Configuration Properties
View product
develop
You can set the following configurations to the PowerAuth Cloud components:
PowerAuth Server
| Environment Variable | Default Value | Description |
|---|---|---|
| POWERAUTH_SERVER_JPA_CHARSET | utf8 |
|
| POWERAUTH_SERVER_JPA_CHARACTER_ENCODING | utf8 |
|
| POWERAUTH_SERVER_JPA_USE_UNICODE | true | |
| POWERAUTH_SERVER_JPA_LOCK_TIMEOUT | 10000 | Database lock timeout configuration |
| POWERAUTH_SERVER_DATASOURCE_JNDI_NAME | false | |
| POWERAUTH_SERVER_SPRING_JMX_ENABLED | false | |
| POWERAUTH_SERVER_SPRING_JMX_DEFAULT_DOMAIN | powerauth-server |
|
| POWERAUTH_SERVER_HTTP_PROXY_ENABLED | false | |
| POWERAUTH_SERVER_HTTP_PROXY_HOST | 127.0.0.1 |
Proxy host |
| POWERAUTH_SERVER_HTTP_PROXY_PORT | 8080 | Proxy port |
| POWERAUTH_SERVER_HTTP_PROXY_USERNAME | Proxy username | |
| POWERAUTH_SERVER_HTTP_PROXY_PASSWORD | Proxy password | |
| POWERAUTH_SERVER_HTTP_CONNECTION_TIMEOUT | 5000 | Service connect timeout in milliseconds |
| POWERAUTH_SERVER_RESTRICT_ACCESS | false | Whether access to the REST API is restricted |
| POWERAUTH_SERVER_ACTIVATION_VALIDITY_MILLIS | 120000 | Default expiration period for activations |
| POWERAUTH_SERVER_CRYPTO_TEMPORARY_ACTIVATION_BLOCK_ENABLED | false | Whether the temporary activation block feature is enabled. Applies to activations using cryptography protocol v4. When enabled, such activations that reach the maximum number of failed attempts are blocked for a limited time and automatically returned to the ACTIVE state. Activations using older protocol versions are blocked permanently regardless of this flag. |
| POWERAUTH_SERVER_CRYPTO_TEMPORARY_ACTIVATION_BLOCK_PERIOD_IN_MILLISECONDS | 300000 | Time period (in milliseconds) for the first temporary activation block. Default 5 minutes. |
| POWERAUTH_SERVER_CRYPTO_TEMPORARY_ACTIVATION_BLOCK_MULTIPLIER | 2 | Multiplier applied to the temporary block period for consecutive blocks. The n-th consecutive block lasts periodInMilliseconds * multiplier^(n-1) ms. |
| POWERAUTH_SERVER_DB_MASTER_ENCRYPTION_ALGORITHM | AEAD_KMAC |
Encryption algorithm for per-record encryption of database records |
| POWERAUTH_SERVER_DB_MASTER_ENCRYPTION_KEY | Master DB encryption key for algorithm AES_HMAC |
|
| POWERAUTH_SERVER_DB_MASTER_ENCRYPTION_AEAD_KMAC_KEY | Master DB encryption key for algorithm AEAD_KMAC |
|
| POWERAUTH_SERVER_SECURE_VAULT_ENABLE_BIOMETRY | false | Whether biometry is enabled in Secure Vault |
| POWERAUTH_SERVER_APPLICATION_NAME | powerauth-server |
|
| POWERAUTH_SERVER_APPLICATION_DISPLAY_NAME | PowerAuth Server |
|
| POWERAUTH_SERVER_APPLICATION_ENVIRONMENT | Application environment exposed in status endpoint | |
| POWERAUTH_SERVER_LOGGING | ||
| POWERAUTH_SERVER_AUTHENTICATION_CODE_MAX_FAILED_ATTEMPTS | 5 | Maximum failed attempts for signature verification |
| POWERAUTH_SERVER_PROXIMITY_CHECK_OTP_LENGTH | 8 | Length of OTP generated for proximity check |
| POWERAUTH_SERVER_PROXIMITY_CHECK_OTP_STEP_DURATION | 30s |
Time-step duration used for generating and validating TOTP for the proximity check |
| POWERAUTH_SERVER_PROXIMITY_CHECK_OTP_STEP_COUNT | 1 | Number of past time-steps used for validating TOTP for the proximity check |
| POWERAUTH_SERVER_CALLBACKS_DEFAULT_MAX_ATTEMPTS | 1 | Default maximum number of dispatch attempts for a callback event |
| POWERAUTH_SERVER_CALLBACKS_DEFAULT_RETENTION_PERIOD | 30d |
Default retention period of a completed callback event before deleting its record from the database table |
| POWERAUTH_SERVER_CALLBACKS_DEFAULT_INITIAL_BACKOFF | 2s |
Default initial backoff after an unsuccessful attempt to dispatch a callback event |
| POWERAUTH_SERVER_CALLBACKS_MAX_BACKOFF | 32s |
The maximum allowable backoff period between successive attempts to dispatch a callback event |
| POWERAUTH_SERVER_CALLBACKS_BACKOFF_MULTIPLIER | 1.5 | The multiplier used to calculate the backoff period |
| POWERAUTH_SERVER_CALLBACKS_PENDING_CALLBACK_URL_EVENTS_DISPATCH_LIMIT | 100 | Maximum number of pending callback events that will be dispatched in a single scheduled job run |
| POWERAUTH_SERVER_CALLBACKS_THREAD_POOL_CORE_SIZE | 1 | Number of core threads in the thread pool used by the executor |
| POWERAUTH_SERVER_CALLBACKS_THREAD_POOL_MAX_SIZE | 2 | Maximum number of threads in the thread pool used by the executor |
| POWERAUTH_SERVER_CALLBACKS_THREAD_POOL_QUEUE_CAPACITY | 1000 | Queue capacity of the thread pool used by the executor |
| POWERAUTH_SERVER_CALLBACKS_FORCE_RERUN_PERIOD | Time period after which a currently processed callback event is considered stale and should be scheduled to rerun | |
| POWERAUTH_SERVER_CALLBACKS_FAILURE_THRESHOLD | 200 | The number of consecutive failures allowed for callback events with the same configuration. If set to -1, unlimited number of failures is allowed |
| POWERAUTH_SERVER_CALLBACKS_FAILURE_RESET_TIMEOUT | 60s |
Time period after which a Callback URL Event will be dispatched, even if failure threshold has been reached |
| POWERAUTH_SERVER_CALLBACKS_CLIENTS_CACHE_REFRESH_AFTER_WRITE | 5m |
Callback REST clients are cached and automatically evicted if updated through the Callback Management API on a single node. Time-based refreshing mechanism is a fallback in clustered environments |
Push Server
| Environment Variable | Default Value | Description |
|---|---|---|
| PUSH_SERVER_POWERAUTH_SERVICE_RESPONSE_TIMEOUT | 60s |
PowerAuth REST API response timeout |
| PUSH_SERVER_POWERAUTH_SERVICE_MAX_IDLE_TIME | 200s |
PowerAuth REST API max idle time |
| PUSH_SERVER_SECURITY_CLIENT_TOKEN | PowerAuth REST API authentication token | |
| PUSH_SERVER_SECURITY_CLIENT_SECRET | PowerAuth REST API authentication secret / password | |
| PUSH_SERVER_ACCEPT_INVALID_SSL_CERTIFICATE | false | Whether to accept invalid SSL certificate. |
| PUSH_SERVER_JPA_CHARSET | utf8 |
|
| PUSH_SERVER_JPA_CHARACTER_ENCODING | utf8 |
|
| PUSH_SERVER_JPA_USE_UNICODE | true | |
| PUSH_SERVER_APNS_DEVELOPMENT | true | Flag indicating that the development instance of APNS service should be used |
| PUSH_SERVER_APNS_PROXY_ENABLED | false | Flag indicating if the communication needs to go through proxy |
| PUSH_SERVER_APNS_PROXY_HOST | 127.0.0.1 |
Proxy host |
| PUSH_SERVER_APNS_PROXY_PORT | 8080 | Proxy port |
| PUSH_SERVER_APNS_PROXY_USERNAME | Proxy username | |
| PUSH_SERVER_APNS_PROXY_PASSWORD | Proxy password | |
| PUSH_SERVER_FCM_PROXY_ENABLED | false | Flag indicating if the communication needs to go through proxy |
| PUSH_SERVER_FCM_PROXY_HOST | 127.0.0.1 |
Proxy host |
| PUSH_SERVER_FCM_PROXY_PORT | 8080 | Proxy port |
| PUSH_SERVER_FCM_PROXY_USERNAME | Proxy username | |
| PUSH_SERVER_FCM_PROXY_PASSWORD | Proxy password | |
| PUSH_SERVER_FCM_DATA_NOTIFICATION_ONLY | false | Flag indicating that FCM service should never use “notification” format, only a data format with extra payload representing the notification |
| PUSH_SERVER_HMS_PROXY_ENABLED | false | Flag indicating if the communication needs to go through proxy |
| PUSH_SERVER_HMS_PROXY_HOST | 127.0.0.1 |
Proxy host |
| PUSH_SERVER_HMS_PROXY_PORT | 8080 | Proxy port |
| PUSH_SERVER_HMS_PROXY_USERNAME | Proxy username | |
| PUSH_SERVER_HMS_PROXY_PASSWORD | Proxy password | |
| PUSH_SERVER_HMS_DATA_NOTIFICATION_ONLY | false | Flag indicating that HMS service should never use “notification” format, only a data format with extra payload representing the notification |
| PUSH_SERVER_DATASOURCE_JNDI_NAME | false | |
| PUSH_SERVER_CAMPAIGN_BATCH_SIZE | 100000 | |
| PUSH_SERVER_MESSAGE_STORAGE_ENABLED | false | Whether persistent storing of sent messages is enabled |
| PUSH_SERVER_REGISTRATION_MULTIPLE_ACTIVATIONS_ENABLED | false | Whether push registration supports “associated activations” |
| PUSH_SERVER_SPRING_BATCH_JOB_ENABLED | false | |
| PUSH_SERVER_SPRING_JMX_ENABLED | false | |
| PUSH_SERVER_SPRING_JMX_DEFAULT_DOMAIN | powerauth-push-server |
|
| PUSH_SERVER_FCM_CONNECT_TIMEOUT | 5000 | Push message gateway connect timeout in milliseconds |
| PUSH_SERVER_APNS_CONNECT_TIMEOUT | 5000 | Push message gateway connect timeout in milliseconds |
| PUSH_SERVER_HMS_CONNECT_TIMEOUT | 5000 | Push message gateway connect timeout in milliseconds |
| PUSH_SERVER_APPLICATION_NAME | powerauth-push-server |
|
| PUSH_SERVER_APPLICATION_DISPLAY_NAME | PowerAuth Push Server |
|
| PUSH_SERVER_APPLICATION_ENVIRONMENT | Environment identifier | |
| PUSH_SERVER_LOGGING |
PowerAuth Cloud
| Environment Variable | Default Value | Description |
|---|---|---|
| POWERAUTH_CLOUD_POWERAUTH_SERVICE_SECURITY_CLIENT_SECRET | PowerAuth REST API authentication secret / password | |
| POWERAUTH_CLOUD_POWERAUTH_SERVICE_SECURITY_CLIENT_TOKEN | PowerAuth REST API authentication token | |
| POWERAUTH_CLOUD_POWERAUTH_SERVICE_RESPONSE_TIMEOUT | 60s |
PowerAuth REST API response timeout |
| POWERAUTH_CLOUD_POWERAUTH_SERVICE_MAX_IDLE_TIME | 200s |
PowerAuth REST API max idle time |
| POWERAUTH_CLOUD_FIDO2_SERVICE_SECURITY_CLIENT_SECRET | PowerAuth FIDO2 API authentication secret / password | |
| POWERAUTH_CLOUD_FIDO2_SERVICE_SECURITY_CLIENT_TOKEN | PowerAuth FIDO2 API authentication token | |
| POWERAUTH_CLOUD_FIDO2_SERVICE_RESPONSE_TIMEOUT | 60s |
PowerAuth FIDO2 API response timeout |
| POWERAUTH_CLOUD_FIDO2_SERVICE_MAX_IDLE_TIME | 200s |
PowerAuth FIDO2 API max idle time |
| POWERAUTH_CLOUD_PUSH_SERVER_RESPONSE_TIMEOUT | 60s |
Push Server API response timeout |
| POWERAUTH_CLOUD_PUSH_SERVER_MAX_IDLE_TIME | 200s |
Push Server API max idle time |
| POWERAUTH_CLOUD_DATASOURCE_JNDI_NAME | false | |
| POWERAUTH_CLOUD_DATASOURCE_URL | jdbc:postgresql://host.docker.internal:5432/powerauth |
|
| POWERAUTH_CLOUD_DATASOURCE_USERNAME | $USERNAME$ |
|
| POWERAUTH_CLOUD_DATASOURCE_PASSWORD | $PASSWORD$ |
|
| POWERAUTH_CLOUD_JPA_CHARSET | utf8 |
|
| POWERAUTH_CLOUD_JPA_CHARACTER_ENCODING | utf8 |
|
| POWERAUTH_CLOUD_JPA_USE_UNICODE | true | |
| POWERAUTH_CLOUD_JPA_LOCK_TIMEOUT | 10000 | Database lock timeout configuration |
| POWERAUTH_CLOUD_LOGGING | ||
| POWERAUTH_CLOUD_SECURITY_AUTH_TYPE | BASIC_HTTP |
BASIC_HTTP for basic HTTP authentication or OIDC for OpenID Connect. If OIDC is enabled, the properties below must be configured. |
| POWERAUTH_CLOUD_SECURITY_AUTH_OIDC_ROLES_CLAIM | A name of the claim in the JWT that contains the user roles. | |
| POWERAUTH_CLOUD_SECURITY_AUTH_OIDC_ISSUER_URI | URL of the provider, e.g. https://sts.windows.net/example/ |
|
| POWERAUTH_CLOUD_SECURITY_AUTH_OIDC_AUDIENCES | A comma-separated list of allowed aud JWT claim values to be validated. |
|
| POWERAUTH_CLOUD_DEVICEINFOTRANSLATION_BATCHSIZE | 100 | Batch size to use when querying the DB to translate the device info |
| POWERAUTH_CLOUD_DEVICEINFOTRANSLATION_DATALOAD_CRON | 0 0 1 * * * |
Cron expression for the device info mapping data load job (use - to turn it off completely) |
| POWERAUTH_CLOUD_DEVICEINFOTRANSLATION_DATALOAD_BATCHSIZE | 100 | Batch size to use when loading device info mapping data to the database |
| POWERAUTH_CLOUD_DEVICEINFOTRANSLATION_DATALOAD_SOURCE_ANDROID_LOCATION | /opt/device-info-mapping/android.csv |
Source Android device info mapping file location (set to empty value to not load Android data) |
| POWERAUTH_CLOUD_DEVICEINFOTRANSLATION_DATALOAD_SOURCE_ANDROID_ENCODING | UTF-16LE |
Source Android device info mapping file encoding |
| POWERAUTH_CLOUD_DEVICEINFOTRANSLATION_DATALOAD_SOURCE_IOS_LOCATION | /opt/device-info-mapping/ios.txt |
Source iOS device info mapping file location (set to empty value to not load iOS data) |
| POWERAUTH_CLOUD_DEVICEINFOTRANSLATION_DATALOAD_SOURCE_IOS_ENCODING | UTF-8 |
Source iOS device info mapping file encoding |
Enrollment Server
| Environment Variable | Default Value | Description |
|---|---|---|
| ENROLLMENT_SERVER_POWERAUTH_SERVICE_RESPONSE_TIMEOUT | 60s |
PowerAuth REST API response timeout |
| ENROLLMENT_SERVER_POWERAUTH_SERVICE_MAX_IDLE_TIME | 200s |
PowerAuth REST API max idle time |
| ENROLLMENT_SERVER_POWERAUTH_SERVICE_SECURITY_CLIENT_SECRET | PowerAuth REST API authentication secret / password | |
| ENROLLMENT_SERVER_POWERAUTH_SERVICE_SECURITY_CLIENT_TOKEN | PowerAuth REST API authentication token | |
| ENROLLMENT_SERVER_PUSH_SERVER_RESPONSE_TIMEOUT | 60s |
Push Server response timeout |
| ENROLLMENT_SERVER_PUSH_SERVER_MAX_IDLE_TIME | 200s |
Push Server max idle time |
| ENROLLMENT_SERVER_MTOKEN_ENABLED | true | Publishing of Mobile Token endpoints can be enabled or disabled using this property |
| ENROLLMENT_SERVER_ACTIVATION_SPAWN_ENABLED | false | The activation spawn functionality can be enabled or disabled using this property |
| ENROLLMENT_SERVER_DATASOURCE_JNDI_NAME | false | |
| ENROLLMENT_SERVER_ADMIN_ENABLED | true | The admin API can be enabled or disabled using this property |
| ENROLLMENT_SERVER_ACTIVATION_REMOVE_ALLOW_1FA | false | Whether single-factor authentication using POSSESSION factor is permitted for the activation removal endpoint |
| ENROLLMENT_SERVER_JPA_CHARSET | utf8 |
|
| ENROLLMENT_SERVER_JPA_CHARACTER_ENCODING | utf8 |
|
| ENROLLMENT_SERVER_JPA_USE_UNICODE | true | |
| ENROLLMENT_SERVER_JPA_LOCK_TIMEOUT | 10000 | Database lock timeout configuration |
| ENROLLMENT_SERVER_USER_INFO_PROVIDER | Whether to register minimal claims provider (value MINIMAL) or REST provider (value REST) |
|
| ENROLLMENT_SERVER_USER_INFO_REST_URL | Base URL of user-info storage. Must be specified if the provider is type of REST |
|
| ENROLLMENT_SERVER_USER_INFO_REST_BASIC_ENABLED | false | Whether Basic authentication enabled |
| ENROLLMENT_SERVER_USER_INFO_REST_BASIC_USERNAME | Basic authentication username | |
| ENROLLMENT_SERVER_USER_INFO_REST_BASIC_PASSWORD | Basic authentication password | |
| ENROLLMENT_SERVER_LOGGING | ||
| ENROLLMENT_SERVER_FLAG_REPORTING | false | Enable sharing the flags in the public API |
Please note that under normal circumstanced you are supposed to define only:
POWERAUTH_CLOUD_DATASOURCE_URL=jdbc:postgresql://host.docker.internal:5432/powerauth
POWERAUTH_CLOUD_DATASOURCE_USERNAME=$USERNAME$
POWERAUTH_CLOUD_DATASOURCE_PASSWORD=$PASSWORD$
Consult support if you have some specific request.
Last updated on Jun 11, 2026 (03:49)
View product