authgear.secrets.yaml
The secret configuration authgear.secrets.yaml
This is the configuration file containing various secrets used in Authgear.
JSON Schema
The configuration file is validated against the following JSON Schema:
{
"$defs": {
"AdminAPIAuthKey": {
"$ref": "#/$defs/JWS"
},
"AnalyticRedisCredentials": {
"additionalProperties": false,
"properties": {
"redis_url": {
"type": "string"
}
},
"required": [
"redis_url"
],
"type": "object"
},
"AuditDatabaseCredentials": {
"additionalProperties": false,
"properties": {
"database_schema": {
"type": "string"
},
"database_url": {
"type": "string"
}
},
"required": [
"database_url"
],
"type": "object"
},
"CSRFKeyMaterials": {
"$ref": "#/$defs/JWS"
},
"DatabaseCredentials": {
"additionalProperties": false,
"properties": {
"database_schema": {
"type": "string"
},
"database_url": {
"type": "string"
}
},
"required": [
"database_url"
],
"type": "object"
},
"ElasticsearchCredentials": {
"additionalProperties": false,
"properties": {
"elasticsearch_url": {
"type": "string"
}
},
"required": [
"elasticsearch_url"
],
"type": "object"
},
"ImagesKeyMaterials": {
"$ref": "#/$defs/JWS"
},
"JWK": {
"properties": {
"kid": {
"type": "string"
},
"kty": {
"type": "string"
}
},
"required": [
"kid",
"kty"
],
"type": "object"
},
"JWS": {
"additionalProperties": false,
"properties": {
"keys": {
"items": {
"$ref": "#/$defs/JWK"
},
"minItems": 1,
"type": "array"
}
},
"required": [
"keys"
],
"type": "object"
},
"NexmoCredentials": {
"additionalProperties": false,
"properties": {
"api_key": {
"type": "string"
},
"api_secret": {
"type": "string"
}
},
"required": [
"api_key",
"api_secret"
],
"type": "object"
},
"OAuthClientCredentials": {
"additionalProperties": false,
"properties": {
"items": {
"items": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"client_secret": {
"type": "string"
}
},
"required": [
"alias",
"client_secret"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"items"
],
"type": "object"
},
"OAuthKeyMaterials": {
"$ref": "#/$defs/JWS"
},
"RedisCredentials": {
"additionalProperties": false,
"properties": {
"redis_url": {
"type": "string"
}
},
"required": [
"redis_url"
],
"type": "object"
},
"SMTPMode": {
"enum": [
"normal",
"ssl"
],
"type": "string"
},
"SMTPServerCredentials": {
"additionalProperties": false,
"properties": {
"host": {
"type": "string"
},
"mode": {
"$ref": "#/$defs/SMTPMode"
},
"password": {
"type": "string"
},
"port": {
"maximum": 65535,
"minimum": 1,
"type": "integer"
},
"username": {
"type": "string"
}
},
"required": [
"host",
"port",
"username",
"password"
],
"type": "object"
},
"SecretConfig": {
"additionalProperties": false,
"properties": {
"secrets": {
"items": {
"$ref": "#/$defs/SecretItem"
},
"type": "array"
}
},
"required": [
"secrets"
],
"type": "object"
},
"SecretItem": {
"additionalProperties": false,
"allOf": [
{
"if": {
"properties": {
"key": {
"const": "admin-api.auth"
}
}
},
"then": {
"properties": {
"data": {
"$ref": "#/$defs/AdminAPIAuthKey"
}
}
}
},
{
"if": {
"properties": {
"key": {
"const": "analytic.redis"
}
}
},
"then": {
"properties": {
"data": {
"$ref": "#/$defs/AnalyticRedisCredentials"
}
}
}
},
{
"if": {
"properties": {
"key": {
"const": "audit.db"
}
}
},
"then": {
"properties": {
"data": {
"$ref": "#/$defs/AuditDatabaseCredentials"
}
}
}
},
{
"if": {
"properties": {
"key": {
"const": "csrf"
}
}
},
"then": {
"properties": {
"data": {
"$ref": "#/$defs/CSRFKeyMaterials"
}
}
}
},
{
"if": {
"properties": {
"key": {
"const": "db"
}
}
},
"then": {
"properties": {
"data": {
"$ref": "#/$defs/DatabaseCredentials"
}
}
}
},
{
"if": {
"properties": {
"key": {
"const": "elasticsearch"
}
}
},
"then": {
"properties": {
"data": {
"$ref": "#/$defs/ElasticsearchCredentials"
}
}
}
},
{
"if": {
"properties": {
"key": {
"const": "images"
}
}
},
"then": {
"properties": {
"data": {
"$ref": "#/$defs/ImagesKeyMaterials"
}
}
}
},
{
"if": {
"properties": {
"key": {
"const": "mail.smtp"
}
}
},
"then": {
"properties": {
"data": {
"$ref": "#/$defs/SMTPServerCredentials"
}
}
}
},
{
"if": {
"properties": {
"key": {
"const": "oauth"
}
}
},
"then": {
"properties": {
"data": {
"$ref": "#/$defs/OAuthKeyMaterials"
}
}
}
},
{
"if": {
"properties": {
"key": {
"const": "redis"
}
}
},
"then": {
"properties": {
"data": {
"$ref": "#/$defs/RedisCredentials"
}
}
}
},
{
"if": {
"properties": {
"key": {
"const": "sms.nexmo"
}
}
},
"then": {
"properties": {
"data": {
"$ref": "#/$defs/NexmoCredentials"
}
}
}
},
{
"if": {
"properties": {
"key": {
"const": "sms.twilio"
}
}
},
"then": {
"properties": {
"data": {
"$ref": "#/$defs/TwilioCredentials"
}
}
}
},
{
"if": {
"properties": {
"key": {
"const": "sso.oauth.client"
}
}
},
"then": {
"properties": {
"data": {
"$ref": "#/$defs/OAuthClientCredentials"
}
}
}
},
{
"if": {
"properties": {
"key": {
"const": "webhook"
}
}
},
"then": {
"properties": {
"data": {
"$ref": "#/$defs/WebhookKeyMaterials"
}
}
}
}
],
"properties": {
"data": {},
"key": {
"$ref": "#/$defs/SecretKey"
}
},
"required": [
"key",
"data"
],
"type": "object"
},
"SecretKey": {
"enum": [
"admin-api.auth",
"analytic.redis",
"audit.db",
"csrf",
"db",
"elasticsearch",
"images",
"mail.smtp",
"oauth",
"redis",
"sms.nexmo",
"sms.twilio",
"sso.oauth.client",
"webhook"
],
"type": "string"
},
"TwilioCredentials": {
"additionalProperties": false,
"properties": {
"account_sid": {
"type": "string"
},
"auth_token": {
"type": "string"
}
},
"required": [
"account_sid",
"auth_token"
],
"type": "object"
},
"WebhookKeyMaterials": {
"$ref": "#/$defs/JWS"
}
},
"$ref": "#/$defs/SecretConfig"
}Structure
Secrets are placed under the key secrets. Each item has key and data. The valid values for key are listed below, where data is key-specific.
secrets:
- key: well-known-key
data: key-specific-dataNote that ALL secrets are required.
admin-api.auth
admin-api.auth defines the JWK to verify Admin API token. It must be an RSA key.
secrets:
- key: admin-api.auth
data:
keys:
- kid: key_id
kty: RSA
# Other fields specific to RSA.db
db defines the database credentials. Only PostgreSQL database is supported.
secrets:
- key: db
data:
database_url: postgresql://
database_scheme: publicaudit.db
audit.db defines the database credentials of the instance for storing audit data. Only PostgreSQL database is supported.
secrets:
- key: audit.db
data:
database_url: postgresql://
database_scheme: publicredis
redis defines the Redis credentials.
secrets:
- key: redis
data:
redis_url: redis://username:password@localhost:6379/0analytic.redis
analytic.redis defines the Redis credentials of the Redis instance for storing analytics data.
secrets:
- key: analytic.redis
data:
redis_url: redis://username:password@localhost:6379/0elasticsearch
elasticsearch defines the connection information of the Elasticsearch instance.
secrets:
- key: elasticsearch
data:
elasticsearch_url: http://localhost:9200sso.oauth.client
sso.oauth.client defines the client secrets.
This is the place where you provide the client secrets of configured external OAuth providers.
secrets:
- key: sso.oauth.client
data:
items:
- alias: google
client_secret: client_secret
- alias: apple
client_secret: private_key_in_pem_formatmail.smtp
mail.smtp defines the SMTP credentials.
mode is either ssl or normal. Usually, you do not need to set it and the mode is inferred from the port.
secrets:
- key: mail.smtp
data:
host: localhost
port: 587
mode: ssl
username: username
password: passwordsms.twilio
sms.twilio defines the Twilio credentials.
secrets:
- key: sms.twilio
data:
account_sid: account_sid
auth_token: auth_tokensms.nexmo
sms.nexmo defines the Nexmo credentials.
secrets:
- key: sms.nexmo
data:
api_key: api_key
api_secret: api_secretjwt
jwt defines the JSON web key (JWK) to sign internal use, ephemeral JWT token. It must be an octet key.
secrets:
- key: jwt
data:
keys:
- kid: key_id
kty: oct
k: keyoidc
oidc defines the JWK to sign ID tokens. It must be an RSA key.
secrets:
- key: oidc
data:
keys:
- kid: key_id
kty: RSA
# Other fields specific to RSA.csrf
csrf defines the symmetric key to generate a CSRF token. It must be an octet key.
webhook
webhook defines the symmetric key to sign webhook request body. It must be an octet key.
Last updated
Was this helpful?