authgear.yaml

The app configuration file, `authgear.yaml`

This is the main configuration file; it affects every aspect of Authgear. Because it defines the enabled authentication methods, session and token lifetimes, OAuth clients and their redirect URIs, allowed HTTP origins, and webhook endpoints, treat any change to it as a security-relevant change and review it as carefully as code. The schema below defines no secret-bearing fields (for example, OAuth provider entries carry only a `client_id`), so credentials are not expected in this file.

JSON Schema

The configuration file is validated against the following JSON Schema. Two caveats for anyone validating it outside Authgear: most objects set `additionalProperties: false`, so an unrecognized or misspelled key is rejected rather than silently ignored; and several `format` values (such as `http_origin`, `http_origin_spec`, `bcp47` and `x_custom_attribute_pointer`) are not part of the standard JSON Schema format vocabulary, so a generic validator will typically not enforce them. Note also that the schema only bounds a few values (for example `access_token_lifetime_seconds` has a minimum of 300 and `verification.code_expiry_seconds` a minimum of 60); `session.lifetime_seconds`, `refresh_token_lifetime_seconds`, the idle timeouts and `password.policy.min_length` (minimum 1) carry no upper or meaningful lower bound here, so the schema will not reject an over-long lifetime or a weak password-length policy:

{
  "$defs": {
    "AccessControlLevelString": {
      "enum": [
        "hidden",
        "readonly",
        "readwrite"
      ],
      "type": "string"
    },
    "AccountDeletionConfig": {
      "additionalProperties": false,
      "properties": {
        "grace_period_days": {
          "$ref": "#/$defs/DurationDays",
          "maximum": 180,
          "minimum": 1
        },
        "scheduled_by_end_user_enabled": {
          "type": "boolean"
        }
      },
      "type": "object"
    },
    "AppConfig": {
      "additionalProperties": false,
      "properties": {
        "account_deletion": {
          "$ref": "#/$defs/AccountDeletionConfig"
        },
        "authentication": {
          "$ref": "#/$defs/AuthenticationConfig"
        },
        "authenticator": {
          "$ref": "#/$defs/AuthenticatorConfig"
        },
        "forgot_password": {
          "$ref": "#/$defs/ForgotPasswordConfig"
        },
        "google_tag_manager": {
          "$ref": "#/$defs/GoogleTagManagerConfig"
        },
        "hook": {
          "$ref": "#/$defs/HookConfig"
        },
        "http": {
          "$ref": "#/$defs/HTTPConfig"
        },
        "id": {
          "type": "string"
        },
        "identity": {
          "$ref": "#/$defs/IdentityConfig"
        },
        "localization": {
          "$ref": "#/$defs/LocalizationConfig"
        },
        "messaging": {
          "$ref": "#/$defs/MessagingConfig"
        },
        "oauth": {
          "$ref": "#/$defs/OAuthConfig"
        },
        "session": {
          "$ref": "#/$defs/SessionConfig"
        },
        "ui": {
          "$ref": "#/$defs/UIConfig"
        },
        "user_profile": {
          "$ref": "#/$defs/UserProfileConfig"
        },
        "verification": {
          "$ref": "#/$defs/VerificationConfig"
        },
        "welcome_message": {
          "$ref": "#/$defs/WelcomeMessageConfig"
        }
      },
      "required": [
        "id",
        "http"
      ],
      "type": "object"
    },
    "AuthenticationConfig": {
      "additionalProperties": false,
      "properties": {
        "device_token": {
          "$ref": "#/$defs/DeviceTokenConfig"
        },
        "identities": {
          "items": {
            "$ref": "#/$defs/IdentityType"
          },
          "type": "array",
          "uniqueItems": true
        },
        "primary_authenticators": {
          "items": {
            "$ref": "#/$defs/PrimaryAuthenticatorType"
          },
          "type": "array",
          "uniqueItems": true
        },
        "public_signup_disabled": {
          "type": "boolean"
        },
        "recovery_code": {
          "$ref": "#/$defs/RecoveryCodeConfig"
        },
        "secondary_authentication_mode": {
          "$ref": "#/$defs/SecondaryAuthenticationMode"
        },
        "secondary_authenticators": {
          "items": {
            "$ref": "#/$defs/SecondaryAuthenticatorType"
          },
          "type": "array",
          "uniqueItems": true
        }
      },
      "type": "object"
    },
    "AuthenticatorConfig": {
      "additionalProperties": false,
      "properties": {
        "oob_otp": {
          "$ref": "#/$defs/AuthenticatorOOBConfig"
        },
        "password": {
          "$ref": "#/$defs/AuthenticatorPasswordConfig"
        },
        "totp": {
          "$ref": "#/$defs/AuthenticatorTOTPConfig"
        }
      },
      "type": "object"
    },
    "AuthenticatorOOBConfig": {
      "additionalProperties": false,
      "properties": {
        "email": {
          "$ref": "#/$defs/AuthenticatorOOBEmailConfig"
        },
        "sms": {
          "$ref": "#/$defs/AuthenticatorOOBSMSConfig"
        }
      },
      "type": "object"
    },
    "AuthenticatorOOBEmailConfig": {
      "additionalProperties": false,
      "properties": {
        "maximum": {
          "type": "integer"
        }
      },
      "type": "object"
    },
    "AuthenticatorOOBSMSConfig": {
      "additionalProperties": false,
      "properties": {
        "maximum": {
          "type": "integer"
        }
      },
      "type": "object"
    },
    "AuthenticatorPasswordConfig": {
      "additionalProperties": false,
      "properties": {
        "force_change": {
          "type": "boolean"
        },
        "policy": {
          "$ref": "#/$defs/PasswordPolicyConfig"
        }
      },
      "type": "object"
    },
    "AuthenticatorTOTPConfig": {
      "additionalProperties": false,
      "properties": {
        "maximum": {
          "type": "integer"
        }
      },
      "type": "object"
    },
    "BiometricConfig": {
      "additionalProperties": false,
      "properties": {
        "list_enabled": {
          "type": "boolean"
        }
      },
      "type": "object"
    },
    "BlockingHookHandlersConfig": {
      "additionalProperties": false,
      "properties": {
        "event": {
          "enum": [
            "user.pre_create",
            "user.profile.pre_update",
            "user.pre_schedule_deletion"
          ],
          "type": "string"
        },
        "url": {
          "format": "uri",
          "type": "string"
        }
      },
      "required": [
        "event",
        "url"
      ],
      "type": "object"
    },
    "CustomAttributesAttributeConfig": {
      "allOf": [
        {
          "if": {
            "properties": {
              "type": {
                "const": "number"
              }
            }
          },
          "then": {
            "properties": {
              "maximum": {
                "type": "number"
              },
              "minimum": {
                "type": "number"
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "type": {
                "const": "integer"
              }
            }
          },
          "then": {
            "properties": {
              "maximum": {
                "type": "integer"
              },
              "minimum": {
                "type": "integer"
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "type": {
                "const": "enum"
              }
            }
          },
          "then": {
            "properties": {
              "enum": {
                "items": {
                  "minLength": 1,
                  "pattern": "^[a-zA-Z0-9_]*$",
                  "type": "string"
                },
                "minItems": 1,
                "type": "array",
                "uniqueItems": true
              }
            },
            "required": [
              "enum"
            ]
          }
        },
        {
          "if": {
            "properties": {
              "type": {
                "not": {
                  "enum": [
                    "number",
                    "integer",
                    "enum"
                  ]
                }
              }
            }
          },
          "then": true
        }
      ],
      "properties": {
        "access_control": {
          "$ref": "#/$defs/UserProfileAttributesAccessControl"
        },
        "id": {
          "minLength": 1,
          "type": "string"
        },
        "pointer": {
          "format": "x_custom_attribute_pointer",
          "not": {
            "enum": [
              "/iss",
              "/sub",
              "/aud",
              "/exp",
              "/nbf",
              "/iat",
              "/jti",
              "/sub",
              "/email",
              "/email_verified",
              "/phone_number",
              "/phone_number_verified",
              "/preferred_username",
              "/family_name",
              "/given_name",
              "/picture",
              "/gender",
              "/birthdate",
              "/zoneinfo",
              "/locale",
              "/name",
              "/nickname",
              "/middle_name",
              "/profile",
              "/website",
              "/address",
              "/updated_at"
            ]
          },
          "type": "string"
        },
        "type": {
          "enum": [
            "string",
            "number",
            "integer",
            "enum",
            "phone_number",
            "email",
            "url",
            "country_code"
          ],
          "type": "string"
        }
      },
      "required": [
        "id",
        "pointer",
        "type"
      ],
      "type": "object"
    },
    "CustomAttributesConfig": {
      "additionalProperties": false,
      "properties": {
        "attributes": {
          "items": {
            "$ref": "#/$defs/CustomAttributesAttributeConfig"
          },
          "type": "array"
        }
      },
      "type": "object"
    },
    "DeviceTokenConfig": {
      "additionalProperties": false,
      "properties": {
        "disabled": {
          "type": "boolean"
        },
        "expire_in_days": {
          "$ref": "#/$defs/DurationDays"
        }
      },
      "type": "object"
    },
    "DurationDays": {
      "type": "integer"
    },
    "DurationSeconds": {
      "type": "integer"
    },
    "ForgotPasswordConfig": {
      "additionalProperties": false,
      "properties": {
        "enabled": {
          "type": "boolean"
        },
        "reset_code_expiry_seconds": {
          "$ref": "#/$defs/DurationSeconds"
        }
      },
      "type": "object"
    },
    "GoogleTagManagerConfig": {
      "additionalProperties": false,
      "properties": {
        "container_id": {
          "format": "google_tag_manager_container_id",
          "type": "string"
        }
      },
      "type": "object"
    },
    "HTTPConfig": {
      "additionalProperties": false,
      "properties": {
        "allowed_origins": {
          "items": {
            "format": "http_origin_spec",
            "minLength": 1,
            "type": "string"
          },
          "type": "array"
        },
        "cookie_domain": {
          "type": "string"
        },
        "cookie_prefix": {
          "type": "string"
        },
        "public_origin": {
          "format": "http_origin",
          "type": "string"
        }
      },
      "required": [
        "public_origin"
      ],
      "type": "object"
    },
    "HookConfig": {
      "additionalProperties": false,
      "properties": {
        "blocking_handlers": {
          "items": {
            "$ref": "#/$defs/BlockingHookHandlersConfig"
          },
          "type": "array"
        },
        "non_blocking_handlers": {
          "items": {
            "$ref": "#/$defs/NonBlockingHookHandlersConfig"
          },
          "type": "array"
        },
        "sync_hook_timeout_seconds": {
          "$ref": "#/$defs/DurationSeconds"
        },
        "sync_hook_total_timeout_seconds": {
          "$ref": "#/$defs/DurationSeconds"
        }
      },
      "type": "object"
    },
    "ISO31661Alpha2": {
      "enum": [
        "AD",
        "AE",
        "AF",
        "AG",
        "AI",
        "AL",
        "AM",
        "AO",
        "AR",
        "AS",
        "AT",
        "AU",
        "AW",
        "AX",
        "AZ",
        "BA",
        "BB",
        "BD",
        "BE",
        "BF",
        "BG",
        "BH",
        "BI",
        "BJ",
        "BL",
        "BM",
        "BN",
        "BO",
        "BQ",
        "BR",
        "BS",
        "BT",
        "BW",
        "BY",
        "BZ",
        "CA",
        "CC",
        "CD",
        "CF",
        "CG",
        "CH",
        "CI",
        "CK",
        "CL",
        "CM",
        "CN",
        "CO",
        "CR",
        "CU",
        "CV",
        "CW",
        "CX",
        "CY",
        "CZ",
        "DE",
        "DJ",
        "DK",
        "DM",
        "DO",
        "DZ",
        "EC",
        "EE",
        "EG",
        "EH",
        "ER",
        "ES",
        "ET",
        "FI",
        "FJ",
        "FK",
        "FM",
        "FO",
        "FR",
        "GA",
        "GB",
        "GD",
        "GE",
        "GF",
        "GG",
        "GH",
        "GI",
        "GL",
        "GM",
        "GN",
        "GP",
        "GQ",
        "GR",
        "GT",
        "GU",
        "GW",
        "GY",
        "HK",
        "HN",
        "HR",
        "HT",
        "HU",
        "ID",
        "IE",
        "IL",
        "IM",
        "IN",
        "IO",
        "IQ",
        "IR",
        "IS",
        "IT",
        "JE",
        "JM",
        "JO",
        "JP",
        "KE",
        "KG",
        "KH",
        "KI",
        "KM",
        "KN",
        "KP",
        "KR",
        "KW",
        "KY",
        "KZ",
        "LA",
        "LB",
        "LC",
        "LI",
        "LK",
        "LR",
        "LS",
        "LT",
        "LU",
        "LV",
        "LY",
        "MA",
        "MC",
        "MD",
        "ME",
        "MF",
        "MG",
        "MH",
        "MK",
        "ML",
        "MM",
        "MN",
        "MO",
        "MP",
        "MQ",
        "MR",
        "MS",
        "MT",
        "MU",
        "MV",
        "MW",
        "MX",
        "MY",
        "MZ",
        "NA",
        "NC",
        "NE",
        "NF",
        "NG",
        "NI",
        "NL",
        "NO",
        "NP",
        "NR",
        "NU",
        "NZ",
        "OM",
        "PA",
        "PE",
        "PF",
        "PG",
        "PH",
        "PK",
        "PL",
        "PM",
        "PR",
        "PS",
        "PT",
        "PW",
        "PY",
        "QA",
        "RE",
        "RO",
        "RS",
        "RU",
        "RW",
        "SA",
        "SB",
        "SC",
        "SD",
        "SE",
        "SG",
        "SH",
        "SI",
        "SJ",
        "SK",
        "SL",
        "SM",
        "SN",
        "SO",
        "SR",
        "SS",
        "ST",
        "SV",
        "SX",
        "SY",
        "SZ",
        "TC",
        "TD",
        "TG",
        "TH",
        "TJ",
        "TK",
        "TL",
        "TM",
        "TN",
        "TO",
        "TR",
        "TT",
        "TV",
        "TW",
        "TZ",
        "UA",
        "UG",
        "US",
        "UY",
        "UZ",
        "VA",
        "VC",
        "VE",
        "VG",
        "VI",
        "VN",
        "VU",
        "WF",
        "WS",
        "XK",
        "YE",
        "YT",
        "ZA",
        "ZM",
        "ZW"
      ],
      "type": "string"
    },
    "IdentityConfig": {
      "additionalProperties": false,
      "properties": {
        "biometric": {
          "$ref": "#/$defs/BiometricConfig"
        },
        "login_id": {
          "$ref": "#/$defs/LoginIDConfig"
        },
        "oauth": {
          "$ref": "#/$defs/OAuthSSOConfig"
        },
        "on_conflict": {
          "$ref": "#/$defs/IdentityConflictConfig"
        }
      },
      "type": "object"
    },
    "IdentityConflictConfig": {
      "additionalProperties": false,
      "properties": {
        "promotion": {
          "$ref": "#/$defs/PromotionConflictBehavior"
        }
      },
      "type": "object"
    },
    "IdentityType": {
      "enum": [
        "login_id",
        "oauth",
        "anonymous",
        "biometric"
      ],
      "type": "string"
    },
    "LocalizationConfig": {
      "additionalProperties": false,
      "properties": {
        "fallback_language": {
          "format": "bcp47",
          "type": "string"
        },
        "supported_languages": {
          "items": {
            "format": "bcp47",
            "type": "string"
          },
          "minItems": 1,
          "type": "array",
          "uniqueItems": true
        }
      },
      "type": "object"
    },
    "LoginIDConfig": {
      "additionalProperties": false,
      "properties": {
        "keys": {
          "items": {
            "$ref": "#/$defs/LoginIDKeyConfig"
          },
          "type": "array"
        },
        "types": {
          "$ref": "#/$defs/LoginIDTypesConfig"
        }
      },
      "type": "object"
    },
    "LoginIDEmailConfig": {
      "additionalProperties": false,
      "allOf": [
        {
          "if": {
            "properties": {
              "domain_blocklist_enabled": {
                "enum": [
                  true
                ]
              }
            },
            "required": [
              "domain_blocklist_enabled"
            ]
          },
          "then": {
            "properties": {
              "domain_allowlist_enabled": {
                "enum": [
                  false
                ]
              }
            }
          }
        },
        {
          "if": {
            "properties": {
              "block_free_email_provider_domains": {
                "enum": [
                  true
                ]
              }
            },
            "required": [
              "block_free_email_provider_domains"
            ]
          },
          "then": {
            "properties": {
              "domain_blocklist_enabled": {
                "enum": [
                  true
                ]
              }
            },
            "required": [
              "domain_blocklist_enabled"
            ]
          }
        }
      ],
      "properties": {
        "block_free_email_provider_domains": {
          "type": "boolean"
        },
        "block_plus_sign": {
          "type": "boolean"
        },
        "case_sensitive": {
          "type": "boolean"
        },
        "domain_allowlist_enabled": {
          "type": "boolean"
        },
        "domain_blocklist_enabled": {
          "type": "boolean"
        },
        "ignore_dot_sign": {
          "type": "boolean"
        }
      },
      "type": "object"
    },
    "LoginIDKeyConfig": {
      "additionalProperties": false,
      "properties": {
        "key": {
          "type": "string"
        },
        "max_length": {
          "type": "integer"
        },
        "modify_disabled": {
          "type": "boolean"
        },
        "type": {
          "$ref": "#/$defs/LoginIDKeyType"
        }
      },
      "required": [
        "type"
      ],
      "type": "object"
    },
    "LoginIDKeyType": {
      "enum": [
        "email",
        "phone",
        "username"
      ],
      "type": "string"
    },
    "LoginIDTypesConfig": {
      "additionalProperties": false,
      "properties": {
        "email": {
          "$ref": "#/$defs/LoginIDEmailConfig"
        },
        "username": {
          "$ref": "#/$defs/LoginIDUsernameConfig"
        }
      },
      "type": "object"
    },
    "LoginIDUsernameConfig": {
      "additionalProperties": false,
      "properties": {
        "ascii_only": {
          "type": "boolean"
        },
        "block_reserved_usernames": {
          "type": "boolean"
        },
        "case_sensitive": {
          "type": "boolean"
        },
        "exclude_keywords_enabled": {
          "type": "boolean"
        }
      },
      "type": "object"
    },
    "MessagingConfig": {
      "additionalProperties": false,
      "properties": {
        "sms_provider": {
          "$ref": "#/$defs/SMSProvider"
        }
      },
      "type": "object"
    },
    "NonBlockingHookHandlersConfig": {
      "additionalProperties": false,
      "properties": {
        "events": {
          "items": {
            "enum": [
              "*",
              "user.created",
              "user.authenticated",
              "user.profile.updated",
              "user.disabled",
              "user.reenabled",
              "user.anonymous.promoted",
              "user.deletion_scheduled",
              "user.deletion_unscheduled",
              "user.deleted",
              "identity.email.added",
              "identity.email.removed",
              "identity.email.updated",
              "identity.phone.added",
              "identity.phone.removed",
              "identity.phone.updated",
              "identity.username.added",
              "identity.username.removed",
              "identity.username.updated",
              "identity.oauth.connected",
              "identity.oauth.disconnected"
            ],
            "type": "string"
          },
          "type": "array"
        },
        "url": {
          "format": "uri",
          "type": "string"
        }
      },
      "required": [
        "events",
        "url"
      ],
      "type": "object"
    },
    "OAuthClaimConfig": {
      "additionalProperties": false,
      "properties": {
        "assume_verified": {
          "type": "boolean"
        },
        "required": {
          "type": "boolean"
        }
      },
      "type": "object"
    },
    "OAuthClaimsConfig": {
      "additionalProperties": false,
      "properties": {
        "email": {
          "$ref": "#/$defs/OAuthClaimConfig"
        }
      },
      "type": "object"
    },
    "OAuthClientConfig": {
      "additionalProperties": false,
      "properties": {
        "access_token_lifetime_seconds": {
          "$ref": "#/$defs/DurationSeconds",
          "minimum": 300
        },
        "client_id": {
          "type": "string"
        },
        "client_uri": {
          "format": "uri",
          "type": "string"
        },
        "grant_types": {
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "is_first_party": {
          "type": "boolean"
        },
        "issue_jwt_access_token": {
          "type": "boolean"
        },
        "name": {
          "type": "string"
        },
        "post_logout_redirect_uris": {
          "items": {
            "format": "uri",
            "type": "string"
          },
          "type": "array"
        },
        "redirect_uris": {
          "items": {
            "format": "uri",
            "type": "string"
          },
          "minItems": 1,
          "type": "array"
        },
        "refresh_token_idle_timeout_enabled": {
          "type": "boolean"
        },
        "refresh_token_idle_timeout_seconds": {
          "$ref": "#/$defs/DurationSeconds"
        },
        "refresh_token_lifetime_seconds": {
          "$ref": "#/$defs/DurationSeconds"
        },
        "response_types": {
          "items": {
            "type": "string"
          },
          "type": "array"
        }
      },
      "required": [
        "name",
        "client_id",
        "redirect_uris"
      ],
      "type": "object"
    },
    "OAuthConfig": {
      "additionalProperties": false,
      "properties": {
        "clients": {
          "items": {
            "$ref": "#/$defs/OAuthClientConfig"
          },
          "type": "array"
        }
      },
      "type": "object"
    },
    "OAuthSSOConfig": {
      "additionalProperties": false,
      "properties": {
        "providers": {
          "items": {
            "$ref": "#/$defs/OAuthSSOProviderConfig"
          },
          "type": "array"
        }
      },
      "type": "object"
    },
    "OAuthSSOProviderConfig": {
      "additionalProperties": false,
      "allOf": [
        {
          "if": {
            "properties": {
              "type": {
                "const": "apple"
              }
            }
          },
          "then": {
            "required": [
              "key_id",
              "team_id"
            ]
          }
        },
        {
          "if": {
            "properties": {
              "type": {
                "const": "azureadv2"
              }
            }
          },
          "then": {
            "required": [
              "tenant"
            ]
          }
        },
        {
          "if": {
            "properties": {
              "type": {
                "const": "wechat"
              }
            }
          },
          "then": {
            "required": [
              "app_type",
              "account_id"
            ]
          }
        },
        {
          "if": {
            "properties": {
              "type": {
                "const": "adfs"
              }
            }
          },
          "then": {
            "required": [
              "discovery_document_endpoint"
            ]
          }
        },
        {
          "if": {
            "properties": {
              "type": {
                "const": "azureadb2c"
              }
            }
          },
          "then": {
            "required": [
              "tenant",
              "policy"
            ]
          }
        }
      ],
      "properties": {
        "account_id": {
          "format": "wechat_account_id",
          "type": "string"
        },
        "alias": {
          "type": "string"
        },
        "app_type": {
          "$ref": "#/$defs/OAuthSSOWeChatAppType"
        },
        "claims": {
          "$ref": "#/$defs/OAuthClaimsConfig"
        },
        "client_id": {
          "type": "string"
        },
        "discovery_document_endpoint": {
          "format": "uri",
          "type": "string"
        },
        "is_sandbox_account": {
          "type": "boolean"
        },
        "key_id": {
          "type": "string"
        },
        "modify_disabled": {
          "type": "boolean"
        },
        "policy": {
          "type": "string"
        },
        "team_id": {
          "type": "string"
        },
        "tenant": {
          "type": "string"
        },
        "type": {
          "$ref": "#/$defs/OAuthSSOProviderType"
        },
        "wechat_redirect_uris": {
          "items": {
            "format": "uri",
            "type": "string"
          },
          "type": "array"
        }
      },
      "required": [
        "alias",
        "type",
        "client_id"
      ],
      "type": "object"
    },
    "OAuthSSOProviderType": {
      "enum": [
        "google",
        "facebook",
        "github",
        "linkedin",
        "azureadv2",
        "azureadb2c",
        "adfs",
        "apple",
        "wechat"
      ],
      "type": "string"
    },
    "OAuthSSOWeChatAppType": {
      "enum": [
        "mobile",
        "web"
      ],
      "type": "string"
    },
    "PasswordPolicyConfig": {
      "additionalProperties": false,
      "properties": {
        "digit_required": {
          "type": "boolean"
        },
        "excluded_keywords": {
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "history_days": {
          "$ref": "#/$defs/DurationDays"
        },
        "history_size": {
          "type": "integer"
        },
        "lowercase_required": {
          "type": "boolean"
        },
        "min_length": {
          "minimum": 1,
          "type": "integer"
        },
        "minimum_guessable_level": {
          "type": "integer"
        },
        "symbol_required": {
          "type": "boolean"
        },
        "uppercase_required": {
          "type": "boolean"
        }
      },
      "type": "object"
    },
    "PhoneInputConfig": {
      "additionalProperties": false,
      "properties": {
        "allowlist": {
          "items": {
            "$ref": "#/$defs/ISO31661Alpha2"
          },
          "minItems": 1,
          "type": "array"
        },
        "pinned_list": {
          "items": {
            "$ref": "#/$defs/ISO31661Alpha2"
          },
          "type": "array"
        },
        "preselect_by_ip_disabled": {
          "type": "boolean"
        }
      },
      "type": "object"
    },
    "PrimaryAuthenticatorType": {
      "enum": [
        "password",
        "oob_otp_email",
        "oob_otp_sms"
      ],
      "type": "string"
    },
    "PromotionConflictBehavior": {
      "enum": [
        "error",
        "login"
      ],
      "type": "string"
    },
    "RecoveryCodeConfig": {
      "additionalProperties": false,
      "properties": {
        "count": {
          "maximum": 50,
          "minimum": 10,
          "type": "integer"
        },
        "list_enabled": {
          "type": "boolean"
        }
      },
      "type": "object"
    },
    "SMSProvider": {
      "enum": [
        "nexmo",
        "twilio"
      ],
      "type": "string"
    },
    "SecondaryAuthenticationMode": {
      "enum": [
        "disabled",
        "if_exists",
        "required"
      ],
      "type": "string"
    },
    "SecondaryAuthenticatorType": {
      "enum": [
        "password",
        "oob_otp_email",
        "oob_otp_sms",
        "totp"
      ],
      "type": "string"
    },
    "SessionConfig": {
      "additionalProperties": false,
      "properties": {
        "cookie_non_persistent": {
          "type": "boolean"
        },
        "idle_timeout_enabled": {
          "type": "boolean"
        },
        "idle_timeout_seconds": {
          "$ref": "#/$defs/DurationSeconds"
        },
        "lifetime_seconds": {
          "$ref": "#/$defs/DurationSeconds"
        }
      },
      "type": "object"
    },
    "StandardAttributesAccessControlConfig": {
      "additionalProperties": false,
      "properties": {
        "access_control": {
          "$ref": "#/$defs/UserProfileAttributesAccessControl"
        },
        "pointer": {
          "enum": [
            "/email",
            "/phone_number",
            "/preferred_username",
            "/family_name",
            "/given_name",
            "/picture",
            "/gender",
            "/birthdate",
            "/zoneinfo",
            "/locale",
            "/name",
            "/nickname",
            "/middle_name",
            "/profile",
            "/website",
            "/address"
          ],
          "format": "json-pointer",
          "type": "string"
        }
      },
      "type": "object"
    },
    "StandardAttributesConfig": {
      "additionalProperties": false,
      "properties": {
        "access_control": {
          "items": {
            "$ref": "#/$defs/StandardAttributesAccessControlConfig"
          },
          "type": "array"
        },
        "population": {
          "$ref": "#/$defs/StandardAttributesPopulationConfig"
        }
      },
      "type": "object"
    },
    "StandardAttributesPopulationConfig": {
      "additionalProperties": false,
      "properties": {
        "strategy": {
          "enum": [
            "none",
            "on_signup"
          ],
          "type": "string"
        }
      },
      "type": "object"
    },
    "UIConfig": {
      "additionalProperties": false,
      "properties": {
        "dark_theme_disabled": {
          "type": "boolean"
        },
        "default_client_uri": {
          "format": "uri",
          "type": "string"
        },
        "default_post_logout_redirect_uri": {
          "format": "uri",
          "type": "string"
        },
        "default_redirect_uri": {
          "format": "uri",
          "type": "string"
        },
        "phone_input": {
          "$ref": "#/$defs/PhoneInputConfig"
        },
        "watermark_disabled": {
          "type": "boolean"
        }
      },
      "type": "object"
    },
    "UserProfileAttributesAccessControl": {
      "additionalProperties": false,
      "enum": [
        {
          "bearer": "hidden",
          "end_user": "hidden",
          "portal_ui": "hidden"
        },
        {
          "bearer": "hidden",
          "end_user": "hidden",
          "portal_ui": "readonly"
        },
        {
          "bearer": "hidden",
          "end_user": "hidden",
          "portal_ui": "readwrite"
        },
        {
          "bearer": "readonly",
          "end_user": "hidden",
          "portal_ui": "readonly"
        },
        {
          "bearer": "readonly",
          "end_user": "hidden",
          "portal_ui": "readwrite"
        },
        {
          "bearer": "readonly",
          "end_user": "readonly",
          "portal_ui": "readonly"
        },
        {
          "bearer": "readonly",
          "end_user": "readonly",
          "portal_ui": "readwrite"
        },
        {
          "bearer": "readonly",
          "end_user": "readwrite",
          "portal_ui": "readwrite"
        }
      ],
      "properties": {
        "bearer": {
          "$ref": "#/$defs/AccessControlLevelString"
        },
        "end_user": {
          "$ref": "#/$defs/AccessControlLevelString"
        },
        "portal_ui": {
          "$ref": "#/$defs/AccessControlLevelString"
        }
      },
      "type": "object"
    },
    "UserProfileConfig": {
      "additionalProperties": false,
      "properties": {
        "custom_attributes": {
          "$ref": "#/$defs/CustomAttributesConfig"
        },
        "standard_attributes": {
          "$ref": "#/$defs/StandardAttributesConfig"
        }
      },
      "type": "object"
    },
    "VerificationClaimConfig": {
      "additionalProperties": false,
      "properties": {
        "enabled": {
          "type": "boolean"
        },
        "required": {
          "type": "boolean"
        }
      },
      "type": "object"
    },
    "VerificationClaimsConfig": {
      "additionalProperties": false,
      "properties": {
        "email": {
          "$ref": "#/$defs/VerificationClaimConfig"
        },
        "phone_number": {
          "$ref": "#/$defs/VerificationClaimConfig"
        }
      },
      "type": "object"
    },
    "VerificationConfig": {
      "additionalProperties": false,
      "properties": {
        "claims": {
          "$ref": "#/$defs/VerificationClaimsConfig"
        },
        "code_expiry_seconds": {
          "$ref": "#/$defs/DurationSeconds",
          "minimum": 60
        },
        "criteria": {
          "$ref": "#/$defs/VerificationCriteria"
        }
      },
      "type": "object"
    },
    "VerificationCriteria": {
      "enum": [
        "any",
        "all"
      ],
      "type": "string"
    },
    "WelcomeMessageConfig": {
      "additionalProperties": false,
      "properties": {
        "destination": {
          "$ref": "#/$defs/WelcomeMessageDestination"
        },
        "enabled": {
          "type": "boolean"
        }
      },
      "type": "object"
    },
    "WelcomeMessageDestination": {
      "enum": [
        "first",
        "all"
      ],
      "type": "string"
    }
  },
  "$ref": "#/$defs/AppConfig"
}

Annotated example

# The ID of this instance of Authgear.
id: myapp
# Configure different identity behavior.
identity:
  # Configure Login ID Identity.
  login_id:
    # Defines the set of accepted login IDs.
    # By default the user can have at most 1 email.
    #
    # If you do not want the defaults, define the keys yourself.
    keys:
    # Define the type of login ID.
    # Valid values are "email", "phone" and "username".
    - type: email
      # The maximum length of the login ID.
      # Default is 40.
      max_length: 40
      # Whether the login ID can be modified by the end-user in the settings page.
      modify_disabled: false
    - type: phone
    - type: username
    # Configure the characteristics of some login IDs.
    types:
      # Configure Email Login ID Identity.
      email:
        # Whether the + sign is disallowed in the local part. Default is false.
        block_plus_sign: false
        # Whether the email is treated case sensitively. Default is false.
        case_sensitive: false
        # Whether the . sign is ignored. Default is false.
        ignore_dot_sign: false
        # Whether the email domain blocklist is enabled. Default is false.
        # In addition to setting it to true, you also need to provide
        # `email_domain_blocklist.txt` next to `authgear.yaml`.
        # It is a plaintext file with one domain per line.
        # domain_blocklist_enabled and domain_allowlist_enabled are mutually exclusive.
        domain_blocklist_enabled: false
        # Whether the email domain allowlist is enabled. Default is false.
        # In addition to setting it to true, you also need to provide
        # `email_domain_allowlist.txt` next to `authgear.yaml`.
        # It is a plaintext file with one domain per line.
        # domain_blocklist_enabled and domain_allowlist_enabled are mutually exclusive.
        domain_allowlist_enabled: false
        # Whether free email provider domains are blocked. Default is false.
        # It is an auxiliary option of domain_blocklist_enabled, so
        # domain_blocklist_enabled must be true for this to take effect.
        block_free_email_provider_domains: false
      # Configure Username Login ID Identity.
      username:
        # Whether the username can only contain `-a-zA-Z0-9_.`. Default is true.
        ascii_only: true
        # Whether reserved usernames are blocked. Default is true.
        block_reserved_usernames: true
        # Whether the username is treated case sensitively. Default is false.
        case_sensitive: false
        # Whether the exclude keyword list is enabled. Default is false.
        # In addition to setting it to true, you also need to provide
        # `reserved_name.txt` next to `authgear.yaml`.
        # It is a plaintext file with one keyword per line.
        exclude_keywords_enabled: false
  # Configure OAuth Identity.
  oauth:
    # Configure external OAuth identity providers.
    providers:
    # Denote the type of the identity provider.
    - type: google
      # By default, alias is the same as the value of type.
      alias: google
      # Client ID and client secret are the credentials you obtain from the specific provider.
      # Please refer to the documentation of the provider.
      # Only the client ID goes here; the client secret must be provided
      # separately in the secret config file, never in authgear.yaml.
      client_id: google_client_id
      # Configure the verification on the claims derived from the user profile received from the provider.
      claims:
        # Configure the claim "email".
        email:
          # Whether the claim is assumed to be verified.
          # Default is true.
          # That is, by default, all "email" claims from every provider are trusted.
          # Consider setting this to false for providers that do not verify
          # email ownership, since an assumed-verified claim is trusted as-is.
          assume_verified: true
    - type: apple
      alias: apple
      # The client ID for Apple is the services ID.
      # The client secret for Apple is the PEM format of the private key
      # (provided in the secret config file, like every other client secret).
      client_id: apple_services_id
      # The key ID of the private key.
      key_id: key_id
      # The team ID of your Apple Developer Account.
      team_id: team_id
    - type: azureadv2
      alias: azure
      client_id: client_id
      # Tenant is either the special value "common", the special value "organizations" or
      # the ID of an Azure AD tenant.
      #
      # Note that when you create the client in Azure Portal,
      # you have to choose which tenant the client intends to interact with.
      #
      # If you wish to allow any Microsoft accounts such as
      #
      # - hotmail
      # - Xbox
      # - Outlook
      #
      # to login, then the value must be "common".
      #
      # If you wish to allow any user in any Azure AD in your Azure account,
      # then the value must be "organizations".
      #
      # Otherwise the value must be the ID of an Azure AD tenant.
      # In this case, only users in that Azure AD can login.
      tenant: common
    - type: wechat
      alias: wechat
      client_id: client_id
      # Whether the given client is bound to a sandbox account.
      # Default is false.
      is_sandbox_account: false
      # The WeChat account ID.
      # A WeChat account ID always starts with `gh_`.
      account_id: "gh_foobar"
      # The application type. Valid values are "mobile" and "web".
      app_type: "mobile"
  on_conflict:
    # Configure the behavior in anonymous user promotion when the claimed identity
    # conflicts with an existing identity.
    #
    # Valid values are "error" and "login".
    # Default is "error".
    #
    # For example, the user initially signed up as "user@example.com".
    # Later on the user uninstalled the mobile app.
    # The user installed the mobile app again and forgot they had signed up before.
    # The user continued as an anonymous user.
    # The user finally opted to sign up with "user@example.com".
    # At this point, the user has 2 accounts.
    #
    # If the value is "error", an error is shown telling the user that
    # the identity they are claiming has been claimed by another user.
    #
    # If the value is "login", the anonymous user is discarded,
    # and the user simply authenticates themselves as the original user.
    # It is up to the developer to handle account merging.
    promotion: "error"
  # Configure biometric identity.
  biometric:
    # Configure whether biometric identity is shown in the settings page.
    # If it is true, the user can view the list of biometric identities in the settings page
    # and remove any biometric identity that they will never use again.
    # Default is false.
    list_enabled: false
# Configure different authenticator behavior.
authenticator:
  # Configure OOB-OTP Authenticator.
  oob_otp:
    email:
      # The maximum number of email OOB-OTP authenticators the user can have.
      # Default is 1.
      maximum: 1
    sms:
      # The maximum number of SMS OOB-OTP authenticators the user can have.
      # Default is 1.
      maximum: 1
  # Configure Password Authenticator.
  password:
    # Configure password policy.
    # All policies are turned off by default.
    policy:
      # Set the minimum length of a new password.
      min_length: 10
      # Require a new password to have at least 1 digit.
      digit_required: true
      # Require a new password to have at least 1 lowercase ASCII character.
      lowercase_required: true
      # Require a new password to have at least 1 uppercase ASCII character.
      uppercase_required: true
      # Require a new password to have at least 1 symbol character.
      symbol_required: true
      # Disallow passwords containing the given keywords.
      excluded_keywords:
      - secret
      - admin
      - password
      # Require a strong password.
      # The strength of the password is calculated with https://github.com/dropbox/zxcvbn
      # 1 is the weakest level and 5 is the strongest level.
      minimum_guessable_level: 5
      # How many days of password history are kept.
      history_days: 90
      # How many previous passwords are kept in the history.
      history_size: 10
  # Configure TOTP Authenticator.
  totp:
    # The maximum number of TOTP authenticators the user can have.
    # Default is 1.
    maximum: 1
# Configure the authentication behavior.
authentication:
  # Determine which identities are enabled.
  #
  # To enable anonymous users, add "anonymous".
  # To enable biometric authentication, add "biometric".
  #
  # By default "login_id" and "oauth" are enabled.
  identities:
  - login_id
  - oauth
  - anonymous
  - biometric
  # Determine which authenticators can be used as primary authenticator.
  # By default only "password" is enabled.
  primary_authenticators:
  - password
  # Determine which authenticators can be used as secondary authenticator.
  # By default only "totp" is enabled.
  secondary_authenticators:
  - totp
  # Configure the MFA behavior.
  #
  # if_exists: The user can add secondary authenticators.
  # If the user has at least one secondary authenticator, then MFA must be performed.
  #
  # required: The user must add secondary authenticators.
  # The user must perform MFA during authentication.
  #
  # disabled: The user cannot add any secondary authenticators.
  #
  # Default is "if_exists".
  secondary_authentication_mode: if_exists
  # Configure Device Token.
  # A device token can be generated during MFA.
  # It is used to skip MFA on the device for future authentication,
  # so its lifetime bounds how long a remembered device bypasses MFA.
  device_token:
    # Determine how long the device token is valid, in days.
    expire_in_days: 30
  # Whether users must be created by an admin. Default is false.
  public_signup_disabled: false
  # Configure Recovery Code.
  recovery_code:
    # The number of recovery codes. Default is 16.
    count: 16
    # Whether the user can list the recovery codes again. Default is false.
    list_enabled: false
# Configure forgot password behavior.
forgot_password:
  # Whether forgot password is enabled.
  # The default is true.
  enabled: true
  # How long the reset code remains valid, in seconds. The default is 1200. That is 20 minutes.
  reset_code_expiry_seconds: 1200
# Configure webhook.
hook:
  # How long a single handler can take to process the webhook event before timing out.
  # Default is 5.
  sync_hook_timeout_seconds: 5
  # How long all handlers together can take to process the webhook event before timing out.
  # Default is 10.
  sync_hook_total_timeout_seconds: 10
  # Define the list of webhook handlers.
  handlers:
  # The event name.
  - event: before_user_create
    # The endpoint of the webhook handler.
    url: https://api.example.com/hook/before_user_create
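# Configure HTTP behavior.
http:
  # The list of origins allowed in the Access-Control-Allow-Origin response header (CORS).
  # Default is an empty list. List only origins you trust.
  allowed_origins:
  - https://trusted-third-party-server.com
  # Explicitly set the cookie domain. Default is eTLD+1.
  # A cookie Domain attribute is a host name, never a URL with a scheme,
  # so use "accounts.myapp.com" rather than "https://accounts.myapp.com".
  cookie_domain: accounts.myapp.com
  # The expected origin of this Authgear instance.
  # It is used to render an absolute URL in templates.
  public_origin: https://accounts.myapp.com
  # Set the prefix of the cookies written by Authgear in case
  # you have cookie name conflicts you want to avoid.
  # The default prefix is an empty string.
  cookie_prefix: "my_app_"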
# Configure default messaging configuration.
messaging:
  # Configure which SMS provider to use.
  # Valid values are "twilio" and "nexmo".
  # You must provide the provider credentials in the secret config, not here.
  sms_provider: "twilio"
# Configure user verification.
verification:
  # Determine the verification status criteria.
  # any: User is verified if any of the verifiable claims is verified.
  # all: User is verified if all of the verifiable claims are verified.
  # Default is any.
  criteria: any
  # Lifetime of the verification code in seconds. Default is 3600 (1 hour).
  # The schema requires a value of at least 60.
  code_expiry_seconds: 3600
  # Configure which claims are verifiable and are required to be verified.
  claims:
    # Configure the claim "email".
    email:
      # Whether this claim is verifiable.
      # Default is true.
      enabled: true
      # Whether this claim is required to be verified.
      # Default is true.
      required: true
    # Configure the claim "phone_number".
    # Same options as "email".
    phone_number:
      enabled: true
      required: true
# Configure localization.
localization:
  # The list of supported languages.
  # Default is a singleton array of fallback_language.
  supported_languages: ["en"]
  # The fallback language when none of the supported languages match the preferred languages.
  # Default is en.
  fallback_language: en
# Configure OAuth.
oauth:
  # Define the list of known OAuth 2 clients.
  clients:
  # The OAuth 2 client ID.
  # A reasonably long secure random string is recommended.
  - client_id: client_id
    # Whether the client is considered as first party.
    # Default is true.
    # Anonymous user and biometric authentication require a first party client,
    # so normally you should leave it as true.
    is_first_party: true
    # Define a list of allowed redirect URIs.
    # According to the OAuth 2 spec, exact match is used.
    # So "http://example.com" does not match "http://example.com/".
    # Keep this list exact and minimal; it is the control that stops
    # authorization responses from being redirected elsewhere.
    redirect_uris:
    - "com.myapp://host/path"
    # Which grant types are allowed in the token endpoint.
    # "authorization_code" and "refresh_token" must be included for the OAuth 2 authorization code flow.
    grant_types:
    - authorization_code
    - refresh_token
    # What response the authorization endpoint can return.
    # "code" must be included for the OAuth 2 authorization code flow.
    response_types:
    - code
    # Define a list of allowed post logout redirect URIs.
    # Same as redirect_uris, exact match is used.
    post_logout_redirect_uris:
    - "https://www.myapp.com/post_logout"
    # The lifetime of the access token. Default is 1800 (30 minutes).
    access_token_lifetime_seconds: 1800
    # The lifetime of the refresh token. Default is 31449600 (52 weeks).
    refresh_token_lifetime_seconds: 31449600
    # Whether refresh token idle timeout is enabled. Default is true.
    refresh_token_idle_timeout_enabled: true
    # The idle timeout of the refresh token. Default is 2592000 (30 days).
    refresh_token_idle_timeout_seconds: 2592000
    # Whether the access token is opaque or a JWT.
    # Default is false.
    # An access token as JWT allows you to directly inspect the access token
    # to determine the user, without forwarding the request to the resolver.
    # Any consumer that inspects the JWT itself must still verify its signature
    # and expiry before trusting its claims.
    issue_jwt_access_token: false
# Configure session.
session:
  # Whether the session cookie is a non-persistent (browser session) cookie. Default is false.
  cookie_non_persistent: false
  # Whether the session becomes invalid after idling.
  idle_timeout_enabled: false
  # How long the session can idle before it times out, in seconds.
  # Presumably only takes effect when idle_timeout_enabled is true.
  idle_timeout_seconds: 300
  # The lifetime of the session in seconds. Default is 86400.
  lifetime_seconds: 86400
# Configure the web UI.
ui:
  phone_input:
    # The list of country codes to show in the phone number input widget.
    allowlist:
    - 'HK'
    - 'US'
    # The list of country codes pinned to the top of the list.
    pinned_list:
    - 'HK'
    # Whether preselection of the country code by IP address is disabled.
    # Default is false.
    preselect_by_ip_disabled: false
  # Whether dark theme is disabled.
  # Default is false.
  dark_theme_disabled: false
  # Whether the watermark is disabled.
  # Default is false.
  watermark_disabled: false
  # If it is provided, the web UI will have a "Back to App" link.
  # The schema expects a URI when set.
  default_client_uri: ""
  # If it is provided, the web UI will redirect to the URI after logout.
  # The schema expects a URI when set.
  default_post_logout_redirect_uri: ""
  # If it is provided, the web UI will redirect to the URI after login.
  # The schema expects a URI when set.
  default_redirect_uri: ""
# Configure welcome message.
welcome_message:
  # Whether to send the welcome message.
  # Default is false.
  enabled: false
  # Whether to send the welcome message to all addresses or only the first address.
  # Valid values are "first" and "all".
  # Default is "first".
  destination: first
