| HASURA_GRAPHQL_JWT_SECRET* |
Key used for generating JWTs. Must be HMAC-SHA-based and the same as configured in Hasura. More info |
|
| HASURA_GRAPHQL_DATABASE_URL* |
PostgreSQL connection URI. Required to inject the auth schema into the database. |
|
| HASURA_GRAPHQL_GRAPHQL_URL* |
Hasura GraphQL endpoint. Required to manipulate account data. For instance: https://graphql-engine:8080/v1/graphql |
|
| HASURA_GRAPHQL_ADMIN_SECRET* |
Hasura GraphQL Admin Secret. Required to manipulate account data. |
|
| AUTH_HOST |
Server host. This option is available until Hasura-auth v0.6.0. Docs |
0.0.0.0 |
| AUTH_PORT |
Server port. Docs |
4000 |
| AUTH_API_PREFIX |
API prefix |
/ |
| AUTH_SERVER_URL |
Server URL of where Hasura Backend Plus is running. This value is to used as a callback in email templates and for the OAuth authentication process. |
|
| AUTH_CLIENT_URL |
URL of your frontend application. Used to redirect users to the right page once actions based on emails or OAuth succeed. |
|
| AUTH_CONCEAL_ERRORS |
Conceal sensitive error messages to avoid leaking information about user accounts to attackers |
false |
| AUTH_SMTP_HOST |
SMTP server hostname used for sending emails |
|
| AUTH_SMTP_PORT |
SMTP port |
587 |
| AUTH_SMTP_USER |
Username to use to authenticate on the SMTP server |
|
| AUTH_SMTP_PASS |
Password to use to authenticate on the SMTP server |
|
| AUTH_SMTP_SENDER |
Email to use in the From field of the email |
|
| AUTH_SMTP_AUTH_METHOD |
SMTP authentication method |
PLAIN |
| AUTH_SMTP_SECURE |
Enables SSL. More info. |
false |
| AUTH_GRAVATAR_ENABLED |
|
true |
| AUTH_GRAVATAR_DEFAULT |
One of '404', 'mp', 'identicon', 'monsterid', 'wavatar', 'retro', 'robohash', 'blank'. |
blank |
| AUTH_GRAVATAR_RATING |
One of 'g', 'pg', 'r', 'x'. |
g |
| AUTH_ANONYMOUS_USERS_ENABLED |
Enables users to register as an anonymous user. |
false |
| AUTH_DISABLE_NEW_USERS |
If set, new users will be disabled after finishing registration and won't be able to connect. |
false |
| AUTH_DISABLE_SIGNUP |
If set to true, all signup methods will throw an unauthorized error. |
false |
| AUTH_ACCESS_CONTROL_ALLOWED_EMAILS |
Comma-separated list of emails that are allowed to register. |
|
| AUTH_ACCESS_CONTROL_ALLOWED_EMAIL_DOMAINS |
Comma-separated list of email domains that are allowed to register. If ALLOWED_EMAIL_DOMAINS is tesla.com,ikea.se, only emails from tesla.com and ikea.se would be allowed to register an account. |
`` (allow all email domains) |
| AUTH_ACCESS_CONTROL_BLOCKED_EMAILS |
Comma-separated list of emails that cannot register. |
|
| AUTH_ACCESS_CONTROL_BLOCKED_EMAIL_DOMAINS |
Comma-separated list of email domains that cannot register. |
|
| AUTH_PASSWORD_MIN_LENGTH |
Minimum password length. |
3 |
| AUTH_PASSWORD_HIBP_ENABLED |
User's password is checked against Pwned Passwords. |
false |
| AUTH_USER_DEFAULT_ROLE |
Default user role for registered users. |
user |
| AUTH_USER_DEFAULT_ALLOWED_ROLES |
Comma-separated list of default allowed user roles. |
me,$AUTH_USER_DEFAULT_ROLE |
| AUTH_LOCALE_DEFAULT |
|
en |
| AUTH_LOCALE_ALLOWED_LOCALES |
|
en |
| AUTH_LOG_LEVEL |
Define the log level of the application:. Accepted values: debug, info, warn, error, silent. |
info |
| AUTH_EMAIL_PASSWORDLESS_ENABLED |
Enables passwordless authentication by email. The SMTP server must then be configured. |
false |
| AUTH_SMS_PASSWORDLESS_ENABLED |
Enables passwordless authentication by SMS. An SMS provider must then be configured. |
false |
| AUTH_SHOW_LOG_QUERY_PARAMS |
Shows all query parameters in the logs. Make sure you know what you do because this setting can potentially reveal secure information. |
false |
| AUTH_SMS_PROVIDER |
SMS provider name. Only twilio is possible as an option for now. |
|
| AUTH_SMS_TEST_PHONE_NUMBERS |
Comma separated list of test phone numbers which can be used without any provider set. The verification code can be found in the logs upon sign in. |
|
| AUTH_SMS_TWILIO_ACCOUNT_SID |
|
|
| AUTH_SMS_TWILIO_AUTH_TOKEN |
|
|
| AUTH_SMS_TWILIO_MESSAGING_SERVICE_ID |
|
|
| AUTH_EMAIL_SIGNIN_EMAIL_VERIFIED_REQUIRED |
When enabled, any email-based authentication requires emails to be verified by a link sent to this email. |
true |
| AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS |
Comma-separated list of allowed redirect URLs that can be passed on as an option. Any sub-path will be considered valid. Supports wildcards and other micromatch patterns |
|
| AUTH_MFA_ENABLED |
Enables users to use Multi Factor Authentication. |
false |
| AUTH_MFA_TOTP_ISSUER |
The name of the One Time Password (OTP) issuer. Probably your app's name. |
hasura-auth |
| AUTH_ACCESS_TOKEN_EXPIRES_IN |
Number of seconds before the access token (JWT) expires. |
900(15 minutes) |
| AUTH_REFRESH_TOKEN_EXPIRES_IN |
Number of seconds before the refresh token expires. |
2592000 (30 days) |
| AUTH_JWT_CUSTOM_CLAIMS |
|
|
| AUTH_WEBAUTHN_ENABLED |
When enabled, passwordless Webauthn authentication can be done via device supported strong authenticators like fingerprint, Face ID, etc. |
false |
| AUTH_WEBAUTHN_RP_NAME |
Relying party name. Friendly name visual to the user informing who requires the authentication. Probably your app's name. |
|
| AUTH_WEBAUTHN_RP_ID |
Relying party id. If not set AUTH_CLIENT_URL will be used as a default. |
|
| AUTH_WEBAUTHN_RP_ORIGINS |
Array of URLs where the registration is permitted and should have occurred on. AUTH_CLIENT_URL will be automatically added to the list of origins if is set. |
|
| AUTH_WEBAUTHN_ATTESTATION_TIMEOUT |
How long (in ms) the user can take to complete authentication. |
60000 (1 minute) |
| AUTH_REQUIRE_ELEVATED_CLAIM |
Require x-hasura-auth-elevated claim to perform certain actions: create PATs, change email and/or password, enable/disable MFA and add security keys. If set to recommended the claim check is only performed if the user has a security key attached. If set to required the only action that won't require the claim is setting a security key for the first time. |
disabled |