Type object
Schema URL https://catalog.lintel.tools/schemas/schemastore/ory-hydra-configuration/_shared/latest--config.json
Parent schema ory-hydra-configuration

Properties

db object

Configures the database connection

1 nested properties
ignore_unknown_table_columns boolean

Ignore scan errors when columns in the SQL result have no fields in the destination struct

Default: false
log object

Configures the logger

4 nested properties
level string

Sets the log level.

Default: "info"
Values: "panic" "fatal" "error" "warn" "info" "debug" "trace"
leak_sensitive_values boolean

Logs sensitive values such as cookies and URL parameters.

Default: false
redaction_text string

Text to use when redacting sensitive log values.

format string

Sets the log format.

Default: "text"
Values: "json" "json_pretty" "text"
serve object

Controls the configuration for the http(s) daemon(s).

4 nested properties
public object

Controls the public daemon serving public API endpoints like /oauth2/auth, /oauth2/token, /.well-known/jwks.json

6 nested properties
port integer
Default: 4444
All of: portNumber
host string

The interface or unix socket Ory Hydra should listen and handle public API requests on. Use the prefix unix: to specify a path to a unix socket. Leave empty to listen on all interfaces.

Default: ""
Examples: "localhost"
cors object

Configures Cross-Origin Resource Sharing for public endpoints.

8 nested properties
enabled boolean

Sets whether CORS is enabled.

Default: false
allowed_origins string[]

A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Only one wildcard can be used per origin.

Default:
[]
Examples: ["*","https://example.com","https://*.example.com","https://*.foo.example.com"]
uniqueItems=true
allowed_methods string[]

A list of HTTP methods the user agent is allowed to use with cross-domain requests.

Default:
[
  "POST",
  "GET",
  "PUT",
  "PATCH",
  "DELETE",
  "CONNECT",
  "HEAD",
  "OPTIONS",
  "TRACE"
]
allowed_headers string[]

A list of non-simple headers the client is allowed to use with cross-domain requests.

Default:
[
  "Accept",
  "Content-Type",
  "Content-Length",
  "Accept-Language",
  "Content-Language",
  "Authorization"
]
exposed_headers string[]

Sets which response headers are safe to expose to the client, as defined by the CORS specification.

Default:
[
  "Cache-Control",
  "Expires",
  "Last-Modified",
  "Pragma",
  "Content-Length",
  "Content-Language",
  "Content-Type"
]
allow_credentials boolean

Sets whether the request can include user credentials like cookies, HTTP authentication or client-side SSL certificates.

Default: true
max_age integer

Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request.

Default: 0
min=0
debug boolean

Adds additional log output to debug server side CORS issues.

Default: false
socket object

Sets the permissions of the unix socket

3 nested properties
owner string

Owner of unix socket. If empty, the owner will be the user running hydra.

Default: ""
group string

Group of unix socket. If empty, the group will be the primary group of the user running hydra.

Default: ""
mode integer

Mode of unix socket in numeric form

Default: 493
min=0 max=511
request_log object

Access Log configuration for public server.

1 nested properties
disable_for_health boolean

Disable access log for health endpoints.

Default: false
tls object

Configures HTTPS (HTTP over TLS). If configured, the server automatically supports HTTP/2.

4 nested properties
enabled boolean

Setting enabled to false drops the TLS requirement for the admin endpoint, even if TLS is enabled on the public endpoint.

key

Configures the private key (pem encoded).

All of: pem_file object
cert

Configures the public certificate (pem encoded).

All of: pem_file object
allow_termination_from cidr[]

Whitelist one or multiple CIDR address ranges and allow them to terminate TLS connections. Be aware that the X-Forwarded-Proto header must be set and must never be modifiable by anyone but your proxy / gateway / load balancer. Supports IPv4 and IPv6. Hydra serves HTTP instead of HTTPS when this option is set.

admin object
6 nested properties
port integer
Default: 4445
All of: portNumber
host string

The interface or unix socket Ory Hydra should listen and handle administrative API requests on. Use the prefix unix: to specify a path to a unix socket. Leave empty to listen on all interfaces.

Default: ""
Examples: "localhost"
cors object

Configures Cross-Origin Resource Sharing for public endpoints.

8 nested properties
enabled boolean

Sets whether CORS is enabled.

Default: false
allowed_origins string[]

A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Only one wildcard can be used per origin.

Default:
[]
Examples: ["*","https://example.com","https://*.example.com","https://*.foo.example.com"]
uniqueItems=true
allowed_methods string[]

A list of HTTP methods the user agent is allowed to use with cross-domain requests.

Default:
[
  "POST",
  "GET",
  "PUT",
  "PATCH",
  "DELETE",
  "CONNECT",
  "HEAD",
  "OPTIONS",
  "TRACE"
]
allowed_headers string[]

A list of non-simple headers the client is allowed to use with cross-domain requests.

Default:
[
  "Accept",
  "Content-Type",
  "Content-Length",
  "Accept-Language",
  "Content-Language",
  "Authorization"
]
exposed_headers string[]

Sets which response headers are safe to expose to the client, as defined by the CORS specification.

Default:
[
  "Cache-Control",
  "Expires",
  "Last-Modified",
  "Pragma",
  "Content-Length",
  "Content-Language",
  "Content-Type"
]
allow_credentials boolean

Sets whether the request can include user credentials like cookies, HTTP authentication or client-side SSL certificates.

Default: true
max_age integer

Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request.

Default: 0
min=0
debug boolean

Adds additional log output to debug server side CORS issues.

Default: false
socket object

Sets the permissions of the unix socket

3 nested properties
owner string

Owner of unix socket. If empty, the owner will be the user running hydra.

Default: ""
group string

Group of unix socket. If empty, the group will be the primary group of the user running hydra.

Default: ""
mode integer

Mode of unix socket in numeric form

Default: 493
min=0 max=511
request_log object

Access Log configuration for admin server.

1 nested properties
disable_for_health boolean

Disable access log for health endpoints.

Default: false
tls
All of: tls_config object
tls object

Configures HTTPS (HTTP over TLS). If configured, the server automatically supports HTTP/2.

4 nested properties
enabled boolean

Setting enabled to false drops the TLS requirement for the admin endpoint, even if TLS is enabled on the public endpoint.

key

Configures the private key (pem encoded).

All of: pem_file object
cert

Configures the public certificate (pem encoded).

All of: pem_file object
allow_termination_from cidr[]

Whitelist one or multiple CIDR address ranges and allow them to terminate TLS connections. Be aware that the X-Forwarded-Proto header must be set and must never be modifiable by anyone but your proxy / gateway / load balancer. Supports IPv4 and IPv6. Hydra serves HTTP instead of HTTPS when this option is set.

cookies object
5 nested properties
same_site_mode string

Specify the SameSite mode that cookies should be sent with.

Default: "None"
Values: "Strict" "Lax" "None"
same_site_legacy_workaround boolean

Some older browser versions don’t work with SameSite=None. This option enables the workaround defined in https://web.dev/samesite-cookie-recipes/ which essentially stores a second cookie without SameSite as a fallback.

Default: false
Examples: true
domain string

Sets the cookie domain for session and CSRF cookies. Useful when dealing with subdomains. Use with care!

secure boolean

Sets the HTTP Cookie secure flag in development mode. HTTP Cookies always have the secure flag in production mode.

Default: false
names object

Sets the session cookie name. Use with care!

3 nested properties
login_csrf string
Default: "ory_hydra_login_csrf"
consent_csrf string
Default: "ory_hydra_consent_csrf"
session string
Default: "ory_hydra_session"
dsn string

Sets the data source name. This configures the backend where Ory Hydra persists data. If dsn is memory, data will be written to memory and is lost when you restart this instance. Ory Hydra supports popular SQL databases. For more detailed configuration information go to: https://www.ory.sh/docs/hydra/dependencies-environment#sql

clients object

Configure how outgoing network calls behave.

1 nested properties
http object

Configure how outgoing HTTP calls behave.

1 nested properties
disallow_private_ip_ranges boolean

Disallow all outgoing HTTP calls to private IP ranges. This feature can help protect against SSRF attacks.

Default: false
hsm object

Configures Hardware Security Module.

6 nested properties
enabled boolean
library string

Full path (including file extension) of the HSM vendor PKCS#11 library

pin string

PIN code for token operations

slot integer

Slot ID of the token to use (if label is not specified)

token_label string

Label of the token to use (if slot is not specified). If both slot and label are set, the token label takes precedence over the slot. In this case, the first slot that contains this label is used.

key_set_prefix string

The key set prefix can be used when multiple Ory Hydra instances need to store keys on the same HSM partition. For example, if hsm.key_set_prefix=app1. then the key set hydra.openid.id-token would be generated/requested/deleted on the HSM with CKA_LABEL=app1.hydra.openid.id-token.

Default: ""
webfinger object

Configures /.well-known/ settings.

2 nested properties
jwks object

Configures the /.well-known/jwks.json endpoint.

1 nested properties
broadcast_keys string[]

A list of JSON Web Keys that should be exposed at that endpoint. This is usually the public key for verifying OpenID Connect ID Tokens. However, you might want to add additional keys here as well.

Default:
[
  "hydra.openid.id-token"
]
Examples: "hydra.jwt.access-token"
oidc_discovery object

Configures OpenID Connect Discovery (/.well-known/openid-configuration).

7 nested properties
jwks_url string

Overwrites the JWKS URL

Examples: "https://my-service.com/.well-known/jwks.json"
format=uri-reference
token_url string

Overwrites the OAuth2 Token URL

Examples: "https://my-service.com/oauth2/token"
format=uri-reference
auth_url string

Overwrites the OAuth2 Auth URL

Examples: "https://my-service.com/oauth2/auth"
format=uri-reference
client_registration_url string

Sets the OpenID Connect Dynamic Client Registration Endpoint

Examples: "https://my-service.com/clients"
format=uri-reference
supported_claims string[]

A list of supported claims to be broadcast. The claim sub is always included.

Examples: ["email","username"]
supported_scope string[]

The scopes OAuth 2.0 Clients may request. The scopes offline, offline_access, and openid are always included.

Examples: ["email","whatever","read.photos"]
userinfo_url string

A URL of the userinfo endpoint to be advertised at the OpenID Connect Discovery endpoint /.well-known/openid-configuration. Defaults to Ory Hydra's userinfo endpoint at /userinfo. Set this value if you want to handle this endpoint yourself.

Examples: "https://example.org/my-custom-userinfo-endpoint"
format=uri-reference
oidc object

Configures OpenID Connect features.

2 nested properties
subject_identifiers object

Configures the Subject Identifier algorithm. For more information please head over to the documentation: https://www.ory.sh/docs/hydra/advanced#subject-identifier-algorithms

Examples: {"supported_types":["public","pairwise"],"pairwise":{"salt":"some-random-salt"}}
Any of: variant, variant
2 nested properties
supported_types string[]

A list of algorithms to enable.

Default:
[
  "public"
]
pairwise object

Configures the pairwise algorithm.

1 nested properties
salt string required
dynamic_client_registration object

Configures OpenID Connect Dynamic Client Registration (exposed as admin endpoints /clients/...).

2 nested properties
enabled boolean

Enable dynamic client registration.

Default: false
default_scope string[]

The OpenID Connect Dynamic Client Registration specification has no concept of whitelisting OAuth 2.0 Scope. If you want to expose Dynamic Client Registration, you should set the default scope enabled for newly registered clients. Keep in mind that users can overwrite this default by setting the scope key in the registration payload, effectively disabling the concept of whitelisted scopes.

Examples: ["openid","offline","offline_access"]
urls object
6 nested properties
self object
3 nested properties
issuer string

This value will be used as the issuer in access and ID tokens. It must be specified and must use the HTTPS protocol, unless --dev is set. This should typically be equal to the public value.

Examples: "https://localhost:4444/"
format=uri
public string

This is the base location of the public endpoints of your Ory Hydra installation. This should typically be equal to the issuer value. If left unspecified, it falls back to the issuer value.

Examples: "https://localhost:4444/"
format=uri
admin string

This is the base location of the admin endpoints of your Ory Hydra installation.

Examples: "https://localhost:4445/"
format=uri
login string

Sets the OAuth2 Login Endpoint URL of the OAuth2 User Login & Consent flow. Defaults to an internal fallback URL showing an error.

Examples: "https://my-login.app/login", "/ui/login"
format=uri-reference
consent string

Sets the consent endpoint of the User Login & Consent flow. Defaults to an internal fallback URL showing an error.

Examples: "https://my-consent.app/consent", "/ui/consent"
format=uri-reference
logout string

Sets the logout endpoint. Defaults to an internal fallback URL showing an error.

Examples: "https://my-logout.app/logout", "/ui/logout"
format=uri-reference
error string

Sets the error endpoint. The error UI will be shown when an OAuth2 error occurs that cannot be sent back to the client. Defaults to an internal fallback URL showing an error.

Examples: "https://my-error.app/error", "/ui/error"
format=uri-reference
post_logout_redirect string

When a user agent requests to log out, it will be redirected to this URL afterwards by default.

Examples: "https://my-example.app/logout-successful", "/ui"
format=uri-reference
strategies object
2 nested properties
scope string

Defines how scopes are matched. For more details have a look at https://github.com/ory/fosite#scopes

Default: "wildcard"
Values: "exact" "wildcard"
access_token string

Defines access token type. jwt is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens

Default: "opaque"
Values: "opaque" "jwt"
ttl object

Configures time to live.

5 nested properties
login_consent_request

Configures how long a user login and consent flow may take.

Default: "30m"
All of: duration string
access_token

Configures how long access tokens are valid.

Default: "1h"
All of: duration string
refresh_token duration | enum

Configures how long refresh tokens are valid. Set to -1 for refresh tokens to never expire.

Default: "720h"
id_token

Configures how long id tokens are valid.

Default: "1h"
All of: duration string
auth_code

Configures how long auth codes are valid.

Default: "10m"
All of: duration string
oauth2 object
9 nested properties
expose_internal_errors boolean

Set this to true if you want to share error debugging information with your OAuth 2.0 clients. Keep in mind that debug information is very valuable when dealing with errors, but might also expose database error codes and similar errors.

Default: false
Examples: true
session object
1 nested properties
encrypt_at_rest boolean

If set to true (default), Ory Hydra encrypts OAuth2 and OpenID Connect session data using AES-GCM and the system secret before persisting it in the database.

Default: true
exclude_not_before_claim boolean

Set to true if you want to exclude the nbf (not before) claim from the access token.

Default: false
Examples: true
allowed_top_level_claims string[]

A list of custom claims which are allowed to be added at the top level of the Access Token. They cannot override reserved claims.

Examples: ["username","email","user_uuid"]
hashers object

Configures hashing algorithms. Supports only BCrypt and PBKDF2 at the moment.

3 nested properties
algorithm string

One of the values: pbkdf2, bcrypt.

Warning! This value cannot be changed once set, as all existing OAuth 2.0 Clients will no longer be able to sign in.

Default: "pbkdf2"
Values: "pbkdf2" "bcrypt"
bcrypt object

Configures the BCrypt hashing algorithm used for hashing OAuth 2.0 Client Secrets.

1 nested properties
cost integer

Sets the BCrypt cost. The higher the value, the more CPU time is being used to generate hashes.

Default: 10
min=4 max=31
pbkdf2 object

Configures the PBKDF2 hashing algorithm used for hashing OAuth 2.0 Client Secrets.

1 nested properties
iterations integer

Sets the PBKDF2 iterations. The higher the value, the more CPU time is being used to generate hashes.

Default: 25000
min=1
pkce object
2 nested properties
enforced boolean

Sets whether PKCE should be enforced for all clients.

Examples: true
enforced_for_public_clients boolean

Sets whether PKCE should be enforced for public clients.

Examples: true
client_credentials object
1 nested properties
default_grant_allowed_scope boolean

Automatically grant authorized OAuth2 Scope in OAuth2 Client Credentials Flow. Each OAuth2 Client is allowed to request a predefined OAuth2 Scope (for example read write). If this option is enabled, the full scope is automatically granted when performing the OAuth2 Client Credentials flow.

If disabled, the OAuth2 Client has to request the scope in the OAuth2 request by providing the scope query parameter. Setting this option to true is common if you need compatibility with MITREid.

Examples: false
grant object
1 nested properties
jwt object

Authorization Grants using JWT configuration

3 nested properties
jti_optional boolean

Configures if the JSON Web Token ID (jti) claim is required in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523). If set to false, the jti claim is required. Set this value to true only after careful consideration.

Default: false
iat_optional boolean

Configures if the issued at (iat) claim is required in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523). If set to false, the iat claim is required. Set this value to true only after careful consideration.

Default: false
max_ttl

Configures what the maximum age of a JWT assertion used in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523) can be. This feature uses the exp claim and iat claim to calculate assertion age. Assertions exceeding the max age will be denied. Useful as a safety measure and recommended to keep below 720h. This governs the grant.jwt.max_ttl setting.

Default: "720h"
All of: duration string
refresh_token_hook string

Sets the refresh token hook endpoint. If set it will be called during token refresh to receive updated token claims.

Examples: "https://my-example.app/token-refresh-hook"
format=uri
secrets object

The secrets section configures secrets used for encryption and signing of several systems. All secrets can be rotated, for more information on this topic go to: https://www.ory.sh/docs/hydra/advanced#rotation-of-hmac-token-signing-and-database-and-cookie-encryption-keys

2 nested properties
system string[]

The system secret must be at least 16 characters long. If none is provided, one will be generated. The key is used to encrypt sensitive data using AES-GCM (256 bit) and validate HMAC signatures. The first item in the list is used for signing and encryption. The whole list is used for verifying signatures and decryption.

Examples: ["this-is-the-primary-secret","this-is-an-old-secret","this-is-another-old-secret"]
cookie string[]

A secret that is used to encrypt cookie sessions. Defaults to secrets.system. It is recommended to use a separate secret in production. The first item in the list is used for signing and encryption. The whole list is used for verifying signatures and decryption.

Examples: ["this-is-the-primary-secret","this-is-an-old-secret","this-is-another-old-secret"]
profiling string

Enables profiling if set. For more details on profiling, head over to: https://blog.golang.org/profiling-go-programs

Values: "cpu" "mem"
Examples: "cpu"
tracing object

Ory Hydra supports distributed tracing.

3 nested properties
provider string

Set this to the tracing backend you wish to use. Supports Jaeger, Zipkin, DataDog, Elastic APM and Instana. If omitted or empty, tracing will be disabled. Use environment variables to configure DataDog (see https://docs.datadoghq.com/tracing/setup/go/#configuration).

Values: "jaeger" "zipkin" "datadog" "elastic-apm" "instana" "otel"
Examples: "jaeger"
service_name string

Specifies the service name to use on the tracer.

Examples: "Ory Hydra"
providers object
2 nested properties
jaeger object

Configures the jaeger tracing backend.

4 nested properties
local_agent_address string

The address of the jaeger-agent where spans should be sent to.

Examples: "127.0.0.1:6831"
One of: variant, variant, variant
propagation string

The tracing header format

Examples: "jaeger"
max_tag_value_length integer

The maximum tag value length that is passed to the tracer.

min=0
sampling object
Examples: {"type":"const","value":1,"server_url":"http://localhost:5778/sampling"}
All of: variant, variant
zipkin object

Configures the zipkin tracing backend.

Examples: {"server_url":"http://localhost:9411/api/v2/spans"}
1 nested properties
server_url string

The address of Zipkin server where spans should be sent to.

format=uri
sqa object

Software Quality Assurance telemetry configuration section

Examples: {"opt_out":true}
1 nested properties
opt_out boolean

Disables anonymized telemetry reports. For more information please visit https://www.ory.sh/docs/ecosystem/sqa

Default: false
Examples: true
version string

SemVer according to https://semver.org/ prefixed with v as in our releases.

pattern=^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
cgroups object

Ory Hydra can respect Linux container CPU quotas

1 nested properties
v1 object

Configures parameters using cgroups v1 hierarchy

1 nested properties
auto_max_procs_enabled boolean

Set GOMAXPROCS automatically according to cgroups limits

Default: false
Examples: true
dev boolean

If true, disables critical security measures to allow easier local development. Do not use in production.

Default: false

Definitions

http_method string
portNumber

The port to listen on.

socket object

Sets the permissions of the unix socket

owner string

Owner of unix socket. If empty, the owner will be the user running hydra.

Default: ""
group string

Group of unix socket. If empty, the group will be the primary group of the user running hydra.

Default: ""
mode integer

Mode of unix socket in numeric form

Default: 493
min=0 max=511
cors object

Configures Cross-Origin Resource Sharing for public endpoints.

enabled boolean

Sets whether CORS is enabled.

Default: false
allowed_origins string[]

A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Only one wildcard can be used per origin.

Default:
[]
Examples: ["*","https://example.com","https://*.example.com","https://*.foo.example.com"]
uniqueItems=true
allowed_methods string[]

A list of HTTP methods the user agent is allowed to use with cross-domain requests.

Default:
[
  "POST",
  "GET",
  "PUT",
  "PATCH",
  "DELETE",
  "CONNECT",
  "HEAD",
  "OPTIONS",
  "TRACE"
]
allowed_headers string[]

A list of non-simple headers the client is allowed to use with cross-domain requests.

Default:
[
  "Accept",
  "Content-Type",
  "Content-Length",
  "Accept-Language",
  "Content-Language",
  "Authorization"
]
exposed_headers string[]

Sets which response headers are safe to expose to the client, as defined by the CORS specification.

Default:
[
  "Cache-Control",
  "Expires",
  "Last-Modified",
  "Pragma",
  "Content-Length",
  "Content-Language",
  "Content-Type"
]
allow_credentials boolean

Sets whether the request can include user credentials like cookies, HTTP authentication or client-side SSL certificates.

Default: true
max_age integer

Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request.

Default: 0
min=0
debug boolean

Adds additional log output to debug server side CORS issues.

Default: false
cidr string

CIDR address range.

Examples:
  • "127.0.0.1/32"
pem_file object
duration string
Examples:
  • "1h"
  • "1h5m1s"
tls_config object

Configures HTTPS (HTTP over TLS). If configured, the server automatically supports HTTP/2.

enabled boolean

Setting enabled to false drops the TLS requirement for the admin endpoint, even if TLS is enabled on the public endpoint.

key

Configures the private key (pem encoded).

All of: pem_file object
cert

Configures the public certificate (pem encoded).

All of: pem_file object
allow_termination_from cidr[]

Whitelist one or multiple CIDR address ranges and allow them to terminate TLS connections. Be aware that the X-Forwarded-Proto header must be set and must never be modifiable by anyone but your proxy / gateway / load balancer. Supports IPv4 and IPv6. Hydra serves HTTP instead of HTTPS when this option is set.