Configuration Editor

Ory Kratos Configuration

selfservice

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
Allowed Return To URLs

List of URLs that are allowed to be redirected to. A redirection request is made by appending `?return_to=...` to Login, Registration, and other self-service flows.
flows

settings

URL where the Settings UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
highest_available
Sets what Authenticator Assurance Level (used for 2FA) is required to access this feature. If set to `highest_available` then this endpoint requires the highest AAL the identity has set up. If set to `aal1` then the identity can access this feature without 2FA.
after

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
password

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

totp

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

oidc

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

webauthn

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

passkey

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

lookup_secret

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

profile

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

hooks

before

hooks

logout

after

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
registration

URL where the Registration UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
before

hooks

after

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
password

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

webauthn

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

passkey

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

oidc

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

code

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

hooks

login

URL where the Login UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
unified
The style of the login flow. If set to `unified` the login flow will be a one-step process. If set to `identifier_first` (experimental!) the login flow will first ask for the identifier and then the credentials.
before

hooks

after

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
password

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

webauthn

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

passkey

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

oidc

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

code

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

totp

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

lookup_secret

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

hooks

Email and Phone Verification and Account Activation Configuration

URL where the Ory Verify UI is hosted. This is the page where users activate and/or verify their email address or telephone number. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
after

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

Sets how long the verification request (for the UI interaction) is valid.
before

hooks

code
The strategy to use for verification requests.
Account Recovery Configuration

URL where the Ory Recovery UI is hosted. This is the page where users request and complete account recovery. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
after

Ory Kratos redirects to this URL by default on completion of self-service flows and other browser interactions. Read this [article on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion) for more information.
hooks

Sets how long the recovery request is valid. If expired, the user has to redo the flow.
before

hooks

code
The strategy to use for recovery requests.
error

URL where the Ory Kratos Error UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
methods

Single Sign-On for B2B

Single Sign-On for B2B allows your customers to bring their own (workforce) identity server (e.g. OneLogin). This feature is not available in the open source licensed code.
config

organizations

profile

link

Link Configuration

Additional configuration for the link strategy.
code

Code Configuration

Additional configuration for the code strategy.
password

Password Configuration

Define how passwords are validated.
Allows changing the default HIBP host to a self-hosted version.
Defines how often a password may have been breached before it is rejected.
Defines the minimum length of the password.
migrate_hook

config

The URL the password migration hook should call.
The HTTP method to use (GET, POST, etc.).
headers

The HTTP headers that must be applied to the password migration hook.
Auth mechanisms

Define which auth mechanism the webhook should use.
config

The name of the API key.
The value of the API key.
How the API key should be transferred.
totp

TOTP Configuration

The issuer (e.g. a domain name) will be shown in the TOTP app (e.g. Google Authenticator). It helps the user differentiate between different codes.
lookup_secret

webauthn

WebAuthn Configuration

Relying Party (RP) Config

A name to help the user identify this RP.
The id must be the domain currently shown in the browser or a parent domain of it.
An explicit RP origin. If left empty, this defaults to `id`, prepended with the current protocol scheme (HTTP or HTTPS).
Relying Party Origins

A list of explicit RP origins. If left empty, this defaults to either `origin` or `id`, prepended with the current protocol scheme (HTTP or HTTPS).
An icon to help the user identify this RP.
passkey

Passkey Configuration

Relying Party (RP) Config

A name to help the user identify this RP.
The id must be the domain currently shown in the browser or a parent domain of it.
Relying Party Origins

A list of explicit RP origins. If left empty, this defaults to either `origin` or `id`, prepended with the current protocol scheme (HTTP or HTTPS).
Specify OpenID Connect and OAuth2 Configuration

config

Can be used to modify the base URL for OAuth2 Redirect URLs. If unset, the Public Base URL will be used.
OpenID Connect and OAuth2 Providers

A list and configuration of OAuth2 and OpenID Connect providers Ory Kratos should integrate with.
Database related configuration

Miscellaneous settings used in database related tasks (cleanup, etc.)
Database cleanup settings

Settings that control how the database cleanup process is configured (delays, batch size, etc.).
Controls how many records should be purged from one table during a database cleanup task.
Delays between various database cleanup phases

Configures the delays between the steps of the cleanup process. Useful for tuning the process so that it stays efficient and does not overload the database.
Controls the delay between cleaning each table in one cleanup iteration.
Controls how old records must be before the cleanup removes them; younger records are kept.
DSN is used to specify the database credentials as a connection URI.
Courier configuration

The courier is responsible for sending and delivering messages over email, sms, and other means.
templates

recovery

invalid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
valid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
sms

body

A template sent to the SMS provider.
recovery_code

invalid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
valid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
sms

body

A template sent to the SMS provider.
verification

invalid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
valid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
sms

body

A template sent to the SMS provider.
verification_code

invalid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
valid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
sms

body

A template sent to the SMS provider.
registration_code

valid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
login_code

valid

email

body

The fallback template for email clients that do not support HTML.
The default template used for sending out emails. The template can contain HTML.
sms

body

A template sent to the SMS provider.
You can override certain or all message templates by pointing this key to the path where the templates are located.
Defines the maximum number of times the sending of a message is retried after it has failed before the message is marked as abandoned.
worker

Configures the dispatch worker.
Defines how many messages are pulled from the queue at once.
Defines how long the worker waits before pulling messages from the queue again.
smtp
Defines how emails will be sent, either through SMTP (default) or HTTP.
HTTP Configuration

Configures outgoing emails using HTTP.
request_config

This URL will be used to send the emails to.
The HTTP method to use (GET, POST, etc). Defaults to POST.
headers

The HTTP headers that must be applied to the request.
URI pointing to the jsonnet template used for payload generation. Only used for HTTP methods that support a request body.
Auth mechanisms

Define which auth mechanism to use for authenticating with the HTTP email provider.
config

The name of the API key.
The value of the API key.
How the API key should be transferred.
SMTP Configuration

Configures outgoing emails using the SMTP protocol.
This URI will be used to connect to the SMTP server. Use the scheme smtps for implicit TLS sessions or smtp for explicit StartTLS/cleartext sessions. Please note that TLS is always enforced with certificate trust verification by default for security reasons on both schemes. With the smtp scheme you can use the query parameter (`?disable_starttls=true`) to allow cleartext sessions or (`?disable_starttls=false`) to enforce StartTLS (default behaviour). Additionally, use the query parameter to allow (`?skip_ssl_verify=true`) or disallow (`?skip_ssl_verify=false`) self-signed TLS certificates (default behaviour) on both implicit and explicit TLS sessions.
Path of the client X.509 certificate, in case of certificate based client authentication to the SMTP server.
Path of the client certificate private key, in case of certificate based client authentication to the SMTP server.
The recipient of an email will see this as the sender address.
The recipient of an email will see this as the sender name.
SMTP Headers

These headers will be passed in the SMTP conversation -- e.g. when using the AWS SES SMTP interface for cross-account sending.
Identifier used in the SMTP HELO/EHLO command. Some SMTP relays require a unique identifier.
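The TLS rules stated for the SMTP connection URI above, turned into an added checker (not Ory Kratos code) that reports the weak query settings next to the hardened form; the key path `courier.smtp.connection_uri` is assumed from the Kratos config schema, and the host names and credentials are constructed sample values.

```python
"""Lint the TLS posture of a Kratos courier SMTP connection URI.

Added example, not code from Ory Kratos. It encodes the rules stated in the
configuration reference: `smtps` is an implicit-TLS session; `smtp` is a
StartTLS session unless `?disable_starttls=true`; the server certificate is
verified unless `?skip_ssl_verify=true`. The key path
`courier.smtp.connection_uri` is assumed from the Kratos config schema.
"""
from urllib.parse import parse_qs, urlsplit


def _flag(query: str, name: str) -> bool:
    """Read a boolean query flag; an absent flag is False (the documented default)."""
    values = parse_qs(query).get(name, [])
    return bool(values) and values[-1].strip().lower() == "true"


def smtp_uri_posture(uri: str) -> dict:
    """Describe the transport security Kratos will use for `uri`."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ("smtp", "smtps"):
        raise ValueError(f"unsupported scheme {scheme!r}; expected smtp or smtps")

    disable_starttls = _flag(parts.query, "disable_starttls")
    skip_ssl_verify = _flag(parts.query, "skip_ssl_verify")

    if scheme == "smtps":
        transport = "implicit_tls"   # TLS from the first byte; disable_starttls is irrelevant
    elif disable_starttls:
        transport = "cleartext"      # explicit opt-out of StartTLS
    else:
        transport = "starttls"       # default for the smtp scheme

    warnings = []
    if transport == "cleartext":
        warnings.append("disable_starttls=true: credentials and mail are sent in cleartext")
    if skip_ssl_verify:
        warnings.append("skip_ssl_verify=true: the SMTP server certificate is not verified")

    return {
        "scheme": scheme,
        "host": parts.hostname,
        "transport": transport,
        "verify_certificate": not skip_ssl_verify,
        "warnings": warnings,
    }


def lint_courier(config: dict) -> list:
    """Return findings for the courier.smtp section of a parsed Kratos config dict."""
    uri = config.get("courier", {}).get("smtp", {}).get("connection_uri")
    if not uri:
        return ["courier.smtp.connection_uri: not set"]
    return [f"courier.smtp.connection_uri: {w}" for w in smtp_uri_posture(uri)["warnings"]]


# Constructed sample configs, shaped as a YAML loader would produce them.
WEAK_CONFIG = {"courier": {"smtp": {"connection_uri":
    "smtp://courier:s3cret@mail.example.com:587/?disable_starttls=true&skip_ssl_verify=true"}}}
HARDENED_CONFIG = {"courier": {"smtp": {"connection_uri":
    "smtps://courier:s3cret@mail.example.com:465/"}}}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}:")
        for finding in lint_courier(cfg) or ["no findings"]:
            print(f"  - {finding}")
```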
SMS sender configuration

Configures outgoing SMS messages over HTTP using a generic SMS provider.
The recipient of an SMS will see this as the sender address.
request_config

This URL will be used to connect to the SMS provider.
The HTTP method to use (GET, POST, etc).
headers

The HTTP headers that must be applied to the request.
URI pointing to the jsonnet template used for payload generation. Only used for HTTP methods that support a request body.
Auth mechanisms

Define which auth mechanism to use for authenticating with the SMS provider.
config

The name of the API key.
The value of the API key.
How the API key should be transferred.
channels

OAuth2 Provider Configuration

If set, the login and registration flows will handle the Ory OAuth 2.0 & OpenID `login_challenge` query parameter to serve as an OpenID Connect Provider. This URL should point to Ory Hydra when you are not running on the Ory Network and be left untouched otherwise.
HTTP Request Headers

These headers will be passed in HTTP request to the OAuth2 Provider.
Configure Preview Features

strong
The default consistency level to use when reading from the database. Defaults to `strong` to not break existing API contracts. Only set this to `eventual` if you can accept that other read APIs will suddenly return eventually consistent results. It is only effective in Ory Network.
serve

admin

request_log

The URL at which the admin endpoint is exposed.
The host (interface) Kratos' admin endpoint listens on.
The port Kratos' admin endpoint listens on.
socket

Sets the permissions of the Unix socket.
Owner of the Unix socket. If empty, the owner will be the user running Kratos.
Group of the Unix socket. If empty, the group will be the primary group of the user running Kratos.
Mode of the Unix socket in numeric form.
HTTPS

Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.
Private Key (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.
TLS Certificate (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.
public

request_log

cors

Configures Cross Origin Resource Sharing for public endpoints.
allowed_origins

A list of origins a cross-domain request can be executed from. If the special `*` value is present in the list, all origins will be allowed. An origin may contain a wildcard (`*`) to replace 0 or more characters (e.g. `http://*.domain.com`). Only one wildcard can be used per origin.
allowed_methods

A list of HTTP methods the user agent is allowed to use with cross-domain requests.
POST
GET
PUT
PATCH
DELETE
allowed_headers

A list of non-simple headers the client is allowed to use with cross-domain requests.
exposed_headers

Sets which response headers are safe to expose to the client, as defined by the CORS specification.
Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request.
The URL at which the public endpoint is exposed. This domain is used to generate redirects, form URLs, and more.
The host (interface) Kratos' public endpoint listens on.
The port Kratos' public endpoint listens on.
socket

Sets the permissions of the Unix socket.
Owner of the Unix socket. If empty, the owner will be the user running Kratos.
Group of the Unix socket. If empty, the group will be the primary group of the user running Kratos.
Mode of the Unix socket in numeric form.
HTTPS

Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.
Private Key (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.
TLS Certificate (PEM)

The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.
tracing

Configure distributed tracing using OpenTelemetry.
Set this to the tracing backend you wish to use. Supports Jaeger, Zipkin, and OTEL.
Specifies the service name to use on the tracer.
Specifies the deployment environment to use on the tracer.
providers

jaeger

Configures the jaeger tracing backend.
IPv6 Address and Port
The address of the jaeger-agent where spans should be sent to.
sampling

The address of the jaeger-agent's HTTP sampling server.
Trace Id ratio sample
zipkin

Configures the zipkin tracing backend.
The address of the Zipkin server where spans should be sent to.
sampling

Sampling ratio for spans.
otlp

Configures the OTLP tracing backend.
IPv6 Address and Port
The endpoint of the OTLP exporter (HTTP) where spans should be sent to.
sampling

Sampling ratio for spans.
Log

Configure logging using the following options. Logging will always be sent to stdout and stderr.
info
Debug enables stack traces on errors. Can also be set using the environment variable LOG_LEVEL.
Text to use when redacting sensitive log values.
The log format can either be text or JSON.
identity

This Identity Schema will be used as the default for self-service flows. Its ID needs to exist in the "schemas" list.
All JSON Schemas for Identity Traits

Note that identities that used the "default_schema_url" field in older Kratos versions will be corrupted unless you specify their schema URL with the id "default" in this list.
URL for the JSON Schema which describes an identity's traits. Can be a file path, an HTTPS URL, or a base64 encoded string.
secrets

Default Encryption Signing Secrets

The first secret in the array is used for signing and encrypting things while all other keys are used to verify and decrypt older things that were signed with that old secret.
Signing Keys for Cookies

The first secret in the array is used for encrypting cookies while all other keys are used to decrypt older cookies that were signed with that old secret.
Secrets to use for encryption by cipher

The first secret in the array is used for encrypting data, while all other keys are used to decrypt older data that was encrypted with one of those earlier secrets.
Hashing Algorithm Configuration

bcrypt
One of the values: argon2, bcrypt. Any other hashes will be migrated to the set algorithm once an identity authenticates using their password.
Configuration for the Argon2id hasher.

Number of parallel workers, defaults to 2*runtime.NumCPU().
The time a hashing operation (~login latency) should take.
The standard deviation expected for hashing operations. If this value is exceeded you will be warned in the logs to adjust the parameters.
The memory dedicated for Kratos. As password hashing is very resource intense, Kratos will monitor the memory consumption and warn about high values.
Configuration for the Bcrypt hasher. The minimum cost is 4 when the --dev flag is used and 12 otherwise.

Cipher Algorithm Configuration

noop
One of the values: noop, aes, xchacha20-poly1305
HTTP Cookie Configuration

Configure the HTTP Cookies. Applies to both CSRF and session cookies.
Sets the cookie domain for session and CSRF cookies. Useful when dealing with subdomains. Use with care!
Sets the session and CSRF cookie path. Use with care!
Lax
Sets the session and CSRF cookie SameSite.
session

WhoAmI / ToSession Settings

Control how the `/sessions/whoami` endpoint is behaving.
highest_available
Sets what Authenticator Assurance Level (used for 2FA) is required to access this feature. If set to `highest_available` then this endpoint requires the highest AAL the identity has set up. If set to `aal1` then the identity can access this feature without 2FA.
Tokenizer configuration

Configure the tokenizer, responsible for converting a session into a token format such as JWT.
Tokenizer templates

A list of different templates that govern how a session is converted to a token format.
Defines how long a session is active. Once that lifespan has been reached, the user needs to sign in again.
cookie

Sets the session cookie domain. Useful when dealing with subdomains. Use with care! Overrides `cookies.domain`.
Sets the session cookie name. Use with care!
Sets the session cookie path. Use with care! Overrides `cookies.path`.
Sets the session cookie SameSite. Overrides `cookies.same_site`.
Sets when a session can be extended. Setting this value to `24h` prevents the session from being extended until 24 hours before it expires. This setting prevents excessive writes to the database. We highly recommend setting this value.
security

account_enumeration

SemVer according to https://semver.org/ prefixed with `v` as in our releases.
The port the courier's metrics endpoint listens on (0/disabled by default). This is a CLI flag and environment variable and can not be set using the config file.
config

This is a CLI flag and environment variable and can not be set using the config file.
Global outgoing network settings

Configure how outgoing network calls behave.
Global HTTP client configuration

Configure how outgoing HTTP calls behave.
Add exempt URLs to private IP ranges

Allows the given URLs to be called despite them being in the private IP range. URLs need to have an exact and case-sensitive match to be exempt.
Feature flags

Set how long Ory Sessions are cached on the edge. If unset, the session expiry will be used. Only effective in the Ory Network.
Organizations

Please use selfservice.methods.b2b instead. This key will be removed. Only effective in the Ory Network.
Enterprise features

Specifies enterprise features. Only effective in the Ory Network or with a valid license.
A fallback URL template used when looking up identity schemas.