zitadel/cmd/defaults.yaml

Log:
  Level: info
  Formatter:
    Format: text

# Exposes metrics on /debug/metrics
Metrics:
  # Select type otel (OpenTelemetry) or none (disables collection and endpoint)
  Type: otel

Tracing:
  # Choose one in "otel", "google", "log" and "none"
  Type: none
  Fraction: 1.0
  MetricPrefix: zitadel

# Port ZITADEL will listen on
Port: 8080
# Port ZITADEL is exposed on, it can differ from port e.g. if you proxy the traffic
# !!! Changing this after initial setup breaks your system !!!
ExternalPort: 8080
# Domain / hostname ZITADEL is exposed externally
# !!! Changing this after initial setup breaks your system !!!
ExternalDomain: localhost
# specifies if ZITADEL is exposed externally through TLS
# this must be set to true even if TLS is not enabled on ZITADEL itself
# but TLS traffic is terminated on a reverse proxy
# !!! Changing this after initial setup breaks your system !!!
ExternalSecure: true
TLS:
  # if enabled, ZITADEL will serve all traffic over TLS (HTTPS and gRPC)
  # you must then also provide a private key and certificate to be used for the connection
  # either directly or by a path to the corresponding file
  Enabled: true
  # Path to the private key of the TLS certificate, it will be loaded into the Key
  # and overwrite any exising value
  KeyPath: #/path/to/key/file.pem
  # Private key of the TLS certificate (KeyPath will this overwrite, if specified)
  Key: #<bas64 encoded content of a pem file>
  # Path to the certificate for the TLS connection, it will be loaded into the Cert
  # and overwrite any exising value
  CertPath: #/path/to/cert/file.pem
  # Certificate for the TLS connection (CertPath will this overwrite, if specified)
  Cert: #<bas64 encoded content of a pem file>

# Header name of HTTP2 (incl. gRPC) calls from which the instance will be matched
HTTP2HostHeader: ":authority"
# Header name of HTTP1 calls from which the instance will be matched
HTTP1HostHeader: "host"

WebAuthNName: ZITADEL

Database:
  # CockroachDB is the default datbase of ZITADEL
  cockroach:
    Host: localhost
    Port: 26257
    Database: zitadel
    MaxOpenConns: 20
    MaxIdleConns: 10
    MaxConnLifetime: 30m
    MaxConnIdleTime: 5m
    Options: ""
    User:
      Username: zitadel
      Password: ""
      SSL:
        Mode: disable
        RootCert: ""
        Cert: ""
        Key: ""
    Admin:
      Username: root
      Password: ""
      SSL:
        Mode: disable
        RootCert: ""
        Cert: ""
        Key: ""
  # Postgres is used as soon as a value is set
  # The values describe the possible fields to set values
  postgres:
    Host:
    Port:
    Database:
    MaxOpenConns:
    MaxIdleConns:
    MaxConnLifetime:
    MaxConnIdleTime:
    Options:
    User:
      Username:
      Password:
      SSL:
        Mode:
        RootCert:
        Cert:
        Key:
    Admin:
      Username:
      Password:
      SSL:
        Mode:
        RootCert:
        Cert:
        Key:

Machine:
  # Cloud hosted VMs need to specify their metadata endpoint so that the machine can be uniquely identified.
  Identification:
    # Use private IP to identify machines uniquely
    PrivateIp:
      Enabled: true
    # Use hostname to identify machines uniquely
    # You want the process to be identified uniquely, so this works well in k8s where each pod gets its own
    # unique host name, but not as well in some other hosting environments.
    Hostname:
      Enabled: false
    # Use a webhook response to identify machines uniquely
    # Google Cloud Configuration
    Webhook:
      Enabled: true
      Url: "http://metadata.google.internal/computeMetadata/v1/instance/id"
      Headers:
        "Metadata-Flavor": "Google"
    #
    # AWS EC2 IMDSv1 Configuration: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
    # Webhook:
    #   Url: "http://169.254.169.254/latest/meta-data/ami-id"
    #
    # AWS ECS v4 Configuration: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v4.html
    # Webhook:
    #   Url: "${ECS_CONTAINER_METADATA_URI_V4}"
    #   JPath: "$.DockerId"
    #
    # Azure Configuration: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux
    # Webhook:
    #   Url: "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
    #   JPath: "$.compute.vmId"

# Storage for assets like user avatar, organization logo, icon, font, ...
AssetStorage:
  Type: db
  # HTTP cache control settings for serving assets in the assets API and login UI
  # the assets will also be served with an etag and last-modified header
  Cache:
    MaxAge: 5s
    SharedMaxAge: 168h #7d

# The Projections section defines the behaviour for the scheduled and synchronous events projections.
Projections:
  # Time interval between scheduled projections
  RequeueEvery: 60s
  # Time between retried database statements resulting from projected events
  RetryFailedAfter: 1s
  # Retried execution number of database statements resulting from projected events
  MaxFailureCount: 5
  # Number of concurrent projection routines. Values of 0 and below are overwritten to 1
  ConcurrentInstances: 1
  # Limit of returned events per query
  BulkLimit: 200
  # Only instance are projected, for which at least a projection relevant event exists withing the timeframe
  # from HandleActiveInstances duration in the past until the projections current time
  # Defaults to twice the RequeueEvery duration
  HandleActiveInstances: 120s
  # In the Customizations section, all settings from above can be overwritten for each specific projection
  Customizations:
    Projects:
      BulkLimit: 2000
    # The Notifications projection is used for sending emails and SMS to users
    Notifications:
      # As notification projections don't result in database statements, retries don't have an effect
      MaxFailureCount: 0
    # The NotificationsQuotas projection is used for calling quota webhooks
    NotificationsQuotas:
      # Delivery guarantee requirements are probably higher for quota webhooks
      # Defaults to 45 days
      HandleActiveInstances: 1080h
      # As quota notification projections don't result in database statements, retries don't have an effect
      MaxFailureCount: 0
      # Quota notifications are not so time critical. Setting RequeueEvery every five minutes doesn't annoy the db too much.
      RequeueEvery: 300s

Auth:
  SearchLimit: 1000
  Spooler:
    ConcurrentWorkers: 1
    ConcurrentInstances: 1
    BulkLimit: 10000
    FailureCountUntilSkip: 5

Admin:
  SearchLimit: 1000
  Spooler:
    ConcurrentWorkers: 1
    ConcurrentInstances: 1
    BulkLimit: 10000
    FailureCountUntilSkip: 5

UserAgentCookie:
  Name: zitadel.useragent
  MaxAge: 8760h #365*24h (1 year)

OIDC:
  CodeMethodS256: true
  AuthMethodPost: true
  AuthMethodPrivateKeyJWT: true
  GrantTypeRefreshToken: true
  RequestObjectSupported: true
  SigningKeyAlgorithm: RS256
  # Sets the default values for lifetime and expiration for OIDC
  # This default can be overwritten in the default instance configuration and for each instance during runtime
  # !!! Changing this after initial setup will have no impact without a restart !!!
  DefaultAccessTokenLifetime: 12h
  DefaultIdTokenLifetime: 12h
  DefaultRefreshTokenIdleExpiration: 720h #30d
  DefaultRefreshTokenExpiration: 2160h #90d
  Cache:
    MaxAge: 12h
    SharedMaxAge: 168h #7d
  CustomEndpoints:
    Auth:
      Path: /oauth/v2/authorize
    Token:
      Path: /oauth/v2/token
    Introspection:
      Path: /oauth/v2/introspect
    Userinfo:
      Path: /oidc/v1/userinfo
    Revocation:
      Path: /oauth/v2/revoke
    EndSession:
      Path: /oidc/v1/end_session
    Keys:
      Path: /oauth/v2/keys
    DeviceAuth:
      Path: /oauth/v2/device_authorization

SAML:
  ProviderConfig:
    MetadataConfig:
      Path: "/metadata"
      SignatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    IDPConfig:
      SignatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
      WantAuthRequestsSigned: true
      Endpoints:
    #Organisation:
    #  Name: ZITADEL
    #  URL: https://zitadel.com
    #ContactPerson:
    #  ContactType: "technical"
    #  Company: ZITADEL
    #  EmailAddress: hi@zitadel.com

Login:
  LanguageCookieName: zitadel.login.lang
  CSRFCookieName: zitadel.login.csrf
  Cache:
    MaxAge: 12h
    SharedMaxAge: 168h #7d

Console:
  ShortCache:
    MaxAge: 0m
    SharedMaxAge: 5m
  LongCache:
    MaxAge: 12h
    SharedMaxAge: 168h #7d
  InstanceManagementURL: ""

Notification:
  Repository:
    Spooler:
      ConcurrentWorkers: 1
      ConcurrentInstances: 10
      BulkLimit: 10000
      FailureCountUntilSkip: 5
      Handlers:

EncryptionKeys:
  DomainVerification:
    EncryptionKeyID: "domainVerificationKey"
    DecryptionKeyIDs:
  IDPConfig:
    EncryptionKeyID: "idpConfigKey"
    DecryptionKeyIDs:
  OIDC:
    EncryptionKeyID: "oidcKey"
    DecryptionKeyIDs:
  SAML:
    EncryptionKeyID: "samlKey"
    DecryptionKeyIDs:
  OTP:
    EncryptionKeyID: "otpKey"
    DecryptionKeyIDs:
  SMS:
    EncryptionKeyID: "smsKey"
    DecryptionKeyIDs:
  SMTP:
    EncryptionKeyID: "smtpKey"
    DecryptionKeyIDs:
  User:
    EncryptionKeyID: "userKey"
    DecryptionKeyIDs:
  CSRFCookieKeyID: "csrfCookieKey"
  UserAgentCookieKeyID: "userAgentCookieKey"

SystemAPIUsers:
# add keys for authentication of the systemAPI here:
# you can specify any name for the user, but they will have to match the `issuer` and `sub` claim in the JWT:
# - superuser:
#     Path: /path/to/superuser/key.pem  # you can provide the key either by reference with the path
# - superuser2:
#     KeyData: <base64 encoded key>     # or you can directly embed it as base64 encoded value

#TODO: remove as soon as possible
SystemDefaults:
  SecretGenerators:
    PasswordSaltCost: 14
    MachineKeySize: 2048
    ApplicationKeySize: 2048
  Multifactors:
    OTP:
      # If this is empty, the issuer is the requested domain
      # This is helpful in scenarios with multiple ZITADEL environments or virtual instances
      Issuer: "ZITADEL"
  DomainVerification:
    VerificationGenerator:
      Length: 32
      IncludeLowerLetters: true
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
  Notifications:
    FileSystemPath: ".notifications/"
  KeyConfig:
    Size: 2048
    CertificateSize: 4096
    PrivateKeyLifetime: 6h
    PublicKeyLifetime: 30h
    CertificateLifetime: 8766h

Actions:
  HTTP:
    # wildcard sub domains are currently unsupported
    DenyList:
      - localhost
      - "127.0.0.1"

LogStore:
  Access:
    Database:
      # If enabled, all access logs are stored in the database table logstore.access
      Enabled: false
      # Logs that are older than the keep duration are cleaned up continuously
      Keep: 2160h # 90 days
      # CleanupInterval defines the time between cleanup iterations
      CleanupInterval: 4h
      # Debouncing enables to asynchronously emit log entries, so the normal execution performance is not impaired
      # Log entries are held in-memory until one of the conditions MinFrequency or MaxBulkSize meets.
      Debounce:
        MinFrequency: 2m
        MaxBulkSize: 100
    Stdout:
      # If enabled, all access logs are printed to the binaries standard output
      Enabled: false
      # Debouncing enables to asynchronously emit log entries, so the normal execution performance is not impaired
      # Log entries are held in-memory until one of the conditions MinFrequency or MaxBulkSize meets.
      Debounce:
        MinFrequency: 0s
        MaxBulkSize: 0
  Execution:
    Database:
      # If enabled, all action execution logs are stored in the database table logstore.execution
      Enabled: false
      # Logs that are older than the keep duration are cleaned up continuously
      Keep: 2160h # 90 days
      # CleanupInterval defines the time between cleanup iterations
      CleanupInterval: 4h
      # Debouncing enables to asynchronously emit log entries, so the normal execution performance is not impaired
      # Log entries are held in-memory until one of the conditions MinFrequency or MaxBulkSize meets.
      Debounce:
        MinFrequency: 0s
        MaxBulkSize: 0
    Stdout:
      # If enabled, all execution logs are printed to the binaries standard output
      Enabled: true
      # Debouncing enables to asynchronously emit log entries, so the normal execution performance is not impaired
      # Log entries are held in-memory until one of the conditions MinFrequency or MaxBulkSize meets.
      Debounce:
        MinFrequency: 0s
        MaxBulkSize: 0

Quotas:
  Access:
    ExhaustedCookieKey: "zitadel.quota.exhausted"
    ExhaustedCookieMaxAge: "300s"

Eventstore:
  PushTimeout: 15s
  AllowOrderByCreationDate: false

DefaultInstance:
  InstanceName:
  DefaultLanguage: en
  Org:
    Name:
    Human:
      # in case that UserLoginMustBeDomain is false (default) and if you don't overwrite the username with an email,
      # it will be suffixed by the org domain (org-name + domain from config).
      # for example: zitadel-admin in org `My Org` on domain.tld -> zitadel-admin@my-org.domain.tld
      UserName: zitadel-admin
      FirstName: ZITADEL
      LastName: Admin
      NickName:
      DisplayName:
      Email:
        Address:
        Verified: false
      PreferredLanguage: en
      Gender:
      Phone:
        Number:
        Verified:
      Password:
    Machine:
      Machine:
        Username:
        Name:
      MachineKey:
        ExpirationDate:
        Type:
      Pat:
        ExpirationDate:
  SecretGenerators:
    PasswordSaltCost: 14
    ClientSecret:
      Length: 64
      IncludeLowerLetters: true
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
    InitializeUserCode:
      Length: 6
      Expiry: "72h"
      IncludeLowerLetters: false
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
    EmailVerificationCode:
      Length: 6
      Expiry: "1h"
      IncludeLowerLetters: false
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
    PhoneVerificationCode:
      Length: 6
      Expiry: "1h"
      IncludeLowerLetters: false
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
    PasswordVerificationCode:
      Length: 6
      Expiry: "1h"
      IncludeLowerLetters: false
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
    PasswordlessInitCode:
      Length: 12
      Expiry: "1h"
      IncludeLowerLetters: true
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
    DomainVerification:
      Length: 32
      IncludeLowerLetters: true
      IncludeUpperLetters: true
      IncludeDigits: true
      IncludeSymbols: false
  PasswordComplexityPolicy:
    MinLength: 8
    HasLowercase: true
    HasUppercase: true
    HasNumber: true
    HasSymbol: true
  PasswordAgePolicy:
    ExpireWarnDays: 0
    MaxAgeDays: 0
  DomainPolicy:
    UserLoginMustBeDomain: false
    ValidateOrgDomains: true
    SMTPSenderAddressMatchesInstanceDomain: false
  LoginPolicy:
    AllowUsernamePassword: true
    AllowRegister: true
    AllowExternalIDP: true
    ForceMFA: false
    HidePasswordReset: false
    IgnoreUnknownUsernames: false
    AllowDomainDiscovery: false
    PasswordlessType: 1 #1: allowed 0: not allowed
    DefaultRedirectURI: #empty because we use the Console UI
    PasswordCheckLifetime: 240h #10d
    ExternalLoginCheckLifetime: 240h #10d
    MfaInitSkipLifetime: 720h #30d
    SecondFactorCheckLifetime: 18h
    MultiFactorCheckLifetime: 12h
  PrivacyPolicy:
    TOSLink: https://zitadel.com/docs/legal/terms-of-service
    PrivacyLink: https://zitadel.com/docs/legal/privacy-policy
    HelpLink: ""
    SupportEmail: ""
  NotificationPolicy:
    PasswordChange: true
  LabelPolicy:
    PrimaryColor: "#5469d4"
    BackgroundColor: "#fafafa"
    WarnColor: "#cd3d56"
    FontColor: "#000000"
    PrimaryColorDark: "#2073c4"
    BackgroundColorDark: "#111827"
    WarnColorDark: "#ff3b5b"
    FontColorDark: "#ffffff"
    HideLoginNameSuffix: false
    ErrorMsgPopup: false
    DisableWatermark: false
  LockoutPolicy:
    MaxAttempts: 0
    ShouldShowLockoutFailure: true
  EmailTemplate: CjwhZG9jdHlwZSBodG1sPgo8aHRtbCB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCIgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSI+CjxoZWFkPgogIDx0aXRsZT4KCiAgPC90aXRsZT4KICA8IS0tW2lmICFtc29dPjwhLS0+CiAgPG1ldGEgaHR0cC1lcXVpdj0iWC1VQS1Db21wYXRpYmxlIiBjb250ZW50PSJJRT1lZGdlIj4KICA8IS0tPCFbZW5kaWZdLS0+CiAgPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9VVRGLTgiPgogIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsIGluaXRpYWwtc2NhbGU9MSI+CiAgPHN0eWxlIHR5cGU9InRleHQvY3NzIj4KICAgICNvdXRsb29rIGEgeyBwYWRkaW5nOjA7IH0KICAgIGJvZHkgeyBtYXJnaW46MDtwYWRkaW5nOjA7LXdlYmtpdC10ZXh0LXNpemUtYWRqdXN0OjEwMCU7LW1zLXRleHQtc2l6ZS1hZGp1c3Q6MTAwJTsgfQogICAgdGFibGUsIHRkIHsgYm9yZGVyLWNvbGxhcHNlOmNvbGxhcHNlO21zby10YWJsZS1sc3BhY2U6MHB0O21zby10YWJsZS1yc3BhY2U6MHB0OyB9CiAgICBpbWcgeyBib3JkZXI6MDtoZWlnaHQ6YXV0bztsaW5lLWhlaWdodDoxMDAlOyBvdXRsaW5lOm5vbmU7dGV4dC1kZWNvcmF0aW9uOm5vbmU7LW1zLWludGVycG9sYXRpb24tbW9kZTpiaWN1YmljOyB9CiAgICBwIHsgZGlzcGxheTpibG9jazttYXJnaW46MTNweCAwOyB9CiAgPC9zdHlsZT4KICA8IS0tW2lmIG1zb10+CiAgPHhtbD4KICAgIDxvOk9mZmljZURvY3VtZW50U2V0dGluZ3M+CiAgICAgIDxvOkFsbG93UE5HLz4KICAgICAgPG86UGl4ZWxzUGVySW5jaD45NjwvbzpQaXhlbHNQZXJJbmNoPgogICAgPC9vOk9mZmljZURvY3VtZW50U2V0dGluZ3M+CiAgPC94bWw+CiAgPCFbZW5kaWZdLS0+CiAgPCEtLVtpZiBsdGUgbXNvIDExXT4KICA8c3R5bGUgdHlwZT0idGV4dC9jc3MiPgogICAgLm1qLW91dGxvb2stZ3JvdXAtZml4IHsgd2lkdGg6MTAwJSAhaW1wb3J0YW50OyB9CiAgPC9zdHlsZT4KICA8IVtlbmRpZl0tLT4KCgogIDxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyI+CiAgICBAbWVkaWEgb25seSBzY3JlZW4gYW5kIChtaW4td2lkdGg6NDgwcHgpIHsKICAgICAgLm1qLWNvbHVtbi1wZXItMTAwIHsgd2lkdGg6MTAwJSAhaW1wb3J0YW50OyBtYXgtd2lkdGg6IDEwMCU7IH0KICAgICAgLm1qLWNvbHVtbi1wZXItNjAgeyB3aWR0aDo2MCUgIWltcG9ydGFudDsgbWF4LXdpZHRoOiA2MCU7IH0KICAgIH0KICA8L3N0eWxlPgoKCiAgPHN0eWxlIHR5cGU9InRleHQvY3NzIj4KCgoKICAgIEBtZWRpYSBvbmx5IHNjcmVlbiBhbmQgKG1heC13aWR0aDo0ODBweCkgewogICAgICB0YWJsZS5tai1mdWxsLXdpZHRoLW1vYmlsZSB7IHdpZHRoOiAxMDAlICFpbXBvcnRhbnQ7IH0KICAgICAgdGQubWotZnVsbC13aWR0aC1tb2JpbGUgeyB3aWR0aDogYXV0byAhaW1wb3J0YW50OyB9CiAgICB9CgogIDwvc3R5bGU+CiAgPHN0eWxlIHR5cGU9InRleHQvY3NzIj4uc2hhZG93IGEgewogICAgYm94LXNoYWRvdzogMHB4IDNweCAxcHggLTJweCByZ2JhKDAsIDAsIDAsIDAuMiksIDBweCAycHggMnB4IDBweCByZ2JhKDAsIDAsIDAsIDAuMTQpLCAwcHggMXB4IDVweCAwcHggcmdiYSgwLCAwLCAwLCAwLjEyKTsKICB9PC9zdHlsZT4KCiAge3tpZiAuRm9udFVSTH19CiAgPHN0eWxlPgogICAgQGZvbnQtZmFjZSB7CiAgICAgIGZvbnQtZmFtaWx5OiAne3suRm9udEZhY2VGYW1pbHl9fSc7CiAgICAgIGZvbnQtc3R5bGU6IG5vcm1hbDsKICAgICAgZm9udC1kaXNwbGF5OiBzd2FwOwogICAgICBzcmM6IHVybCh7ey5Gb250VVJMfX0pOwogICAgfQogIDwvc3R5bGU+CiAge3tlbmR9fQoKPC9oZWFkPgo8Ym9keSBzdHlsZT0id29yZC1zcGFjaW5nOm5vcm1hbDsiPgoKCjxkaXYKICAgICAgICBzdHlsZT0iIgo+CgogIDx0YWJsZQogICAgICAgICAgYWxpZ249ImNlbnRlciIgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjAiIHJvbGU9InByZXNlbnRhdGlvbiIgc3R5bGU9ImJhY2tncm91bmQ6e3suQmFja2dyb3VuZENvbG9yfX07YmFja2dyb3VuZC1jb2xvcjp7ey5CYWNrZ3JvdW5kQ29sb3J9fTt3aWR0aDoxMDAlO2JvcmRlci1yYWRpdXM6MTZweDsiCiAgPgogICAgPHRib2R5PgogICAgPHRyPgogICAgICA8dGQ+CgoKICAgICAgICA8IS0tW2lmIG1zbyB8IElFXT48dGFibGUgYWxpZ249ImNlbnRlciIgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjAiIGNsYXNzPSIiIHN0eWxlPSJ3aWR0aDo4MDBweDsiIHdpZHRoPSI4MDAiID48dHI+PHRkIHN0eWxlPSJsaW5lLWhlaWdodDowcHg7Zm9udC1zaXplOjBweDttc28tbGluZS1oZWlnaHQtcnVsZTpleGFjdGx5OyI+PCFbZW5kaWZdLS0+CgoKICAgICAgICA8ZGl2ICBzdHlsZT0ibWFyZ2luOjBweCBhdXRvO2JvcmRlci1yYWRpdXM6MTZweDttYXgtd2lkdGg6ODAwcHg7Ij4KCiAgICAgICAgICA8dGFibGUKICAgICAgICAgICAgICAgICAgYWxpZ249ImNlbnRlciIgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjAiIHJvbGU9InByZXNlbnRhdGlvbiIgc3R5bGU9IndpZHRoOjEwMCU7Ym9yZGVyLXJhZGl1czoxNnB4OyIKICAgICAgICAgID4KICAgICAgICAgICAgPHRib2R5PgogICAgICAgICAgICA8dHI+CiAgICAgICAgICAgICAgPHRkCiAgICAgICAgICAgICAgICAgICAgICBzdHlsZT0iZGlyZWN0aW9uOmx0cjtmb250LXNpemU6MHB4O3BhZGRpbmc6MjBweCAwO3BhZGRpbmctbGVmdDowO3RleHQtYWxpZ246Y2VudGVyOyIKICAgICAgICAgICAgICA+CiAgICAgICAgICAgICAgICA8IS0tW2lmIG1zbyB8IElFXT48dGFibGUgcm9sZT0icHJlc2VudGF0aW9uIiBib3JkZXI9IjAiIGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMCI+PHRyPjx0ZCBjbGFzcz0iIiB3aWR0aD0iODAwcHgiID48IVtlbmRpZl0tLT4KCiAgICAgICAgICAgICAgIC
  # Sets the default values for lifetime and expiration for OIDC in each newly created instance
  # This default can be overwritten for each instance during runtime
  # Overwrites the system defaults
  # If defined but not all durations are set it will result in an error
  OIDCSettings:
    AccessTokenLifetime: 12h
    IdTokenLifetime: 12h
    RefreshTokenIdleExpiration: 720h #30d
    RefreshTokenExpiration: 2160h #90d
  # this configuration sets the default email configuration
  SMTPConfiguration:
    # configuration of the host
    SMTP:
      # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
      Host:
      User:
      Password:
    TLS:
    # if the host of the sender is different from ExternalDomain set DefaultInstance.DomainPolicy.SMTPSenderAddressMatchesInstanceDomain to false
    From:
    FromName:
  MessageTexts:
    - MessageTextType: InitCode
      Language: de
      Title: Zitadel - User initialisieren
      PreHeader: User initialisieren
      Subject: User initialisieren
      Greeting: Hallo {{.DisplayName}},
      Text: Dieser Benutzer wurde soeben im Zitadel erstellt. Mit dem Benutzernamen &lt;br&gt;&lt;strong&gt;{{.PreferredLoginName}}&lt;/strong&gt;&lt;br&gt; kannst du dich anmelden. Nutze den untenstehenden Button, um die Initialisierung abzuschliessen &lt;br&gt;(Code &lt;strong&gt;{{.Code}}&lt;/strong&gt;).&lt;br&gt; Falls du dieses Mail nicht angefordert hast, kannst du es einfach ignorieren.
      ButtonText: Initialisierung abschliessen
    - MessageTextType: PasswordReset
      Language: de
      Title: Zitadel - Passwort zurücksetzen
      PreHeader: Passwort zurücksetzen
      Subject: Passwort zurücksetzen
      Greeting: Hallo {{.DisplayName}},
      Text: Wir haben eine Anfrage für das Zurücksetzen deines Passwortes bekommen. Du kannst den untenstehenden Button verwenden, um dein Passwort zurückzusetzen &lt;br&gt;(Code &lt;strong&gt;{{.Code}}&lt;/strong&gt;).&lt;br&gt; Falls du dieses Mail nicht angefordert hast, kannst du es ignorieren.
      ButtonText: Passwort zurücksetzen
    - MessageTextType: VerifyEmail
      Language: de
      Title: Zitadel - Email verifizieren
      PreHeader: Email verifizieren
      Subject: Email verifizieren
      Greeting: Hallo {{.DisplayName}},
      Text: Eine neue E-Mail Adresse wurde hinzugefügt. Bitte verwende den untenstehenden Button um diese zu verifizieren &lt;br&gt;(Code &lt;strong&gt;{{.Code}}&lt;/strong&gt;).&lt;br&gt; Falls du deine E-Mail Adresse nicht selber hinzugefügt hast, kannst du dieses E-Mail ignorieren.
      ButtonText: Email verifizieren
    - MessageTextType: VerifyPhone
      Language: de
      Title: Zitadel - Telefonnummer verifizieren
      PreHeader: Telefonnummer verifizieren
      Subject: Telefonnummer verifizieren
      Greeting: Hallo {{.DisplayName}},
      Text: Eine Telefonnummer wurde hinzugefügt. Bitte verifiziere diese in dem du folgenden Code eingibst (Code {{.Code}})
      ButtonText: Telefon verifizieren
    - MessageTextType: DomainClaimed
      Language: de
      Title: Zitadel - Domain wurde beansprucht
      PreHeader: Email / Username ändern
      Subject: Domain wurde beansprucht
      Greeting: Hallo {{.DisplayName}},
      Text: Die Domain {{.Domain}} wurde von einer Organisation beansprucht. Dein derzeitiger User {{.Username}} ist nicht Teil dieser Organisation. Daher musst du beim nächsten Login eine neue Email hinterlegen. Für diesen Login haben wir dir einen temporären Usernamen ({{.TempUsername}}) erstellt.
      ButtonText: Login
    - MessageTextType: PasswordChange
      Language: de
      Title: ZITADEL - Passwort von Benutzer wurde geändert
      PreHeader: Passwort Änderung
      Subject: Passwort von Benutzer wurde geändert
      Greeting: Hallo {{.DisplayName}},
      Text: Das Password vom Benutzer wurde geändert. Wenn diese Änderung von jemand anderem gemacht wurde, empfehlen wir die sofortige Zurücksetzung ihres Passworts.
      ButtonText: Login
    - MessageTextType: InitCode
      Language: en
      Title: Zitadel - Initialize User
      PreHeader: Initialize User
      Subject: Initialize User
      Greeting: Hello {{.DisplayName}},
      Text: This user was created in Zitadel. Use the username {{.PreferredLoginName}} to login. Please click the button below to finish the initialization process. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.
      ButtonText: Finish initialization
    - MessageTextType: PasswordReset
      Language: en
      Title: Zitadel - Reset password
      PreHeader: Reset password
      Subject: Reset password
      Greeting: Hello {{.DisplayName}},
      Text: We received a password reset request. Please use the button below to reset your password. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.
      ButtonText: Reset password
    - MessageTextType: VerifyEmail
      Language: en
      Title: Zitadel - Verify email
      PreHeader: Verify email
      Subject: Verify email
      Greeting: Hello {{.DisplayName}},
      Text: A new email has been added. Please use the button below to verify your mail. (Code {{.Code}}) If you din't add a new email, please ignore this email.
      ButtonText: Verify email
    - MessageTextType: VerifyPhone
      Language: en
      Title: Zitadel - Verify phone
      PreHeader: Verify phone
      Subject: Verify phone
      Greeting: Hello {{.DisplayName}},
      Text: A new phonenumber has been added. Please use the following code to verify it {{.Code}}.
      ButtonText: Verify phone
    - MessageTextType: DomainClaimed
      Language: en
      Title: Zitadel - Domain has been claimed
      PreHeader: Change email / username
      Subject: Domain has been claimed
      Greeting: Hello {{.DisplayName}},
      Text: The domain {{.Domain}} has been claimed by an organisation. Your current user {{.UserName}} is not part of this organisation. Therefore you'll have to change your email when you login. We have created a temporary username ({{.TempUsername}}) for this login.
      ButtonText: Login
    - MessageTextType: PasswordChange
      Language: en
      Title: ZITADEL - Password of user has changed
      PreHeader: Change password
      Subject: Password of user has changed
      Greeting: Hello {{.DisplayName}},
      Text: The password of your user has changed. If this change was not done by you, please be advised to immediately reset your password.
      ButtonText: Login

  Quotas:
    # Items takes a slice of quota configurations, whereas for each unit type and instance, one or zero quotas may exist.
    # The following unit types are supported

    # "requests.all.authenticated"
    # The sum of all requests to the ZITADEL API with an authorization header,
    # excluding the following exceptions
    # - Calls to the System API
    # - Calls that cause internal server errors
    # - Failed authorizations
    # - Requests after the quota already exceeded

    # "actions.all.runs.seconds"
    # The sum of all actions run durations in seconds
    Items:
#      - Unit: "requests.all.authenticated"
#        # From defines the starting time from which the current quota period is calculated from.
#        # This is relevant for querying the current usage.
#        From: "2023-01-01T00:00:00Z"
#        # ResetInterval defines the quota periods duration
#        ResetInterval: 720h # 30 days
#        # Amount defines the number of units for this quota
#        Amount: 25000
#        # Limit defines whether ZITADEL should block further usage when the configured amount is used
#        Limit: false
#        # Notifications are emitted by ZITADEL when certain quota percentages are reached
#        Notifications:
#            # Percent defines the relative amount of used units, after which a notification should be emitted.
#          - Percent: 100
#            # Repeat defines, whether a notification should be emitted each time when a multitude of the configured Percent is used.
#            Repeat: true
#            # CallURL is called when a relative amount of the quota is used.
#            CallURL: "https://httpbin.org/post"

AuditLogRetention: 0s

InternalAuthZ:
  RolePermissionMappings:
    - Role: "IAM_OWNER"
      Permissions:
        - "iam.read"
        - "iam.write"
        - "iam.policy.read"
        - "iam.policy.write"
        - "iam.policy.delete"
        - "iam.member.read"
        - "iam.member.write"
        - "iam.member.delete"
        - "iam.idp.read"
        - "iam.idp.write"
        - "iam.idp.delete"
        - "iam.action.read"
        - "iam.action.write"
        - "iam.action.delete"
        - "iam.flow.read"
        - "iam.flow.write"
        - "iam.flow.delete"
        - "org.read"
        - "org.global.read"
        - "org.create"
        - "org.write"
        - "org.delete"
        - "org.member.read"
        - "org.member.write"
        - "org.member.delete"
        - "org.idp.read"
        - "org.idp.write"
        - "org.idp.delete"
        - "org.action.read"
        - "org.action.write"
        - "org.action.delete"
        - "org.flow.read"
        - "org.flow.write"
        - "org.flow.delete"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "user.credential.write"
        - "user.passkey.write"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
        - "project.read"
        - "project.create"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.app.delete"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
        - "events.read"
    - Role: "IAM_OWNER_VIEWER"
      Permissions:
        - "iam.read"
        - "iam.policy.read"
        - "iam.member.read"
        - "iam.idp.read"
        - "iam.action.read"
        - "iam.flow.read"
        - "org.read"
        - "org.member.read"
        - "org.idp.read"
        - "org.action.read"
        - "org.flow.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "events.read"
    - Role: "IAM_ORG_MANAGER"
      Permissions:
        - "org.read"
        - "org.global.read"
        - "org.create"
        - "org.write"
        - "org.delete"
        - "org.member.read"
        - "org.member.write"
        - "org.member.delete"
        - "org.idp.read"
        - "org.idp.write"
        - "org.idp.delete"
        - "org.action.read"
        - "org.action.write"
        - "org.action.delete"
        - "org.flow.read"
        - "org.flow.write"
        - "org.flow.delete"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "user.credential.write"
        - "user.passkey.write"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
        - "project.read"
        - "project.create"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.app.delete"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
    - Role: "IAM_USER_MANAGER"
      Permissions:
        - "org.read"
        - "org.global.read"
        - "org.member.read"
        - "org.member.delete"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "user.passkey.write"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
    - Role: "ORG_OWNER"
      Permissions:
        - "org.read"
        - "org.global.read"
        - "org.write"
        - "org.delete"
        - "org.member.read"
        - "org.member.write"
        - "org.member.delete"
        - "org.idp.read"
        - "org.idp.write"
        - "org.idp.delete"
        - "org.action.read"
        - "org.action.write"
        - "org.action.delete"
        - "org.flow.read"
        - "org.flow.write"
        - "org.flow.delete"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "user.credential.write"
        - "user.passkey.write"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
        - "project.read"
        - "project.create"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
    - Role: "ORG_USER_MANAGER"
      Permissions:
        - "org.read"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "policy.read"
        - "project.read"
        - "project.role.read"
    - Role: "ORG_OWNER_VIEWER"
      Permissions:
        - "org.read"
        - "org.member.read"
        - "org.idp.read"
        - "org.action.read"
        - "org.flow.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "project.grant.user.grant.read"
    - Role: "ORG_SETTINGS_MANAGER"
      Permissions:
        - "org.read"
        - "org.write"
        - "org.member.read"
        - "org.idp.read"
        - "org.idp.write"
        - "org.idp.delete"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
    - Role: "ORG_USER_PERMISSION_EDITOR"
      Permissions:
        - "org.read"
        - "org.member.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.member.read"
    - Role: "ORG_PROJECT_PERMISSION_EDITOR"
      Permissions:
        - "org.read"
        - "org.member.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
    - Role: "ORG_PROJECT_CREATOR"
      Permissions:
        - "user.global.read"
        - "policy.read"
        - "project.read:self"
        - "project.create"
    - Role: "PROJECT_OWNER"
      Permissions:
        - "org.global.read"
        - "policy.read"
        - "project.read"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.app.delete"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
    - Role: "PROJECT_OWNER_VIEWER"
      Permissions:
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"
    - Role: "SELF_MANAGEMENT_GLOBAL"
      Permissions:
        - "org.create"
        - "policy.read"
        - "user.self.delete"
    - Role: "PROJECT_OWNER_GLOBAL"
      Permissions:
        - "org.global.read"
        - "policy.read"
        - "project.read"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.app.delete"
        - "user.global.read"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
    - Role: "PROJECT_OWNER_VIEWER_GLOBAL"
      Permissions:
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"
    - Role: "PROJECT_GRANT_OWNER"
      Permissions:
        - "policy.read"
        - "org.global.read"
        - "project.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
    - Role: "PROJECT_GRANT_OWNER_VIEWER"
      Permissions:
        - "policy.read"
        - "project.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"