Log:
  Level: info # ZITADEL_LOG_LEVEL
  Formatter:
    Format: text # ZITADEL_LOG_FORMATTER_FORMAT

# Exposes metrics on /debug/metrics
Metrics:
  # Select type otel (OpenTelemetry) or none (disables collection and endpoint)
  Type: otel # ZITADEL_METRICS_TYPE

Tracing:
  # Choose one in "otel", "google", "log" and "none"
  # Depending on the type there are different configuration options
  # for type 'otel' is used for standard [open telemetry](https://opentelemetry.io)
  # Fraction: 1.0
  # Endpoint: 'otel.collector.endpoint'
  # ServiceName: 'ZITADEL' # Name of the service in traces
  #
  # type 'log' or '' disables tracing
  #
  # for type 'google'
  # ProjectID: ''
  # Fraction: 1.0
  Type: otel # ZITADEL_TRACING_TYPE
  # NOTE(review): 1.0 samples every request; traces are exported to the collector
  # below, so restrict who can read that collector before keeping full sampling.
  Fraction: 1.0 # ZITADEL_TRACING_FRACTION
  # The endpoint of the otel collector endpoint
  # NOTE(review): no transport security is configured here for the exporter;
  # presumably the collector is only reachable on the internal network — confirm.
  Endpoint: "otel-collector" # ZITADEL_TRACING_ENDPOINT
  # The name of the service in traces
  ServiceName: "ZITADEL" # ZITADEL_TRACING_SERVICENAME

# Profiler enables capturing profiling data (CPU, Memory, ...) for performance analysis
Profiler:
  # Choose one of "google" and "none"
  # Depending on the type there are different configuration options
  # for type 'google'
  # ProjectID: google-project-id
  #
  # type 'none' or '' disables profiling
  Type: none # ZITADEL_PROFILER_TYPE
  # projectID for google
  ProjectID: '' # ZITADEL_PROFILER_PROJECTID

Telemetry:
  # As long as Enabled is true, ZITADEL tries to send usage data to the configured Telemetry.Endpoints.
  # Data is projected by ZITADEL even if Enabled is false.
  # This means that switching this to true makes ZITADEL try to send past data.
  Enabled: true # ZITADEL_TELEMETRY_ENABLED
  # Push telemetry data to all these endpoints at least once using an HTTP POST request.
  # If one endpoint returns an unsuccessful response code or times out,
  # ZITADEL retries to push the data point to all configured endpoints until it succeeds.
  # Configure delivery guarantees and intervals in the section Projections.Customizations.Telemetry
  # The endpoints can be reconfigured at runtime.
# Telemetry (continued)
  # Ten redirects are followed.
  # If you change this configuration at runtime, remaining data that is not successfully delivered to the old endpoints is sent to the new endpoints.
  # NOTE(review): plain http endpoint; any Headers configured below (e.g. credentials)
  # would be sent in clear. Presumably the collector is internal only — confirm, and
  # note that the redirect following applies to this push as well.
  Endpoints:
    - http://otel-collector
  # These headers are sent with every request to the configured endpoints.
  # Configure headers by environment variable using a JSON string with header values as arrays, like this:
  # ZITADEL_TELEMETRY_HEADERS='{"header1": ["value1"], "header2": ["value2", "value3"]}'
  Headers: # ZITADEL_TELEMETRY_HEADERS
    # single-value: "single-value"
    # multi-value:
    # - "multi-value-1"
    # - "multi-value-2"
  # The maximum number of data points that are queried before they are sent to the configured endpoints.
  Limit: 100 # ZITADEL_TELEMETRY_LIMIT

# Port ZITADEL will listen on
# NOTE(review): with TLS.Enabled false below, this port serves plaintext HTTP/gRPC;
# it must only be reachable through the TLS-terminating reverse proxy implied by
# ExternalPort 443 / ExternalSecure true — confirm it is not exposed directly.
Port: 8081 # ZITADEL_PORT
# ExternalPort is the port on which end users access ZITADEL.
# It can differ from Port e.g. if a reverse proxy forwards the traffic to ZITADEL
# Read more about external access: https://zitadel.com/docs/self-hosting/manage/custom-domain
ExternalPort: 443 # ZITADEL_EXTERNALPORT
# ExternalDomain is the domain on which end users access ZITADEL.
# Read more about external access: https://zitadel.com/docs/self-hosting/manage/custom-domain
ExternalDomain: sso.example.fr
# ExternalSecure specifies if ZITADEL is exposed externally using HTTPS or HTTP.
# Read more about external access: https://zitadel.com/docs/self-hosting/manage/custom-domain
ExternalSecure: true # ZITADEL_EXTERNALSECURE
TLS:
  # If enabled, ZITADEL will serve all traffic over TLS (HTTPS and gRPC)
  # you must then also provide a private key and certificate to be used for the connection
  # either directly or by a path to the corresponding file
  Enabled: false # ZITADEL_TLS_ENABLED
  # Path to the private key of the TLS certificate, will be loaded into the key
  # and overwrite any existing value
  # E.g. /path/to/key/file.pem
  # NOTE(review): KeyPath/CertPath are set but unused while Enabled is false; if TLS is
  # turned on here, keep the key file readable by the ZITADEL process only.
  KeyPath: /key.pem # ZITADEL_TLS_KEYPATH
  # Private key of the TLS certificate (KeyPath has a higher priority than Key)
  # base64 encoded content of a pem file
  Key: # ZITADEL_TLS_KEY
  # Path to the certificate for the TLS connection, will be loaded into the Cert
  # and overwrite any existing value
  # E.g. /path/to/cert/file.pem
  CertPath: /fullchain.pem # ZITADEL_TLS_CERTPATH
  # Certificate for the TLS connection (CertPath overrides this if specified)
  # base64 encoded content of a pem file
  Cert: # ZITADEL_TLS_CERT

# Header name of HTTP2 (incl. gRPC) calls from which the instance will be matched
# Deprecated: Use the InstanceHostHeaders instead
HTTP2HostHeader: ":authority" # ZITADEL_HTTP2HOSTHEADER
# Header name of HTTP1 calls from which the instance will be matched
# Deprecated: Use the InstanceHostHeaders instead
HTTP1HostHeader: "host" # ZITADEL_HTTP1HOSTHEADER
# Ordered header name list, which will be used to match the instance
# NOTE(review): the values of these headers select the instance and the public host;
# the reverse proxy in front of Port should set them itself and drop any value that
# arrives from the client, otherwise a caller can choose them — confirm the proxy config.
InstanceHostHeaders: # ZITADEL_INSTANCEHOSTHEADERS
  - "x-zitadel-instance-host"
# Ordered header name list, which will be used as the public host
PublicHostHeaders: # ZITADEL_PUBLICHOSTHEADERS
  - "x-zitadel-public-host"

WebAuthNName: ZITADEL # ZITADEL_WEBAUTHNNAME

Database:
  # CockroachDB is the default database of ZITADEL
  # cockroach:
  #   Host: localhost # ZITADEL_DATABASE_COCKROACH_HOST
  #   Port: 26257 # ZITADEL_DATABASE_COCKROACH_PORT
  #   Database: zitadel # ZITADEL_DATABASE_COCKROACH_DATABASE
  #   MaxOpenConns: 5 # ZITADEL_DATABASE_COCKROACH_MAXOPENCONNS
  #   MaxIdleConns: 2 # ZITADEL_DATABASE_COCKROACH_MAXIDLECONNS
  #   MaxConnLifetime: 30m # ZITADEL_DATABASE_COCKROACH_MAXCONNLIFETIME
  #   MaxConnIdleTime: 5m # ZITADEL_DATABASE_COCKROACH_MAXCONNIDLETIME
  #   Options: "" # ZITADEL_DATABASE_COCKROACH_OPTIONS
  #   User:
  #     Username: zitadel # ZITADEL_DATABASE_COCKROACH_USER_USERNAME
  #     Password: "" # ZITADEL_DATABASE_COCKROACH_USER_PASSWORD
  #     SSL:
  #       Mode: disable # ZITADEL_DATABASE_COCKROACH_USER_SSL_MODE
  #       RootCert: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT
  #       Cert: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT
  #       Key: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY
  #   Admin:
  #     # By default, ExistingDatabase is not specified in the connection string
  #     # If the connection resolves to a database that is not existing in your system, configure an existing one here
  #     # It is used in zitadel init to connect to cockroach and create a dedicated database for ZITADEL.
  #     ExistingDatabase: # ZITADEL_DATABASE_COCKROACH_ADMIN_EXISTINGDATABASE
  #     Username: root # ZITADEL_DATABASE_COCKROACH_ADMIN_USERNAME
  #     Password: "" # ZITADEL_DATABASE_COCKROACH_ADMIN_PASSWORD
  #     SSL:
  #       Mode: disable # ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_MODE
  #       RootCert: "" # ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_ROOTCERT
  #       Cert: "" # ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_CERT
  #       Key: "" # ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_KEY
  # Postgres is used as soon as a value is set
  # The values describe the possible fields to set values
  postgres:
    Host: localhost # ZITADEL_DATABASE_POSTGRES_HOST
    Port: 5432 # ZITADEL_DATABASE_POSTGRES_PORT
    Database: zitadel # ZITADEL_DATABASE_POSTGRES_DATABASE
    MaxOpenConns: 25 # ZITADEL_DATABASE_POSTGRES_MAXOPENCONNS
    MaxIdleConns: 10 # ZITADEL_DATABASE_POSTGRES_MAXIDLECONNS
    MaxConnLifetime: 1h # ZITADEL_DATABASE_POSTGRES_MAXCONNLIFETIME
    MaxConnIdleTime: 5m # ZITADEL_DATABASE_POSTGRES_MAXCONNIDLETIME
    Options: "" # ZITADEL_DATABASE_POSTGRES_OPTIONS
    User:
      Username: zitadel # ZITADEL_DATABASE_POSTGRES_USER_USERNAME
      # NOTE(review): value is a redacted placeholder in this copy; prefer supplying the
      # real value via ZITADEL_DATABASE_POSTGRES_USER_PASSWORD instead of committing it here.
      Password: "***" # ZITADEL_DATABASE_POSTGRES_USER_PASSWORD
      SSL:
        # NOTE(review): disable means the DB connection is unencrypted and unauthenticated
        # at the transport level; fine only while Host stays localhost / a private network.
        # With RootCert set, a verifying mode can be used instead.
        Mode: disable # ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
        RootCert: # ZITADEL_DATABASE_POSTGRES_USER_SSL_ROOTCERT
        Cert: # ZITADEL_DATABASE_POSTGRES_USER_SSL_CERT
        Key: # ZITADEL_DATABASE_POSTGRES_USER_SSL_KEY
    Admin:
      # The default ExistingDatabase is postgres
      # If your db system doesn't have a database named postgres, configure an existing database here
      # It is used in zitadel init to connect to postgres and create a dedicated database for ZITADEL.
      ExistingDatabase: # ZITADEL_DATABASE_POSTGRES_ADMIN_EXISTINGDATABASE
      Username: postgres # ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME
      # NOTE(review): superuser credential, only needed for `zitadel init`; prefer
      # ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD over a value in this file.
      Password: "****" # ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD
      SSL:
        Mode: disable # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE
        RootCert: # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_ROOTCERT
        Cert: # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_CERT
        Key: # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_KEY

# Caches are EXPERIMENTAL. The following config may have breaking changes in the future.
# If no config is provided, caching is disabled by default.
Caches:
  # Connectors are reused by caches.
  Connectors:
    # Memory connector works with local server memory.
    # It is the simplest (and probably fastest) cache implementation.
    # Unsuitable for deployments with multiple containers,
    # as each container's cache may hold a different state of the same object.
    Memory:
      Enabled: false
      # AutoPrune removes invalidated or expired objects from the cache.
      AutoPrune:
        Interval: 1m
        TimeOut: 5s
    # Postgres connector uses the configured database (postgres or cockroachdb) as cache.
    # It is suitable for deployments with multiple containers.
    # The cache is enabled by default because it is the default cache states for IdP form callbacks
    Postgres:
      Enabled: true
      AutoPrune:
        Interval: 15m
        TimeOut: 30s
    Redis:
      # NOTE(review): disabled here. If it is ever enabled, set Username/Password and
      # EnableTLS below — as written the connection would be unauthenticated and in clear.
      Enabled: false
      # The network type, either tcp or unix.
      # Default is tcp.
      # Network string
      # host:port address.
      Addr: localhost:6379
      # ClientName will execute the `CLIENT SETNAME ClientName` command for each conn.
      ClientName: ""
      # Use the specified Username to authenticate the current connection
      # with one of the connections defined in the ACL list when connecting
      # to a Redis 6.0 instance, or greater, that is using the Redis ACL system.
      Username: ""
      # Optional password. Must match the password specified in the
      # requirepass server configuration option (if connecting to a Redis 5.0 instance, or lower),
      # or the User Password when connecting to a Redis 6.0 instance, or greater,
      # that is using the Redis ACL system.
      Password: ""
      # Each ZITADEL cache uses an incremental DB namespace.
      # This option offsets the first DB so it doesn't conflict with other databases on the same server.
      # Note that ZITADEL uses FLUSHDB command to truncate a cache.
      # This can have destructive consequences when overlapping DB namespaces are used.
      DBOffset: 10
      # Maximum number of retries before giving up.
      # Default is 3 retries; -1 (not 0) disables retries.
      MaxRetries: 3
      # Minimum backoff between each retry.
      # Default is 8 milliseconds; -1 disables backoff.
      MinRetryBackoff: 8ms
      # Maximum backoff between each retry.
      # Default is 512 milliseconds; -1 disables backoff.
      MaxRetryBackoff: 512ms
      # Dial timeout for establishing new connections.
      # Default is 5 seconds.
      DialTimeout: 1s
      # Timeout for socket reads. If reached, commands will fail
      # with a timeout instead of blocking. Supported values:
      #   - `0` - default timeout (3 seconds).
      #   - `-1` - no timeout (block indefinitely).
      #   - `-2` - disables SetReadDeadline calls completely.
      ReadTimeout: 100ms
      # Timeout for socket writes. If reached, commands will fail
      # with a timeout instead of blocking. Supported values:
      #   - `0` - default timeout (3 seconds).
      #   - `-1` - no timeout (block indefinitely).
      #   - `-2` - disables SetWriteDeadline calls completely.
      WriteTimeout: 100ms
      # Type of connection pool.
      # true for FIFO pool, false for LIFO pool.
      # Note that FIFO has slightly higher overhead compared to LIFO,
      # but it helps closing idle connections faster reducing the pool size.
      PoolFIFO: false
      # Base number of socket connections.
      # Default is 10 connections per every available CPU as reported by runtime.GOMAXPROCS.
# Caches.Connectors.Redis (continued)
      # If there is not enough connections in the pool, new connections will be allocated in excess of PoolSize,
      # you can limit it through MaxActiveConns
      PoolSize: 20
      # Amount of time client waits for connection if all connections
      # are busy before returning an error.
      # Default is ReadTimeout + 1 second.
      PoolTimeout: 100ms
      # Minimum number of idle connections which is useful when establishing
      # new connection is slow.
      # Default is 0. the idle connections are not closed by default.
      MinIdleConns: 5
      # Maximum number of idle connections.
      # Default is 0. the idle connections are not closed by default.
      MaxIdleConns: 10
      # Maximum number of connections allocated by the pool at a given time.
      # When zero, there is no limit on the number of connections in the pool.
      MaxActiveConns: 40
      # ConnMaxIdleTime is the maximum amount of time a connection may be idle.
      # Should be less than server's timeout.
      # Expired connections may be closed lazily before reuse.
      # If d <= 0, connections are not closed due to a connection's idle time.
      # Default is 30 minutes. -1 disables idle timeout check.
      ConnMaxIdleTime: 30m
      # ConnMaxLifetime is the maximum amount of time a connection may be reused.
      # Expired connections may be closed lazily before reuse.
      # If <= 0, connections are not closed due to a connection's age.
      # Default is to not close idle connections.
      ConnMaxLifetime: -1
      # Enable TLS server authentication using the default system bundle.
      # NOTE(review): keep this true whenever Addr points to anything other than a
      # local socket; otherwise the cache traffic (and Password) travel in clear.
      EnableTLS: false
      # Disable set-lib on connect. Default is false.
      # (Key name is spelled as the Redis client library expects; do not "fix" it.)
      DisableIndentity: false
      # Add suffix to client name. Default is empty.
      IdentitySuffix: ""
      # Implementation of [Circuit Breaker Pattern](https://learn.microsoft.com/en-us/previous-versions/msp-n-p/dn589784(v=pandp.10)?redirectedfrom=MSDN)
      CircuitBreaker:
        # Interval when the counters are reset to 0.
        # 0 interval never resets the counters until the CB is opened.
# Caches.Connectors.Redis.CircuitBreaker (continued)
        Interval: 0
        # Amount of consecutive failures permitted
        MaxConsecutiveFailures: 5
        # The ratio of failed requests out of total requests
        MaxFailureRatio: 0.1
        # Timeout after opening of the CB, until the state is set to half-open.
        Timeout: 60s
        # The allowed amount of requests that are allowed to pass when the CB is half-open.
        MaxRetryRequests: 1
  # Instance caches auth middleware instances, gettable by domain or ID.
  Instance:
    # Connector must be enabled above.
    # When connector is empty, this cache will be disabled.
    Connector: ""
    MaxAge: 1h
    LastUseAge: 10m
    # Log enables cache-specific logging. Default to error log to stderr when omitted.
    Log:
      Level: error
      AddSource: true
      Formatter:
        Format: text
  # Milestones caches instance milestone state, gettable by instance ID
  Milestones:
    Connector: ""
    MaxAge: 1h
    LastUseAge: 10m
    Log:
      Level: error
      AddSource: true
      Formatter:
        Format: text
  # Organization cache, gettable by primary domain or ID.
  Organization:
    Connector: ""
    MaxAge: 1h
    LastUseAge: 10m
    Log:
      Level: error
      AddSource: true
      Formatter:
        Format: text
  # IdP callbacks using form POST cache, required for handling them securely and without possible too big request urls.
  # The "postgres" connector is enabled above (Connectors.Postgres.Enabled: true), as this cache requires.
  IdPFormCallbacks:
    Connector: "postgres"
    MaxAge: 1h
    LastUseAge: 10m
    Log:
      Level: error
      AddSource: true
      Formatter:
        Format: text

Machine:
  # Cloud-hosted VMs need to specify their metadata endpoint so that the machine can be uniquely identified.
  Identification:
    # Use private IP to identify machines uniquely
    PrivateIp:
      Enabled: true # ZITADEL_MACHINE_IDENTIFICATION_PRIVATEIP_ENABLED
    # Use hostname to identify machines uniquely
    # You want the process to be identified uniquely, so this works well in k8s where each pod gets its own
    # unique hostname, but not as well in some other hosting environments.
# Machine.Identification (continued)
    Hostname:
      Enabled: false # ZITADEL_MACHINE_IDENTIFICATION_HOSTNAME_ENABLED
    # Use a webhook response to identify machines uniquely
    # Google Cloud Configuration
    Webhook:
      Enabled: false # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_ENABLED
      Url: "http://metadata.google.internal/computeMetadata/v1/instance/id" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_URL
      Headers:
        "Metadata-Flavor": "Google"
    # # AWS EC2 IMDSv1 Configuration: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
    # # NOTE(review): this example is the unauthenticated IMDSv1 GET; where the account enforces IMDSv2 it will not work as-is.
    # Webhook:
    #   Url: "http://169.254.169.254/latest/meta-data/ami-id" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_URL
    # # AWS ECS v4 Configuration: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v4.html
    # Webhook:
    #   Url: "${ECS_CONTAINER_METADATA_URI_V4}" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_URL
    #   JPath: "$.DockerId" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_JPATH
    # # Azure Configuration: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux
    # Webhook:
    #   Url: "http://169.254.169.254/metadata/instance?api-version=2021-02-01" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_URL
    #   JPath: "$.compute.vmId" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_JPATH

# Storage for assets like user avatar, organization logo, icon, font, ...
AssetStorage:
  Type: db # ZITADEL_ASSET_STORAGE_TYPE
  # HTTP cache control settings for serving assets in the assets API and login UI
  # the assets will also be served with an etag and last-modified header
  Cache:
    MaxAge: 5s # ZITADEL_ASSETSTORAGE_CACHE_MAXAGE
    # 168h are 7 days
    SharedMaxAge: 168h # ZITADEL_ASSETSTORAGE_CACHE_SHAREDMAXAGE

# The Projections section defines the behavior for the scheduled and synchronous events projections.
Projections:
  # The maximum duration a transaction remains open
  # before it stops folding additional events
  # and updates the table.
# Projections (continued)
  TransactionDuration: 1m # ZITADEL_PROJECTIONS_TRANSACTIONDURATION
  # Time interval between scheduled projections
  RequeueEvery: 60s # ZITADEL_PROJECTIONS_REQUEUEEVERY
  # Time between retried database statements resulting from projected events
  RetryFailedAfter: 1s # ZITADEL_PROJECTIONS_RETRYFAILEDAFTER
  # Retried execution number of database statements resulting from projected events
  MaxFailureCount: 5 # ZITADEL_PROJECTIONS_MAXFAILURECOUNT
  # Limit of returned events per query
  BulkLimit: 200 # ZITADEL_PROJECTIONS_BULKLIMIT
  # Only instances are projected, for which at least a projection-relevant event exists within the timeframe
  # from HandleActiveInstances duration in the past until the projection's current time
  # If set to 0 (default), every instance is always considered active
  HandleActiveInstances: 0s # ZITADEL_PROJECTIONS_HANDLEACTIVEINSTANCES
  # Maximum amount of instances cached as active
  # If set to 0, every instance is always considered active
  MaxActiveInstances: 0 # ZITADEL_PROJECTIONS_MAXACTIVEINSTANCES
  # In the Customizations section, all settings from above can be overwritten for each specific projection
  Customizations:
    custom_texts:
      BulkLimit: 400
    project_grant_fields:
      TransactionDuration: 0s
      BulkLimit: 2000
    org_domain_verified_fields:
      TransactionDuration: 0s
      BulkLimit: 2000
    # The Notifications projection is used for preparing the messages (emails and SMS) to be sent to users
    Notifications:
      # As notification projections don't result in database statements, retries don't have an effect
      MaxFailureCount: 10 # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_NOTIFICATIONS_MAXFAILURECOUNT
    password_complexities:
      TransactionDuration: 2s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_PASSWORD_COMPLEXITIES_TRANSACTIONDURATION
    lockout_policy:
      TransactionDuration: 2s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_LOCKOUT_POLICY_TRANSACTIONDURATION
    # The NotificationsQuotas projection is used for calling quota webhooks
    NotificationsQuotas:
      # As quota notification projections don't result in database statements, retries don't have an effect
      MaxFailureCount: 10 # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_NOTIFICATIONSQUOTAS_MAXFAILURECOUNT
      # Quota notifications are not so time critical. Setting RequeueEvery to five minutes doesn't annoy the db too much.
      RequeueEvery: 300s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_NOTIFICATIONSQUOTAS_REQUEUEEVERY
      # Sending emails can take longer than 500ms
      TransactionDuration: 5s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_NOTIFICATIONQUOTAS_TRANSACTIONDURATION
    milestones:
      BulkLimit: 50
    # The Telemetry projection is used for calling telemetry webhooks
    Telemetry:
      # As sending telemetry data doesn't result in database statements, retries don't have any effects
      MaxFailureCount: 0 # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_TELEMETRY_MAXFAILURECOUNT
      # Telemetry data synchronization is not time critical. Setting RequeueEvery to 55 minutes doesn't annoy the database too much.
      RequeueEvery: 3300s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_TELEMETRY_REQUEUEEVERY

Notifications:
  # Notifications can be processed by either a sequential mode (legacy) or a new parallel mode.
  # The parallel mode is currently only recommended for Postgres databases.
  # For CockroachDB, the sequential mode is recommended, see: https://github.com/zitadel/zitadel/issues/9002
  # If legacy mode is enabled, the worker config below is ignored.
  # (Consistent with Database.postgres being the configured database above.)
  LegacyEnabled: false # ZITADEL_NOTIFICATIONS_LEGACYENABLED
  # The amount of workers processing the notification request events.
  # If set to 0, no notification request events will be handled. This can be useful when running in
  # multi binary / pod setup and allowing only certain executables to process the events.
  Workers: 1 # ZITADEL_NOTIFIACATIONS_WORKERS
  # The maximum duration a job can do its work before it is considered as failed.
# Notifications (continued)
  TransactionDuration: 10s # ZITADEL_NOTIFIACATIONS_TRANSACTIONDURATION
  # Automatically cancel the notification after the amount of failed attempts
  MaxAttempts: 3 # ZITADEL_NOTIFIACATIONS_MAXATTEMPTS
  # Automatically cancel the notification if it cannot be handled within a specific time
  MaxTtl: 5m # ZITADEL_NOTIFIACATIONS_MAXTTL

Auth:
  # See Projections.BulkLimit
  SearchLimit: 1000 # ZITADEL_AUTH_SEARCHLIMIT
  Spooler:
    # See Projections.TransactionDuration
    TransactionDuration: 10s # ZITADEL_AUTH_SPOOLER_TRANSACTIONDURATION
    # See Projections.BulkLimit
    BulkLimit: 100 # ZITADEL_AUTH_SPOOLER_BULKLIMIT
    # See Projections.MaxFailureCount
    FailureCountUntilSkip: 5 # ZITADEL_AUTH_SPOOLER_FAILURECOUNTUNTILSKIP
  # Defines the amount of auth requests stored in the LRU caches.
  # There are two caches implemented, one for id and one for code
  AmountOfCachedAuthRequests: 0 # ZITADEL_AUTH_AMOUNTOFCACHEDAUTHREQUESTS

Admin:
  # See Projections.BulkLimit
  SearchLimit: 1000 # ZITADEL_ADMIN_SEARCHLIMIT
  Spooler:
    # See Projections.TransactionDuration
    TransactionDuration: 10s
    # See Projections.BulkLimit
    BulkLimit: 200
    # See Projections.MaxFailureCount
    FailureCountUntilSkip: 5

UserAgentCookie:
  Name: zitadel.useragent # ZITADEL_USERAGENTCOOKIE_NAME
  # 8760h are 365 days, one year
  # NOTE(review): long-lived cookie; it is keyed by EncryptionKeys.UserAgentCookieKeyID
  # further down, so rotating that key invalidates existing user-agent cookies.
  MaxAge: 8760h # ZITADEL_USERAGENTCOOKIE_MAXAGE

OIDC:
  # Feature switches for the OIDC provider. CodeMethodS256 enables PKCE with S256;
  # AuthMethodPost / AuthMethodPrivateKeyJWT enable the corresponding client authentication methods.
  CodeMethodS256: true # ZITADEL_OIDC_CODEMETHODS256
  AuthMethodPost: true # ZITADEL_OIDC_AUTHMETHODPOST
  AuthMethodPrivateKeyJWT: true # ZITADEL_OIDC_AUTHMETHODPRIVATEKEYJWT
  GrantTypeRefreshToken: true # ZITADEL_OIDC_GRANTTYPEREFRESHTOKEN
  RequestObjectSupported: true # ZITADEL_OIDC_REQUESTOBJECTSUPPORTED
  # Sets the default values for lifetime and expiration for OIDC
  # This default can be overwritten in the default instance configuration and for each instance during runtime
  # !!! Changing this after the initial setup will have no impact without a restart !!!
# OIDC (continued)
  # NOTE(review): 12h is a long validity for bearer access/ID tokens; per the comment above
  # this is only the default and can be shortened per instance — consider doing so for
  # instances with sensitive APIs.
  DefaultAccessTokenLifetime: 12h # ZITADEL_OIDC_DEFAULTACCESSTOKENLIFETIME
  DefaultIdTokenLifetime: 12h # ZITADEL_OIDC_DEFAULTIDTOKENLIFETIME
  # 720h are 30 days, one month
  DefaultRefreshTokenIdleExpiration: 720h # ZITADEL_OIDC_DEFAULTREFRESHTOKENIDLEEXPIRATION
  # 2160h are 90 days, three months
  DefaultRefreshTokenExpiration: 2160h # ZITADEL_OIDC_DEFAULTREFRESHTOKENEXPIRATION
  # HTTP Cache-Control max-age header value to set on the jwks endpoint.
  # Only used when the web keys feature is enabled. 0 sets a no-store value.
  JWKSCacheControlMaxAge: 5m # ZITADEL_OIDC_JWKSCACHECONTROLMAXAGE
  CustomEndpoints:
    Auth:
      Path: /oauth/v2/authorize # ZITADEL_OIDC_CUSTOMENDPOINTS_AUTH_PATH
    Token:
      Path: /oauth/v2/token # ZITADEL_OIDC_CUSTOMENDPOINTS_TOKEN_PATH
    Introspection:
      Path: /oauth/v2/introspect # ZITADEL_OIDC_CUSTOMENDPOINTS_INTROSPECTION_PATH
    Userinfo:
      Path: /oidc/v1/userinfo # ZITADEL_OIDC_CUSTOMENDPOINTS_USERINFO_PATH
    Revocation:
      Path: /oauth/v2/revoke # ZITADEL_OIDC_CUSTOMENDPOINTS_REVOCATION_PATH
    EndSession:
      Path: /oidc/v1/end_session # ZITADEL_OIDC_CUSTOMENDPOINTS_ENDSESSION_PATH
    Keys:
      Path: /oauth/v2/keys # ZITADEL_OIDC_CUSTOMENDPOINTS_KEYS_PATH
    DeviceAuth:
      Path: /oauth/v2/device_authorization # ZITADEL_OIDC_CUSTOMENDPOINTS_DEVICEAUTH_PATH
  DeviceAuth:
    Lifetime: 5m # ZITADEL_OIDC_DEVICEAUTH_LIFETIME
    PollInterval: 5s # ZITADEL_OIDC_DEVICEAUTH_POLLINTERVAL
    UserCode:
      # 20-character alphabet, 8 characters, dash after every 4 (e.g. XXXX-XXXX).
      CharSet: "BCDFGHJKLMNPQRSTVWXZ" # ZITADEL_OIDC_DEVICEAUTH_USERCODE_CHARSET
      CharAmount: 8 # ZITADEL_OIDC_DEVICEAUTH_USERCODE_CHARARMOUNT
      DashInterval: 4 # ZITADEL_OIDC_DEVICEAUTH_USERCODE_DASHINTERVAL
  DefaultLoginURLV2: "/login?authRequest=" # ZITADEL_OIDC_DEFAULTLOGINURLV2
  DefaultLogoutURLV2: "/logout?post_logout_redirect=" # ZITADEL_OIDC_DEFAULTLOGOUTURLV2
  PublicKeyCacheMaxAge: 24h # ZITADEL_OIDC_PUBLICKEYCACHEMAXAGE
  DefaultBackChannelLogoutLifetime: 15m # ZITADEL_OIDC_DEFAULTBACKCHANNELLOGOUTLIFETIME

SAML:
  DefaultLoginURLV2: "/login?authRequest=" # ZITADEL_SAML_DEFAULTLOGINURLV2
  ProviderConfig:
    MetadataConfig:
# SAML.ProviderConfig.MetadataConfig (continued)
      Path: "/metadata" # ZITADEL_SAML_PROVIDERCONFIG_METADATACONFIG_PATH
      SignatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" # ZITADEL_SAML_PROVIDERCONFIG_METADATACONFIG_SIGNATUREALGORITHM
    IDPConfig:
      SignatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" # ZITADEL_SAML_PROVIDERCONFIG_IDPCONFIG_SIGNATUREALGORITHM
      # Requires SPs to sign AuthnRequests; keep true so unsigned requests are rejected.
      WantAuthRequestsSigned: true # ZITADEL_SAML_PROVIDERCONFIG_IDPCONFIG_WANTAUTHREQUESTSSIGNED
    Endpoints:
    #Organisation:
    #  Name: ZITADEL # ZITADEL_SAML_PROVIDERCONFIG_ORGANISATION_NAME
    #  URL: https://zitadel.com # ZITADEL_SAML_PROVIDERCONFIG_ORGANISATION_URL
    #ContactPerson:
    #  ContactType: "technical" # ZITADEL_SAML_PROVIDERCONFIG_CONTACTPERSON_CONTACTTYPE
    #  Company: ZITADEL # ZITADEL_SAML_PROVIDERCONFIG_CONTACTPERSON_COMPANY
    #  EmailAddress: hi@zitadel.com # ZITADEL_SAML_PROVIDERCONFIG_CONTACTPERSON_EMAILADDRESS

SCIM:
  DocumentationUrl: https://zitadel.com/docs/guides/manage/user/scim2
  AuthenticationSchemes:
    - Name: Zitadel authentication token
      Description: Authentication scheme using the OAuth Bearer Token Standard
      SpecUri: https://www.rfc-editor.org/info/rfc6750
      DocumentationUri: https://zitadel.com/docs/guides/integrate/service-users/authenticate-service-users
      Type: oauthbearertoken
  # default values whether an email/phone is considered verified when a users email/phone is created or updated
  # NOTE(review): true means contact data pushed via SCIM is trusted as verified without a
  # challenge; appropriate only when the SCIM client is the authoritative source of that data.
  EmailVerified: true # ZITADEL_SCIM_EMAILVERIFIED
  PhoneVerified: true # ZITADEL_SCIM_PHONEVERIFIED
  # Upper bound on a SCIM request body (bytes); with Bulk.MaxOperationsCount it limits
  # how much work a single request can enqueue.
  MaxRequestBodySize: 1_000_000 # ZITADEL_SCIM_MAXREQUESTBODYSIZE
  Bulk:
    MaxOperationsCount: 100 # ZITADEL_SCIM_BULK_MAXOPERATIONSCOUNT

Login:
  LanguageCookieName: zitadel.login.lang # ZITADEL_LOGIN_LANGUAGECOOKIENAME
  CSRFCookieName: zitadel.login.csrf # ZITADEL_LOGIN_CSRFCOOKIENAME
  Cache:
    MaxAge: 12h # ZITADEL_LOGIN_CACHE_MAXAGE
    # 168h is 7 days, one week
    SharedMaxAge: 168h # ZITADEL_LOGIN_CACHE_SHAREDMAXAGE
  DefaultOTPEmailURLV2: "/otp/verify?loginName={{.LoginName}}&code={{.Code}}" # ZITADEL_LOGIN_CACHE_DEFAULTOTPEMAILURLV2

Console:
  ShortCache:
# Console.ShortCache (continued)
    MaxAge: 0m # ZITADEL_CONSOLE_SHORTCACHE_MAXAGE
    SharedMaxAge: 5m # ZITADEL_CONSOLE_SHORTCACHE_SHAREDMAXAGE
  LongCache:
    MaxAge: 12h # ZITADEL_CONSOLE_LONGCACHE_MAXAGE
    # 168h is 7 days, one week
    SharedMaxAge: 168h # ZITADEL_CONSOLE_LONGCACHE_SHAREDMAXAGE
  InstanceManagementURL: "" # ZITADEL_CONSOLE_INSTANCEMANAGEMENTURL
  PostHog:
    # Product analytics for the console; both empty here, so nothing is sent.
    URL: "" # ZITADEL_CONSOLE_POSTHOG_URL
    Token: "" # ZITADEL_CONSOLE_POSTHOG_TOKEN

# Each entry names the key ID used to encrypt new data and (optionally) a list of older
# key IDs that may still be used to decrypt existing data. The IDs reference keys in
# ZITADEL's key store; no key material is held in this file.
EncryptionKeys:
  DomainVerification:
    EncryptionKeyID: "domainVerificationKey" # ZITADEL_ENCRYPTIONKEYS_DOMAINVERIFICATION_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_DOMAINVERIFICATION_DECRYPTIONKEYIDS (comma separated list)
  IDPConfig:
    EncryptionKeyID: "idpConfigKey" # ZITADEL_ENCRYPTIONKEYS_IDPCONFIG_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_IDPCONFIG_DECRYPTIONKEYIDS (comma separated list)
  OIDC:
    EncryptionKeyID: "oidcKey" # ZITADEL_ENCRYPTIONKEYS_OIDC_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_OIDC_DECRYPTIONKEYIDS (comma separated list)
  SAML:
    EncryptionKeyID: "samlKey" # ZITADEL_ENCRYPTIONKEYS_SAML_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_SAML_DECRYPTIONKEYIDS (comma separated list)
  OTP:
    EncryptionKeyID: "otpKey" # ZITADEL_ENCRYPTIONKEYS_OTP_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_OTP_DECRYPTIONKEYIDS (comma separated list)
  SMS:
    EncryptionKeyID: "smsKey" # ZITADEL_ENCRYPTIONKEYS_SMS_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_SMS_DECRYPTIONKEYIDS (comma separated list)
  SMTP:
    EncryptionKeyID: "smtpKey" # ZITADEL_ENCRYPTIONKEYS_SMTP_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_SMTP_DECRYPTIONKEYIDS (comma separated list)
  User:
    EncryptionKeyID: "userKey" # ZITADEL_ENCRYPTIONKEYS_USER_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_USER_DECRYPTIONKEYIDS (comma separated list)
  Target:
    EncryptionKeyID: "targetKey" # ZITADEL_ENCRYPTIONKEYS_TARGET_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_TARGET_DECRYPTIONKEYIDS (comma separated list)
  CSRFCookieKeyID: "csrfCookieKey" # ZITADEL_ENCRYPTIONKEYS_CSRFCOOKIEKEYID
  UserAgentCookieKeyID: "userAgentCookieKey" # ZITADEL_ENCRYPTIONKEYS_USERAGENTCOOKIEKEYID

SystemAPIUsers:
  # # Add keys for authentication of the systemAPI here:
  # # you can specify any name for the user, but they will have to match the `issuer` and `sub` claim in the JWT:
  # - superuser:
  #     Path: /path/to/superuser/ey.pem # you can provide the key either by reference with the path
  #     Memberships:
  #       # MemberType System allows the user to access all APIs for all instances or organizations
  #       - MemberType: System
  #         Roles:
  #           - "SYSTEM_OWNER"
  #           # Actually, we don't recommend adding IAM_OWNER and ORG_OWNER to the System membership, as this basically enables god mode for the system user
  #           - "IAM_OWNER"
  #           - "ORG_OWNER"
  #       # MemberType IAM and Organization let you restrict access to a specific instance or organization by specifying the AggregateID
  #       - MemberType: IAM
  #         Roles: "IAM_OWNER"
  #         AggregateID: "123456789012345678"
  #       - MemberType: Organization
  #         Roles: "ORG_OWNER"
  #         AggregateID: "123456789012345678"
  # - superuser2:
  #     # If no memberships are specified, the user has a membership of type System with the role "SYSTEM_OWNER"
  #     KeyData: # or you can directly embed it as base64 encoded value
  # Configure the SystemAPIUsers by environment variable using JSON notation:
  # ZITADEL_SYSTEMAPIUSERS='{"systemuser":{"Path":"/path/to/superuser/key.pem"},"systemuser2":{"KeyData":""}}'
  # NOTE(review): no Memberships are given for this user, so per the note above it holds
  # MemberType System with role SYSTEM_OWNER. Path points to the public key; the matching
  # private key is what authenticates as this user and should not live on this host.
  - system-user:
      Path: /system-user.pub

SystemDefaults:
  SecretGenerators:
    MachineKeySize: 2048 # ZITADEL_SYSTEMDEFAULTS_SECRETGENERATORS_MACHINEKEYSIZE
    ApplicationKeySize: 2048 # ZITADEL_SYSTEMDEFAULTS_SECRETGENERATORS_APPLICATIONKEYSIZE
  PasswordHasher:
    # Set hasher configuration for user passwords.
    # Passwords previously hashed with a different algorithm
    # or cost are automatically re-hashed using this config,
    # upon password validation or update.
# SystemDefaults.PasswordHasher (continued)
    Hasher:
      # Supported algorithms: "argon2i", "argon2id", "bcrypt", "scrypt", "pbkdf2"
      # Depending on the algorithm, different configuration options take effect.
      Algorithm: bcrypt # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ALGORITHM
      # Cost takes effect for the algorithms bcrypt and scrypt
      # (bcrypt cost 14 is the setting in effect here; Time/Memory/Threads/Rounds/Hash below are inert for bcrypt.)
      Cost: 14 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_COST
      # Time takes effect for the algorithms argon2i and argon2id
      Time: 3 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_TIME
      # Memory takes effect for the algorithms argon2i and argon2id
      Memory: 32768 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_MEMORY
      # Threads takes effect for the algorithms argon2i and argon2id
      Threads: 4 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_THREADS
      # Rounds takes effect for the algorithm pbkdf2
      Rounds: 290000 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ROUNDS
      # Hash takes effect for the algorithm pbkdf2
      # Can be "sha1", "sha224", "sha256", "sha384" or "sha512"
      Hash: sha256 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_HASH
    # Verifiers enable the possibility of verifying
    # passwords that are previously hashed using another
    # algorithm than the Hasher.
    # This can be used when migrating from one algorithm to another,
    # or when importing users with hashed passwords.
    # There is no need to enable a Verifier of the same algorithm
    # as the Hasher.
    #
    # The format of the encoded hash strings must comply
    # with https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md
    # https://passlib.readthedocs.io/en/stable/modular_crypt_format.html
    #
    # Supported verifiers: (uncomment to enable)
    # NOTE(review): enable the weak ones ("md5", "md5plain") only for the duration of an
    # import/migration; re-hashing on validation (see above) then moves users to bcrypt.
    Verifiers: # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_VERIFIERS
      # - "argon2" # verifier for both argon2i and argon2id.
      # - "bcrypt"
      # - "md5" # md5Crypt with salt and password shuffling.
      # - "md5plain" # md5 digest of a password without salt
      # - "scrypt"
      # - "pbkdf2" # verifier for all pbkdf2 hash modes.
  SecretHasher:
    # Set hasher configuration for machine users, API and OIDC client secrets.
Hasher: # Supported algorithms: "argon2i", "argon2id", "bcrypt", "scrypt", "pbkdf2" # Depending on the algorithm, different configuration options take effect. Algorithm: bcrypt # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_ALGORITHM # Cost takes effect for the algorithms bcrypt and scrypt Cost: 4 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_COST # Time takes effect for the algorithms argon2i and argon2id Time: 3 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_TIME # Memory takes effect for the algorithms argon2i and argon2id Memory: 32768 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_MEMORY # Threads takes effect for the algorithms argon2i and argon2id Threads: 4 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_THREADS # Rounds takes effect for the algorithm pbkdf2 Rounds: 290000 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_ROUNDS # Hash takes effect for the algorithm pbkdf2 # Can be "sha1", "sha224", "sha256", "sha384" or "sha512" Hash: sha256 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_HASH Verifiers: # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_VERIFIERS Multifactors: OTP: # If this is empty, the issuer is the requested domain # This is helpful in scenarios with multiple ZITADEL environments or virtual instances Issuer: "ZITADEL" # ZITADEL_SYSTEMDEFAULTS_MULTIFACTORS_OTP_ISSUER DomainVerification: VerificationGenerator: Length: 32 # ZITADEL_SYSTEMDEFAULTS_DOMAINVERIFICATION_VERIFICATIONGENERATOR_LENGTH IncludeLowerLetters: true # ZITADEL_SYSTEMDEFAULTS_DOMAINVERIFICATION_VERIFICATIONGENERATOR_INCLUDELOWERLETTERS IncludeUpperLetters: true # ZITADEL_SYSTEMDEFAULTS_DOMAINVERIFICATION_VERIFICATIONGENERATOR_INCLUDEUPPERLETTERS IncludeDigits: true # ZITADEL_SYSTEMDEFAULTS_DOMAINVERIFICATION_VERIFICATIONGENERATOR_INCLUDEDIGITS IncludeSymbols: false # ZITADEL_SYSTEMDEFAULTS_DOMAINVERIFICATION_VERIFICATIONGENERATOR_INCLUDESYMBOLS Notifications: FileSystemPath: ".notifications/" # ZITADEL_SYSTEMDEFAULTS_NOTIFICATIONS_FILESYSTEMPATH KeyConfig: Size: 2048 # 
ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_SIZE CertificateSize: 4096 # ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_CERTIFICATESIZE PrivateKeyLifetime: 6h # ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_PRIVATEKEYLIFETIME PublicKeyLifetime: 30h # ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_PUBLICKEYLIFETIME # 8766h are 1 year CertificateLifetime: 8766h # ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_CERTIFICATELIFETIME # DefaultQueryLimit limits the number of items that can be queried in a single v3 API search request without explicitly passing a limit. DefaultQueryLimit: 100 # ZITADEL_SYSTEMDEFAULTS_DEFAULTQUERYLIMIT # MaxQueryLimit limits the number of items that can be queried in a single v3 API search request with explicitly passing a limit. MaxQueryLimit: 1000 # ZITADEL_SYSTEMDEFAULTS_MAXQUERYLIMIT Actions: HTTP: # Wildcard sub domains are currently unsupported DenyList: # ZITADEL_ACTIONS_HTTP_DENYLIST (comma separated list) - localhost - "127.0.0.0/8" - "::1" - "0.0.0.0" - "::" LogStore: Access: Stdout: # If enabled, all access logs are printed to the binary's standard output Enabled: false # ZITADEL_LOGSTORE_ACCESS_STDOUT_ENABLED Execution: Stdout: # If enabled, all execution logs are printed to the binary's standard output Enabled: true # ZITADEL_LOGSTORE_EXECUTION_STDOUT_ENABLED Quotas: Access: # If enabled, authenticated requests are counted and potentially limited depending on the configured quota of the instance Enabled: false # ZITADEL_QUOTAS_ACCESS_ENABLED Debounce: MinFrequency: 0s # ZITADEL_QUOTAS_ACCESS_DEBOUNCE_MINFREQUENCY MaxBulkSize: 0 # ZITADEL_QUOTAS_ACCESS_DEBOUNCE_MAXBULKSIZE ExhaustedCookieKey: "zitadel.quota.exhausted" # ZITADEL_QUOTAS_ACCESS_EXHAUSTEDCOOKIEKEY ExhaustedCookieMaxAge: "300s" # ZITADEL_QUOTAS_ACCESS_EXHAUSTEDCOOKIEMAXAGE Execution: # If enabled, all action executions are counted and potentially limited depending on the configured quota of the instance Enabled: false # ZITADEL_QUOTAS_EXECUTION_DATABASE_ENABLED Debounce: MinFrequency: 0s # 
ZITADEL_QUOTAS_EXECUTION_DEBOUNCE_MINFREQUENCY MaxBulkSize: 0 # ZITADEL_QUOTAS_EXECUTION_DEBOUNCE_MAXBULKSIZE Eventstore: # Sets the maximum duration of transactions pushing events PushTimeout: 15s #ZITADEL_EVENTSTORE_PUSHTIMEOUT # Maximum amount of push retries in case of primary key violation on the sequence MaxRetries: 5 #ZITADEL_EVENTSTORE_MAXRETRIES # AuditLogRetention limits the number of events that can be queried via the events API by their age. # A value of "0s" means that all events are available. # If an audit log retention is set using an instance limit, it will overwrite the system default. AuditLogRetention: 0s # ZITADEL_AUDITLOGRETENTION #InternalAuthZ: # # Configure the RolePermissionMappings by environment variable using JSON notation: # # ZITADEL_INTERNALAUTHZ_ROLEPERMISSIONMAPPINGS='[{"role": "IAM_OWNER", "permissions": ["iam.write"]}, {"role": "ORG_OWNER", "permissions": ["org.write"]}]' # # Beware that if you configure the RolePermissionMappings by environment variable, all the default RolePermissionMappings are lost. # # # # Warning: RolePermissionMappings are synhronized to the database. # # Changes here will only be applied after running `zitadel setup` or `zitadel start-from-setup`. 
# RolePermissionMappings: # - Role: "SYSTEM_OWNER" # Permissions: # - "system.instance.read" # - "system.instance.write" # - "system.instance.delete" # - "system.domain.read" # - "system.domain.write" # - "system.domain.delete" # - "system.debug.read" # - "system.debug.write" # - "system.debug.delete" # - "system.feature.read" # - "system.feature.write" # - "system.feature.delete" # - "system.limits.write" # - "system.limits.delete" # - "system.quota.write" # - "system.quota.delete" # - "system.iam.member.read" # - Role: "SYSTEM_OWNER_VIEWER" # Permissions: # - "system.instance.read" # - "system.domain.read" # - "system.debug.read" # - "system.feature.read" # - "system.iam.member.read" # - Role: "IAM_OWNER" # Permissions: # - "iam.read" # - "iam.write" # - "iam.policy.read" # - "iam.policy.write" # - "iam.policy.delete" # - "iam.member.read" # - "iam.member.write" # - "iam.member.delete" # - "iam.idp.read" # - "iam.idp.write" # - "iam.idp.delete" # - "iam.action.read" # - "iam.action.write" # - "iam.action.delete" # - "iam.flow.read" # - "iam.flow.write" # - "iam.flow.delete" # - "iam.feature.read" # - "iam.feature.write" # - "iam.feature.delete" # - "iam.restrictions.read" # - "iam.restrictions.write" # - "iam.web_key.write" # - "iam.web_key.delete" # - "iam.web_key.read" # - "iam.debug.write" # - "iam.debug.read" # - "org.read" # - "org.global.read" # - "org.create" # - "org.write" # - "org.delete" # - "org.member.read" # - "org.member.write" # - "org.member.delete" # - "org.idp.read" # - "org.idp.write" # - "org.idp.delete" # - "org.action.read" # - "org.action.write" # - "org.action.delete" # - "org.flow.read" # - "org.flow.write" # - "org.flow.delete" # - "org.feature.read" # - "org.feature.write" # - "org.feature.delete" # - "user.read" # - "user.global.read" # - "user.write" # - "user.delete" # - "user.grant.read" # - "user.grant.write" # - "user.grant.delete" # - "user.membership.read" # - "user.credential.write" # - "user.passkey.write" # - 
"user.feature.read" # - "user.feature.write" # - "user.feature.delete" # - "policy.read" # - "policy.write" # - "policy.delete" # - "project.read" # - "project.create" # - "project.write" # - "project.delete" # - "project.member.read" # - "project.member.write" # - "project.member.delete" # - "project.role.read" # - "project.role.write" # - "project.role.delete" # - "project.app.read" # - "project.app.write" # - "project.app.delete" # - "project.grant.read" # - "project.grant.write" # - "project.grant.delete" # - "project.grant.member.read" # - "project.grant.member.write" # - "project.grant.member.delete" # - "events.read" # - "milestones.read" # - "session.read" # - "session.delete" # - "action.target.read" # - "action.target.write" # - "action.target.delete" # - "action.execution.read" # - "action.execution.write" # - "userschema.read" # - "userschema.write" # - "userschema.delete" # - "session.read" # - "session.delete" # - Role: "IAM_OWNER_VIEWER" # Permissions: # - "iam.read" # - "iam.policy.read" # - "iam.member.read" # - "iam.idp.read" # - "iam.action.read" # - "iam.flow.read" # - "iam.restrictions.read" # - "iam.feature.read" # - "iam.web_key.read" # - "iam.debug.read" # - "org.read" # - "org.member.read" # - "org.idp.read" # - "org.action.read" # - "org.flow.read" # - "org.feature.read" # - "user.read" # - "user.global.read" # - "user.grant.read" # - "user.membership.read" # - "user.feature.read" # - "policy.read" # - "project.read" # - "project.member.read" # - "project.role.read" # - "project.app.read" # - "project.grant.read" # - "project.grant.member.read" # - "events.read" # - "milestones.read" # - "action.target.read" # - "action.execution.read" # - "userschema.read" # - "session.read" # - Role: "IAM_ORG_MANAGER" # Permissions: # - "org.read" # - "org.global.read" # - "org.create" # - "org.write" # - "org.delete" # - "org.member.read" # - "org.member.write" # - "org.member.delete" # - "org.idp.read" # - "org.idp.write" # - "org.idp.delete" # - 
"org.action.read" # - "org.action.write" # - "org.action.delete" # - "org.flow.read" # - "org.flow.write" # - "org.flow.delete" # - "org.feature.read" # - "org.feature.write" # - "org.feature.delete" # - "user.read" # - "user.global.read" # - "user.write" # - "user.delete" # - "user.grant.read" # - "user.grant.write" # - "user.grant.delete" # - "user.membership.read" # - "user.credential.write" # - "user.passkey.write" # - "user.feature.read" # - "user.feature.write" # - "user.feature.delete" # - "policy.read" # - "policy.write" # - "policy.delete" # - "project.read" # - "project.create" # - "project.write" # - "project.delete" # - "project.member.read" # - "project.member.write" # - "project.member.delete" # - "project.role.read" # - "project.role.write" # - "project.role.delete" # - "project.app.read" # - "project.app.write" # - "project.app.delete" # - "project.grant.read" # - "project.grant.write" # - "project.grant.delete" # - "project.grant.member.read" # - "project.grant.member.write" # - "project.grant.member.delete" # - "session.delete" # - Role: "IAM_USER_MANAGER" # Permissions: # - "org.read" # - "org.global.read" # - "org.member.read" # - "org.member.delete" # - "user.read" # - "user.global.read" # - "user.write" # - "user.delete" # - "user.grant.read" # - "user.grant.write" # - "user.grant.delete" # - "user.membership.read" # - "user.passkey.write" # - "user.feature.read" # - "user.feature.write" # - "user.feature.delete" # - "project.read" # - "project.member.read" # - "project.role.read" # - "project.app.read" # - "project.grant.read" # - "project.grant.write" # - "project.grant.delete" # - "project.grant.member.read" # - "session.delete" # - Role: "IAM_ADMIN_IMPERSONATOR" # Permissions: # - "admin.impersonation" # - "impersonation" # - Role: "IAM_END_USER_IMPERSONATOR" # Permissions: # - "impersonation" # - Role: "ORG_OWNER" # Permissions: # - "org.read" # - "org.global.read" # - "org.write" # - "org.delete" # - "org.member.read" # - 
"org.member.write" # - "org.member.delete" # - "org.idp.read" # - "org.idp.write" # - "org.idp.delete" # - "org.action.read" # - "org.action.write" # - "org.action.delete" # - "org.flow.read" # - "org.flow.write" # - "org.flow.delete" # - "org.feature.read" # - "org.feature.write" # - "org.feature.delete" # - "user.read" # - "user.global.read" # - "user.write" # - "user.delete" # - "user.grant.read" # - "user.grant.write" # - "user.grant.delete" # - "user.membership.read" # - "user.credential.write" # - "user.passkey.write" # - "user.feature.read" # - "user.feature.write" # - "user.feature.delete" # - "policy.read" # - "policy.write" # - "policy.delete" # - "project.read" # - "project.create" # - "project.write" # - "project.delete" # - "project.member.read" # - "project.member.write" # - "project.member.delete" # - "project.role.read" # - "project.role.write" # - "project.role.delete" # - "project.app.read" # - "project.app.write" # - "project.grant.read" # - "project.grant.write" # - "project.grant.delete" # - "project.grant.member.read" # - "project.grant.member.write" # - "project.grant.member.delete" # - "session.delete" # - Role: "IAM_LOGIN_CLIENT" # Permissions: # - "iam.read" # - "iam.policy.read" # - "iam.member.read" # - "iam.member.write" # - "iam.idp.read" # - "iam.feature.read" # - "iam.restrictions.read" # - "org.read" # - "org.member.read" # - "org.member.write" # - "org.idp.read" # - "org.feature.read" # - "user.read" # - "user.write" # - "user.grant.read" # - "user.grant.write" # - "user.membership.read" # - "user.credential.write" # - "user.passkey.write" # - "user.feature.read" # - "policy.read" # - "project.read" # - "project.member.read" # - "project.member.write" # - "project.role.read" # - "project.app.read" # - "project.member.read" # - "project.member.write" # - "project.grant.read" # - "project.grant.member.read" # - "project.grant.member.write" # - "session.read" # - "session.link" # - "session.delete" # - "userschema.read" # - Role: 
"ORG_USER_MANAGER" # Permissions: # - "org.read" # - "user.read" # - "user.global.read" # - "user.write" # - "user.delete" # - "user.grant.read" # - "user.grant.write" # - "user.grant.delete" # - "user.membership.read" # - "user.feature.read" # - "user.feature.write" # - "user.feature.delete" # - "policy.read" # - "project.read" # - "project.role.read" # - "session.delete" # - Role: "ORG_OWNER_VIEWER" # Permissions: # - "org.read" # - "org.member.read" # - "org.idp.read" # - "org.action.read" # - "org.flow.read" # - "org.feature.read" # - "user.read" # - "user.global.read" # - "user.grant.read" # - "user.membership.read" # - "user.feature.read" # - "policy.read" # - "project.read" # - "project.member.read" # - "project.role.read" # - "project.app.read" # - "project.grant.read" # - "project.grant.member.read" # - "project.grant.user.grant.read" # - Role: "ORG_SETTINGS_MANAGER" # Permissions: # - "org.read" # - "org.write" # - "org.member.read" # - "org.idp.read" # - "org.idp.write" # - "org.idp.delete" # - "org.feature.read" # - "org.feature.write" # - "org.feature.delete" # - "policy.read" # - "policy.write" # - "policy.delete" # - Role: "ORG_USER_PERMISSION_EDITOR" # Permissions: # - "org.read" # - "org.member.read" # - "user.read" # - "user.global.read" # - "user.grant.read" # - "user.grant.write" # - "user.grant.delete" # - "policy.read" # - "project.read" # - "project.member.read" # - "project.role.read" # - "project.app.read" # - "project.grant.read" # - "project.grant.member.read" # - Role: "ORG_PROJECT_PERMISSION_EDITOR" # Permissions: # - "org.read" # - "org.member.read" # - "user.read" # - "user.global.read" # - "user.grant.read" # - "user.grant.write" # - "user.grant.delete" # - "policy.read" # - "project.read" # - "project.member.read" # - "project.role.read" # - "project.app.read" # - "project.grant.read" # - "project.grant.write" # - "project.grant.delete" # - "project.grant.member.read" # - Role: "ORG_PROJECT_CREATOR" # Permissions: # - 
"user.global.read" # - "policy.read" # - "project.read:self" # - "project.create" # - Role: "ORG_ADMIN_IMPERSONATOR" # Permissions: # - "admin.impersonation" # - "impersonation" # - Role: "ORG_END_USER_IMPERSONATOR" # Permissions: # - "impersonation" # - Role: "PROJECT_OWNER" # Permissions: # - "org.global.read" # - "policy.read" # - "project.read" # - "project.write" # - "project.delete" # - "project.member.read" # - "project.member.write" # - "project.member.delete" # - "project.role.read" # - "project.role.write" # - "project.role.delete" # - "project.app.read" # - "project.app.write" # - "project.app.delete" # - "project.grant.read" # - "project.grant.write" # - "project.grant.delete" # - "project.grant.member.read" # - "project.grant.member.write" # - "project.grant.member.delete" # - "user.read" # - "user.global.read" # - "user.grant.read" # - "user.grant.write" # - "user.grant.delete" # - "user.membership.read" # - Role: "PROJECT_OWNER_VIEWER" # Permissions: # - "policy.read" # - "project.read" # - "project.member.read" # - "project.role.read" # - "project.app.read" # - "project.grant.read" # - "project.grant.member.read" # - "user.read" # - "user.global.read" # - "user.grant.read" # - "user.membership.read" # - Role: "SELF_MANAGEMENT_GLOBAL" # Permissions: # - "org.create" # - "policy.read" # - "user.self.delete" # - Role: "ORG_USER_SELF_MANAGER" # Permissions: # - "policy.read" # - "user.self.delete" # - Role: "PROJECT_OWNER_GLOBAL" # Permissions: # - "org.global.read" # - "policy.read" # - "project.read" # - "project.write" # - "project.delete" # - "project.member.read" # - "project.member.write" # - "project.member.delete" # - "project.role.read" # - "project.role.write" # - "project.role.delete" # - "project.app.read" # - "project.app.write" # - "project.app.delete" # - "user.global.read" # - "user.grant.read" # - "user.grant.write" # - "user.grant.delete" # - "user.membership.read" # - Role: "PROJECT_OWNER_VIEWER_GLOBAL" # Permissions: # - 
"policy.read" # - "project.read" # - "project.member.read" # - "project.role.read" # - "project.app.read" # - "project.grant.read" # - "project.grant.member.read" # - "user.global.read" # - "user.grant.read" # - "user.membership.read" # - Role: "PROJECT_GRANT_OWNER" # Permissions: # - "policy.read" # - "org.global.read" # - "project.read" # - "project.grant.read" # - "project.grant.member.read" # - "project.grant.member.write" # - "project.grant.member.delete" # - "user.read" # - "user.global.read" # - "user.grant.read" # - "user.grant.write" # - "user.grant.delete" # - "user.membership.read" # - Role: "PROJECT_GRANT_OWNER_VIEWER" # Permissions: # - "policy.read" # - "project.read" # - "project.grant.read" # - "project.grant.member.read" # - "user.read" # - "user.global.read" # - "user.grant.read" # - "user.membership.read" # If a new projection is introduced it will be prefilled during the setup process (if enabled) # This can prevent serving outdated data after a version upgrade, but might require a longer setup / upgrade process: # https://zitadel.com/docs/self-hosting/manage/updating_scaling InitProjections: Enabled: true # ZITADEL_INITPROJECTIONS_ENABLED RetryFailedAfter: 100ms # ZITADEL_INITPROJECTIONS_RETRYFAILEDAFTER MaxFailureCount: 2 # ZITADEL_INITPROJECTIONS_MAXFAILURECOUNT BulkLimit: 1000 # ZITADEL_INITPROJECTIONS_BULKLIMIT