# Ory Kratos configuration (schema version v1.1.0).
# Every `env://NAME` value is a Kratos reference resolved from the environment at
# load time, so no credential or secret is written into this file.
version: v1.1.0
dsn: env://DSN

serve:
  public:
    base_url: https://auth.example.com
    # NOTE(review): 6000 is on Chromium's restricted-port list (X11); harmless if
    # browsers only ever reach this API through the proxy in front of it — confirm.
    port: 6000
    cors:
      # CORS headers are emitted by the Oathkeeper proxy in front of Kratos;
      # enabling them here as well would produce duplicate headers.
      enabled: false
  admin:
    # The admin API carries no authentication of its own. It is bound to
    # loopback here; it must never be reachable from a public interface.
    base_url: http://localhost:6050
    port: 6050

selfservice:
  default_browser_return_url: https://account.example.com
  # Allowlist for `return_to` after self-service flows. Anything not listed is
  # rejected, so this list is the open-redirect guard for the whole login stack.
  # NOTE(review): the localhost / local.example.com entries look like dev-only
  # origins; this file appears to be shared between dev and production
  # (base_url above is the production host) — strip them from the production
  # deployment, or split the config, so the production allowlist stays minimal.
  allowed_return_urls:
    - https://account.example.com
    - https://auth.example.com
    - https://app.example.com
    - https://admin.example.com
    - http://localhost:5000
    - http://localhost:5173
    - https://local.example.com:5173
    - http://localhost:7000
  methods:
    password:
      enabled: true
      config:
        # Reject passwords found in the HIBP breach corpus (k-anonymity lookup).
        haveibeenpwned_enabled: true
        min_password_length: 8
        # Reject passwords that closely resemble the identifier (e-mail/username).
        identifier_similarity_check_enabled: true
    totp:
      enabled: true
      config:
        issuer: Example App
    webauthn:
      enabled: true
      config:
        rp:
          display_name: Example App
          id: example.com
          # Origins Kratos accepts in the authenticator response. Kept in sync
          # manually with allowed_return_urls above.
          # NOTE(review): browsers only create/assert a credential when the RP ID
          # is a registrable suffix of the origin's domain, so with id=example.com
          # the http://localhost:* entries should be unusable in practice — confirm
          # they are needed, otherwise drop them.
          origins:
            - https://account.example.com
            - https://auth.example.com
            - https://app.example.com
            - https://admin.example.com
            - http://localhost:5000
            - http://localhost:5173
            - https://local.example.com:5173
            - http://localhost:7000
    # Magic-link and one-time-code delivery for recovery/verification (see flows).
    link:
      enabled: true
    code:
      enabled: true
  flows:
    error:
      ui_url: https://account.example.com/error
    settings:
      ui_url: https://account.example.com/settings
      # Credential changes (password, MFA) require a session younger than this;
      # older sessions are sent back through login first.
      privileged_session_max_age: 15m
      # Settings require the strongest assurance level the identity can reach,
      # i.e. a user with TOTP/WebAuthn enrolled must have completed it.
      required_aal: highest_available
    recovery:
      enabled: true
      ui_url: https://account.example.com/recovery
      use: code
      # NOTE(review): a recovery code is effectively a password-reset credential;
      # 4h is a generous validity window — consider shortening it.
      lifespan: 4h
      after:
        # Land on settings after recovery so the user sets a new credential.
        default_browser_return_url: https://account.example.com/settings
    verification:
      enabled: true
      ui_url: https://account.example.com/verification
      use: code
      lifespan: 24h
      after:
        default_browser_return_url: https://account.example.com/
    logout:
      after:
        default_browser_return_url: https://account.example.com/login
    login:
      ui_url: https://account.example.com/login
      lifespan: 10m
    registration:
      lifespan: 10m
      ui_url: https://account.example.com/registration
      after:
        default_browser_return_url: https://account.example.com/
        password:
          # NOTE(review): the `session` hook logs the user in immediately after
          # password registration; no verification hook is configured here, so
          # the new identity gets a session before its address is verified.
          # Confirm that is intended.
          hooks:
            - hook: session

log:
  level: info
  format: text
  # Keep false: true would write credentials, tokens and cookies into logs.
  leak_sensitive_values: false

# All key material comes from the environment. Each list supports rotation —
# NOTE(review): per Kratos' documented behaviour the first entry is the active
# one and later entries are accepted for verification/decryption only, so
# rotate by prepending a new value — confirm for this version.
secrets:
  cookie:
    - env://SECRETS_COOKIE
  cipher:
    - env://SECRETS_CIPHER
  default:
    - env://SECRETS_DEFAULT

# AEAD used with secrets.cipher for data Kratos encrypts at rest
# (which fields are covered depends on the Kratos version — verify).
ciphers:
  algorithm: xchacha20-poly1305

# Password hashing. bcrypt cost 12 ≈ 2^12 rounds; raise it if login latency
# budget allows, lower it only with a measured reason.
hashers:
  algorithm: bcrypt
  bcrypt:
    cost: 12

identity:
  default_schema_id: nexus-v2
  # Two schemas are registered; `default` is presumably retained so identities
  # created under the older schema keep validating — confirm before removing it.
  schemas:
    - id: default
      url: file:///etc/kratos/identity.schema.json
    - id: nexus-v2
      url: file:///etc/kratos/identity.v2.schema.json

# Cookies are scoped to the parent domain so every *.example.com app shares
# them; that also means every subdomain can read and overwrite them, so no
# untrusted content may be served from a subdomain. SameSite=Lax permits
# top-level cross-site navigations (needed for the redirect-based flows).
cookies:
  domain: .example.com
  same_site: Lax

session:
  lifespan: 24h
  # A session older than this may be extended on use (sliding window).
  earliest_possible_extend: 1h
  cookie:
    domain: .example.com
    same_site: Lax
    # persistent: true presumably sets Max-Age/Expires so the session survives
    # a browser restart for the full 24h lifespan — confirm this matches the
    # intended "remember me" behaviour on shared devices.
    persistent: true

# Outbound mail for recovery/verification codes; SMTP credentials live in the
# connection URI, which is supplied via the environment.
courier:
  smtp:
    connection_uri: env://COURIER_SMTP_CONNECTION_URI
    from_address: env://COURIER_SMTP_FROM_ADDRESS
    from_name: env://COURIER_SMTP_FROM_NAME