All configuration

Complete list of all build options and configuration for Keycloak

Cache

Value

	Value
`cache` Defines the cache mechanism for high-availability. By default, a `ispn` cache is used to create a cluster between multiple server nodes. A `local` cache disables clustering and is intended for development and testing purposes. CLI: `--cache` Env: `KC_CACHE`	`ispn` (default), `local`
`cache-config-file` Defines the file from which cache configuration should be loaded from. The configuration file is relative to the `conf/` directory. CLI: `--cache-config-file` Env: `KC_CACHE_CONFIG_FILE`
`cache-stack` Define the default stack to use for cluster communication and node discovery. This option only takes effect if `cache` is set to `ispn`. Default: udp. CLI: `--cache-stack` Env: `KC_CACHE_STACK`	`tcp`, `udp`, `kubernetes`, `ec2`, `azure`, `google`

cache

Defines the cache mechanism for high-availability.

By default, a ispn cache is used to create a cluster between multiple server nodes. A local cache disables clustering and is intended for development and testing purposes.

CLI: --cache
Env: KC_CACHE

ispn (default), local

cache-config-file

Defines the file from which cache configuration should be loaded from.

The configuration file is relative to the conf/ directory.

CLI: --cache-config-file
Env: KC_CACHE_CONFIG_FILE

cache-stack

Define the default stack to use for cluster communication and node discovery.

This option only takes effect if cache is set to ispn. Default: udp.

CLI: --cache-stack
Env: KC_CACHE_STACK

tcp, udp, kubernetes, ec2, azure, google

Database

Value

	Value
`db` The database vendor. CLI: `--db` Env: `KC_DB`	`dev-file` (default), `dev-mem`, `mariadb`, `mssql`, `mysql`, `oracle`, `postgres`
`db-driver` The fully qualified class name of the JDBC driver. If not set, a default driver is set accordingly to the chosen database. CLI: `--db-driver` Env: `KC_DB_DRIVER`
`db-password` The password of the database user. CLI: `--db-password` Env: `KC_DB_PASSWORD`
`db-pool-initial-size` The initial size of the connection pool. CLI: `--db-pool-initial-size` Env: `KC_DB_POOL_INITIAL_SIZE`
`db-pool-max-size` The maximum size of the connection pool. CLI: `--db-pool-max-size` Env: `KC_DB_POOL_MAX_SIZE`	`100` (default)
`db-pool-min-size` The minimal size of the connection pool. CLI: `--db-pool-min-size` Env: `KC_DB_POOL_MIN_SIZE`
`db-schema` The database schema to be used. CLI: `--db-schema` Env: `KC_DB_SCHEMA`
`db-url` The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor. For instance, if using `postgres`, the default JDBC URL would be `jdbc:postgresql://localhost/keycloak`. CLI: `--db-url` Env: `KC_DB_URL`
`db-url-database` Sets the database name of the default JDBC URL of the chosen vendor. If the `db-url` option is set, this option is ignored. CLI: `--db-url-database` Env: `KC_DB_URL_DATABASE`
`db-url-host` Sets the hostname of the default JDBC URL of the chosen vendor. If the `db-url` option is set, this option is ignored. CLI: `--db-url-host` Env: `KC_DB_URL_HOST`
`db-url-port` Sets the port of the default JDBC URL of the chosen vendor. If the `db-url` option is set, this option is ignored. CLI: `--db-url-port` Env: `KC_DB_URL_PORT`
`db-url-properties` Sets the properties of the default JDBC URL of the chosen vendor. If the `db-url` option is set, this option is ignored. CLI: `--db-url-properties` Env: `KC_DB_URL_PROPERTIES`
`db-username` The username of the database user. CLI: `--db-username` Env: `KC_DB_USERNAME`

db

The database vendor.

CLI: --db
Env: KC_DB

dev-file (default), dev-mem, mariadb, mssql, mysql, oracle, postgres

db-driver

The fully qualified class name of the JDBC driver.

If not set, a default driver is set accordingly to the chosen database.

CLI: --db-driver
Env: KC_DB_DRIVER

db-password

The password of the database user.

CLI: --db-password
Env: KC_DB_PASSWORD

db-pool-initial-size

The initial size of the connection pool.

CLI: --db-pool-initial-size
Env: KC_DB_POOL_INITIAL_SIZE

db-pool-max-size

The maximum size of the connection pool.

CLI: --db-pool-max-size
Env: KC_DB_POOL_MAX_SIZE

100 (default)

db-pool-min-size

The minimal size of the connection pool.

CLI: --db-pool-min-size
Env: KC_DB_POOL_MIN_SIZE

db-schema

The database schema to be used.

CLI: --db-schema
Env: KC_DB_SCHEMA

db-url

The full database JDBC URL.

If not provided, a default URL is set based on the selected database vendor. For instance, if using postgres, the default JDBC URL would be jdbc:postgresql://localhost/keycloak.

CLI: --db-url
Env: KC_DB_URL

db-url-database

Sets the database name of the default JDBC URL of the chosen vendor.

If the db-url option is set, this option is ignored.

CLI: --db-url-database
Env: KC_DB_URL_DATABASE

db-url-host

Sets the hostname of the default JDBC URL of the chosen vendor.

If the db-url option is set, this option is ignored.

CLI: --db-url-host
Env: KC_DB_URL_HOST

db-url-port

Sets the port of the default JDBC URL of the chosen vendor.

If the db-url option is set, this option is ignored.

CLI: --db-url-port
Env: KC_DB_URL_PORT

db-url-properties

Sets the properties of the default JDBC URL of the chosen vendor.

If the db-url option is set, this option is ignored.

CLI: --db-url-properties
Env: KC_DB_URL_PROPERTIES

db-username

The username of the database user.

CLI: --db-username
Env: KC_DB_USERNAME

Transaction

Value

	Value
`transaction-xa-enabled` If set to false, Keycloak uses a non-XA datasource in case the database does not support XA transactions. CLI: `--transaction-xa-enabled` Env: `KC_TRANSACTION_XA_ENABLED`	`true` (default), `false`

transaction-xa-enabled

If set to false, Keycloak uses a non-XA datasource in case the database does not support XA transactions.

CLI: --transaction-xa-enabled
Env: KC_TRANSACTION_XA_ENABLED

true (default), false

Feature

Value

	Value
`features` Enables a set of one or more features. CLI: `--features` Env: `KC_FEATURES`	`account-api`, `account2`, `account3`, `admin-api`, `admin-fine-grained-authz`, `admin2`, `authorization`, `ciba`, `client-policies`, `client-secret-rotation`, `declarative-user-profile`, `docker`, `dynamic-scopes`, `fips`, `impersonation`, `js-adapter`, `kerberos`, `map-storage`, `openshift-integration`, `par`, `preview`, `recovery-codes`, `scripts`, `step-up-authentication`, `token-exchange`, `update-email`, `web-authn`
`features-disabled` Disables a set of one or more features. CLI: `--features-disabled` Env: `KC_FEATURES_DISABLED`	`account-api`, `account2`, `account3`, `admin-api`, `admin-fine-grained-authz`, `admin2`, `authorization`, `ciba`, `client-policies`, `client-secret-rotation`, `declarative-user-profile`, `docker`, `dynamic-scopes`, `fips`, `impersonation`, `js-adapter`, `kerberos`, `map-storage`, `openshift-integration`, `par`, `preview`, `recovery-codes`, `scripts`, `step-up-authentication`, `token-exchange`, `update-email`, `web-authn`

features

Enables a set of one or more features.

CLI: --features
Env: KC_FEATURES

account-api, account2, account3, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, declarative-user-profile, docker, dynamic-scopes, fips, impersonation, js-adapter, kerberos, map-storage, openshift-integration, par, preview, recovery-codes, scripts, step-up-authentication, token-exchange, update-email, web-authn

features-disabled

Disables a set of one or more features.

CLI: --features-disabled
Env: KC_FEATURES_DISABLED

Hostname

Value

	Value
`hostname` Hostname for the Keycloak server. CLI: `--hostname` Env: `KC_HOSTNAME`
`hostname-admin` The hostname for accessing the administration console. Use this option if you are exposing the administration console using a hostname other than the value set to the `hostname` option. CLI: `--hostname-admin` Env: `KC_HOSTNAME_ADMIN`
`hostname-admin-url` Set the base URL for accessing the administration console, including scheme, host, port and path CLI: `--hostname-admin-url` Env: `KC_HOSTNAME_ADMIN_URL`
`hostname-path` This should be set if proxy uses a different context-path for Keycloak. CLI: `--hostname-path` Env: `KC_HOSTNAME_PATH`
`hostname-port` The port used by the proxy when exposing the hostname. Set this option if the proxy uses a port other than the default HTTP and HTTPS ports. CLI: `--hostname-port` Env: `KC_HOSTNAME_PORT`	`-1` (default)
`hostname-strict` Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless proxy verifies the Host header. CLI: `--hostname-strict` Env: `KC_HOSTNAME_STRICT`	`true` (default), `false`
`hostname-strict-backchannel` By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled. CLI: `--hostname-strict-backchannel` Env: `KC_HOSTNAME_STRICT_BACKCHANNEL`	`true`, `false` (default)
`hostname-url` Set the base URL for frontend URLs, including scheme, host, port and path. CLI: `--hostname-url` Env: `KC_HOSTNAME_URL`

hostname

Hostname for the Keycloak server.

CLI: --hostname
Env: KC_HOSTNAME

hostname-admin

The hostname for accessing the administration console.

Use this option if you are exposing the administration console using a hostname other than the value set to the hostname option.

CLI: --hostname-admin
Env: KC_HOSTNAME_ADMIN

hostname-admin-url

Set the base URL for accessing the administration console, including scheme, host, port and path

CLI: --hostname-admin-url
Env: KC_HOSTNAME_ADMIN_URL

hostname-path

This should be set if proxy uses a different context-path for Keycloak.

CLI: --hostname-path
Env: KC_HOSTNAME_PATH

hostname-port

The port used by the proxy when exposing the hostname.

Set this option if the proxy uses a port other than the default HTTP and HTTPS ports.

CLI: --hostname-port
Env: KC_HOSTNAME_PORT

-1 (default)

hostname-strict

Disables dynamically resolving the hostname from request headers.

Should always be set to true in production, unless proxy verifies the Host header.

CLI: --hostname-strict
Env: KC_HOSTNAME_STRICT

true (default), false

hostname-strict-backchannel

By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications.

If all applications use the public URL this option should be enabled.

CLI: --hostname-strict-backchannel
Env: KC_HOSTNAME_STRICT_BACKCHANNEL

true, false (default)

hostname-url

Set the base URL for frontend URLs, including scheme, host, port and path.

CLI: --hostname-url
Env: KC_HOSTNAME_URL

HTTP/TLS

Value

	Value
`http-enabled` Enables the HTTP listener. CLI: `--http-enabled` Env: `KC_HTTP_ENABLED`	`true`, `false` (default)
`http-host` The used HTTP Host. CLI: `--http-host` Env: `KC_HTTP_HOST`	`0.0.0.0` (default)
`http-port` The used HTTP port. CLI: `--http-port` Env: `KC_HTTP_PORT`	`8080` (default)
`http-relative-path` Set the path relative to `/` for serving resources. The path must start with a `/`. CLI: `--http-relative-path` Env: `KC_HTTP_RELATIVE_PATH`	`/` (default)
`https-certificate-file` The file path to a server certificate or certificate chain in PEM format. CLI: `--https-certificate-file` Env: `KC_HTTPS_CERTIFICATE_FILE`
`https-certificate-key-file` The file path to a private key in PEM format. CLI: `--https-certificate-key-file` Env: `KC_HTTPS_CERTIFICATE_KEY_FILE`
`https-cipher-suites` The cipher suites to use. If none is given, a reasonable default is selected. CLI: `--https-cipher-suites` Env: `KC_HTTPS_CIPHER_SUITES`
`https-client-auth` Configures the server to require/request client authentication. CLI: `--https-client-auth` Env: `KC_HTTPS_CLIENT_AUTH`	`none` (default), `request`, `required`
`https-key-store-file` The key store which holds the certificate information instead of specifying separate files. CLI: `--https-key-store-file` Env: `KC_HTTPS_KEY_STORE_FILE`
`https-key-store-password` The password of the key store file. CLI: `--https-key-store-password` Env: `KC_HTTPS_KEY_STORE_PASSWORD`	`password` (default)
`https-key-store-type` The type of the key store file. If not given, the type is automatically detected based on the file name. If `fips-mode` is set to `strict` and no value is set, it defaults to `BCFKS`. CLI: `--https-key-store-type` Env: `KC_HTTPS_KEY_STORE_TYPE`
`https-port` The used HTTPS port. CLI: `--https-port` Env: `KC_HTTPS_PORT`	`8443` (default)
`https-protocols` The list of protocols to explicitly enable. CLI: `--https-protocols` Env: `KC_HTTPS_PROTOCOLS`	`TLSv1.3` (default)
`https-trust-store-file` The trust store which holds the certificate information of the certificates to trust. CLI: `--https-trust-store-file` Env: `KC_HTTPS_TRUST_STORE_FILE`
`https-trust-store-password` The password of the trust store file. CLI: `--https-trust-store-password` Env: `KC_HTTPS_TRUST_STORE_PASSWORD`
`https-trust-store-type` The type of the trust store file. If not given, the type is automatically detected based on the file name. If `fips-mode` is set to `strict` and no value is set, it defaults to `BCFKS`. CLI: `--https-trust-store-type` Env: `KC_HTTPS_TRUST_STORE_TYPE`

http-enabled

Enables the HTTP listener.

CLI: --http-enabled
Env: KC_HTTP_ENABLED

true, false (default)

http-host

The used HTTP Host.

CLI: --http-host
Env: KC_HTTP_HOST

0.0.0.0 (default)

http-port

The used HTTP port.

CLI: --http-port
Env: KC_HTTP_PORT

8080 (default)

http-relative-path

Set the path relative to / for serving resources.

The path must start with a /.

CLI: --http-relative-path
Env: KC_HTTP_RELATIVE_PATH

/ (default)

https-certificate-file

The file path to a server certificate or certificate chain in PEM format.

CLI: --https-certificate-file
Env: KC_HTTPS_CERTIFICATE_FILE

https-certificate-key-file

The file path to a private key in PEM format.

CLI: --https-certificate-key-file
Env: KC_HTTPS_CERTIFICATE_KEY_FILE

https-cipher-suites

The cipher suites to use.

If none is given, a reasonable default is selected.

CLI: --https-cipher-suites
Env: KC_HTTPS_CIPHER_SUITES

https-client-auth

Configures the server to require/request client authentication.

CLI: --https-client-auth
Env: KC_HTTPS_CLIENT_AUTH

none (default), request, required

https-key-store-file

The key store which holds the certificate information instead of specifying separate files.

CLI: --https-key-store-file
Env: KC_HTTPS_KEY_STORE_FILE

https-key-store-password

The password of the key store file.

CLI: --https-key-store-password
Env: KC_HTTPS_KEY_STORE_PASSWORD

password (default)

https-key-store-type

The type of the key store file.

If not given, the type is automatically detected based on the file name. If fips-mode is set to strict and no value is set, it defaults to BCFKS.

CLI: --https-key-store-type
Env: KC_HTTPS_KEY_STORE_TYPE

https-port

The used HTTPS port.

CLI: --https-port
Env: KC_HTTPS_PORT

8443 (default)

https-protocols

The list of protocols to explicitly enable.

CLI: --https-protocols
Env: KC_HTTPS_PROTOCOLS

TLSv1.3 (default)

https-trust-store-file

The trust store which holds the certificate information of the certificates to trust.

CLI: --https-trust-store-file
Env: KC_HTTPS_TRUST_STORE_FILE

https-trust-store-password

The password of the trust store file.

CLI: --https-trust-store-password
Env: KC_HTTPS_TRUST_STORE_PASSWORD

https-trust-store-type

The type of the trust store file.

If not given, the type is automatically detected based on the file name. If fips-mode is set to strict and no value is set, it defaults to BCFKS.

CLI: --https-trust-store-type
Env: KC_HTTPS_TRUST_STORE_TYPE

Health

Value

	Value
`health-enabled` If the server should expose health check endpoints. If enabled, health checks are available at the `/health`, `/health/ready` and `/health/live` endpoints. CLI: `--health-enabled` Env: `KC_HEALTH_ENABLED`	`true`, `false` (default)

health-enabled

If the server should expose health check endpoints.

If enabled, health checks are available at the /health, /health/ready and /health/live endpoints.

CLI: --health-enabled
Env: KC_HEALTH_ENABLED

true, false (default)

Metrics

Value

	Value
`metrics-enabled` If the server should expose metrics. If enabled, metrics are available at the `/metrics` endpoint. CLI: `--metrics-enabled` Env: `KC_METRICS_ENABLED`	`true`, `false` (default)

metrics-enabled

If the server should expose metrics.

If enabled, metrics are available at the /metrics endpoint.

CLI: --metrics-enabled
Env: KC_METRICS_ENABLED

true, false (default)

Proxy

Value

	Value
`proxy` The proxy address forwarding mode if the server is behind a reverse proxy. CLI: `--proxy` Env: `KC_PROXY`	`none` (default), `edge`, `reencrypt`, `passthrough`

proxy

The proxy address forwarding mode if the server is behind a reverse proxy.

CLI: --proxy
Env: KC_PROXY

none (default), edge, reencrypt, passthrough

Vault

Value

	Value
`vault` Enables a vault provider. CLI: `--vault` Env: `KC_VAULT`	`file`
`vault-dir` If set, secrets can be obtained by reading the content of files within the given directory. CLI: `--vault-dir` Env: `KC_VAULT_DIR`

vault

Enables a vault provider.

CLI: --vault
Env: KC_VAULT

file

vault-dir

If set, secrets can be obtained by reading the content of files within the given directory.

CLI: --vault-dir
Env: KC_VAULT_DIR

Logging

Value

	Value
`log` Enable one or more log handlers in a comma-separated list. CLI: `--log` Env: `KC_LOG`	`console` (default), `file`, `gelf`
`log-console-color` Enable or disable colors when logging to console. CLI: `--log-console-color` Env: `KC_LOG_CONSOLE_COLOR`	`true`, `false` (default)
`log-console-format` The format of unstructured console log entries. If the format has spaces in it, escape the value using "<format>". CLI: `--log-console-format` Env: `KC_LOG_CONSOLE_FORMAT`	`%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` (default)
`log-console-output` Set the log output to JSON or default (plain) unstructured logging. CLI: `--log-console-output` Env: `KC_LOG_CONSOLE_OUTPUT`	`default` (default), `json`
`log-file` Set the log file path and filename. CLI: `--log-file` Env: `KC_LOG_FILE`	`data/log/keycloak.log` (default)
`log-file-format` Set a format specific to file log entries. CLI: `--log-file-format` Env: `KC_LOG_FILE_FORMAT`	`%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` (default)
`log-file-output` Set the log output to JSON or default (plain) unstructured logging. CLI: `--log-file-output` Env: `KC_LOG_FILE_OUTPUT`	`default` (default), `json`
`log-gelf-facility` The facility (name of the process) that sends the message. CLI: `--log-gelf-facility` Env: `KC_LOG_GELF_FACILITY`	`keycloak` (default)
`log-gelf-host` Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the host with `tcp:` to switch to TCP. Example: `tcp:localhost` CLI: `--log-gelf-host` Env: `KC_LOG_GELF_HOST`	`localhost` (default)
`log-gelf-include-location` Include source code location. CLI: `--log-gelf-include-location` Env: `KC_LOG_GELF_INCLUDE_LOCATION`	`true` (default), `false`
`log-gelf-include-message-parameters` Include message parameters from the log event. CLI: `--log-gelf-include-message-parameters` Env: `KC_LOG_GELF_INCLUDE_MESSAGE_PARAMETERS`	`true` (default), `false`
`log-gelf-include-stack-trace` If set to true, occuring stack traces are included in the `StackTrace` field in the GELF output. CLI: `--log-gelf-include-stack-trace` Env: `KC_LOG_GELF_INCLUDE_STACK_TRACE`	`true` (default), `false`
`log-gelf-level` The log level specifying which message levels will be logged by the GELF logger. Message levels lower than this value will be discarded. CLI: `--log-gelf-level` Env: `KC_LOG_GELF_LEVEL`	`INFO` (default)
`log-gelf-max-message-size` Maximum message size (in bytes). If the message size is exceeded, GELF will submit the message in multiple chunks. CLI: `--log-gelf-max-message-size` Env: `KC_LOG_GELF_MAX_MESSAGE_SIZE`	`8192` (default)
`log-gelf-port` The port the Logstash or Graylog Host is called on. CLI: `--log-gelf-port` Env: `KC_LOG_GELF_PORT`	`12201` (default)
`log-gelf-timestamp-format` Set the format for the GELF timestamp field. Uses Java SimpleDateFormat pattern. CLI: `--log-gelf-timestamp-format` Env: `KC_LOG_GELF_TIMESTAMP_FORMAT`	`yyyy-MM-dd HH:mm:ss,SSS` (default)
`log-level` The log level of the root category or a comma-separated list of individual categories and their levels. For the root category, you don’t need to specify a category. CLI: `--log-level` Env: `KC_LOG_LEVEL`	`info` (default)

log

Enable one or more log handlers in a comma-separated list.

CLI: --log
Env: KC_LOG

console (default), file, gelf

log-console-color

Enable or disable colors when logging to console.

CLI: --log-console-color
Env: KC_LOG_CONSOLE_COLOR

true, false (default)

log-console-format

The format of unstructured console log entries.

If the format has spaces in it, escape the value using "<format>".

CLI: --log-console-format
Env: KC_LOG_CONSOLE_FORMAT

%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n (default)

log-console-output

Set the log output to JSON or default (plain) unstructured logging.

CLI: --log-console-output
Env: KC_LOG_CONSOLE_OUTPUT

default (default), json

log-file

Set the log file path and filename.

CLI: --log-file
Env: KC_LOG_FILE

data/log/keycloak.log (default)

log-file-format

Set a format specific to file log entries.

CLI: --log-file-format
Env: KC_LOG_FILE_FORMAT

%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n (default)

log-file-output

Set the log output to JSON or default (plain) unstructured logging.

CLI: --log-file-output
Env: KC_LOG_FILE_OUTPUT

default (default), json

log-gelf-facility

The facility (name of the process) that sends the message.

CLI: --log-gelf-facility
Env: KC_LOG_GELF_FACILITY

keycloak (default)

log-gelf-host

Hostname of the Logstash or Graylog Host.

By default UDP is used, prefix the host with tcp: to switch to TCP. Example: tcp:localhost

CLI: --log-gelf-host
Env: KC_LOG_GELF_HOST

localhost (default)

log-gelf-include-location

Include source code location.

CLI: --log-gelf-include-location
Env: KC_LOG_GELF_INCLUDE_LOCATION

true (default), false

log-gelf-include-message-parameters

Include message parameters from the log event.

CLI: --log-gelf-include-message-parameters
Env: KC_LOG_GELF_INCLUDE_MESSAGE_PARAMETERS

true (default), false

log-gelf-include-stack-trace

If set to true, occuring stack traces are included in the StackTrace field in the GELF output.

CLI: --log-gelf-include-stack-trace
Env: KC_LOG_GELF_INCLUDE_STACK_TRACE

true (default), false

log-gelf-level

The log level specifying which message levels will be logged by the GELF logger.

Message levels lower than this value will be discarded.

CLI: --log-gelf-level
Env: KC_LOG_GELF_LEVEL

INFO (default)

log-gelf-max-message-size

Maximum message size (in bytes).

If the message size is exceeded, GELF will submit the message in multiple chunks.

CLI: --log-gelf-max-message-size
Env: KC_LOG_GELF_MAX_MESSAGE_SIZE

8192 (default)

log-gelf-port

The port the Logstash or Graylog Host is called on.

CLI: --log-gelf-port
Env: KC_LOG_GELF_PORT

12201 (default)

log-gelf-timestamp-format

Set the format for the GELF timestamp field.

Uses Java SimpleDateFormat pattern.

CLI: --log-gelf-timestamp-format
Env: KC_LOG_GELF_TIMESTAMP_FORMAT

yyyy-MM-dd HH:mm:ss,SSS (default)

log-level

The log level of the root category or a comma-separated list of individual categories and their levels.

For the root category, you don’t need to specify a category.

CLI: --log-level
Env: KC_LOG_LEVEL

info (default)

Security

Value

	Value
`fips-mode` Sets the FIPS mode. If `non-strict` is set, FIPS is enabled but on non-approved mode. For full FIPS compliance, set `strict` to run on approved mode. This option defaults to `disabled` when `fips` feature is disabled, which is by default. This option defaults to `non-strict` when `fips` feature is enabled. CLI: `--fips-mode` Env: `KC_FIPS_MODE`	`non-strict`, `strict`

fips-mode

Sets the FIPS mode.

If non-strict is set, FIPS is enabled but on non-approved mode. For full FIPS compliance, set strict to run on approved mode. This option defaults to disabled when fips feature is disabled, which is by default. This option defaults to non-strict when fips feature is enabled.

CLI: --fips-mode
Env: KC_FIPS_MODE

non-strict, strict

Export

Value

	Value
`dir` Set the path to a directory where files will be created with the exported data. CLI: `--dir` Env: `KC_DIR`
`realm` Set the name of the realm to export. If not set, all realms are going to be exported. CLI: `--realm` Env: `KC_REALM`
`users` Set how users should be exported. CLI: `--users` Env: `KC_USERS`	`skip`, `realm_file`, `same_file`, `different_files` (default)
`users-per-file` Set the number of users per file. It is used only if `users` is set to `different_files`. CLI: `--users-per-file` Env: `KC_USERS_PER_FILE`	`50` (default)

dir

Set the path to a directory where files will be created with the exported data.

CLI: --dir
Env: KC_DIR

realm

Set the name of the realm to export.

If not set, all realms are going to be exported.

CLI: --realm
Env: KC_REALM

users

Set how users should be exported.

CLI: --users
Env: KC_USERS

skip, realm_file, same_file, different_files (default)

users-per-file

Set the number of users per file.

It is used only if users is set to different_files.

CLI: --users-per-file
Env: KC_USERS_PER_FILE

50 (default)

Import

Value

	Value
`file` Set the path to a file that will be read. CLI: `--file` Env: `KC_FILE`
`override` Set if existing data should be overwritten. If set to false, data will be ignored. CLI: `--override` Env: `KC_OVERRIDE`	`true` (default), `false`

file

Set the path to a file that will be read.

CLI: --file
Env: KC_FILE

override

Set if existing data should be overwritten.

If set to false, data will be ignored.

CLI: --override
Env: KC_OVERRIDE

true (default), false

On this page

Edit this guide