30/03/2023, 11:02 All configuration - Keycloak
All configuration
Complete list of all build options and configuration for Keycloak
Cache

cache
Defines the cache mechanism for high-availability.
Value: ispn (default), local

cache-config-file
Defines the file from which cache configuration should be loaded.

cache-stack
Define the default stack to use for cluster communication and node discovery.
Value: tcp, udp, kubernetes, ec2, azure, google

Storage (Experimental)

storage
Experimental: Sets the default storage mechanism for all areas.
Value: jpa, chm, hotrod, file

storage-area-auth-session
Experimental: Sets a storage mechanism for authentication sessions.
Value: jpa, chm, hotrod, file

storage-area-authorization
Experimental: Sets a storage mechanism for authorizations.
Value: jpa, chm, hotrod, file
https://www.keycloak.org/server/all-config 1/11

storage-area-client
Experimental: Sets a storage mechanism for clients.
Value: jpa, chm, hotrod, file

storage-area-client-scope
Experimental: Sets a storage mechanism for client scopes.
Value: jpa, chm, hotrod, file

storage-area-event-admin
Experimental: Sets a storage mechanism for admin events.
Value: jpa, chm, hotrod, file

storage-area-event-auth
Experimental: Sets a storage mechanism for authentication and authorization events.
Value: jpa, chm, hotrod, file

storage-area-group
Experimental: Sets a storage mechanism for groups.
Value: jpa, chm, hotrod, file

storage-area-login-failure
Experimental: Sets a storage mechanism for login failures.
Value: jpa, chm, hotrod, file

storage-area-realm
Experimental: Sets a storage mechanism for realms.
Value: jpa, chm, hotrod, file

storage-area-role
Experimental: Sets a storage mechanism for roles.
Value: jpa, chm, hotrod, file

storage-area-single-use-object
Experimental: Sets a storage mechanism for single use objects.
Value: jpa, chm, hotrod

storage-area-user
Experimental: Sets a storage mechanism for users.
Value: jpa, chm, hotrod, file

storage-area-user-session
Experimental: Sets a storage mechanism for user and client sessions.
Value: jpa, chm, hotrod, file

storage-deployment-state-version-seed
Experimental: Secret that serves as a seed to mask the version number of Keycloak in URLs.

storage-file-dir
Experimental: Root directory for file map store.

storage-hotrod-host
Experimental: Sets the host of the Infinispan server.

storage-hotrod-password
Experimental: Sets the password of the Infinispan user.

storage-hotrod-port
Experimental: Sets the port of the Infinispan server.

storage-hotrod-username
Experimental: Sets the username of the Infinispan user.

Database

db
The database vendor.
Value: dev-file (default), dev-mem, mariadb, mssql, mysql, oracle, postgres

db-password
The password of the database user.

db-pool-initial-size
The initial size of the connection pool.

db-pool-max-size
The maximum size of the connection pool.
Value: 100 (default)

db-pool-min-size
The minimal size of the connection pool.

db-schema
The database schema to be used.

db-url
The full database JDBC URL.

db-url-database
Sets the database name of the default JDBC URL of the chosen vendor.

db-url-host
Sets the hostname of the default JDBC URL of the chosen vendor.

db-url-port
Sets the port of the default JDBC URL of the chosen vendor.

db-url-properties
Sets the properties of the default JDBC URL of the chosen vendor.

db-username
The username of the database user.

Transaction

transaction-xa-enabled
If set to false, Keycloak uses a non-XA datasource in case the database does not support XA transactions.
Value: true (default), false

Feature

features
Enables a set of one or more features.
Value: account-api, account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, declarative-user-profile, docker, dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage, openshift-integration, par, preview, recovery-codes, scripts, step-up-authentication, token-exchange, update-email, web-authn

features-disabled
Disables a set of one or more features.
Value: account-api, account2, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, declarative-user-profile, docker, dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage, openshift-integration, par, preview, recovery-codes, scripts, step-up-authentication, token-exchange, update-email, web-authn

Hostname

hostname
Hostname for the Keycloak server.

hostname-admin
The hostname for accessing the administration console.

hostname-admin-url
Set the base URL for accessing the administration console, including scheme, host, port and path.

hostname-path
This should be set if proxy uses a different context-path for Keycloak.

hostname-port
The port used by the proxy when exposing the hostname.
Value: -1 (default)

hostname-strict
Disables dynamically resolving the hostname from request headers.
Value: true (default), false

hostname-strict-backchannel
By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications.
Value: true, false (default)

hostname-url
Set the base URL for frontend URLs, including scheme, host, port and path.

HTTP/TLS

http-enabled
Enables the HTTP listener.
Value: true, false (default)

http-host
The used HTTP Host.
Value: 0.0.0.0 (default)

http-port
The used HTTP port.
Value: 8080 (default)

http-relative-path
Set the path relative to / for serving resources.
Value: / (default)

https-certificate-file
The file path to a server certificate or certificate chain in PEM format.

https-certificate-key-file
The file path to a private key in PEM format.

https-cipher-suites
The cipher suites to use.

https-client-auth
Configures the server to require/request client authentication.
Value: none (default), request, required

https-key-store-file
The key store which holds the certificate information instead of specifying separate files.

https-key-store-password
The password of the key store file.
Value: password (default)

https-key-store-type
The type of the key store file.

https-port
The used HTTPS port.
Value: 8443 (default)

https-protocols
The list of protocols to explicitly enable.
Value: TLSv1.3 (default)

https-trust-store-file
The trust store which holds the certificate information of the certificates to trust.

https-trust-store-password
The password of the trust store file.

https-trust-store-type
The type of the trust store file.

Health

health-enabled
If the server should expose health check endpoints.
Value: true, false (default)

Metrics

metrics-enabled
If the server should expose metrics.
Value: true, false (default)

Proxy

proxy
The proxy address forwarding mode if the server is behind a reverse proxy.
Value: none (default), edge, reencrypt, passthrough

Vault

vault
Enables a vault provider.
Value: file

vault-dir
If set, secrets can be obtained by reading the content of files within the given directory.

Logging

log
Enable one or more log handlers in a comma-separated list.
Value: console (default), file, gelf

log-console-color
Enable or disable colors when logging to console.
Value: true, false (default)

log-console-format
The format of unstructured console log entries.
Value: %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n (default)

log-console-output
Set the log output to JSON or default (plain) unstructured logging.
Value: default (default), json

log-file
Set the log file path and filename.
Value: data/log/keycloak.log (default)

log-file-format
Set a format specific to file log entries.
Value: %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n (default)

log-file-output
Set the log output to JSON or default (plain) unstructured logging.
Value: default (default), json

log-gelf-facility
The facility (name of the process) that sends the message.
Value: keycloak (default)

log-gelf-host
Hostname of the Logstash or Graylog Host.
Value: localhost (default)

log-gelf-include-location
Include source code location.
Value: true (default), false

log-gelf-include-message-parameters
Include message parameters from the log event.
Value: true (default), false

log-gelf-include-stack-trace
If set to true, occurring stack traces are included in the StackTrace field in the GELF output.
Value: true (default), false

log-gelf-level
The log level specifying which message levels will be logged by the GELF logger.
Value: INFO (default)

log-gelf-max-message-size
Maximum message size (in bytes).
Value: 8192 (default)

log-gelf-port
The port the Logstash or Graylog Host is called on.
Value: 12201 (default)

log-gelf-timestamp-format
Set the format for the GELF timestamp field.
Value: yyyy-MM-dd HH:mm:ss,SSS (default)

log-level
The log level of the root category or a comma-separated list of individual categories and their levels.
Value: info (default)

Security (Preview)

fips-mode
Preview: Sets the FIPS mode.
Value: non-strict, strict