Configuration Properties

This page lists all configuration properties for each In-App Protection component. Properties shared across components are listed first, followed by component-specific sections.

Shared Properties

| Environment Variable | Default Value | Description |
|---|---|---|
| DATASOURCE_URL | | R2DBC connection URL to PostgreSQL, e.g. r2dbc:postgresql://host.docker.internal:5432/mlw |
| DATASOURCE_USERNAME | | PostgreSQL database username |
| DATASOURCE_PASSWORD | | PostgreSQL database password |
| REDIS_URL | | Redis connection URL, e.g. redis://host.docker.internal:6379 |

Device API

The Device API collects security telemetry from mobile applications and supports configurable callbacks to notify systems of detected threats.

Callbacks

The callback subsystem delivers security events to external URLs registered per application. It uses Redis Streams as a durable outbox and guarantees at-least-once delivery.

Redis Configuration

The following properties control the Redis Stream used to queue and redeliver outgoing callback messages.

| Environment Variable | Default Value | Description |
|---|---|---|
| MLW_CALLBACK_REDIS_STREAMKEY | mlw-callback-queue | Redis stream key name |
| MLW_CALLBACK_REDIS_STREAMGROUPNAME | mlw-callback-queue-group | Consumer group name |
| MLW_CALLBACK_REDIS_STREAMCONSUMERNAMEPREFIX | mlw-callback-queue-consumer- | Prefix for consumer names; a random UUID suffix is appended at runtime |
| MLW_CALLBACK_REDIS_STREAMENTRYPAYLOADKEY | payload | Field name that carries the message payload within a stream entry |
| MLW_CALLBACK_REDIS_MESSAGEIDLETIME | 3m | Minimum time a message must be idle before it is reprocessed by another consumer |
| MLW_CALLBACK_REDIS_CHECKIDLEINTERVAL | 5s | How often the scheduler checks for idle messages to reprocess |
| MLW_CALLBACK_REDIS_RETRYIDELIMIT | 10 | Maximum number of idle messages to retry per scheduler run |
| MLW_CALLBACK_REDIS_REPUBLISHATTEMPTS | 3 | Number of retry attempts when publishing a message to Redis fails |
| MLW_CALLBACK_REDIS_REPUBLISHBACKOFF | 2s | Delay between consecutive republish retry attempts |
| MLW_CALLBACK_REDIS_REPUBLISHINTERVAL | 5s | Interval between scheduled republish job runs |
| MLW_CALLBACK_REDIS_REPUBLISHLIMIT | 100 | Maximum number of messages to republish per scheduled job run |
| MLW_CALLBACK_REDIS_CHECKIDLECONSUMERSINTERVAL | 60m | How often the scheduler removes idle consumers from the consumer group |
| MLW_CALLBACK_REDIS_CONSUMERIDLETIME | 30m | Minimum idle duration before a consumer is considered inactive and eligible for removal |

Web Client Configuration

The following properties control the HTTP client used to deliver callback requests, including timeouts and the circuit breaker that prevents repeated calls to unresponsive endpoints.

| Environment Variable | Default Value | Description |
|---|---|---|
| MLW_CALLBACK_WEBCLIENT_CONNECTIONTIMEOUT | 5s | Timeout for establishing a connection to the callback URL |
| MLW_CALLBACK_WEBCLIENT_RESPONSETIMEOUT | 60s | Timeout for receiving a response from the callback URL |
| MLW_CALLBACK_WEBCLIENT_REFRESHCACHEAFTER | 5m | Interval after which cached web clients are refreshed |
| MLW_CALLBACK_WEBCLIENT_CIRCUITBREAKER_FAILURETHRESHOLD | 100 | Number of failures within the opening interval that causes the circuit breaker to open |
| MLW_CALLBACK_WEBCLIENT_CIRCUITBREAKER_OPENINGINTERVAL | 2m | Time window over which failures are counted when deciding whether to open the circuit breaker |
| MLW_CALLBACK_WEBCLIENT_CIRCUITBREAKER_CLOSINGINTERVAL | 5m | How long the circuit breaker stays open before attempting to close |

Console API

The Console API provides the backend for the web management console. It handles authentication, user management, and integration with external services such as email and the Artifactory artifact registry.

| Environment Variable | Default Value | Description |
|---|---|---|
| MLW_CONSOLE_URL | | Public URL of the Console Web frontend |
| MLW_CSRFCOOKIEDOMAIN | | Domain for the CSRF cookie |
| MLW_ARTIFACTORYURL | https://wultra.jfrog.io | Base URL of the Artifactory instance |

TOTP (Two-Factor Authentication)

Console users can secure their accounts with a time-based one-time password (TOTP). The following properties configure code generation and QR code rendering for authenticator app setup.

| Environment Variable | Default Value | Description |
|---|---|---|
| MLW_TOTP_SECRETKEYBYTES | 20 | Length in bytes of the TOTP secret key generated per user |
| MLW_TOTP_CODELENGTH | 6 | Number of digits in the generated TOTP code (6–8) |
| MLW_TOTP_STEPDURATION | 30s | Time-step duration for TOTP code validity |
| MLW_TOTP_ALLOWEDBACKWARDSTEPS | 1 | Number of past time-steps accepted during validation to allow clock skew |
| MLW_TOTP_QRCODESIZE | 350 | Size in pixels of the QR code image generated for authenticator setup |
| MLW_TOTP_AUTHENTICATORISSUER | In-App Protection | Issuer name displayed in the TOTP authenticator application |
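
How the step duration and the allowed backward steps combine into an acceptance window, shown as an added example that is not the Console API's own code. It follows RFC 6238 with HMAC-SHA1, which is an assumption because this page does not name the hash algorithm; `RFC_SECRET` is the 20-byte test secret from RFC 6238, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

# Defaults from the TOTP table on this page.
CODE_LENGTH = 6             # MLW_TOTP_CODELENGTH
STEP_SECONDS = 30           # MLW_TOTP_STEPDURATION
ALLOWED_BACKWARD_STEPS = 1  # MLW_TOTP_ALLOWEDBACKWARDSTEPS

# RFC 6238 Appendix B test secret: 20 bytes, same size as the
# MLW_TOTP_SECRETKEYBYTES default. Test data only, never a real key.
RFC_SECRET = b"12345678901234567890"


def totp(secret, counter, digits=CODE_LENGTH):
    """Code for one time-step counter (RFC 4226 truncation, HMAC-SHA1 assumed)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def accepted_steps(now, step=STEP_SECONDS, backward=ALLOWED_BACKWARD_STEPS):
    """Counters accepted at Unix time `now`: the current step and past ones only."""
    current = now // step
    return [current - i for i in range(backward + 1)]


def verify(secret, code, now, digits=CODE_LENGTH,
           step=STEP_SECONDS, backward=ALLOWED_BACKWARD_STEPS):
    """Check a submitted code against every accepted step in constant time."""
    if len(code) != digits or not code.isdigit():
        return False
    ok = False
    for counter in accepted_steps(now, step, backward):
        ok |= hmac.compare_digest(totp(secret, counter, digits), code)
    return ok


if __name__ == "__main__":
    now = 1111111111                                 # RFC 6238 sample timestamp
    previous = totp(RFC_SECRET, now // 30 - 1, 8)    # code from the prior step
    print(verify(RFC_SECRET, previous, now, digits=8))       # inside the window
    print(verify(RFC_SECRET, previous, now + 30, digits=8))  # two steps old
```

With the defaults, a code stays acceptable for at most 60 seconds after its step begins; each extra backward step adds one step duration to the period in which an intercepted code can still be replayed.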

Password Reset

These properties control the self-service password reset flow, including the security token generated and sent to the user’s email address.

| Environment Variable | Default Value | Description |
|---|---|---|
| MLW_PASSWORD_RESET_TOKENLENGTHBYTES | 16 | Length in bytes of the generated password reset token |
| MLW_PASSWORD_RESET_TOKENEXPIRATIONDURATION | 15m | Period after which the password reset token expires |

Email

The Console API can send transactional emails (e.g. password reset links) via Google Mail. Email sending is disabled by default and must be explicitly enabled together with valid OAuth credentials.

| Environment Variable | Default Value | Description |
|---|---|---|
| MLW_EMAIL_ENABLED | false | Whether email sending is enabled |
| MLW_EMAIL_SENDEREMAIL | | Email address used as the sender |
| MLW_EMAIL_SENDERNAME | | Display name associated with the sender address |
| MLW_EMAIL_REPLYTOEMAIL | | Email address set as the reply-to address |
| MLW_EMAIL_REPLYTONAME | | Display name associated with the reply-to address |
| MLW_EMAIL_MAXRETRYATTEMPTS | 3 | Maximum number of send retry attempts |
| MLW_EMAIL_RETRYBACKOFF | 2s | Backoff delay between send retry attempts |

Google Mail Client

OAuth 2.0 credentials for the Google Mail API. These are required when email sending is enabled.

| Environment Variable | Default Value | Description |
|---|---|---|
| MLW_EMAIL_APP_NAME | | Application name registered in Google API |
| MLW_EMAIL_CLIENT_ID | | Client ID of the Google Mail OAuth credential |
| MLW_EMAIL_CLIENT_SECRET | | Client secret of the Google Mail OAuth credential |
| MLW_EMAIL_REFRESH_TOKEN | | Refresh token of the Google Mail OAuth credential |
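
A pre-deployment check for the cross-property constraints stated on this page (OAuth credentials required once email is enabled, TOTP code length 6–8, R2DBC and Redis URL forms), given as an added example rather than a tool shipped with In-App Protection. Treating the shared properties as mandatory because they list no default, and reading `true` case-insensitively, are assumptions; `check_config` and `SAMPLE_ENV` are illustrative names.

```python
REQUIRED_SHARED = ("DATASOURCE_URL", "DATASOURCE_USERNAME",
                   "DATASOURCE_PASSWORD", "REDIS_URL")
GMAIL_OAUTH = ("MLW_EMAIL_APP_NAME", "MLW_EMAIL_CLIENT_ID",
               "MLW_EMAIL_CLIENT_SECRET", "MLW_EMAIL_REFRESH_TOKEN")


def check_config(env):
    """Return a list of problems found in an environment mapping."""
    problems = []

    def missing(name):
        return not env.get(name, "").strip()

    # Assumption: properties listed without a default must be supplied.
    problems += [f"{n} is not set" for n in REQUIRED_SHARED if missing(n)]

    db = env.get("DATASOURCE_URL", "")
    if db and not db.startswith(("r2dbc:", "r2dbcs:")):
        # Typical cause: a jdbc: URL copied from another service.
        problems.append("DATASOURCE_URL is not an R2DBC URL")

    redis = env.get("REDIS_URL", "")
    if redis and not redis.startswith(("redis://", "rediss://")):
        problems.append("REDIS_URL is not a redis:// or rediss:// URL")

    if env.get("MLW_TOTP_CODELENGTH", "6").strip() not in ("6", "7", "8"):
        problems.append("MLW_TOTP_CODELENGTH must be 6, 7 or 8")

    # Email is off by default; once enabled, all four OAuth values are needed.
    if env.get("MLW_EMAIL_ENABLED", "false").strip().lower() == "true":
        problems += [f"{n} is required when MLW_EMAIL_ENABLED=true"
                     for n in GMAIL_OAUTH if missing(n)]
    return problems


# Constructed sample environment with placeholder values, not real credentials.
SAMPLE_ENV = {
    "DATASOURCE_URL": "jdbc:postgresql://db.example.internal:5432/mlw",
    "DATASOURCE_USERNAME": "mlw",
    "DATASOURCE_PASSWORD": "placeholder",
    "REDIS_URL": "redis://redis.example.internal:6379",
    "MLW_EMAIL_ENABLED": "true",
    "MLW_EMAIL_APP_NAME": "example-app",
    "MLW_EMAIL_CLIENT_ID": "placeholder-client-id",
}

if __name__ == "__main__":
    for problem in check_config(SAMPLE_ENV):
        print("config problem:", problem)
```

Run it against the real deployment with `check_config(dict(os.environ))` and fail the rollout when the returned list is not empty.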

Email Redis Stream

Outgoing emails are first written to a Redis Stream and delivered asynchronously, ensuring reliable at-least-once delivery.

| Environment Variable | Default Value | Description |
|---|---|---|
| MLW_EMAIL_REDIS_STREAMKEY | mlw-email-queue | Redis stream key name |
| MLW_EMAIL_REDIS_STREAMGROUPNAME | mlw-email-queue-group | Consumer group name |
| MLW_EMAIL_REDIS_STREAMCONSUMERNAMEPREFIX | mlw-email-queue-consumer- | Prefix for consumer names; a random UUID suffix is appended at runtime |
| MLW_EMAIL_REDIS_STREAMENTRYPAYLOADKEY | payload | Field name that carries the message payload within a stream entry |
| MLW_EMAIL_REDIS_MESSAGEIDLETIME | 3m | Minimum time a message must be idle before it is reprocessed by another consumer |
| MLW_EMAIL_REDIS_CHECKIDLEINTERVAL | 5s | How often the scheduler checks for idle messages to reprocess |
| MLW_EMAIL_REDIS_RETRYIDELIMIT | 10 | Maximum number of idle messages to retry per scheduler run |
| MLW_EMAIL_REDIS_REPUBLISHATTEMPTS | 3 | Number of retry attempts when publishing a message to Redis fails |
| MLW_EMAIL_REDIS_REPUBLISHBACKOFF | 2s | Delay between consecutive republish retry attempts |
| MLW_EMAIL_REDIS_REPUBLISHINTERVAL | 5s | Interval between scheduled republish job runs |
| MLW_EMAIL_REDIS_REPUBLISHLIMIT | 100 | Maximum number of messages to republish per scheduled job run |
| MLW_EMAIL_REDIS_CHECKIDLECONSUMERSINTERVAL | 60m | How often the scheduler removes idle consumers from the consumer group |
| MLW_EMAIL_REDIS_CONSUMERIDLETIME | 30m | Minimum idle duration before a consumer is considered inactive and eligible for removal |

Last updated on Apr 17, 2026 (14:27)