Advanced
This page covers configuration that is not necessary for a regular operator but allows fine-tuning of server behaviour.
advanced
This section holds configuration that will change the general behavior of the server.
| Key | Type | Description | Required | Default |
|---|---|---|---|---|
| invitation | object | Invitation token settings. See advanced.invitation. | YES | |
| jwt | object | | YES | |
| keys-generation-strategy | string | | YES | autoincrement |
| user-merging-strategy | string | Deprecated; replaced by auth.user-merging-enabled. | YES | by-mail |
| validation-code | object | See advanced.validation-code. | YES | |
advanced.hash
| Key | Type | Description | Required | Default |
|---|---|---|---|---|
| block-size | int | | YES | 8 |
| cost-parameter | int | | YES | 16384 |
| key-length | int | Number of bytes generated as output of the hashing algorithm. | YES | 32 |
| parallelization-parameter | int | | YES | 1 |
| salt-length | int | Number of random bytes to generate and then use as a salt for the hashing algorithm. | YES | 256 |
advanced.invitation
Configuration for invitation token generation and expiration.
| Key | Type | Description | Required | Default |
|---|---|---|---|---|
| default-expiration | duration | Default validity period when no expires_at is provided at creation. | YES | 7d |
| max-expiration | duration | Maximum allowed validity period. expires_at values beyond this limit are capped. | YES | 30d |
| token-length | int | Number of random bytes for token generation (before base64url encoding). | YES | 32 |
advanced.invitation.hash
Scrypt parameters for hashing invitation tokens. Follows the same structure as advanced.hash.
| Key | Type | Description | Required | Default |
|---|---|---|---|---|
| block-size | int | Scrypt block size parameter (r). | YES | 8 |
| cost-parameter | int | Scrypt CPU/memory cost parameter (N). | YES | 16384 |
| key-length | int | Number of bytes generated as output of the hashing algorithm. | YES | 32 |
| parallelization-parameter | int | Scrypt parallelization parameter (p). | YES | 1 |
| salt-length | int | Number of random bytes to generate and then use as a salt for the hashing algorithm. | YES | 256 |
advanced.jwt
| Key | Type | Description | Required | Default |
|---|---|---|---|---|
| access-alg | string | Algorithm used to sign access tokens. The algorithm MUST be asymmetric and support a public key. Access tokens are signed with a dedicated key, separate from ID tokens per RFC 9068. | YES | rs256 |
| public-alg | string | Algorithm used to sign ID tokens and other keys shared publicly. The algorithm MUST be asymmetric and support a public key. | YES | rs256 |
| private-alg | string | Algorithm used to encrypt internal keys. The algorithm only has to support a public key. | YES | rs256 |
advanced.validation-code
| Key | Type | Description | Required | Default |
|---|---|---|---|---|
| expiration | duration | Duration, counted from when the validation code was generated, during which the server will accept it. | YES | 10m |
| length | int | Number of digits expected in a validation code generated by this authorization server. | YES | 6 |
| resend-delay | duration | Duration the end-user has to wait before being able to request a new validation code to be sent. | YES | 1m |