Configuration Properties
This page lists all configuration properties for each In-App Protection component. Properties shared across components are listed first, followed by component-specific sections.
Shared Properties
| Environment Variable | Default Value | Description |
|---|---|---|
| DATASOURCE_URL | R2DBC connection URL to PostgreSQL, e.g. r2dbc:postgresql://host.docker.internal:5432/iap |
|
| DATASOURCE_USERNAME | PostgreSQL database username | |
| DATASOURCE_PASSWORD | PostgreSQL database password | |
| REDIS_URL | Redis connection URL, e.g. redis://host.docker.internal:6379 |
Device API
The Device API collects security telemetry from mobile applications and triggers configurable callback.
Callbacks
Callbacks enables integration with external systems by delivering security events to configured endpoints. For each monitored application, one or more callback URLs can be registered to receive notifications about security events. When such an event is generated, it is first written to a Redis Stream for asynchronous delivery by the Integration API.
Redis Publisher Configuration
The following properties control the Redis Stream used to queue and redeliver outgoing callback messages.
| Environment Variable | Default Value | Description |
|---|---|---|
| INAPPPROTECTION_CALLBACK_REDIS_STREAMKEY | iap-callback-queue |
Redis stream key name |
| INAPPPROTECTION_CALLBACK_REDIS_STREAMENTRYPAYLOADKEY | payload |
Field name that carries the message payload within a stream entry |
| INAPPPROTECTION_CALLBACK_REDIS_REPUBLISHATTEMPTS | 3 |
Number of attempts to publish a message to Redis |
| INAPPPROTECTION_CALLBACK_REDIS_REPUBLISHBACKOFF | 2s |
Delay between consecutive republish retry attempts |
| INAPPPROTECTION_CALLBACK_REDIS_REPUBLISHINTERVAL | 5s |
Interval between scheduled republish job runs |
| INAPPPROTECTION_CALLBACK_REDIS_REPUBLISHLIMIT | 100 |
Maximum number of messages to republish per scheduled job run |
Integration API
The Integration API consumes callback events from the Redis Stream and dispatches them as HTTP requests to external URLs registered per application. It also consumes email events from the Redis Stream and delivers them via the Gmail API.
| Environment Variable | Default Value | Description |
|---|---|---|
| INAPPPROTECTION_CONSOLEURL | Public URL of the Console Web frontend |
Callbacks
Redis Consumer Configuration
The following properties control the Redis Stream consumer used to dispatch callback messages.
| Environment Variable | Default Value | Description |
|---|---|---|
| INAPPPROTECTION_CALLBACK_REDIS_STREAMKEY | iap-callback-queue |
Redis stream key name |
| INAPPPROTECTION_CALLBACK_REDIS_STREAMGROUPNAME | iap-callback-queue-group |
Consumer group name |
| INAPPPROTECTION_CALLBACK_REDIS_STREAMCONSUMERNAMEPREFIX | iap-callback-queue-consumer- |
Prefix for consumer names; a random UUID suffix is appended at runtime |
| INAPPPROTECTION_CALLBACK_REDIS_STREAMENTRYPAYLOADKEY | payload |
Field name that carries the message payload within a stream entry |
| INAPPPROTECTION_CALLBACK_REDIS_MESSAGEIDLETIME | 3m |
Minimum time a message must be idle before it is reprocessed by another consumer |
| INAPPPROTECTION_CALLBACK_REDIS_CHECKIDLEINTERVAL | 5s |
How often the scheduler checks for idle messages to reprocess |
| INAPPPROTECTION_CALLBACK_REDIS_RETRYIDELIMIT | 10 |
Maximum number of idle messages to retry per scheduler run |
| INAPPPROTECTION_CALLBACK_REDIS_CHECKIDLECONSUMERSINTERVAL | 60m |
How often the scheduler removes idle consumers from the consumer group |
| INAPPPROTECTION_CALLBACK_REDIS_CONSUMERIDLETIME | 30m |
Minimum idle duration before a consumer is considered inactive and eligible for removal |
Web Client Configuration
The following properties control the HTTP client used to deliver callback requests, including timeouts and the circuit breaker that prevents repeated calls to unresponsive endpoints.
| Environment Variable | Default Value | Description |
|---|---|---|
| INAPPPROTECTION_CALLBACK_WEBCLIENT_CONNECTIONTIMEOUT | 5s |
Timeout for establishing a connection to the callback URL |
| INAPPPROTECTION_CALLBACK_WEBCLIENT_RESPONSETIMEOUT | 60s |
Timeout for receiving a response from the callback URL |
| INAPPPROTECTION_CALLBACK_WEBCLIENT_REFRESHCACHEAFTER | 5m |
Interval after which cached web clients are refreshed |
| INAPPPROTECTION_CALLBACK_WEBCLIENT_CIRCUITBREAKER_FAILURETHRESHOLD | 100 |
Number of failures within the opening interval that causes the circuit breaker to open |
| INAPPPROTECTION_CALLBACK_WEBCLIENT_CIRCUITBREAKER_OPENINGINTERVAL | 2m |
Time window over which failures are counted when deciding whether to open the circuit breaker |
| INAPPPROTECTION_CALLBACK_WEBCLIENT_CIRCUITBREAKER_CLOSINGINTERVAL | 5m |
How long the circuit breaker stays open before attempting to close |
Emails
The Integration API consumes email events from the Redis Stream and delivers them via the Gmail API. Email
delivery is enabled by default and requires Gmail API credentials to be configured. To disable it, set
INAPPPROTECTION_EMAIL_ENABLED=false.
| Environment Variable | Default Value | Description |
|---|---|---|
| INAPPPROTECTION_EMAIL_ENABLED | true |
Enables email delivery |
Email Client Configuration
| Environment Variable | Default Value | Description |
|---|---|---|
| INAPPPROTECTION_EMAIL_SENDEREMAIL | Email address used as the sender | |
| INAPPPROTECTION_EMAIL_SENDERNAME | Display name associated with the sender address | |
| INAPPPROTECTION_EMAIL_REPLYTOEMAIL | Email address set as the reply-to address | |
| INAPPPROTECTION_EMAIL_REPLYTONAME | Display name associated with the reply-to address | |
| INAPPPROTECTION_EMAIL_MAXRETRYATTEMPTS | 3 |
Maximum number of send retry attempts |
| INAPPPROTECTION_EMAIL_RETRYBACKOFF | 2s |
Backoff delay between send retry attempts |
Google Mail Client
OAuth 2.0 credentials for the Google Mail API. These are required when email sending is enabled.
The OAuth credential must be authorized with at least the gmail.send scope.
To obtain these credentials, create OAuth 2.0 credentials in the Google Cloud Console and request the refresh token.
| Environment Variable | Default Value | Description |
|---|---|---|
| INAPPPROTECTION_EMAIL_GOOGLE_API_APPNAME | Application name registered in Google API | |
| INAPPPROTECTION_EMAIL_GOOGLE_API_CLIENTID | OAuth 2.0 Client ID registered in the Google Cloud project | |
| INAPPPROTECTION_EMAIL_GOOGLE_API_CLIENTSECRET | Client secret of the OAuth 2.0 Client | |
| INAPPPROTECTION_EMAIL_GOOGLE_API_REFRESHTOKEN | OAuth 2.0 refresh token |
Redis Consumer Configuration
The following properties control the Redis Stream consumer used to dispatch email messages.
| Environment Variable | Default Value | Description |
|---|---|---|
| INAPPPROTECTION_EMAIL_REDIS_STREAMKEY | iap-email-queue |
Redis stream key name |
| INAPPPROTECTION_EMAIL_REDIS_STREAMGROUPNAME | iap-email-queue-group |
Consumer group name |
| INAPPPROTECTION_EMAIL_REDIS_STREAMCONSUMERNAMEPREFIX | iap-email-queue-consumer- |
Prefix for consumer names; a random UUID suffix is appended at runtime |
| INAPPPROTECTION_EMAIL_REDIS_STREAMENTRYPAYLOADKEY | payload |
Field name that carries the message payload within a stream entry |
| INAPPPROTECTION_EMAIL_REDIS_MESSAGEIDLETIME | 3m |
Minimum time a message must be idle before it is reprocessed by another consumer |
| INAPPPROTECTION_EMAIL_REDIS_CHECKIDLEINTERVAL | 5s |
How often the scheduler checks for idle messages to reprocess |
| INAPPPROTECTION_EMAIL_REDIS_RETRYIDELIMIT | 10 |
Maximum number of idle messages to retry per scheduler run |
| INAPPPROTECTION_EMAIL_REDIS_CHECKIDLECONSUMERSINTERVAL | 60m |
How often the scheduler removes idle consumers from the consumer group |
| INAPPPROTECTION_EMAIL_REDIS_CONSUMERIDLETIME | 30m |
Minimum idle duration before a consumer is considered inactive and eligible for removal |
Password Reset Email Content
You can customize both the subject line and the HTML body of the password reset email. These settings are optional, if not provided, the system will fall back to the default values.
| Environment Variable | Default Value | Description |
|---|---|---|
| INAPPPROTECTION_EMAIL_PASSWORDRESET_SUBJECT | In-App Protection Console Password Reset |
Defines the email subject. |
| INAPPPROTECTION_EMAIL_PASSWORDRESET_BODYTEMPLATEPATH | Specifies the resource path to a custom HTML body template, e.g. file:/config/email/password-reset.html |
If you provide a custom HTML template, it must include the ${PASSWORD_RESET_URL} placeholder to display the reset link
to the user. Available placeholders are:
| Placeholder | Value |
|---|---|
${PASSWORD_RESET_URL} |
Full password reset link |
${WEB_CONSOLE_URL} |
Base URL of the Web Console |
Console API
The Console API provides the backend for the Console Web. It handles authentication, user management, and access to operational data.
| Environment Variable | Default Value | Description |
|---|---|---|
| INAPPPROTECTION_CONSOLEURL | Public URL of the Console Web frontend | |
| INAPPPROTECTION_CSRFCOOKIEDOMAIN | Domain for the CSRF cookie | |
| INAPPPROTECTION_ARTIFACTORYURL | https://wultra.jfrog.io |
Base URL of the Artifactory instance |
TOTP (Two-Factor Authentication)
Console users can secure their accounts with a time-based one-time password (TOTP). The following properties configure code generation and QR code rendering for authenticator app setup.
Compatibility Requirement
The authenticator application must support the SHA-256 algorithm. Google Authenticator has been tested and is known to
be compatible with the default settings.
| Environment Variable | Default Value | Description |
|---|---|---|
| INAPPPROTECTION_TOTP_SECRETKEYBYTES | 20 |
Length in bytes of the TOTP secret key generated per user |
| INAPPPROTECTION_TOTP_CODELENGTH | 6 |
Number of digits in the generated TOTP code (6–8) |
| INAPPPROTECTION_TOTP_STEPDURATION | 30s |
Time-step duration for TOTP code validity |
| INAPPPROTECTION_TOTP_ALLOWEDBACKWARDSTEPS | 1 |
Number of past time-steps accepted during validation to allow clock skew |
| INAPPPROTECTION_TOTP_QRCODESIZE | 350 |
Size in pixels of the QR code image generated for authenticator setup |
| INAPPPROTECTION_TOTP_AUTHENTICATORISSUER | In-App Protection |
Issuer name displayed in the TOTP authenticator application |
Password Reset
These properties control the self-service password reset flow, including the security token generated and included in the password reset link sent to the user.
| Environment Variable | Default Value | Description |
|---|---|---|
| INAPPPROTECTION_PASSWORD_RESET_TOKENLENGTHBYTES | 16 |
Length in bytes of the generated password reset token |
| INAPPPROTECTION_PASSWORD_RESET_TOKENEXPIRATIONDURATION | 15m |
Period after which the password reset token expires |
The Console API publishes email events to a Redis Stream for asynchronous delivery by the Integration API.
Redis Publisher Configuration
The following properties control how the Console API writes outgoing email messages to the Redis Stream, including retry behaviour when publishing fails.
| Environment Variable | Default Value | Description |
|---|---|---|
| INAPPPROTECTION_EMAIL_REDIS_STREAMKEY | iap-email-queue |
Redis stream key name |
| INAPPPROTECTION_EMAIL_REDIS_STREAMENTRYPAYLOADKEY | payload |
Field name that carries the message payload within a stream entry |
| INAPPPROTECTION_EMAIL_REDIS_REPUBLISHATTEMPTS | 3 |
Number of attempts to publish a message to Redis |
| INAPPPROTECTION_EMAIL_REDIS_REPUBLISHBACKOFF | 2s |
Delay between consecutive republish retry attempts |
| INAPPPROTECTION_EMAIL_REDIS_REPUBLISHINTERVAL | 5s |
Interval between scheduled republish job runs |
| INAPPPROTECTION_EMAIL_REDIS_REPUBLISHLIMIT | 100 |
Maximum number of messages to republish per scheduled job run |
Logstash
Logstash polls the PostgreSQL database for new security events and ships them to Elasticsearch. All connection details are provided via environment variables.
| Environment Variable | Default Value | Description |
|---|---|---|
JDBC_URL |
jdbc:postgresql://postgres:5432/inappprotection |
PostgreSQL JDBC connection URL |
JDBC_USERNAME |
inappprotection |
PostgreSQL username |
JDBC_PASSWORD |
PostgreSQL password | |
JDBC_DRIVER_PATH |
/usr/share/logstash/drivers/postgresql.jar |
Path to the PostgreSQL JDBC driver inside the container |
ES_URL |
Elasticsearch base URL, e.g. https://my-cluster.es.azure.elastic-cloud.com |
|
ES_USERNAME |
Elasticsearch username | |
ES_PASSWORD |
Elasticsearch password | |
POLL_INTERVAL |
*/30 * * * * * |
Cron expression controlling how often Logstash queries PostgreSQL for new data |
PIPELINE_WORKERS |
2 |
Number of Logstash pipeline worker threads |
PIPELINE_BATCH_SIZE |
125 |
Number of events processed per pipeline batch |