Admin Console Configuration Properties

Gateway Configuration Properties

The configuration properties used by the Admin Console Gateway are listed below.

Any configuration property can be overridden with an environment variable. To override the property prop.some-key, define the environment variable PROP_SOME_KEY. The rules are:

  • All letters must be converted to uppercase.
  • Dots (.) and hyphens (-) must be replaced with underscores (_).

General configuration

Property / Corresponding environment variable / Default / Description

powerauth.cloud.admin-console-gateway.powerauth.cloud.service.url
POWERAUTH_CLOUD_ADMIN_CONSOLE_GATEWAY_POWERAUTH_CLOUD_SERVICE_URL
Default: _empty_
Description: URL of the PowerAuth Cloud service (mandatory)

powerauth.cloud.admin-console-gateway.jwt.external-user-id-claim
POWERAUTH_CLOUD_ADMIN_CONSOLE_GATEWAY_JWT_EXTERNAL_USER_ID_CLAIM
Default: unique_name
Description: Claim in the received JWT to retrieve the external user id from (if the configured claim is not present in the JWT, the sub claim is used by default)

Upstream Security Configuration

Property / Corresponding environment variable / Default / Description

powerauth.cloud.admin-console-gateway.security.auth.oidc.roles-claim-expression
POWERAUTH_CLOUD_ADMIN_CONSOLE_GATEWAY_SECURITY_AUTH_OIDC_ROLES_CLAIM_EXPRESSION
Default: [roles]
Description: SpEL expression used to match the claim in the received JWT from which the authenticated user's roles are read (for nested claims, use [topLevel][nested])

powerauth.cloud.admin-console-gateway.jwt.issuer-uri
POWERAUTH_CLOUD_ADMIN_CONSOLE_GATEWAY_JWT_ISSUER_URI
Default: _empty_
Description: Authorization Server URI used to obtain all data needed for incoming JWT verification (public key discovery); the value is also used for iss claim verification. At least one of this property and the following one must be defined; defining both is also valid.

spring.security.oauth2.resourceserver.jwt.jwk-set-uri
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI
Default: _empty_
Description: Authorization Server JWK Set URI that specifies the public keys URI directly (if this property is set, the previous property, when defined, is used only for iss claim verification)

powerauth.cloud.admin-console-gateway.jwt.audiences
POWERAUTH_CLOUD_ADMIN_CONSOLE_GATEWAY_JWT_AUDIENCES
Default: _empty_
Description: Required aud claim value of the incoming JWT (if not defined, the aud claim is not verified)

Downstream Security Configuration

Property / Corresponding environment variable / Default / Description

powerauth.cloud.admin-console-gateway.security.downstream.auth.type
POWERAUTH_CLOUD_ADMIN_CONSOLE_GATEWAY_SECURITY_DOWNSTREAM_AUTH_TYPE
Default: BASIC_HTTP
Description: Authentication type to be used with downstream requests to the PowerAuth Cloud service (possible values are BASIC_HTTP and NONE)

powerauth.cloud.admin-console-gateway.security.downstream.auth.basic.username
POWERAUTH_CLOUD_ADMIN_CONSOLE_GATEWAY_SECURITY_DOWNSTREAM_AUTH_BASIC_USERNAME
Default: _empty_
Description: Username to be used with downstream Basic HTTP authentication (mandatory if the downstream authentication type is BASIC_HTTP)

powerauth.cloud.admin-console-gateway.security.downstream.auth.basic.password
POWERAUTH_CLOUD_ADMIN_CONSOLE_GATEWAY_SECURITY_DOWNSTREAM_AUTH_BASIC_PASSWORD
Default: _empty_
Description: Password to be used with downstream Basic HTTP authentication (mandatory if the downstream authentication type is BASIC_HTTP)

Monitoring and Observability

Property / Corresponding environment variable / Default / Note

powerauth.cloud.admin-console-gateway.logging
POWERAUTH_CLOUD_ADMIN_CONSOLE_GATEWAY_LOGGING
Default: _empty_
Note: Reference to the logging configuration to load

Console SPA Configuration Properties

Environment Variable          Default  Note
API_URL                       _empty_  URL of the Admin Console Gateway (mandatory)
OAUTH_ENABLED                 false    OAuth2 authentication enabled (mandatory)
OAUTH_CLIENT_ID               _empty_  OAuth2 client ID
OAUTH_SCOPE                   _empty_  OAuth2 scope
OAUTH_AUTHORIZE_URL           _empty_  OAuth2 authorization URL
OAUTH_AUTHORIZE_REDIRECT_URL  _empty_  OAuth2 authorization redirect URL
OAUTH_TOKEN_URL               _empty_  OAuth2 token URL
OAUTH_TOKEN_REDIRECT_URL      _empty_  OAuth2 token redirect URL

PKCE requirement:

  • The Admin Console SPA is a public client and uses the OAuth 2.1 Authorization Code flow with PKCE (S256). Do not use the implicit flow and do not configure a client secret for the SPA. The token endpoint must accept a code_verifier without client authentication for this SPA client.
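As an added illustration of the PKCE requirement above (example code, not the Admin Console SPA's own implementation), the S256 challenge derivation from RFC 7636 and a check of a constructed token-endpoint request body against the stated constraints (authorization code grant, code_verifier present, no client secret):

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> tuple:
    """Fresh verifier (32 random bytes, base64url encoded: 43 unreserved characters) and its challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)

def challenge_matches(verifier: str, challenge: str) -> bool:
    """What the token endpoint checks when the code is redeemed (constant-time compare)."""
    return hmac.compare_digest(s256_challenge(verifier), challenge)

def token_request_problems(form_body: str) -> list:
    """Check a constructed code-exchange body against the page's SPA requirement:
    public client, authorization code grant, code_verifier present, no client secret."""
    form = {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}
    problems = []
    if form.get("grant_type") != "authorization_code":
        problems.append("grant_type must be authorization_code (implicit flow is not allowed)")
    if not form.get("code_verifier"):
        problems.append("code_verifier missing: PKCE is required for the SPA")
    if "client_secret" in form:
        problems.append("client_secret present: the SPA is a public client and must not hold one")
    return problems
```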

OAuth/OIDC settings for the Admin Console SPA must align with the Admin Console Gateway verification settings:

  • The issuer that provides tokens to the SPA must match the Gateway issuer (POWERAUTH_CLOUD_ADMIN_CONSOLE_GATEWAY_JWT_ISSUER_URI).
  • If the Gateway verifies audiences (POWERAUTH_CLOUD_ADMIN_CONSOLE_GATEWAY_JWT_AUDIENCES), ensure the SPA obtains tokens with an aud claim that matches this value. Configure your IdP so the SPA requests tokens for the same resource/API audience expected by the Gateway.
  • Make sure the IdP JWKS is discoverable by the Gateway (via issuer discovery or SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI).
  • Redirect URLs (OAUTH_AUTHORIZE_REDIRECT_URL, OAUTH_TOKEN_REDIRECT_URL) must be set to the public URL where the SPA is served and registered in the IdP.
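To tie the override rules, the JWT properties and the alignment checklist together, here is an added Python example (not part of the Gateway; the environment values, realm and audience are constructed placeholders, the JWT payloads are constructed, and the claim path resolver handles only the [a][b] bracket form the page documents, not full SpEL):

```python
import re

# Constructed Gateway environment: variable names are the page's, values are placeholders.
GATEWAY_ENV = {
    "POWERAUTH_CLOUD_ADMIN_CONSOLE_GATEWAY_JWT_ISSUER_URI": "https://idp.example.test/realms/admin",
    "POWERAUTH_CLOUD_ADMIN_CONSOLE_GATEWAY_JWT_AUDIENCES": "admin-console-api",
    "POWERAUTH_CLOUD_ADMIN_CONSOLE_GATEWAY_JWT_EXTERNAL_USER_ID_CLAIM": "unique_name",
    "POWERAUTH_CLOUD_ADMIN_CONSOLE_GATEWAY_SECURITY_AUTH_OIDC_ROLES_CLAIM_EXPRESSION": "[realm_access][roles]",
}

def to_env_var(prop: str) -> str:
    """The page's override rules: uppercase, dots and hyphens become underscores."""
    return prop.upper().replace(".", "_").replace("-", "_")

def env_for(prop: str, env: dict = GATEWAY_ENV):
    return env.get(to_env_var(prop))  # read a property the way an operator overrides it

def resolve_claim_expression(expr: str, claims: dict):
    """Walk a bracket path such as [roles] or [topLevel][nested] through a decoded JWT
    payload. Only this bracket form is handled here, not general SpEL."""
    keys = re.findall(r"\[([^\[\]]+)\]", expr)
    if not keys or "".join(f"[{k}]" for k in keys) != expr:
        raise ValueError(f"unsupported roles claim expression: {expr}")
    node = claims
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def external_user_id(claims: dict, env: dict = GATEWAY_ENV):
    """Configured claim first, falling back to sub when it is absent, as the page states."""
    claim = env_for("powerauth.cloud.admin-console-gateway.jwt.external-user-id-claim", env) or "unique_name"
    return claims.get(claim, claims.get("sub"))

def check_token_alignment(claims: dict, env: dict = GATEWAY_ENV) -> list:
    """Reasons the Gateway would reject this payload; an empty list means SPA and Gateway agree."""
    problems = []
    issuer = env_for("powerauth.cloud.admin-console-gateway.jwt.issuer-uri", env)
    if issuer and claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} does not match issuer-uri {issuer!r}")
    audience = env_for("powerauth.cloud.admin-console-gateway.jwt.audiences", env)
    if audience:  # aud is only verified when the property is defined
        aud = claims.get("aud")
        aud = aud if isinstance(aud, list) else [aud]
        if audience not in aud:
            problems.append(f"aud {aud!r} does not contain the required audience {audience!r}")
    expr = env_for("powerauth.cloud.admin-console-gateway.security.auth.oidc.roles-claim-expression", env) or "[roles]"
    if not resolve_claim_expression(expr, claims):
        problems.append(f"roles claim expression {expr} resolved to no roles")
    return problems
```

Running the check against a decoded token from your IdP before wiring up the SPA surfaces issuer, audience and roles-claim mismatches without a round trip through the Gateway.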

Azure Entra ID specifics:

  • Use the “Single-page application (SPA)” platform for redirect URIs in the SPA app registration (enables Authorization Code with PKCE; no client secret).
  • Do not enable the legacy implicit grant.

For more details, see Gateway Configuration Properties.

Last updated on Dec 18, 2025 (08:29)