search

authgear.secrets.yaml

The secret configuration authgear.secrets.yaml

This is the configuration file containing various secrets used in Authgear.

hashtag
JSON Schema

The configuration file is validated against the following JSON Schema:

{
  "$defs": {
    "AdminAPIAuthKey": {
      "$ref": "#/$defs/JWS"
    },
    "AnalyticRedisCredentials": {
      "additionalProperties": false,
      "properties": {
        "redis_url": {
          "type": "string"
        }
      },
      "required": [
        "redis_url"
      ],
      "type": "object"
    },
    "AuditDatabaseCredentials": {
      "additionalProperties": false,
      "properties": {
        "database_schema": {
          "type": "string"
        },
        "database_url": {
          "type": "string"
        }
      },
      "required": [
        "database_url"
      ],
      "type": "object"
    },
    "CSRFKeyMaterials": {
      "$ref": "#/$defs/JWS"
    },
    "DatabaseCredentials": {
      "additionalProperties": false,
      "properties": {
        "database_schema": {
          "type": "string"
        },
        "database_url": {
          "type": "string"
        }
      },
      "required": [
        "database_url"
      ],
      "type": "object"
    },
    "ElasticsearchCredentials": {
      "additionalProperties": false,
      "properties": {
        "elasticsearch_url": {
          "type": "string"
        }
      },
      "required": [
        "elasticsearch_url"
      ],
      "type": "object"
    },
    "ImagesKeyMaterials": {
      "$ref": "#/$defs/JWS"
    },
    "JWK": {
      "properties": {
        "kid": {
          "type": "string"
        },
        "kty": {
          "type": "string"
        }
      },
      "required": [
        "kid",
        "kty"
      ],
      "type": "object"
    },
    "JWS": {
      "additionalProperties": false,
      "properties": {
        "keys": {
          "items": {
            "$ref": "#/$defs/JWK"
          },
          "minItems": 1,
          "type": "array"
        }
      },
      "required": [
        "keys"
      ],
      "type": "object"
    },
    "NexmoCredentials": {
      "additionalProperties": false,
      "properties": {
        "api_key": {
          "type": "string"
        },
        "api_secret": {
          "type": "string"
        }
      },
      "required": [
        "api_key",
        "api_secret"
      ],
      "type": "object"
    },
    "OAuthClientCredentials": {
      "additionalProperties": false,
      "properties": {
        "items": {
          "items": {
            "additionalProperties": false,
            "properties": {
              "alias": {
                "type": "string"
              },
              "client_secret": {
                "type": "string"
              }
            },
            "required": [
              "alias",
              "client_secret"
            ],
            "type": "object"
          },
          "type": "array"
        }
      },
      "required": [
        "items"
      ],
      "type": "object"
    },
    "OAuthKeyMaterials": {
      "$ref": "#/$defs/JWS"
    },
    "RedisCredentials": {
      "additionalProperties": false,
      "properties": {
        "redis_url": {
          "type": "string"
        }
      },
      "required": [
        "redis_url"
      ],
      "type": "object"
    },
    "SMTPMode": {
      "enum": [
        "normal",
        "ssl"
      ],
      "type": "string"
    },
    "SMTPServerCredentials": {
      "additionalProperties": false,
      "properties": {
        "host": {
          "type": "string"
        },
        "mode": {
          "$ref": "#/$defs/SMTPMode"
        },
        "password": {
          "type": "string"
        },
        "port": {
          "maximum": 65535,
          "minimum": 1,
          "type": "integer"
        },
        "username": {
          "type": "string"
        }
      },
      "required": [
        "host",
        "port",
        "username",
        "password"
      ],
      "type": "object"
    },
    "SecretConfig": {
      "additionalProperties": false,
      "properties": {
        "secrets": {
          "items": {
            "$ref": "#/$defs/SecretItem"
          },
          "type": "array"
        }
      },
      "required": [
        "secrets"
      ],
      "type": "object"
    },
    "SecretItem": {
      "additionalProperties": false,
      "allOf": [
        {
          "if": {
            "properties": {
              "key": {
                "const": "admin-api.auth"
              }
            }
          },
          "then": {
            "properties": {
              "data": {
                "$ref": "#/$defs/AdminAPIAuthKey"
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "key": {
                "const": "analytic.redis"
              }
            }
          },
          "then": {
            "properties": {
              "data": {
                "$ref": "#/$defs/AnalyticRedisCredentials"
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "key": {
                "const": "audit.db"
              }
            }
          },
          "then": {
            "properties": {
              "data": {
                "$ref": "#/$defs/AuditDatabaseCredentials"
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "key": {
                "const": "csrf"
              }
            }
          },
          "then": {
            "properties": {
              "data": {
                "$ref": "#/$defs/CSRFKeyMaterials"
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "key": {
                "const": "db"
              }
            }
          },
          "then": {
            "properties": {
              "data": {
                "$ref": "#/$defs/DatabaseCredentials"
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "key": {
                "const": "elasticsearch"
              }
            }
          },
          "then": {
            "properties": {
              "data": {
                "$ref": "#/$defs/ElasticsearchCredentials"
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "key": {
                "const": "images"
              }
            }
          },
          "then": {
            "properties": {
              "data": {
                "$ref": "#/$defs/ImagesKeyMaterials"
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "key": {
                "const": "mail.smtp"
              }
            }
          },
          "then": {
            "properties": {
              "data": {
                "$ref": "#/$defs/SMTPServerCredentials"
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "key": {
                "const": "oauth"
              }
            }
          },
          "then": {
            "properties": {
              "data": {
                "$ref": "#/$defs/OAuthKeyMaterials"
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "key": {
                "const": "redis"
              }
            }
          },
          "then": {
            "properties": {
              "data": {
                "$ref": "#/$defs/RedisCredentials"
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "key": {
                "const": "sms.nexmo"
              }
            }
          },
          "then": {
            "properties": {
              "data": {
                "$ref": "#/$defs/NexmoCredentials"
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "key": {
                "const": "sms.twilio"
              }
            }
          },
          "then": {
            "properties": {
              "data": {
                "$ref": "#/$defs/TwilioCredentials"
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "key": {
                "const": "sso.oauth.client"
              }
            }
          },
          "then": {
            "properties": {
              "data": {
                "$ref": "#/$defs/OAuthClientCredentials"
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "key": {
                "const": "webhook"
              }
            }
          },
          "then": {
            "properties": {
              "data": {
                "$ref": "#/$defs/WebhookKeyMaterials"
              }
            }
          }
        }
      ],
      "properties": {
        "data": {},
        "key": {
          "$ref": "#/$defs/SecretKey"
        }
      },
      "required": [
        "key",
        "data"
      ],
      "type": "object"
    },
    "SecretKey": {
      "enum": [
        "admin-api.auth",
        "analytic.redis",
        "audit.db",
        "csrf",
        "db",
        "elasticsearch",
        "images",
        "mail.smtp",
        "oauth",
        "redis",
        "sms.nexmo",
        "sms.twilio",
        "sso.oauth.client",
        "webhook"
      ],
      "type": "string"
    },
    "TwilioCredentials": {
      "additionalProperties": false,
      "properties": {
        "account_sid": {
          "type": "string"
        },
        "auth_token": {
          "type": "string"
        }
      },
      "required": [
        "account_sid",
        "auth_token"
      ],
      "type": "object"
    },
    "WebhookKeyMaterials": {
      "$ref": "#/$defs/JWS"
    }
  },
  "$ref": "#/$defs/SecretConfig"
}

hashtag
Structure

Secrets are placed under the key secrets. Each item has key and data. The valid values for key are listed below, where data is key-specific.

Note that ALL secrets are required.

hashtag
admin-api.auth

admin-api.auth defines the JWK to verify Admin API token. It must be an RSA key.

hashtag
db

db defines the database credentials. Only PostgreSQL database is supported.

hashtag
audit.db

audit.db defines the database credentials of the instance for storing audit data. Only PostgreSQL database is supported.

hashtag
redis

redis defines the Redis credentials.

hashtag
analytic.redis

analytic.redis defines the Redis credentials of the Redis instance for storing analytics data.

hashtag
elasticsearch

elasticsearch defines the connection information of the Elasticsearch instance.

hashtag
sso.oauth.client

sso.oauth.client defines the client secrets.

This is the place where you provide the client secrets of configured external OAuth providers.

hashtag
mail.smtp

mail.smtp defines the SMTP credentials.

mode is either ssl or normal. Usually, you do not need to set it and the mode is inferred from the port.

hashtag
sms.twilio

sms.twilio defines the Twilio credentials.

hashtag
sms.nexmo

sms.nexmo defines the Nexmo credentials.

hashtag
jwt

jwt defines the JSON web key (JWK) to sign internal use, ephemeral JWT token. It must be an octet key.

hashtag
oidc

oidc defines the JWK to sign ID tokens. It must be an RSA key.

hashtag
csrf

csrf defines the symmetric key to generate a CSRF token. It must be an octet key.

The format shares with jwt

hashtag
webhook

webhook defines the symmetric key to sign webhook request body. It must be an octet key.

The format is shared with jwt.

Previousauthgear.yamlNextNon-HTTP scheme redirect URI

Last updated