Admin Console Configuration Properties

Gateway Configuration Properties

The configuration properties used by the Admin Console Gateway are listed below.

General configuration

| Property | Corresponding environment variable | Default | Description |
|---|---|---|---|
| `powerauth.cloud.admin-console-gateway.powerauth.cloud.service.url` | `POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_POWERAUTH_CLOUD_SERVICE_URL` | _empty_ | URL of the PowerAuth Cloud service (mandatory) |
| `powerauth.cloud.admin-console-gateway.jwt.external-user-id-claim` | `POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_JWT_EXTERNALUSERIDCLAIM` | `unique_name` | Claim in the received JWT from which the external user ID is read (if the configured claim is not present in the JWT, the `sub` claim is used instead) |

Upstream Security Configuration

| Property | Corresponding environment variable | Default | Description |
|---|---|---|---|
| `powerauth.cloud.admin-console-gateway.security.auth.oidc.roles-claim-expression` | `POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_SECURITY_AUTH_OIDC_ROLESCLAIMEXPRESSION` | `[roles]` | SpEL expression selecting the claim in the received JWT from which the authenticated user's roles are read (for nested claims, use `[topLevel][nested]`) |
| `powerauth.cloud.admin-console-gateway.jwt.issuer-uri` | `POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_JWT_ISSUERURI` | _empty_ | Authorization server issuer URI used to discover the data needed for incoming JWT verification (the public keys); the value is also used to verify the `iss` claim. Either this property or the following one must be defined (both may be set) |
| `spring.security.oauth2.resourceserver.jwt.jwk-set-uri` | `SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWKSETURI` | _empty_ | Authorization server JWK Set URI, specifying the public key URI directly (if this property is set, the previous property, when defined, is used only for `iss` claim verification) |
| `powerauth.cloud.admin-console-gateway.jwt.audiences` | `POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_JWT_AUDIENCES` | _empty_ | Required `aud` claim value of the incoming JWT (if not defined, the `aud` claim is not verified) |
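The table above describes a verification policy rather than code. The following is an added example, not the Gateway's own implementation, that models those rules on a JWT payload whose signature has already been checked against the issuer's JWKS: the `iss` claim must equal the configured issuer URI, the `aud` claim must contain the configured audience when one is set, roles are read through a `[topLevel][nested]` path, and the external user ID comes from the configured claim with `sub` as the fallback. Only the bracketed key-path subset of SpEL is modelled (an assumption), and the sample payload and `UpstreamJwtConfig` type are constructed here.

```python
import re
from dataclasses import dataclass, field
from typing import Any, List, Optional


@dataclass
class UpstreamJwtConfig:
    """Upstream properties from the table above, with the page's defaults (constructed type)."""
    issuer_uri: Optional[str] = None              # ...jwt.issuer-uri
    audiences: Optional[str] = None               # ...jwt.audiences (None: aud is not verified)
    roles_claim_expression: str = "[roles]"       # ...security.auth.oidc.roles-claim-expression
    external_user_id_claim: str = "unique_name"   # ...jwt.external-user-id-claim


@dataclass
class Principal:
    external_user_id: str
    roles: List[str] = field(default_factory=list)


def claim_path(expression: str) -> List[str]:
    """Turn '[topLevel][nested]' into ['topLevel', 'nested'].
    Assumption: only this bracketed key-path subset of SpEL is supported here."""
    keys = re.findall(r"\[([^\[\]]+)\]", expression)
    if not keys or "".join(f"[{k}]" for k in keys) != expression:
        raise ValueError(f"unsupported roles claim expression: {expression!r}")
    return keys


def lookup(payload: dict, keys: List[str]) -> Any:
    """Walk nested dictionaries; None when any key on the path is missing."""
    node: Any = payload
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def authenticate(payload: dict, cfg: UpstreamJwtConfig) -> Principal:
    """Apply the iss / aud / roles / user-id rules to an already signature-verified payload."""
    if cfg.issuer_uri is not None and payload.get("iss") != cfg.issuer_uri:
        raise PermissionError("iss claim does not match the configured issuer URI")
    if cfg.audiences is not None:
        aud = payload.get("aud")
        aud_values = aud if isinstance(aud, list) else [aud]
        if cfg.audiences not in aud_values:
            raise PermissionError("aud claim does not contain the required audience")
    roles = lookup(payload, claim_path(cfg.roles_claim_expression))
    if roles is None:
        roles = []
    elif isinstance(roles, str):
        roles = [roles]
    # configured claim first; sub only when the configured claim is absent from the token
    if cfg.external_user_id_claim in payload:
        user_id = payload[cfg.external_user_id_claim]
    else:
        user_id = payload.get("sub")
    if not user_id:
        raise PermissionError("neither the configured user id claim nor sub is present")
    return Principal(external_user_id=str(user_id), roles=[str(r) for r in roles])


# Constructed sample payload (not a real token), with roles nested the way some IdPs issue them
SAMPLE_PAYLOAD = {
    "iss": "https://idp.example.test/",
    "aud": ["admin-console-api", "other-api"],
    "sub": "user-1f3c",
    "unique_name": "alice@example.test",
    "realm_access": {"roles": ["ADMIN", "AUDITOR"]},
}

SAMPLE_CONFIG = UpstreamJwtConfig(
    issuer_uri="https://idp.example.test/",
    audiences="admin-console-api",
    roles_claim_expression="[realm_access][roles]",
)

if __name__ == "__main__":
    print(authenticate(SAMPLE_PAYLOAD, SAMPLE_CONFIG))
```

With the default configuration (`[roles]`, no audience) the same payload yields no roles at all, which is the usual symptom of a roles claim expression that does not match the IdP's token layout.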

Downstream Security Configuration

| Property | Corresponding environment variable | Default | Description |
|---|---|---|---|
| `powerauth.cloud.admin-console-gateway.security.downstream.auth.type` | `POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_SECURITY_DOWNSTREAM_AUTH_TYPE` | `BASIC_HTTP` | Authentication type used for downstream requests to the PowerAuth Cloud service (possible values are `BASIC_HTTP`, `OIDC` and `NONE`) |
| `powerauth.cloud.admin-console-gateway.security.downstream.auth.basic.username` | `POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_SECURITY_DOWNSTREAM_AUTH_BASIC_USERNAME` | _empty_ | Username used for downstream Basic HTTP authentication (mandatory if the downstream authentication type is `BASIC_HTTP`) |
| `powerauth.cloud.admin-console-gateway.security.downstream.auth.basic.password` | `POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_SECURITY_DOWNSTREAM_AUTH_BASIC_PASSWORD` | _empty_ | Password used for downstream Basic HTTP authentication (mandatory if the downstream authentication type is `BASIC_HTTP`) |
| `powerauth.cloud.admin-console-gateway.security.downstream.auth.oidc.client-id` | `POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_SECURITY_DOWNSTREAM_AUTH_OIDC_CLIENTID` | _empty_ | Client ID used to authenticate the Gateway against an authorization server using the client credentials flow (mandatory if the downstream authentication type is `OIDC`) |
| `powerauth.cloud.admin-console-gateway.security.downstream.auth.oidc.client-secret` | `POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_SECURITY_DOWNSTREAM_AUTH_OIDC_CLIENTSECRET` | _empty_ | Client secret used to authenticate the Gateway against an authorization server using the client credentials flow (mandatory if the downstream authentication type is `OIDC`) |
| `powerauth.cloud.admin-console-gateway.security.downstream.auth.oidc.token-uri` | `POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_SECURITY_DOWNSTREAM_AUTH_OIDC_TOKENURI` | _empty_ | Authorization server token endpoint from which tokens for downstream authentication are retrieved (mandatory if the downstream authentication type is `OIDC`) |
| `powerauth.cloud.admin-console-gateway.security.downstream.auth.oidc.scope` | `POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_SECURITY_DOWNSTREAM_AUTH_OIDC_SCOPE` | _empty_ | Scopes (comma-separated list) included in the request to the authorization server token endpoint (the scopes requested for the access token) |
| `powerauth.cloud.admin-console-gateway.security.downstream.auth.oidc.client-authentication-method` | `POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_SECURITY_DOWNSTREAM_AUTH_OIDC_CLIENTAUTHENTICATIONMETHOD` | _empty_ | Method used to authenticate the client with the authorization server (if not specified, `client_secret_basic` is used; see the OpenID Connect specification for all options) |
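To make the downstream settings concrete, here is an added example (not the Gateway's code) that builds the two requests the table implies: the client credentials token request, with the client secret carried in the `Authorization` header for `client_secret_basic` or in the form body for `client_secret_post`, and the `Authorization` header attached to the downstream call for each of `BASIC_HTTP`, `OIDC` and `NONE`. Joining the comma-separated scope list into the space-delimited `scope` parameter is an assumption about how the list is sent, and the token URI, client ID and secret are constructed values. Nothing is sent over the network; the functions return the request pieces so they can be inspected.

```python
import base64
from typing import Dict, Optional, Tuple
from urllib.parse import quote, urlencode


def basic_auth_header(username: str, password: str) -> str:
    """RFC 7617 Basic credentials for the downstream BASIC_HTTP call."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def client_credentials_request(
    token_uri: str,
    client_id: str,
    client_secret: str,
    scope: str = "",
    method: str = "client_secret_basic",
) -> Tuple[str, Dict[str, str], str]:
    """Return (url, headers, body) of the token request for the client credentials flow.
    The comma-separated scope list (as configured) becomes a space-delimited scope
    parameter (assumption about the Gateway's encoding)."""
    form = {"grant_type": "client_credentials"}
    scopes = [s.strip() for s in scope.split(",") if s.strip()]
    if scopes:
        form["scope"] = " ".join(scopes)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-encode id and secret before Basic-encoding them
        headers["Authorization"] = basic_auth_header(
            quote(client_id, safe=""), quote(client_secret, safe="")
        )
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return token_uri, headers, urlencode(form)


def downstream_headers(
    auth_type: str,
    username: Optional[str] = None,
    password: Optional[str] = None,
    access_token: Optional[str] = None,
) -> Dict[str, str]:
    """Authorization header for the call to the PowerAuth Cloud service, per auth type."""
    if auth_type == "BASIC_HTTP":
        if not username or not password:
            raise ValueError("BASIC_HTTP requires basic.username and basic.password")
        return {"Authorization": basic_auth_header(username, password)}
    if auth_type == "OIDC":
        if not access_token:
            raise ValueError("OIDC requires an access token obtained from token-uri")
        return {"Authorization": f"Bearer {access_token}"}
    if auth_type == "NONE":
        return {}
    raise ValueError(f"unknown downstream auth type: {auth_type}")


if __name__ == "__main__":
    # constructed values, not real credentials
    url, headers, body = client_credentials_request(
        "https://idp.example.test/oauth2/token", "admin-gateway", "s3cret", "pa:admin, pa:read"
    )
    print(url, headers, body)
    print(downstream_headers("OIDC", access_token="<token from the response above>"))
```

The `client_secret_post` variant places the secret in the request body, so it ends up in any component that logs request bodies; with the default `client_secret_basic` the secret travels only in the `Authorization` header.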

Monitoring and Observability

| Property | Corresponding environment variable | Default | Note |
|---|---|---|---|
| `powerauth.cloud.admin-console-gateway.logging` | `POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_LOGGING` | _empty_ | Reference to the logging configuration to load |

Console SPA Configuration Properties

| Environment variable | Default | Note |
|---|---|---|
| `API_URL` | _empty_ | URL of the Admin Console Gateway (mandatory) |
| `OAUTH_ENABLED` | `false` | OAuth2 authentication enabled (mandatory) |
| `OAUTH_CLIENT_ID` | _empty_ | OAuth2 client ID |
| `OAUTH_SCOPE` | _empty_ | OAuth2 scope |
| `OAUTH_AUTHORIZE_URL` | _empty_ | OAuth2 authorization URL |
| `OAUTH_AUTHORIZE_REDIRECT_URL` | _empty_ | OAuth2 authorization redirect URL |
| `OAUTH_TOKEN_URL` | _empty_ | OAuth2 token URL |
| `OAUTH_TOKEN_REDIRECT_URL` | _empty_ | OAuth2 token redirect URL |

PKCE requirement:

  • The Admin Console SPA is a public client and uses the OAuth 2.1 Authorization Code flow with PKCE (S256). Do not use the implicit flow and do not configure a client secret for the SPA. The token endpoint must accept a code_verifier without client authentication for this SPA client.
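The PKCE requirement above is easiest to check against a worked exchange. The example below is added here and is not the SPA's code: it derives the S256 `code_challenge` from a `code_verifier` exactly as RFC 7636 specifies, builds the authorization request the SPA sends to `OAUTH_AUTHORIZE_URL` (no client secret anywhere), and shows the check the token endpoint must perform when the SPA later presents the `code_verifier` without client authentication. The client ID and redirect URI are constructed values; the verifier/challenge pair used in the test is the published RFC 7636 Appendix B vector.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43..128 characters from the unreserved set
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

# Known test vector from RFC 7636 Appendix B (not constructed here)
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """64 random bytes become 86 URL-safe characters, inside the 43..128 range."""
    return secrets.token_urlsafe(64)


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_request(client_id: str, redirect_uri: str, scope: str, verifier: str) -> dict:
    """Query parameters the SPA sends to the authorization endpoint; no client secret."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": secrets.token_urlsafe(16),
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def token_endpoint_accepts(stored: dict, token_request: dict) -> bool:
    """Check the token endpoint performs for this public client: the presented
    code_verifier must hash to the challenge stored with the authorization code.
    Only S256 is accepted; the 'plain' method is refused."""
    if stored.get("code_challenge_method") != "S256":
        return False
    verifier = token_request.get("code_verifier", "")
    if not VERIFIER_RE.fullmatch(verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(verifier), stored["code_challenge"])


if __name__ == "__main__":
    verifier = new_code_verifier()
    # constructed client id and redirect URI
    params = authorization_request("admin-console-spa", "https://console.example.test/", "openid", verifier)
    # the authorization server keeps challenge and method alongside the issued code
    stored = {"code_challenge": params["code_challenge"],
              "code_challenge_method": params["code_challenge_method"]}
    print(token_endpoint_accepts(stored, {"grant_type": "authorization_code",
                                          "code_verifier": verifier}))
```

If the IdP's token endpoint rejects such a request because no client secret is present, the SPA client is registered as a confidential client and needs to be re-registered as a public one, as the Azure Entra ID note below describes.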

OAuth/OIDC settings for the Admin Console SPA must align with the Admin Console Gateway verification settings:

  • The issuer that provides tokens to the SPA must match the Gateway issuer (POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_JWT_ISSUERURI).
  • If the Gateway verifies audiences (POWERAUTH_CLOUD_ADMINCONSOLEGATEWAY_JWT_AUDIENCES), ensure the SPA obtains tokens with an aud claim that matches this value. Configure your IdP so the SPA requests tokens for the same resource/API audience expected by the Gateway.
  • Make sure the IdP JWKS is discoverable by the Gateway (via issuer discovery or SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWKSETURI).
  • Redirect URLs (OAUTH_AUTHORIZE_REDIRECT_URL, OAUTH_TOKEN_REDIRECT_URL) must be set to the public URL where the SPA is served and registered in the IdP.

Azure Entra ID specifics:

  • Use the “Single-page application (SPA)” platform for redirect URIs in the SPA app registration (enables Authorization Code with PKCE; no client secret).
  • Do not enable the legacy implicit grant.

For more details, see Gateway Configuration Properties.

Last updated on Jan 08, 2026 (08:21)