
30/03/2023, 11:02 All configuration - Keycloak


All configuration
Complete list of all build options and configuration for Keycloak



Configuration

Cache

cache
Defines the cache mechanism for high-availability.
Value: ispn (default), local

cache-config-file
Defines the file from which cache configuration should be loaded.

cache-stack
Defines the default stack to use for cluster communication and node discovery.
Value: tcp, udp, kubernetes, ec2, azure, google

Storage (Experimental)

storage
Experimental: Sets the default storage mechanism for all areas.
Value: jpa, chm, hotrod, file

storage-area-auth-session
Experimental: Sets a storage mechanism for authentication sessions.
Value: jpa, chm, hotrod, file

storage-area-authorization
Experimental: Sets a storage mechanism for authorizations.
Value: jpa, chm, hotrod, file

https://www.keycloak.org/server/all-config 1/11

storage-area-client
Experimental: Sets a storage mechanism for clients.
Value: jpa, chm, hotrod, file

storage-area-client-scope
Experimental: Sets a storage mechanism for client scopes.
Value: jpa, chm, hotrod, file

storage-area-event-admin
Experimental: Sets a storage mechanism for admin events.
Value: jpa, chm, hotrod, file

storage-area-event-auth
Experimental: Sets a storage mechanism for authentication and authorization events.
Value: jpa, chm, hotrod, file

storage-area-group
Experimental: Sets a storage mechanism for groups.
Value: jpa, chm, hotrod, file

storage-area-login-failure
Experimental: Sets a storage mechanism for login failures.
Value: jpa, chm, hotrod, file

storage-area-realm
Experimental: Sets a storage mechanism for realms.
Value: jpa, chm, hotrod, file

storage-area-role
Experimental: Sets a storage mechanism for roles.
Value: jpa, chm, hotrod, file

storage-area-single-use-object
Experimental: Sets a storage mechanism for single use objects.
Value: jpa, chm, hotrod

storage-area-user
Experimental: Sets a storage mechanism for users.
Value: jpa, chm, hotrod, file

storage-area-user-session
Experimental: Sets a storage mechanism for user and client sessions.
Value: jpa, chm, hotrod, file

storage-deployment-state-version-seed
Experimental: Secret that serves as a seed to mask the version number of Keycloak in URLs.

storage-file-dir
Experimental: Root directory for file map store.

storage-hotrod-host
Experimental: Sets the host of the Infinispan server.


storage-hotrod-password
Experimental: Sets the password of the Infinispan user.

storage-hotrod-port
Experimental: Sets the port of the Infinispan server.

storage-hotrod-username
Experimental: Sets the username of the Infinispan user.

Database

db
The database vendor.
Value: dev-file (default), dev-mem, mariadb, mssql, mysql, oracle, postgres

db-password
The password of the database user.

db-pool-initial-size
The initial size of the connection pool.

db-pool-max-size
The maximum size of the connection pool.
Value: 100 (default)

db-pool-min-size
The minimal size of the connection pool.

db-schema
The database schema to be used.

db-url
The full database JDBC URL.

db-url-database
Sets the database name of the default JDBC URL of the chosen vendor.

db-url-host
Sets the hostname of the default JDBC URL of the chosen vendor.


db-url-port
Sets the port of the default JDBC URL of the chosen vendor.

db-url-properties
Sets the properties of the default JDBC URL of the chosen vendor.

db-username
The username of the database user.

Transaction

transaction-xa-enabled
If set to false, Keycloak uses a non-XA datasource in case the database does not support XA transactions.
Value: true (default), false

Feature

features
Enables a set of one or more features.
Value: account-api, account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, declarative-user-profile, docker, dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage, openshift-integration, par, preview, recovery-codes, scripts, step-up-authentication, token-exchange, update-email, web-authn

features-disabled
Disables a set of one or more features.
Value: account-api, account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, declarative-user-profile, docker, dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage, openshift-integration, par, preview, recovery-codes, scripts, step-up-authentication, token-exchange, update-email, web-authn

Hostname

hostname
Hostname for the Keycloak server.

hostname-admin
The hostname for accessing the administration console.

hostname-admin-url
Set the base URL for accessing the administration console, including scheme, host, port and path.

hostname-path
This should be set if the proxy uses a different context-path for Keycloak.

hostname-port
The port used by the proxy when exposing the hostname.
Value: -1 (default)

hostname-strict
Disables dynamically resolving the hostname from request headers.
Value: true (default), false

hostname-strict-backchannel
By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications.
Value: true, false (default)

hostname-url
Set the base URL for frontend URLs, including scheme, host, port and path.

HTTP/TLS

http-enabled
Enables the HTTP listener.
Value: true, false (default)

http-host
The used HTTP Host.
Value: 0.0.0.0 (default)

http-port
The used HTTP port.
Value: 8080 (default)

http-relative-path
Set the path relative to / for serving resources.
Value: / (default)

https-certificate-file
The file path to a server certificate or certificate chain in PEM format.

https-certificate-key-file
The file path to a private key in PEM format.

https-cipher-suites
The cipher suites to use.

https-client-auth
Configures the server to require/request client authentication.
Value: none (default), request, required

https-key-store-file
The key store which holds the certificate information instead of specifying separate files.

https-key-store-password
The password of the key store file.
Value: password (default)

https-key-store-type
The type of the key store file.

https-port
The used HTTPS port.
Value: 8443 (default)

https-protocols
The list of protocols to explicitly enable.
Value: TLSv1.3 (default)

https-trust-store-file
The trust store which holds the certificate information of the certificates to trust.

https-trust-store-password
The password of the trust store file.

https-trust-store-type
The type of the trust store file.

Health

health-enabled
If the server should expose health check endpoints.
Value: true, false (default)

Metrics

metrics-enabled
If the server should expose metrics.
Value: true, false (default)

Proxy

proxy
The proxy address forwarding mode if the server is behind a reverse proxy.
Value: none (default), edge, reencrypt, passthrough

Vault

vault
Enables a vault provider.
Value: file

vault-dir
If set, secrets can be obtained by reading the content of files within the given directory.

Logging

log
Enable one or more log handlers in a comma-separated list.
Value: console (default), file, gelf

log-console-color
Enable or disable colors when logging to console.
Value: true, false (default)

log-console-format
The format of unstructured console log entries.
Value: %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n (default)

log-console-output
Set the log output to JSON or default (plain) unstructured logging.
Value: default (default), json

log-file
Set the log file path and filename.
Value: data/log/keycloak.log (default)

log-file-format
Set a format specific to file log entries.
Value: %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n (default)

log-file-output
Set the log output to JSON or default (plain) unstructured logging.
Value: default (default), json

log-gelf-facility
The facility (name of the process) that sends the message.
Value: keycloak (default)

log-gelf-host
Hostname of the Logstash or Graylog Host.
Value: localhost (default)

log-gelf-include-location
Include source code location.
Value: true (default), false

log-gelf-include-message-parameters
Include message parameters from the log event.
Value: true (default), false

log-gelf-include-stack-trace
If set to true, occurring stack traces are included in the StackTrace field in the GELF output.
Value: true (default), false

log-gelf-level
The log level specifying which message levels will be logged by the GELF logger.
Value: INFO (default)

log-gelf-max-message-size
Maximum message size (in bytes).
Value: 8192 (default)

log-gelf-port
The port the Logstash or Graylog Host is called on.
Value: 12201 (default)

log-gelf-timestamp-format
Set the format for the GELF timestamp field.
Value: yyyy-MM-dd HH:mm:ss,SSS (default)

log-level
The log level of the root category or a comma-separated list of individual categories and their levels.
Value: info (default)

Security (Preview)

fips-mode
Preview: Sets the FIPS mode.
Value: non-strict, strict
