Frontier server configuration controls the core application behavior, network settings, authentication, and platform-level features. Configuration can be provided via a YAML file or environment variables with the FRONTIER_SERVICE_ prefix.
Configuration File
By default, Frontier looks for a configuration file. You can specify a custom config file:
frontier server start --config=/path/to/config.yaml
Environment Variables
All configuration options can be set using environment variables with the FRONTIER_SERVICE_ prefix:
export FRONTIER_SERVICE_APP_PORT=8000
export FRONTIER_SERVICE_DB_URL="postgres://user:pass@localhost:5432/frontier"
Core Configuration
Version
Configuration file version number. Used for backward compatibility.
Logging
log.level
Logging level for the application. Options: debug, info, warning, error, fatal
log.audit_events
Controls where audit events are logged. Options:
none - Audit events are not logged
stdout - Log audit events to standard output
db - Store audit events in the database
log.ignored_audit_events
List of audit event names to ignore from logging.
log:
  ignored_audit_events:
    - "app.user.created"
    - "app.permission.checked"
Application Settings
Network Configuration
app.host
string
default: "127.0.0.1"
Host address for the Frontier application to bind to.
app.port
integer
default: "8000"
required
Port number for HTTP/REST API communication.
app.grpc.port
integer
default: "8001"
required
Port number for gRPC communication.
app.grpc.max_recv_msg_size
integer
default: "33554432"
Maximum message size in bytes that the gRPC server can receive (32MB default).
app.grpc.max_send_msg_size
integer
default: "33554432"
Maximum message size in bytes that the gRPC server can send (32MB default).
app.connect.port
Port number for Connect protocol communication.
app.metrics_port
Port number for Prometheus metrics exposition.
TLS Configuration
app.grpc.tls_cert_file
Path to TLS certificate file for gRPC server.
app:
  grpc:
    tls_cert_file: "/etc/frontier/certs/server-cert.pem"
    tls_key_file: "/etc/frontier/certs/server-key.pem"
    tls_client_ca_file: "/etc/frontier/certs/ca-cert.pem"
app.grpc.tls_key_file
Path to TLS private key file for gRPC server.
app.grpc.tls_client_ca_file
Path to CA certificate for client certificate verification.
Profiling & Monitoring
app.profiler
Enable pprof endpoints for CPU, memory, and mutex profiling at /debug/pprof. Only enable in development or controlled environments as it exposes runtime information.
CORS Configuration
app.cors.allowed_origins
List of origins allowed for Cross-Origin Resource Sharing.
app:
  cors:
    allowed_origins:
      - "https://app.example.com"
      - "https://admin.example.com"
      # Use "*" to allow all origins (not recommended for production)
app.cors.allowed_methods
HTTP methods allowed for CORS requests.
app:
  cors:
    allowed_methods:
      - GET
      - POST
      - PUT
      - PATCH
      - DELETE
app.cors.allowed_headers
HTTP headers allowed in CORS requests.
app:
  cors:
    allowed_headers:
      - Authorization
      - Content-Type
      - X-Requested-With
app.cors.exposed_headers
HTTP headers that browsers are allowed to access.
app:
  cors:
    exposed_headers:
      - Content-Type
      - X-Request-Id
Authentication Configuration
Session Management
app.authentication.session.hash_secret_key
Secret key for session hash validation (must be exactly 32 characters).
app:
  authentication:
    session:
      hash_secret_key: "hash-secret-should-be-32-chars--"
Generate a secure random string for production. Never commit secrets to version control.
app.authentication.session.block_secret_key
Secret key for session encryption (must be exactly 32 characters).
app:
  authentication:
    session:
      block_secret_key: "block-secret-should-be-32-chars-"
app.authentication.session.domain
Domain for session cookies. If not set, defaults to request origin host.
app.authentication.session.same_site
SameSite policy for session cookies. Options: "" (empty), lax, strict, none
app.authentication.session.validity
Session validity duration (default: 30 days).
app:
  authentication:
    session:
      validity: "168h" # 7 days
app.authentication.session.secure
Enable secure flag for cookies (requires HTTPS). Set to true in production when using HTTPS.
app.authentication.session.headers
Custom headers for collecting session metadata.
app:
  authentication:
    session:
      headers:
        client_ip: "x-forwarded-for"
        client_country: "x-frontier-country"
        client_city: "x-frontier-city"
        client_user_agent: "User-Agent"
JWT Token Configuration
app.authentication.token.rsa_path
Path to RSA private key for JWT signing. Generate using frontier server keygen.
app:
  authentication:
    token:
      rsa_path: "/etc/frontier/keys/rsa"
If not specified, JWT access tokens will be disabled.
app.authentication.token.rsa_base64
Base64-encoded RSA private key. Alternative to rsa_path for containerized deployments.
app.authentication.token.iss
string
default: "http://localhost.frontier"
Issuer claim (iss) added to JWT tokens.
app.authentication.token.validity
JWT token validity duration.
app.authentication.token.claims.add_org_ids
Include user’s organization IDs in JWT claims.
app.authentication.token.claims.add_user_email
Include user email in JWT claims.
app.authentication.token.claims.add_session_id
Include session ID in JWT claims.
Callback URLs
app.authentication.callback_urls
Public-facing URLs for OAuth callback redirects and email link verification.
app:
  authentication:
    callback_urls:
      - "http://localhost:8000/v1beta1/auth/callback"
      - "https://api.example.com/v1beta1/auth/callback"
The first URL is used by default. Additional URLs can be selected per-strategy using query parameters.
app.authentication.authorized_redirect_urls
URLs where users can be redirected after successful authentication.
app:
  authentication:
    authorized_redirect_urls:
      - "https://app.example.com/dashboard"
      - "https://app.example.com/home"
OIDC Configuration
app.authentication.oidc_config
OpenID Connect provider configurations. Multiple providers can be configured.
app:
  authentication:
    oidc_config:
      google:
        client_id: "xxxxx.apps.googleusercontent.com"
        client_secret: "xxxxx"
        issuer_url: "https://accounts.google.com"
        validity: "10m"
      github:
        client_id: "github-client-id"
        client_secret: "github-client-secret"
        issuer_url: "https://github.com"
        validity: "10m"
Email Authentication
app.authentication.mail_otp
Configuration for one-time password (OTP) email authentication.
app:
  authentication:
    mail_otp:
      subject: "Frontier - Login Code"
      body: "Your login code: <h2>{{.Otp}}</h2>"
      validity: "15m"
The body is a Go template with {{.Otp}} variable.
app.authentication.mail_link
Configuration for magic link email authentication.
app:
  authentication:
    mail_link:
      subject: "Frontier Login - One time link"
      body: "Click to login: <a href='{{.Link}}'>Login</a>"
      validity: "15m"
The body is a Go template with {{.Link}} variable.
Passkey Configuration
app.authentication.passkey.rpdisplayname
Display name for the Relying Party (your application name).
app.authentication.passkey.rpid
Relying Party ID (typically your domain without scheme and port).
app:
  authentication:
    passkey:
      rpid: "example.com"
app.authentication.passkey.rporigins
List of fully qualified origins permitted for passkey authentication.
app:
  authentication:
    passkey:
      rporigins:
        - "https://example.com"
        - "https://app.example.com"
Test Users
app.authentication.test_users.enabled
Enable test user authentication for development/testing. Never enable in production environments.
app.authentication.test_users.domain
Email domain for test users (e.g., example.com).
app.authentication.test_users.otp
Fixed OTP for test users.
Admin Configuration
app.admin.users
Email addresses, UUIDs, or slugs of users to promote as platform superusers. If a user exists, they’re promoted to superuser. If an email is provided for a non-existent user, a new account is created.
Resources Configuration
app.resources_config_path
Path to resources configuration files with scheme prefix.
app:
  resources_config_path: "file:///tmp/resources_config"
  # Or for GCS:
  # resources_config_path: "gs://frontier-bucket/resources_config"
app.resources_config_path_secret
Secret for accessing resources configuration.
app:
  resources_config_path_secret: "env://RESOURCE_CONFIG_SECRET"
  # Or from file:
  # resources_config_path_secret: "file:///opt/auth.json"
  # Or direct value:
  # resources_config_path_secret: "val://user:password"
Webhook Configuration
app.webhook.encryption_key
Encryption key for webhook endpoint secrets stored in database (must be 32 characters).
app:
  webhook:
    encryption_key: "webhook-secret-32-characters----"
This encrypts the endpoint secrets, not the webhook payloads themselves.
Development Settings
app.identity_proxy_header
HTTP header name containing user’s email for identity proxying.
app:
  identity_proxy_header: "X-Frontier-Email"
CRITICAL: This bypasses ALL authorization checks. NEVER use in production.
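A pre-deployment check for the settings this page marks as length-constrained or development-only, added here as an example and not part of Frontier. The Lint function and its flattened dotted-key input map are assumptions made for illustration; the key names are the ones documented on this page.

```go
package main

import "fmt"

// Lint checks a config flattened to dotted keys (an assumed input shape,
// not a Frontier API) and returns one finding per risky setting.
func Lint(cfg map[string]any) []string {
	var out []string
	// Secrets the page says must be 32 characters long.
	for _, k := range []string{
		"app.authentication.session.hash_secret_key",
		"app.authentication.session.block_secret_key",
		"app.webhook.encryption_key",
	} {
		if s, ok := cfg[k].(string); ok && len(s) != 32 {
			out = append(out, fmt.Sprintf("%s: %d characters, want 32", k, len(s)))
		}
	}
	if origins, ok := cfg["app.cors.allowed_origins"].([]string); ok {
		for _, o := range origins {
			if o == "*" {
				out = append(out, "app.cors.allowed_origins: wildcard origin")
			}
		}
	}
	// Development-only switches that must stay off in production.
	for _, k := range []string{"app.profiler", "app.authentication.test_users.enabled"} {
		if on, _ := cfg[k].(bool); on {
			out = append(out, k+": enabled")
		}
	}
	if h, _ := cfg["app.identity_proxy_header"].(string); h != "" {
		out = append(out, "app.identity_proxy_header: set, bypasses authorization")
	}
	if secure, _ := cfg["app.authentication.session.secure"].(bool); !secure {
		out = append(out, "app.authentication.session.secure: not true")
	}
	return out
}

func main() {
	// Constructed development-style config, not from a real deployment.
	dev := map[string]any{"app.webhook.encryption_key": "too-short", "app.profiler": true}
	for _, f := range Lint(dev) {
		fmt.Println(f)
	}
}
```

An empty result means none of these specific settings were found in an unsafe state; it does not cover settings the check does not look at.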
Admin UI Configuration
ui.port
Port for the Admin UI web interface.
ui.title
string
default: "Frontier Admin"
Title displayed in the browser tab.
ui.logo
URL or path to logo image for the login page.
ui.app_url
Base URL for showing users their full organization URL.
Product ID to use for adding credits in the UI.
ui.organization_types
List of organization industry types for UI dropdowns.
ui:
  organization_types:
    - "Technology"
    - "Healthcare"
    - "Finance"
    - "Education"
New Relic Integration
new_relic.enabled
Enable New Relic APM integration.
new_relic.app_name
Application name in New Relic.
Complete Example
config.yaml
version: 1
log:
  level: info
  audit_events: db
  ignored_audit_events:
    - "app.permission.checked"
new_relic:
  enabled: false
  app_name: "Frontier"
  license: "NEWRELIC_LICENSE_KEY"
ui:
  port: 8100
  title: "Frontier Admin"
  logo: "https://example.com/logo.png"
  app_url: "https://app.example.com"
  organization_types:
    - "Technology"
    - "Healthcare"
app:
  host: "0.0.0.0"
  port: 8000
  grpc:
    port: 8001
    max_recv_msg_size: 33554432
    max_send_msg_size: 33554432
  connect:
    port: 8002
  metrics_port: 9000
  profiler: false
  cors:
    allowed_origins:
      - "https://app.example.com"
    allowed_methods:
      - GET
      - POST
      - PUT
      - PATCH
      - DELETE
    allowed_headers:
      - Authorization
      - Content-Type
    exposed_headers:
      - Content-Type
  authentication:
    callback_urls:
      - "https://api.example.com/v1beta1/auth/callback"
    authorized_redirect_urls:
      - "https://app.example.com/dashboard"
    session:
      hash_secret_key: "hash-secret-should-be-32-chars--"
      block_secret_key: "block-secret-should-be-32-chars-"
      domain: "example.com"
      same_site: "lax"
      validity: "720h"
      secure: true
      headers:
        client_ip: "x-forwarded-for"
        client_country: "x-frontier-country"
        client_city: "x-frontier-city"
        client_user_agent: "User-Agent"
    token:
      rsa_path: "/etc/frontier/keys/rsa"
      iss: "https://api.example.com"
      validity: "1h"
      claims:
        add_org_ids: true
        add_user_email: true
        add_session_id: true
    oidc_config:
      google:
        client_id: "xxxxx.apps.googleusercontent.com"
        client_secret: "xxxxx"
        issuer_url: "https://accounts.google.com"
        validity: "10m"
    mail_otp:
      subject: "Your Login Code"
      body: "Use this code to login: <h2>{{.Otp}}</h2>"
      validity: "15m"
    mail_link:
      subject: "Your Login Link"
      body: "Click here to login: <a href='{{.Link}}'>Login</a>"
      validity: "15m"
    passkey:
      rpdisplayname: "Example App"
      rpid: "example.com"
      rporigins:
        - "https://example.com"
        - "https://app.example.com"
  admin:
    users:
      - "[email protected] "
  webhook:
    encryption_key: "webhook-secret-32-characters----"
See Also