Select release
Introduction

Home

System Requirements

Installation

Configuration

Artifact Signing

Reference

Architecture

Data Categorization

Configuration Properties

Callbacks

Reporting

RASP Reporting

Logstash HA & Runbooks

Configuration Properties

Edit on Github Send Feedback develop

This page lists all configuration properties for each In-App Protection component. Properties shared across components are listed first, followed by component-specific sections.

Shared Properties

Environment Variable Default Value Description
DATASOURCE_URL   R2DBC connection URL to PostgreSQL, e.g. r2dbc:postgresql://host.docker.internal:5432/iap
DATASOURCE_USERNAME   PostgreSQL database username
DATASOURCE_PASSWORD   PostgreSQL database password
INAPPPROTECTION_REDIS_HOST localhost Redis host name, e.g. host.docker.internal
INAPPPROTECTION_REDIS_PORT 6379 Redis port

Redis Topologies

In-App Protection components connect to Redis through Lettuce and support both a single Redis instance (standalone) and a Redis OSS cluster. Redis is configured through In-App Protection-specific INAPPPROTECTION_REDIS_* environment variables, which map onto the underlying Spring Data Redis (spring.data.redis.*) properties.

[!IMPORTANT] Do not configure Redis with a connection URL (INAPPPROTECTION_REDIS_URL). Use the discrete host/port (or cluster nodes) properties instead. A Redis URL forces standalone mode and silently overrides INAPPPROTECTION_REDIS_CLUSTER_NODES, breaking OSS cluster deployments. It also embeds the access key in a single string, which the components deliberately avoid in favour of a separate INAPPPROTECTION_REDIS_PASSWORD.

The Lettuce client is forced to use the RESP2 protocol. This is required for managed Redis services (such as Azure Managed Redis with the OSS cluster policy) whose nodes reject the unauthenticated HELLO handshake that the default RESP3 protocol performs before authentication.

Authentication and TLS

The following properties apply to both topologies. Leave them unset for an unauthenticated local Redis; set them for managed Redis services (such as Azure Managed Redis).

Environment Variable Default Value Description
INAPPPROTECTION_REDIS_USERNAME   Redis username. Leave unset for access-key (password-only) authentication
INAPPPROTECTION_REDIS_PASSWORD   Redis password / access key
INAPPPROTECTION_REDIS_SSL_ENABLED false Set to true for TLS-secured managed Redis endpoints

Standalone

A standalone instance is the default. Point the components at it with INAPPPROTECTION_REDIS_HOST / INAPPPROTECTION_REDIS_PORT as listed in the shared properties above. This is also the correct topology for managed Redis using the Enterprise cluster policy, where a proxy hides cluster routing behind a single endpoint.

OSS Cluster

To run against a Redis OSS cluster (for example Azure Managed Redis with the OSS cluster policy), activate the redis-cluster Spring profile and provide the cluster nodes:

SPRING_PROFILES_ACTIVE=redis-cluster
INAPPPROTECTION_REDIS_CLUSTER_NODES=node1:6380,node2:6380

The cluster properties live in a profile-specific resource (application-redis-cluster.properties) that is loaded only when the redis-cluster profile is active. While the profile is inactive (the default), the cluster configuration is absent and the component runs standalone — so the same image serves both topologies. Activating the profile switches the components to cluster mode; INAPPPROTECTION_REDIS_HOST / INAPPPROTECTION_REDIS_PORT are then ignored. The authentication and TLS variables above apply to both topologies.

[!NOTE] Activating the redis-cluster profile without setting INAPPPROTECTION_REDIS_CLUSTER_NODES fails fast at startup. Set both together, or neither.

[!TIP] INAPPPROTECTION_REDIS_CLUSTER_NODES only needs seed nodes, not the full cluster. Lettuce performs cluster topology discovery from any reachable seed and then keeps the topology current through adaptive and periodic refresh (see the variables below). For managed Redis with the OSS cluster policy (such as Azure Managed Redis), the service exposes a single stable endpoint — point INAPPPROTECTION_REDIS_CLUSTER_NODES at that one endpoint and the remaining nodes are discovered automatically.

The following variables are honoured only when the redis-cluster profile is active:

Environment Variable Default Value Description
INAPPPROTECTION_REDIS_CLUSTER_NODES   Comma-separated list of seed node host:port pairs, e.g. node1:6380,node2:6380. A single endpoint is sufficient; the rest of the cluster is discovered automatically
INAPPPROTECTION_REDIS_CLUSTER_MAX_REDIRECTS 5 Maximum number of MOVED / ASK redirects to follow. Recommended for OSS cluster
INAPPPROTECTION_REDIS_LETTUCE_CLUSTER_REFRESH_ADAPTIVE true Enable adaptive topology refresh so MOVED / ASK trigger a cluster topology refresh
INAPPPROTECTION_REDIS_LETTUCE_CLUSTER_REFRESH_PERIOD 30s Periodic cluster topology refresh interval

Device API

The Device API collects security telemetry from mobile applications and triggers configurable callback.

Callbacks

Callbacks enables integration with external systems by delivering security events to configured endpoints. For each monitored application, one or more callback URLs can be registered to receive notifications about security events. When such an event is generated, it is first written to a Redis Stream for asynchronous delivery by the Integration API.

Redis Publisher Configuration

The following properties control the Redis Stream used to queue and redeliver outgoing callback messages.

Environment Variable Default Value Description
INAPPPROTECTION_CALLBACK_REDIS_STREAMKEY iap-callback-queue Redis stream key name
INAPPPROTECTION_CALLBACK_REDIS_STREAMENTRYPAYLOADKEY payload Field name that carries the message payload within a stream entry
INAPPPROTECTION_CALLBACK_REDIS_REPUBLISHATTEMPTS 3 Number of attempts to publish a message to Redis
INAPPPROTECTION_CALLBACK_REDIS_REPUBLISHBACKOFF 2s Delay between consecutive republish retry attempts
INAPPPROTECTION_CALLBACK_REDIS_REPUBLISHINTERVAL 5s Interval between scheduled republish job runs
INAPPPROTECTION_CALLBACK_REDIS_REPUBLISHLIMIT 100 Maximum number of messages to republish per scheduled job run

Integration API

The Integration API consumes callback events from the Redis Stream and dispatches them as HTTP requests to external URLs registered per application. It also consumes email events from the Redis Stream and delivers them via the Gmail API.

Environment Variable Default Value Description
INAPPPROTECTION_CONSOLEURL   Public URL of the Console Web frontend

Callbacks

Redis Consumer Configuration

The following properties control the Redis Stream consumer used to dispatch callback messages.

Environment Variable Default Value Description
INAPPPROTECTION_CALLBACK_REDIS_STREAMKEY iap-callback-queue Redis stream key name
INAPPPROTECTION_CALLBACK_REDIS_STREAMGROUPNAME iap-callback-queue-group Consumer group name
INAPPPROTECTION_CALLBACK_REDIS_STREAMCONSUMERNAMEPREFIX iap-callback-queue-consumer- Prefix for consumer names; a random UUID suffix is appended at runtime
INAPPPROTECTION_CALLBACK_REDIS_STREAMENTRYPAYLOADKEY payload Field name that carries the message payload within a stream entry
INAPPPROTECTION_CALLBACK_REDIS_MESSAGEIDLETIME 3m Minimum time a message must be idle before it is reprocessed by another consumer
INAPPPROTECTION_CALLBACK_REDIS_CHECKIDLEINTERVAL 5s How often the scheduler checks for idle messages to reprocess
INAPPPROTECTION_CALLBACK_REDIS_RETRYIDELIMIT 10 Maximum number of idle messages to retry per scheduler run
INAPPPROTECTION_CALLBACK_REDIS_CHECKIDLECONSUMERSINTERVAL 60m How often the scheduler removes idle consumers from the consumer group
INAPPPROTECTION_CALLBACK_REDIS_CONSUMERIDLETIME 30m Minimum idle duration before a consumer is considered inactive and eligible for removal

Web Client Configuration

The following properties control the HTTP client used to deliver callback requests, including timeouts and the circuit breaker that prevents repeated calls to unresponsive endpoints.

Environment Variable Default Value Description
INAPPPROTECTION_CALLBACK_WEBCLIENT_CONNECTIONTIMEOUT 5s Timeout for establishing a connection to the callback URL
INAPPPROTECTION_CALLBACK_WEBCLIENT_RESPONSETIMEOUT 60s Timeout for receiving a response from the callback URL
INAPPPROTECTION_CALLBACK_WEBCLIENT_REFRESHCACHEAFTER 5m Interval after which cached web clients are refreshed
INAPPPROTECTION_CALLBACK_WEBCLIENT_CIRCUITBREAKER_FAILURETHRESHOLD 100 Number of failures within the opening interval that causes the circuit breaker to open
INAPPPROTECTION_CALLBACK_WEBCLIENT_CIRCUITBREAKER_OPENINGINTERVAL 2m Time window over which failures are counted when deciding whether to open the circuit breaker
INAPPPROTECTION_CALLBACK_WEBCLIENT_CIRCUITBREAKER_CLOSINGINTERVAL 5m How long the circuit breaker stays open before attempting to close

Emails

The Integration API consumes email events from the Redis Stream and delivers them via the Gmail API. Email delivery is enabled by default and requires Gmail API credentials to be configured. To disable it, set INAPPPROTECTION_EMAIL_ENABLED=false.

Environment Variable Default Value Description
INAPPPROTECTION_EMAIL_ENABLED true Enables email delivery

Email Client Configuration

Environment Variable Default Value Description
INAPPPROTECTION_EMAIL_SENDEREMAIL   Email address used as the sender
INAPPPROTECTION_EMAIL_SENDERNAME   Display name associated with the sender address
INAPPPROTECTION_EMAIL_REPLYTOEMAIL   Email address set as the reply-to address
INAPPPROTECTION_EMAIL_REPLYTONAME   Display name associated with the reply-to address
INAPPPROTECTION_EMAIL_MAXRETRYATTEMPTS 3 Maximum number of send retry attempts
INAPPPROTECTION_EMAIL_RETRYBACKOFF 2s Backoff delay between send retry attempts

Google Mail Client

OAuth 2.0 credentials for the Google Mail API. These are required when email sending is enabled. The OAuth credential must be authorized with at least the gmail.send scope.

To obtain these credentials, create OAuth 2.0 credentials in the Google Cloud Console and request the refresh token.

Environment Variable Default Value Description
INAPPPROTECTION_EMAIL_GOOGLE_API_APPNAME   Application name registered in Google API
INAPPPROTECTION_EMAIL_GOOGLE_API_CLIENTID   OAuth 2.0 Client ID registered in the Google Cloud project
INAPPPROTECTION_EMAIL_GOOGLE_API_CLIENTSECRET   Client secret of the OAuth 2.0 Client
INAPPPROTECTION_EMAIL_GOOGLE_API_REFRESHTOKEN   OAuth 2.0 refresh token

Redis Consumer Configuration

The following properties control the Redis Stream consumer used to dispatch email messages.

Environment Variable Default Value Description
INAPPPROTECTION_EMAIL_REDIS_STREAMKEY iap-email-queue Redis stream key name
INAPPPROTECTION_EMAIL_REDIS_STREAMGROUPNAME iap-email-queue-group Consumer group name
INAPPPROTECTION_EMAIL_REDIS_STREAMCONSUMERNAMEPREFIX iap-email-queue-consumer- Prefix for consumer names; a random UUID suffix is appended at runtime
INAPPPROTECTION_EMAIL_REDIS_STREAMENTRYPAYLOADKEY payload Field name that carries the message payload within a stream entry
INAPPPROTECTION_EMAIL_REDIS_MESSAGEIDLETIME 3m Minimum time a message must be idle before it is reprocessed by another consumer
INAPPPROTECTION_EMAIL_REDIS_CHECKIDLEINTERVAL 5s How often the scheduler checks for idle messages to reprocess
INAPPPROTECTION_EMAIL_REDIS_RETRYIDELIMIT 10 Maximum number of idle messages to retry per scheduler run
INAPPPROTECTION_EMAIL_REDIS_CHECKIDLECONSUMERSINTERVAL 60m How often the scheduler removes idle consumers from the consumer group
INAPPPROTECTION_EMAIL_REDIS_CONSUMERIDLETIME 30m Minimum idle duration before a consumer is considered inactive and eligible for removal

Password Reset Email Content

You can customize both the subject line and the HTML body of the password reset email. These settings are optional, if not provided, the system will fall back to the default values.

Environment Variable Default Value Description
INAPPPROTECTION_EMAIL_PASSWORDRESET_SUBJECT In-App Protection Console Password Reset Defines the email subject.
INAPPPROTECTION_EMAIL_PASSWORDRESET_BODYTEMPLATEPATH   Specifies the resource path to a custom HTML body template, e.g. file:/config/email/password-reset.html

If you provide a custom HTML template, it must include the ${PASSWORD_RESET_URL} placeholder to display the reset link to the user. Available placeholders are:

Placeholder Value
${PASSWORD_RESET_URL} Full password reset link
${WEB_CONSOLE_URL} Base URL of the Web Console

Console API

The Console API provides the backend for the Console Web. It handles authentication, user management, and access to operational data.

Environment Variable Default Value Description
INAPPPROTECTION_CONSOLEURL   Public URL of the Console Web frontend
INAPPPROTECTION_CSRFCOOKIEDOMAIN   Domain for the CSRF cookie
INAPPPROTECTION_ARTIFACTORYURL https://wultra.jfrog.io Base URL of the Artifactory instance

TOTP (Two-Factor Authentication)

Console users can secure their accounts with a time-based one-time password (TOTP). The following properties configure code generation and QR code rendering for authenticator app setup.

Compatibility Requirement
The authenticator application must support the SHA-256 algorithm. Google Authenticator has been tested and is known to be compatible with the default settings.

Environment Variable Default Value Description
INAPPPROTECTION_TOTP_SECRETKEYBYTES 20 Length in bytes of the TOTP secret key generated per user
INAPPPROTECTION_TOTP_CODELENGTH 6 Number of digits in the generated TOTP code (6–8)
INAPPPROTECTION_TOTP_STEPDURATION 30s Time-step duration for TOTP code validity
INAPPPROTECTION_TOTP_ALLOWEDBACKWARDSTEPS 1 Number of past time-steps accepted during validation to allow clock skew
INAPPPROTECTION_TOTP_QRCODESIZE 350 Size in pixels of the QR code image generated for authenticator setup
INAPPPROTECTION_TOTP_AUTHENTICATORISSUER In-App Protection Issuer name displayed in the TOTP authenticator application

Password Reset

These properties control the self-service password reset flow, including the security token generated and included in the password reset link sent to the user.

Environment Variable Default Value Description
INAPPPROTECTION_PASSWORD_RESET_TOKENLENGTHBYTES 16 Length in bytes of the generated password reset token
INAPPPROTECTION_PASSWORD_RESET_TOKENEXPIRATIONDURATION 15m Period after which the password reset token expires

Email

The Console API publishes email events to a Redis Stream for asynchronous delivery by the Integration API.

Redis Publisher Configuration

The following properties control how the Console API writes outgoing email messages to the Redis Stream, including retry behaviour when publishing fails.

Environment Variable Default Value Description
INAPPPROTECTION_EMAIL_REDIS_STREAMKEY iap-email-queue Redis stream key name
INAPPPROTECTION_EMAIL_REDIS_STREAMENTRYPAYLOADKEY payload Field name that carries the message payload within a stream entry
INAPPPROTECTION_EMAIL_REDIS_REPUBLISHATTEMPTS 3 Number of attempts to publish a message to Redis
INAPPPROTECTION_EMAIL_REDIS_REPUBLISHBACKOFF 2s Delay between consecutive republish retry attempts
INAPPPROTECTION_EMAIL_REDIS_REPUBLISHINTERVAL 5s Interval between scheduled republish job runs
INAPPPROTECTION_EMAIL_REDIS_REPUBLISHLIMIT 100 Maximum number of messages to republish per scheduled job run

Logstash

Logstash polls the PostgreSQL database for new security events and ships them to Elasticsearch. All connection details are provided via environment variables.

Environment Variable Default Value Description
JDBC_URL jdbc:postgresql://postgres:5432/inappprotection PostgreSQL JDBC connection URL
JDBC_USERNAME inappprotection PostgreSQL username
JDBC_PASSWORD   PostgreSQL password
JDBC_DRIVER_PATH /usr/share/logstash/drivers/postgresql.jar Path to the PostgreSQL JDBC driver inside the container
ES_URL   Elasticsearch base URL, e.g. https://my-cluster.es.azure.elastic-cloud.com
ES_USERNAME   Elasticsearch username
ES_PASSWORD   Elasticsearch password
POLL_INTERVAL */30 * * * * * Cron expression controlling how often Logstash queries PostgreSQL for new data
PIPELINE_WORKERS 2 Number of Logstash pipeline worker threads
PIPELINE_BATCH_SIZE 125 Number of events processed per pipeline batch
Last updated on Jun 12, 2026 (13:53) Edit on Github Send Feedback
On this page:

develop

In-App Protection