

Type: ispn, local

Default: ispn

cache-config-file

Defines the file from which the cache configuration is loaded.

The configuration file is relative to the 'conf/' directory.

CLI: --cache-config-file

Env: KC_CACHE_CONFIG_FILE

cache-stack

Defines the default stack to use for cluster communication and node discovery.

This option only takes effect if 'cache' is set to 'ispn'. Default: udp.

CLI: --cache-stack

Env: KC_CACHE_STACK

Type: tcp, udp, kubernetes, ec2, azure, google

Storage (Experimental)

storage

Experimental: Sets the default storage mechanism for all areas.

CLI: --storage

Env: KC_STORAGE

Type: jpa, chm, hotrod

storage-area-action-token

Experimental: Sets a storage mechanism for action tokens.

CLI: --storage-area-action-token

Env: KC_STORAGE_AREA_ACTION_TOKEN

Type: jpa, chm, hotrod

storage-area-auth-session

Experimental: Sets a storage mechanism for authentication sessions.

CLI: --storage-area-auth-session

Env: KC_STORAGE_AREA_AUTH_SESSION

Type: jpa, chm, hotrod

storage-area-authorization

Experimental: Sets a storage mechanism for authorizations.

CLI: --storage-area-authorization

Env: KC_STORAGE_AREA_AUTHORIZATION

Type: jpa, chm, hotrod

storage-area-client

Experimental: Sets a storage mechanism for clients.

CLI: --storage-area-client

Env: KC_STORAGE_AREA_CLIENT

Type: jpa, chm, hotrod

storage-area-client-scope

Experimental: Sets a storage mechanism for client scopes.

CLI: --storage-area-client-scope

Env: KC_STORAGE_AREA_CLIENT_SCOPE

Type: jpa, chm, hotrod

storage-area-event-admin

Experimental: Sets a storage mechanism for admin events.

CLI: --storage-area-event-admin

Env: KC_STORAGE_AREA_EVENT_ADMIN

Type: jpa, chm, hotrod

storage-area-event-auth

Experimental: Sets a storage mechanism for authentication and authorization events.

CLI: --storage-area-event-auth

Env: KC_STORAGE_AREA_EVENT_AUTH

Type: jpa, chm, hotrod

storage-area-group

Experimental: Sets a storage mechanism for groups.

CLI: --storage-area-group

Env: KC_STORAGE_AREA_GROUP

Type: jpa, chm, hotrod

storage-area-login-failure

Experimental: Sets a storage mechanism for login failures.

CLI: --storage-area-login-failure

Env: KC_STORAGE_AREA_LOGIN_FAILURE

Type: jpa, chm, hotrod

storage-area-realm

Experimental: Sets a storage mechanism for realms.

CLI: --storage-area-realm

Env: KC_STORAGE_AREA_REALM

Type: jpa, chm, hotrod

storage-area-role

Experimental: Sets a storage mechanism for roles.

CLI: --storage-area-role

Env: KC_STORAGE_AREA_ROLE

Type: jpa, chm, hotrod

storage-area-single-use-object

Experimental: Sets a storage mechanism for single use objects.

CLI: --storage-area-single-use-object

Env: KC_STORAGE_AREA_SINGLE_USE_OBJECT

Type: jpa, chm, hotrod

storage-area-user

Experimental: Sets a storage mechanism for users.

CLI: --storage-area-user

Env: KC_STORAGE_AREA_USER

Type: jpa, chm, hotrod

storage-area-user-session

Experimental: Sets a storage mechanism for user and client sessions.

CLI: --storage-area-user-session

Env: KC_STORAGE_AREA_USER_SESSION

Type: jpa, chm, hotrod

storage-deployment-state-version-seed

Experimental: Secret that serves as a seed to mask the version number of Keycloak in URLs.

Needs to be identical across all servers in the cluster. Defaults to a random number generated when the server starts; that is secure, but it leads to problems when a load balancer without sticky sessions is used or when nodes are restarted.

CLI: --storage-deployment-state-version-seed

Env: KC_STORAGE_DEPLOYMENT_STATE_VERSION_SEED

storage-hotrod-host

Experimental: Sets the host of the Infinispan server.

CLI: --storage-hotrod-host

Env: KC_STORAGE_HOTROD_HOST

storage-hotrod-password

Experimental: Sets the password of the Infinispan user.

CLI: --storage-hotrod-password

Env: KC_STORAGE_HOTROD_PASSWORD

storage-hotrod-port

Experimental: Sets the port of the Infinispan server.

CLI: --storage-hotrod-port

Env: KC_STORAGE_HOTROD_PORT

storage-hotrod-username

Experimental: Sets the username of the Infinispan user.

CLI: --storage-hotrod-username

Env: KC_STORAGE_HOTROD_USERNAME

Database

db

The database vendor.

CLI: --db

Env: KC_DB

Type: dev-file, dev-mem, mariadb, mssql, mysql, oracle, postgres

Default: dev-file

db-password

The password of the database user.

CLI: --db-password

Env: KC_DB_PASSWORD

db-pool-initial-size

The initial size of the connection pool.

CLI: --db-pool-initial-size

Env: KC_DB_POOL_INITIAL_SIZE

db-pool-max-size

The maximum size of the connection pool.

CLI: --db-pool-max-size

Env: KC_DB_POOL_MAX_SIZE

Default: 100

db-pool-min-size

The minimum size of the connection pool.

CLI: --db-pool-min-size

Env: KC_DB_POOL_MIN_SIZE

db-schema

The database schema to be used.

CLI: --db-schema

Env: KC_DB_SCHEMA

db-url

The full database JDBC URL.

If not provided, a default URL is set based on the selected database vendor. For instance, if using 'postgres', the default JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.

CLI: --db-url

Env: KC_DB_URL

db-url-database

Sets the database name of the default JDBC URL of the chosen vendor.

If the db-url option is set, this option is ignored.

CLI: --db-url-database

Env: KC_DB_URL_DATABASE

db-url-host

Sets the hostname of the default JDBC URL of the chosen vendor.

If the db-url option is set, this option is ignored.

CLI: --db-url-host

Env: KC_DB_URL_HOST

db-url-port

Sets the port of the default JDBC URL of the chosen vendor.

If the db-url option is set, this option is ignored.

CLI: --db-url-port

Env: KC_DB_URL_PORT

db-url-properties

Sets the properties of the default JDBC URL of the chosen vendor.

If the db-url option is set, this option is ignored.

CLI: --db-url-properties

Env: KC_DB_URL_PROPERTIES

db-username

The username of the database user.

CLI: --db-username

Env: KC_DB_USERNAME
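
The precedence rule stated above (an explicit db-url makes db-url-host, db-url-port, db-url-database and db-url-properties irrelevant) is easy to get wrong during deployment reviews. The following helper is an added example, not code from Keycloak; it composes the effective JDBC URL for the postgres vendor only, since that is the one default URL the reference spells out, and the exact layout 'prefix://host[:port]/database<properties>' with db-url-properties appended verbatim is an assumption of this example.

```python
from typing import Dict, List, Optional

# Vendor default URL prefix. Only the postgres form is stated in the reference
# ('jdbc:postgresql://localhost/keycloak'); other vendors are left out here.
DEFAULT_JDBC_PREFIX = {"postgres": "jdbc:postgresql"}


def effective_db_url(opts: Dict[str, str]) -> Optional[str]:
    """Return the JDBC URL the server will use for the given options.

    Precedence as documented: an explicit 'db-url' wins and the four
    'db-url-*' options are ignored; otherwise they overlay the vendor default.
    The layout 'prefix://host[:port]/database<properties>' is an assumption
    of this example, with 'db-url-properties' appended verbatim.
    """
    if opts.get("db-url"):
        return opts["db-url"]
    vendor = opts.get("db", "dev-file")              # 'dev-file' is the documented default
    prefix = DEFAULT_JDBC_PREFIX.get(vendor)
    if prefix is None:
        return None                                  # dev-* vendors: nothing to compose
    host = opts.get("db-url-host", "localhost")
    port = opts.get("db-url-port")
    database = opts.get("db-url-database", "keycloak")
    props = opts.get("db-url-properties", "")
    authority = f"{host}:{port}" if port else host
    return f"{prefix}://{authority}/{database}{props}"


def ignored_url_parts(opts: Dict[str, str]) -> List[str]:
    """db-url-* options that are set but silently ignored because 'db-url' is set."""
    if not opts.get("db-url"):
        return []
    parts = ("db-url-host", "db-url-port", "db-url-database", "db-url-properties")
    return [p for p in parts if p in opts]


if __name__ == "__main__":
    # Constructed sample: db-url and db-url-host are both set; the host is
    # expected to apply, and ignored_url_parts() shows that it will not.
    sample = {"db": "postgres", "db-url": "jdbc:postgresql://db.example/kc",
              "db-url-host": "other.example"}
    print(effective_db_url(sample))   # jdbc:postgresql://db.example/kc
    print(ignored_url_parts(sample))  # ['db-url-host']
```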

Transaction

transaction-xa-enabled

If set to false, Keycloak uses a non-XA datasource in case the database does not support XA transactions.

CLI: --transaction-xa-enabled

Env: KC_TRANSACTION_XA_ENABLED

Type: true, false

Default: true

Feature

features

Enables a set of one or more features.

CLI: --features

Env: KC_FEATURES

Type: authorization, account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2, docker, impersonation, openshift-integration, scripts, token-exchange, web-authn, client-policies, ciba, map-storage, par, declarative-user-profile, dynamic-scopes, client-secret-rotation, step-up-authentication, recovery-codes, update-email, preview

features-disabled

Disables a set of one or more features.

CLI: --features-disabled

Env: KC_FEATURES_DISABLED

Type: authorization, account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2, docker, impersonation, openshift-integration, scripts, token-exchange, web-authn, client-policies, ciba, map-storage, par, declarative-user-profile, dynamic-scopes, client-secret-rotation, step-up-authentication, recovery-codes, update-email, preview

Hostname

hostname

Hostname for the Keycloak server.

CLI: --hostname

Env: KC_HOSTNAME

hostname-admin

The hostname for accessing the administration console.

Use this option if you are exposing the administration console using a hostname other than the value set to the 'hostname' option.

CLI: --hostname-admin

Env: KC_HOSTNAME_ADMIN

hostname-admin-url

Sets the base URL for accessing the administration console, including scheme, host, port and path.

CLI: --hostname-admin-url

Env: KC_HOSTNAME_ADMIN_URL

hostname-path

This should be set if the proxy uses a different context path for Keycloak.

CLI: --hostname-path

Env: KC_HOSTNAME_PATH

hostname-port

The port used by the proxy when exposing the hostname.

Set this option if the proxy uses a port other than the default HTTP and HTTPS ports.

CLI: --hostname-port

Env: KC_HOSTNAME_PORT

Default: -1

hostname-strict

Disables dynamically resolving the hostname from request headers.

Should always be set to true in production, unless the proxy verifies the Host header.

CLI: --hostname-strict

Env: KC_HOSTNAME_STRICT

Type: true, false

Default: true

hostname-strict-backchannel

By default, backchannel URLs are dynamically resolved from request headers so that both internal and external applications can reach the server.

If all applications use the public URL, this option should be enabled.

CLI: --hostname-strict-backchannel

Env: KC_HOSTNAME_STRICT_BACKCHANNEL

Type: true, false

Default: false

hostname-url

Sets the base URL for frontend URLs, including scheme, host, port and path.

CLI: --hostname-url

Env: KC_HOSTNAME_URL

HTTP/TLS

http-enabled

Enables the HTTP listener.

CLI: --http-enabled

Env: KC_HTTP_ENABLED

Type: true, false

Default: false

http-host

The HTTP host the server listens on.

CLI: --http-host

Env: KC_HTTP_HOST

Default: 0.0.0.0

http-port

The HTTP port the server listens on.

CLI: --http-port

Env: KC_HTTP_PORT

Default: 8080

http-relative-path

Sets the path relative to '/' for serving resources.

The path must start with a '/'.

CLI: --http-relative-path

Env: KC_HTTP_RELATIVE_PATH

Default: /

https-certificate-file

The file path to a server certificate or certificate chain in PEM format.

CLI: --https-certificate-file

Env: KC_HTTPS_CERTIFICATE_FILE

https-certificate-key-file

The file path to a private key in PEM format.

CLI: --https-certificate-key-file

Env: KC_HTTPS_CERTIFICATE_KEY_FILE

https-cipher-suites

The cipher suites to use.

If none is given, a reasonable default is selected.

CLI: --https-cipher-suites

Env: KC_HTTPS_CIPHER_SUITES

https-client-auth

Configures the server to require/request client authentication.

CLI: --https-client-auth

Env: KC_HTTPS_CLIENT_AUTH

Type: none, request, required

Default: none

https-key-store-file

The key store which holds the certificate information instead of specifying separate files.

CLI: --https-key-store-file

Env: KC_HTTPS_KEY_STORE_FILE

https-key-store-password

The password of the key store file.

CLI: --https-key-store-password

Env: KC_HTTPS_KEY_STORE_PASSWORD

Default: password

https-key-store-type

The type of the key store file.

If not given, the type is automatically detected based on the file name.

CLI: --https-key-store-type

Env: KC_HTTPS_KEY_STORE_TYPE

https-port

The HTTPS port the server listens on.

CLI: --https-port

Env: KC_HTTPS_PORT

Default: 8443

https-protocols

The list of protocols to explicitly enable.

CLI: --https-protocols

Env: KC_HTTPS_PROTOCOLS

Default: TLSv1.3

https-trust-store-file

The trust store holding the certificates to trust.

CLI: --https-trust-store-file

Env: KC_HTTPS_TRUST_STORE_FILE

https-trust-store-password

The password of the trust store file.

CLI: --https-trust-store-password

Env: KC_HTTPS_TRUST_STORE_PASSWORD

https-trust-store-type

The type of the trust store file.

If not given, the type is automatically detected based on the file name.

CLI: --https-trust-store-type

Env: KC_HTTPS_TRUST_STORE_TYPE

Health

health-enabled

Whether the server should expose health check endpoints.

If enabled, health checks are available at the '/health', '/health/ready' and '/health/live' endpoints.

CLI: --health-enabled

Env: KC_HEALTH_ENABLED

Type: true, false

Default: false

Metrics

metrics-enabled

Whether the server should expose metrics.

If enabled, metrics are available at the '/metrics' endpoint.

CLI: --metrics-enabled

Env: KC_METRICS_ENABLED

Type: true, false

Default: false

Proxy

proxy

The proxy address forwarding mode if the server is behind a reverse proxy.

CLI: --proxy

Env: KC_PROXY

Type: none, edge, reencrypt, passthrough

Default: none
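
Several options in the Cache, Database, Hostname, HTTP/TLS and Proxy sections above carry production caveats: 'local' cache and the dev-* database vendors are for development and testing, hostname-strict should stay true unless the proxy verifies the Host header, the HTTP listener is off by default, and https-key-store-password defaults to 'password'. The following review script is an added example, not Keycloak code; it parses a constructed keycloak.conf-style file, overlays KC_* environment variables using the CLI-to-env naming the reference lists (environment winning over the file is an assumed order), and reports those findings. Treating proxy=edge as the one mode where a plain HTTP listener is expected is Keycloak behaviour known to the author, not spelled out on this page.

```python
from typing import Dict, List

# Constructed sample in conf/keycloak.conf style (key=value, '#' comments); not a real deployment.
SAMPLE_CONF = """
# constructed example
db=dev-file
cache=local
http-enabled=true
hostname-strict=false
https-key-store-file=conf/server.keystore
https-key-store-password=password
proxy=none
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def merged(conf: Dict[str, str], env: Dict[str, str]) -> Dict[str, str]:
    """Overlay KC_* variables on file settings (KC_CACHE_STACK -> cache-stack); env winning is assumed."""
    out = dict(conf)
    for key, value in env.items():
        if key.startswith("KC_"):
            out[key[3:].lower().replace("_", "-")] = value
    return out


def production_findings(opts: Dict[str, str]) -> List[str]:
    """Flag settings the reference marks as development-only or as unsafe behind a proxy."""
    findings = []
    if opts.get("db", "dev-file") in ("dev-file", "dev-mem"):
        findings.append("db: dev-file/dev-mem are development vendors, not for production")
    if opts.get("cache", "ispn") == "local":
        findings.append("cache: 'local' disables clustering; intended for development and testing")
    if opts.get("hostname-strict", "true") == "false":
        findings.append("hostname-strict: false trusts request headers; keep true unless the proxy verifies Host")
    # proxy=edge is the mode where plain HTTP to the server is expected (known behaviour, not on this page)
    if opts.get("http-enabled", "false") == "true" and opts.get("proxy", "none") != "edge":
        findings.append("http-enabled: plain HTTP listener enabled without proxy=edge")
    if opts.get("https-key-store-file") and opts.get("https-key-store-password", "password") == "password":
        findings.append("https-key-store-password: the default value 'password' is still in use")
    return findings
```

Run production_findings(merged(parse_conf(SAMPLE_CONF), dict(os.environ))) against a real file and the process environment to review a deployment; the sample above yields five findings.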

Vault

vault

Enables a vault provider.

CLI: --vault

Env: KC_VAULT

Type: file, hashicorp

vault-dir

If set, secrets can be obtained by reading the content of files within the given directory.

CLI: --vault-dir

Env: KC_VAULT_DIR

Logging

log

Enables one or more log handlers, given as a comma-separated list.

CLI: --log

Env: KC_LOG

Type: console, file, gelf

Default: console

log-console-color

Enables or disables colors when logging to the console.

CLI: --log-console-color

Env: KC_LOG_CONSOLE_COLOR

Type: true, false

Default: false

log-console-format

The format of unstructured console log entries.

If the format has spaces in it, escape the value using "<format>".

CLI: --log-console-format

Env: KC_LOG_CONSOLE_FORMAT

Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n

log-console-output

Sets the log output to JSON or to the default (plain) unstructured logging.

CLI: --log-console-output

Env: KC_LOG_CONSOLE_OUTPUT

Type: default, json

Default: default

log-file

Sets the log file path and filename.

CLI: --log-file

Env: KC_LOG_FILE

Default: data/log/keycloak.log

log-file-format

Sets a format specific to file log entries.

CLI: --log-file-format

Env: KC_LOG_FILE_FORMAT

Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n

log-file-output

Sets the log output to JSON or to the default (plain) unstructured logging.

CLI: --log-file-output

Env: KC_LOG_FILE_OUTPUT

Type: default, json

Default: default

log-gelf-facility

The facility (name of the process) that sends the message.

CLI: --log-gelf-facility

Env: KC_LOG_GELF_FACILITY

Default: keycloak

log-gelf-host

Hostname of the Logstash or Graylog host.

UDP is used by default; prefix the host with 'tcp:' to switch to TCP. Example: 'tcp:localhost'

CLI: --log-gelf-host

Env: KC_LOG_GELF_HOST

Default: localhost

log-gelf-include-location

Includes the source code location in each log event.

CLI: --log-gelf-include-location

Env: KC_LOG_GELF_INCLUDE_LOCATION

Type: true, false

Default: true

log-gelf-include-message-parameters

Includes the message parameters from the log event.

CLI: --log-gelf-include-message-parameters

Env: KC_LOG_GELF_INCLUDE_MESSAGE_PARAMETERS

Type: true, false

Default: true

log-gelf-include-stack-trace

If set to true, occurring stack traces are included in the 'StackTrace' field of the GELF output.

CLI: --log-gelf-include-stack-trace

Env: KC_LOG_GELF_INCLUDE_STACK_TRACE

Type: true, false

Default: true

log-gelf-level

The log level specifying which message levels will be logged by the GELF logger.

Message levels lower than this value will be discarded.

CLI: --log-gelf-level

Env: KC_LOG_GELF_LEVEL

Default: INFO

log-gelf-max-message-size

Maximum message size (in bytes).

If the message size is exceeded, GELF will submit the message in multiple chunks.

CLI: --log-gelf-max-message-size

Env: KC_LOG_GELF_MAX_MESSAGE_SIZE

Default: 8192

log-gelf-port

The port on which the Logstash or Graylog host is contacted.

CLI: --log-gelf-port

Env: KC_LOG_GELF_PORT

Default: 12201

log-gelf-timestamp-format

Sets the format of the GELF timestamp field.

Uses a Java SimpleDateFormat pattern.

CLI: --log-gelf-timestamp-format

Env: KC_LOG_GELF_TIMESTAMP_FORMAT

Default: yyyy-MM-dd HH:mm:ss,SSS

log-level

The log level of the root category or a comma-separated list of individual categories and their levels.

For the root category, you don’t need to specify a category.

CLI: --log-level

Env: KC_LOG_LEVEL

Default: info