Skip to main content

Configuration Editor

Ory Kratos Configuration
selfservice
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
Allowed Return To URLs
List of URLs that are allowed to be redirected to. A redirection request is made by appending `?return_to=...` to Login, Registration, and other self-service flows.
flows
settings
URL where the Settings UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
highest_available
Sets what Authenticator Assurance Level (used for 2FA) is required to access this feature. If set to `highest_available` then this endpoint requires the highest AAL the identity has set up. If set to `aal1` then the identity can access this feature without 2FA.
after
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
password
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
totp
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
oidc
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
webauthn
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
passkey
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
lookup_secret
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
profile
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
hooks
before
hooks
logout
after
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
registration
URL where the Registration UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
before
hooks
after
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
password
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
webauthn
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
passkey
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
oidc
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
code
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
hooks
login
URL where the Login UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
unified
The style of the login flow. If set to `unified` the login flow will be a one-step process. If set to `identifier_first` (experimental!) the login flow will first ask for the identifier and then the credentials.
before
hooks
after
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
password
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
webauthn
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
passkey
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
oidc
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
code
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
totp
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
lookup_secret
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
hooks
Email and Phone Verification and Account Activation Configuration
URL where the Ory Verify UI is hosted. This is the page where users activate and / or verify their email or telephone number. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
after
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
Sets how long the verification request (for the UI interaction) is valid.
before
hooks
code
The strategy to use for verification requests
Account Recovery Configuration
URL where the Ory Recovery UI is hosted. This is the page where users request and complete account recovery. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
after
Ory Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).
hooks
Sets how long the recovery request is valid. If expired, the user has to redo the flow.
before
hooks
code
The strategy to use for recovery requests
error
URL where the Ory Kratos Error UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).
methods
Single Sign-On for B2B
Single Sign-On for B2B allows your customers to bring their own (workforce) identity server (e.g. OneLogin). This feature is not available in the open source licensed code.
config
organizations
profile
link
Link Configuration
Additional configuration for the link strategy.
code
Code Configuration
Additional configuration for the code strategy.
Option 1

Unsupported field schema for field root_selfservice_methods_code_mfa_enabled: Unknown field type undefined.

{
  "const": false
}
password
Password Configuration
Define how passwords are validated.
Allows changing the default HIBP host to a self hosted version.
Defines how often a password may have been breached before it is rejected.
Defines the minimum length of the password.
migrate_hook
config
The URL the password migration hook should call
The HTTP method to use (GET, POST, etc).
headers
The HTTP headers that must be applied to the password migration hook.
Auth mechanisms
Define which auth mechanism the Web-Hook should use
Option 1
config
The name of the api key
The value of the api key
How the api key should be transferred
totp
TOTP Configuration
The issuer (e.g. a domain name) will be shown in the TOTP app (e.g. Google Authenticator). It helps the user differentiate between different codes.
lookup_secret
webauthn
WebAuthn Configuration
Relying Party (RP) Config
An name to help the user identify this RP.
The id must be a subset of the domain currently in the browser.
An explicit RP origin. If left empty, this defaults to `id`, prepended with the current protocol schema (HTTP or HTTPS).
Relying Party Origins
A list of explicit RP origins. If left empty, this defaults to either `origin` or `id`, prepended with the current protocol schema (HTTP or HTTPS).
An icon to help the user identify this RP.
Option 1

Unsupported field schema for field root_selfservice_methods_webauthn_config_rp_origin: Unknown field type undefined.

{
  "not": {}
}

Unsupported field schema for field root_selfservice_methods_webauthn_config_rp_origins: Unknown field type undefined.

{
  "not": {}
}
passkey
Passkey Configuration
Relying Party (RP) Config
A name to help the user identify this RP.
The id must be a subset of the domain currently in the browser.
Relying Party Origins
A list of explicit RP origins. If left empty, this defaults to either `origin` or `id`, prepended with the current protocol schema (HTTP or HTTPS).
Specify OpenID Connect and OAuth2 Configuration
config
Can be used to modify the base URL for OAuth2 Redirect URLs. If unset, the Public Base URL will be used.
OpenID Connect and OAuth2 Providers
A list and configuration of OAuth2 and OpenID Connect providers Ory Kratos should integrate with.
Database related configuration
Miscellaneous settings used in database related tasks (cleanup, etc.)
Database cleanup settings
Settings that controls how the database cleanup process is configured (delays, batch size, etc.)
Controls how many records should be purged from one table during database cleanup task
Delays between various database cleanup phases
Configures delays between each step of the cleanup process. It is useful to tune the process so it will be efficient and performant.
Controls the delay time between cleaning each table in one cleanup iteration
Controls how old records do we want to leave
DSN is used to specify the database credentials as a connection URI.
Courier configuration
The courier is responsible for sending and delivering messages over email, sms, and other means.
templates
recovery
invalid
email
body
The fallback template for email clients that do not support html.
The default template used for sending out emails. The template can contain HTML
valid
email
body
The fallback template for email clients that do not support html.
The default template used for sending out emails. The template can contain HTML
sms
body
A template send to the SMS provider.
recovery_code
invalid
email
body
The fallback template for email clients that do not support html.
The default template used for sending out emails. The template can contain HTML
valid
email
body
The fallback template for email clients that do not support html.
The default template used for sending out emails. The template can contain HTML
sms
body
A template send to the SMS provider.
verification
invalid
email
body
The fallback template for email clients that do not support html.
The default template used for sending out emails. The template can contain HTML
valid
email
body
The fallback template for email clients that do not support html.
The default template used for sending out emails. The template can contain HTML
sms
body
A template send to the SMS provider.
verification_code
invalid
email
body
The fallback template for email clients that do not support html.
The default template used for sending out emails. The template can contain HTML
valid
email
body
The fallback template for email clients that do not support html.
The default template used for sending out emails. The template can contain HTML
sms
body
A template send to the SMS provider.
registration_code
valid
email
body
The fallback template for email clients that do not support html.
The default template used for sending out emails. The template can contain HTML
login_code
valid
email
body
The fallback template for email clients that do not support html.
The default template used for sending out emails. The template can contain HTML
sms
body
A template send to the SMS provider.
You can override certain or all message templates by pointing this key to the path where the templates are located.
Defines the maximum number of times the sending of a message is retried after it failed before it is marked as abandoned
worker
Configures the dispatch worker.
Defines how many messages are pulled from the queue at once.
Defines how long the worker waits before pulling messages from the queue again.
smtp
Defines how emails will be sent, either through SMTP (default) or HTTP.
HTTP Configuration
Configures outgoing emails using HTTP.
request_config
This URL will be used to send the emails to.
The HTTP method to use (GET, POST, etc). Defaults to POST.
headers
The HTTP headers that must be applied to request
URI pointing to the jsonnet template used for payload generation. Only used for those HTTP methods, which support HTTP body payloads
Auth mechanisms
Define which auth mechanism to use for auth with the HTTP email provider
Option 1
config
The name of the api key
The value of the api key
How the api key should be transferred
SMTP Configuration
Configures outgoing emails using the SMTP protocol.
This URI will be used to connect to the SMTP server. Use the scheme smtps for implicit TLS sessions or smtp for explicit StartTLS/cleartext sessions. Please note that TLS is always enforced with certificate trust verification by default for security reasons on both schemes. With the smtp scheme you can use the query parameter (`?disable_starttls=true`) to allow cleartext sessions or (`?disable_starttls=false`) to enforce StartTLS (default behaviour). Additionally, use the query parameter to allow (`?skip_ssl_verify=true`) or disallow (`?skip_ssl_verify=false`) self-signed TLS certificates (default behaviour) on both implicit and explicit TLS sessions.
Path of the client X.509 certificate, in case of certificate based client authentication to the SMTP server.
Path of the client certificate private key, in case of certificate based client authentication to the SMTP server
The recipient of an email will see this as the sender address.
The recipient of an email will see this as the sender name.
SMTP Headers
These headers will be passed in the SMTP conversation -- e.g. when using the AWS SES SMTP interface for cross-account sending.
Identifier used in the SMTP HELO/EHLO command. Some SMTP relays require a unique identifier.
SMS sender configuration
Configures outgoing sms messages using HTTP protocol with generic SMS provider
The recipient of a sms will see this as the sender address.
request_config
This URL will be used to connect to the SMS provider.
The HTTP method to use (GET, POST, etc).
headers
The HTTP headers that must be applied to request
URI pointing to the jsonnet template used for payload generation. Only used for those HTTP methods, which support HTTP body payloads
Auth mechanisms
Define which auth mechanism to use for auth with the SMS provider
Option 1
config
The name of the api key
The value of the api key
How the api key should be transferred
channels
OAuth2 Provider Configuration
If set, the login and registration flows will handle the Ory OAuth 2.0 & OpenID `login_challenge` query parameter to serve as an OpenID Connect Provider. This URL should point to Ory Hydra when you are not running on the Ory Network and be left untouched otherwise.
HTTP Request Headers
These headers will be passed in HTTP request to the OAuth2 Provider.
Configure Preview Features
strong
The default consistency level to use when reading from the database. Defaults to `strong` to not break existing API contracts. Only set this to `eventual` if you can accept that other read APIs will suddenly return eventually consistent results. It is only effective in Ory Network.
serve
admin
request_log
The URL where the admin endpoint is exposed at.
The host (interface) kratos' admin endpoint listens on.
The port kratos' admin endpoint listens on.
socket
Sets the permissions of the unix socket
Owner of unix socket. If empty, the owner will be the user running Kratos.
Group of unix socket. If empty, the group will be the primary group of the user running Kratos.
Mode of unix socket in numeric form
HTTPS
Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.
Private Key (PEM)
The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.
TLS Certificate (PEM)
The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.
public
request_log
cors
Configures Cross Origin Resource Sharing for public endpoints.
allowed_origins
A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (i.e.: http://*.domain.com). Only one wildcard can be used per origin.
Option 1
allowed_methods
A list of HTTP methods the user agent is allowed to use with cross-domain requests.
POST
GET
PUT
PATCH
DELETE
allowed_headers
A list of non simple headers the client is allowed to use with cross-domain requests.
exposed_headers
Sets which headers are safe to expose to the API of a CORS API specification.
Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request.
The URL where the endpoint is exposed at. This domain is used to generate redirects, form URLs, and more.
The host (interface) kratos' public endpoint listens on.
The port kratos' public endpoint listens on.
socket
Sets the permissions of the unix socket
Owner of unix socket. If empty, the owner will be the user running Kratos.
Group of unix socket. If empty, the group will be the primary group of the user running Kratos.
Mode of unix socket in numeric form
HTTPS
Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.
Private Key (PEM)
The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.
TLS Certificate (PEM)
The base64 string of the PEM-encoded file content. Can be generated using for example `base64 -i path/to/file.pem`.
tracing
Configure distributed tracing using OpenTelemetry
Set this to the tracing backend you wish to use. Supports Jaeger, Zipkin, and OTEL.
Specifies the service name to use on the tracer.
Specifies the deployment environment to use on the tracer.
providers
jaeger
Configures the jaeger tracing backend.
IPv6 Address and Port
The address of the jaeger-agent where spans should be sent to.
sampling
The address of jaeger-agent's HTTP sampling server
Trace Id ratio sample
zipkin
Configures the zipkin tracing backend.
The address of the Zipkin server where spans should be sent to.
sampling
Sampling ratio for spans.
otlp
Configures the OTLP tracing backend.
IPv6 Address and Port
The endpoint of the OTLP exporter (HTTP) where spans should be sent to.
sampling
Sampling ratio for spans.
Log
Configure logging using the following options. Logging will always be sent to stdout and stderr.
info
Debug enables stack traces on errors. Can also be set using environment variable LOG_LEVEL.
Text to use, when redacting sensitive log value.
The log format can either be text or JSON.
identity
This Identity Schema will be used as the default for self-service flows. Its ID needs to exist in the "schemas" list.
All JSON Schemas for Identity Traits
Note that identities that used the "default_schema_url" field in older kratos versions will be corrupted unless you specify their schema url with the id "default" in this list.
URL for JSON Schema which describes a identity's traits. Can be a file path, a https URL, or a base64 encoded string.
secrets
Default Encryption Signing Secrets
The first secret in the array is used for signing and encrypting things while all other keys are used to verify and decrypt older things that were signed with that old secret.
Signing Keys for Cookies
The first secret in the array is used for encrypting cookies while all other keys are used to decrypt older cookies that were signed with that old secret.
Secrets to use for encryption by cipher
The first secret in the array is used for encryption data while all other keys are used to decrypt older data that were signed with.
Hashing Algorithm Configuration
bcrypt
One of the values: argon2, bcrypt. Any other hashes will be migrated to the set algorithm once an identity authenticates using their password.
Configuration for the Argon2id hasher.
Number of parallel workers, defaults to 2*runtime.NumCPU().
The time a hashing operation (~login latency) should take.
The standard deviation expected for hashing operations. If this value is exceeded you will be warned in the logs to adjust the parameters.
The memory dedicated for Kratos. As password hashing is very resource intense, Kratos will monitor the memory consumption and warn about high values.
Configuration for the Bcrypt hasher. Minimum is 4 when --dev flag is used and 12 otherwise.
Cipher Algorithm Configuration
noop
One of the values: noop, aes, xchacha20-poly1305
HTTP Cookie Configuration
Configure the HTTP Cookies. Applies to both CSRF and session cookies.
Sets the cookie domain for session and CSRF cookies. Useful when dealing with subdomains. Use with care!
Sets the session and CSRF cookie path. Use with care!
Lax
Sets the session and CSRF cookie SameSite.
session
WhoAmI / ToSession Settings
Control how the `/sessions/whoami` endpoint is behaving.
highest_available
Sets what Authenticator Assurance Level (used for 2FA) is required to access this feature. If set to `highest_available` then this endpoint requires the highest AAL the identity has set up. If set to `aal1` then the identity can access this feature without 2FA.
Tokenizer configuration
Configure the tokenizer, responsible for converting a session into a token format such as JWT.
Tokenizer templates
A list of different templates that govern how a session is converted to a token format.
Defines how long a session is active. Once that lifespan has been reached, the user needs to sign in again.
cookie
Sets the session cookie domain. Useful when dealing with subdomains. Use with care! Overrides `cookies.domain`.
Sets the session cookie name. Use with care!
Sets the session cookie path. Use with care! Overrides `cookies.path`.
Sets the session cookie SameSite. Overrides `cookies.same_site`.
Sets when a session can be extended. Settings this value to `24h` will prevent the session from being extended before until 24 hours before it expires. This setting prevents excessive writes to the database. We highly recommend setting this value.
security
account_enumeration
SemVer according to https://semver.org/ prefixed with `v` as in our releases.
The port the courier's metrics endpoint listens on (0/disabled by default). This is a CLI flag and environment variable and can not be set using the config file.
config
This is a CLI flag and environment variable and can not be set using the config file.
Global outgoing network settings
Configure how outgoing network calls behave.
Global HTTP client configuration
Configure how outgoing HTTP calls behave.
Add exempt URLs to private IP ranges
Allows the given URLs to be called despite them being in the private IP range. URLs need to have an exact and case-sensitive match to be excempt.
Feature flags
Set how long Ory Sessions are cached on the edge. If unset, the session expiry will be used. Only effective in the Ory Network.

Unsupported field schema for field root_organizations: Missing items definition.

{
  "title": "Organizations",
  "description": "Please use selfservice.methods.b2b instead. This key will be removed. Only effective in the Ory Network.",
  "type": "array",
  "default": []
}
Enterprise features
Specifies enterprise features. Only effective in the Ory Network or with a valid license.
A fallback URL template used when looking up identity schemas.