| Name | Description | Default value |
| --- | --- | --- |
| HASURA_GRAPHQL_JWT_SECRET* | Key used for generating JWTs. Please refer to the README.md for more details. | |
| HASURA_GRAPHQL_DATABASE_URL* | PostgreSQL connection URI. Required to inject the auth schema into the database. | |
| HASURA_GRAPHQL_GRAPHQL_URL* | Hasura GraphQL endpoint. Required to manipulate account data. For instance: https://graphql-engine:8080/v1/graphql | |
| HASURA_GRAPHQL_ADMIN_SECRET* | Hasura GraphQL Admin Secret. Required to manipulate account data. | |
| AUTH_HOST | Server host. This option is available until Hasura-auth v0.6.0. | 0.0.0.0 |
| AUTH_PORT | Server port. | 4000 |
| AUTH_API_PREFIX | API prefix. | / |
| AUTH_SERVER_URL | Server URL of where Hasura Backend Plus is running. This value is used as a callback in email templates and for the OAuth authentication process. | |
| AUTH_CLIENT_URL | URL of your frontend application. Used to redirect users to the right page once actions based on emails or OAuth succeed. | |
| AUTH_CONCEAL_ERRORS | Conceal sensitive error messages to avoid leaking information about user accounts to attackers. | false |
| AUTH_SMTP_HOST | SMTP server hostname used for sending emails. | |
| AUTH_SMTP_PORT | SMTP port. | 587 |
| AUTH_SMTP_USER | Username to use to authenticate on the SMTP server. | |
| AUTH_SMTP_PASS | Password to use to authenticate on the SMTP server. | |
| AUTH_SMTP_SENDER | Email to use in the From field of the email. | |
| AUTH_SMTP_AUTH_METHOD | SMTP authentication method. | PLAIN |
| AUTH_SMTP_SECURE | Enables SSL. | false |
| AUTH_GRAVATAR_ENABLED | | true |
| AUTH_GRAVATAR_DEFAULT | One of '404', 'mp', 'identicon', 'monsterid', 'wavatar', 'retro', 'robohash', 'blank'. | blank |
| AUTH_GRAVATAR_RATING | One of 'g', 'pg', 'r', 'x'. | g |
| AUTH_ANONYMOUS_USERS_ENABLED | Enables users to register as an anonymous user. | false |
| AUTH_DISABLE_NEW_USERS | If set, new users will be disabled after finishing registration and won't be able to connect. | false |
| AUTH_DISABLE_SIGNUP | If set to true, all signup methods will throw an unauthorized error. | false |
| AUTH_ACCESS_CONTROL_ALLOWED_EMAILS | Comma-separated list of emails that are allowed to register. | |
| AUTH_ACCESS_CONTROL_ALLOWED_EMAIL_DOMAINS | Comma-separated list of email domains that are allowed to register. If ALLOWED_EMAIL_DOMAINS is `tesla.com,ikea.se`, only emails from tesla.com and ikea.se would be allowed to register an account. | empty (allow all email domains) |
| AUTH_ACCESS_CONTROL_BLOCKED_EMAILS | Comma-separated list of emails that cannot register. | |
| AUTH_ACCESS_CONTROL_BLOCKED_EMAIL_DOMAINS | Comma-separated list of email domains that cannot register. | |
| AUTH_PASSWORD_MIN_LENGTH | Minimum password length. | 3 |
| AUTH_PASSWORD_HIBP_ENABLED | User's password is checked against Pwned Passwords. | false |
| AUTH_USER_DEFAULT_ROLE | Default user role for registered users. | user |
| AUTH_USER_DEFAULT_ALLOWED_ROLES | Comma-separated list of default allowed user roles. | me,$AUTH_USER_DEFAULT_ROLE |
| AUTH_LOCALE_DEFAULT | | en |
| AUTH_LOCALE_ALLOWED_LOCALES | | en |
| AUTH_LOG_LEVEL | Defines the log level of the application. Accepted values: debug, info, warn, error, silent. | info |
| AUTH_EMAIL_PASSWORDLESS_ENABLED | Enables passwordless authentication by email using magic links. The SMTP server must then be configured. | false |
| AUTH_OTP_EMAIL_ENABLED | Enables passwordless authentication by email using OTP. The SMTP server must then be configured. | false |
| AUTH_SMS_PASSWORDLESS_ENABLED | Enables passwordless authentication by SMS. An SMS provider must then be configured. | false |
| AUTH_SHOW_LOG_QUERY_PARAMS | Shows all query parameters in the logs. Make sure you know what you are doing, because this setting can potentially reveal sensitive information. | false |
| AUTH_SMS_PROVIDER | SMS provider name. Only twilio is available as an option for now. | |
| AUTH_SMS_TEST_PHONE_NUMBERS | Comma-separated list of test phone numbers which can be used without any provider set. The verification code can be found in the logs upon sign in. | |
| AUTH_SMS_TWILIO_ACCOUNT_SID | | |
| AUTH_SMS_TWILIO_AUTH_TOKEN | | |
| AUTH_SMS_TWILIO_MESSAGING_SERVICE_ID | | |
| AUTH_EMAIL_SIGNIN_EMAIL_VERIFIED_REQUIRED | When enabled, any email-based authentication requires emails to be verified by a link sent to this email. | true |
| AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS | Comma-separated list of allowed redirect URLs that can be passed on as an option. Any sub-path will be considered valid. Supports wildcards and other micromatch patterns. | |
| AUTH_MFA_ENABLED | Enables users to use Multi Factor Authentication. | false |
| AUTH_MFA_TOTP_ISSUER | The name of the One Time Password (OTP) issuer. Probably your app's name. | hasura-auth |
| AUTH_ACCESS_TOKEN_EXPIRES_IN | Number of seconds before the access token (JWT) expires. | 900 (15 minutes) |
| AUTH_REFRESH_TOKEN_EXPIRES_IN | Number of seconds before the refresh token expires. | 2592000 (30 days) |
| AUTH_JWT_CUSTOM_CLAIMS | | |
| AUTH_WEBAUTHN_ENABLED | When enabled, passwordless WebAuthn authentication can be done via device-supported strong authenticators like fingerprint, Face ID, etc. | false |
| AUTH_WEBAUTHN_RP_NAME | Relying party name. Friendly name visible to the user, informing them who requires the authentication. Probably your app's name. | |
| AUTH_WEBAUTHN_RP_ID | Relying party id. If not set, AUTH_CLIENT_URL will be used as a default. | |
| AUTH_WEBAUTHN_RP_ORIGINS | Array of URLs where the registration is permitted and should have occurred on. AUTH_CLIENT_URL will be automatically added to the list of origins if it is set. | |
| AUTH_WEBAUTHN_ATTESTATION_TIMEOUT | How long (in ms) the user can take to complete authentication. | 60000 (1 minute) |
| AUTH_REQUIRE_ELEVATED_CLAIM | Require the x-hasura-auth-elevated claim to perform certain actions: create PATs, change email and/or password, enable/disable MFA and add security keys. If set to `recommended`, the claim check is only performed if the user has a security key attached. If set to `required`, the only action that won't require the claim is setting a security key for the first time. | disabled |
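
A small audit of the security-relevant settings in the table, as an added example (not part of hasura-auth or its documentation): it applies the documented defaults to unset variables and lists the settings worth reviewing before deployment. The 12-character threshold, the rule that flags a wildcard in a redirect URL's host, and the sample values are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Defaults copied from the table above; unset variables take these values.
DEFAULTS = {
    "AUTH_CONCEAL_ERRORS": "false",
    "AUTH_PASSWORD_MIN_LENGTH": "3",
    "AUTH_PASSWORD_HIBP_ENABLED": "false",
    "AUTH_SHOW_LOG_QUERY_PARAMS": "false",
    "AUTH_REQUIRE_ELEVATED_CLAIM": "disabled",
    "AUTH_SMS_TEST_PHONE_NUMBERS": "",
    "AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS": "",
}
MIN_PASSWORD_LENGTH = 12  # assumption: local policy, not a value from the page

def parse_env(text):
    """Parse dotenv-style KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env

def wildcard_host(urls):
    """True if any comma-separated redirect pattern has '*' in its host part."""
    return any("*" in (urlsplit(u.strip()).netloc or u) for u in urls.split(","))

def audit(env):
    """Return the sorted names of settings whose effective value needs review."""
    eff = {**DEFAULTS, **env}  # explicit settings override documented defaults
    on = lambda name: eff[name].lower() == "true"
    checks = {
        "AUTH_CONCEAL_ERRORS": not on("AUTH_CONCEAL_ERRORS"),
        "AUTH_PASSWORD_MIN_LENGTH": int(eff["AUTH_PASSWORD_MIN_LENGTH"]) < MIN_PASSWORD_LENGTH,
        "AUTH_PASSWORD_HIBP_ENABLED": not on("AUTH_PASSWORD_HIBP_ENABLED"),
        "AUTH_SHOW_LOG_QUERY_PARAMS": on("AUTH_SHOW_LOG_QUERY_PARAMS"),
        "AUTH_REQUIRE_ELEVATED_CLAIM": eff["AUTH_REQUIRE_ELEVATED_CLAIM"] == "disabled",
        "AUTH_SMS_TEST_PHONE_NUMBERS": eff["AUTH_SMS_TEST_PHONE_NUMBERS"] != "",
        "AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS": wildcard_host(eff["AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS"]),
    }
    return sorted(name for name, bad in checks.items() if bad)

SAMPLE_ENV = """\
# constructed sample, not taken from a real deployment
AUTH_CONCEAL_ERRORS=true
AUTH_PASSWORD_MIN_LENGTH=14
AUTH_SHOW_LOG_QUERY_PARAMS=true
AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS=https://app.example.com,https://*.example.com
"""
```

Calling `audit(parse_env(SAMPLE_ENV))` returns the variable names to review; `audit({})` shows what an installation running purely on the documented defaults would be flagged for.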