Skip to content

Configuration reference

PassBeyond uses either a complete environment configuration or one YAML file. It does not merge individual environment values into YAML. See the configuration guide for loading precedence.

File selection

InputPurpose
--config <path>Select a YAML configuration file
PASSBEYOND_CONFIGSelect a YAML file when --config is absent
./config.yamlDefault YAML path

Core settings

YAMLEnvironmentTypeRequired / defaultDescription
domainPASSBEYOND_DOMAINstringRequiredPublic hostname without a scheme or path, for example host.example.com. Used for HTTPS SAML URLs, redirects, and cookie scope.
idpMetadataURLPASSBEYOND_IDP_METADATA_URLstringOne metadata source requiredRemote IdP metadata. Cached and refreshed every 30 minutes.
idpMetadataFilePASSBEYOND_IDP_METADATA_FILEstringOne metadata source requiredLocal IdP metadata XML. Takes precedence over URL mode and is loaded at startup only.
configPathPASSBEYOND_CONFIG_PATHstring./dynamic_config.jsonWritable dynamic JSON containing generated secrets, keys, instance ID, and remote metadata cache.
sessionTimeoutPASSBEYOND_SESSION_TIMEOUTinteger1440Application JWT lifetime in minutes. Must be greater than zero for session creation.
samlRequestSigningPASSBEYOND_SAML_REQUEST_SIGNINGbooleanfalseSign SAML authentication requests with the generated instance key.
supportURLPASSBEYOND_SUPPORT_URLstringEmptySupport link shown on friendly error pages.
footerPASSBEYOND_FOOTERstringEmptyCustom footer content on friendly error pages.

When both metadata fields appear in YAML, idpMetadataFile wins. Environment mode selects the URL first when both environment variables are present.

Proxy settings

Proxy settings are nested under proxy in YAML.

YAMLEnvironmentTypeRequired / defaultDescription
proxy.listenAddressPASSBEYOND_PROXY_LISTEN_ADDRESSstringEmpty; set explicitlyAddress and port for PassBeyond, for example 127.0.0.1:8123 or :8123.
proxy.targetURLPASSBEYOND_PROXY_TARGET_URLURLRequiredBackend origin to which accepted requests are proxied.
proxy.targetDisableSSLVerifyPASSBEYOND_PROXY_TARGET_DISABLE_SSL_VERIFYbooleanfalseDisable certificate verification for an HTTPS target. Unsafe for production.
proxy.stripVersionHeadersPASSBEYOND_PROXY_STRIP_VERSION_HEADERSbooleanfalseRemove common backend version headers from responses.
proxy.useBasicAuthPASSBEYOND_PROXY_USE_BASIC_AUTHbooleanfalseSend Authorization: Basic <user:> to the backend using the authenticated subject and an empty password.
proxy.ignoreAuthorizationHeaderbooleanfalsePreserve incoming Basic authorization instead of removing it. YAML only. Bearer authorization is preserved independently.
proxy.trustedProxiesPASSBEYOND_PROXY_TRUSTED_PROXIESstring listEmptyIP addresses or CIDR ranges allowed to supply X-Forwarded-For. Environment values are comma-separated.

When stripVersionHeaders is enabled, PassBeyond removes X-Powered-By, Server, X-AspNet-Version, X-AspNetMvc-Version, and X-SourceFiles from backend responses.

Authorization compatibility options

useBasicAuth creates a trusted Basic header from the PassBeyond subject. ignoreAuthorizationHeader preserves a client-provided Basic header. These are different behaviors; do not enable the latter unless the backend is explicitly meant to authenticate it.

Passthrough settings

YAMLEnvironmentTypeDefaultDescription
passthroughPathsPASSBEYOND_PASSTHROUGH_PATHSstring listEmptyLiteral path prefixes that bypass SAML. Environment values are comma-separated.
passthroughTokensPASSBEYOND_PASSTHROUGH_TOKENSstring listEmptyBearer tokens accepted through X-Passbeyond-Authorization. Environment values are comma-separated.

Path values must start with / and contain at least one additional character. Root and empty values are rejected. A configured token applies to the whole instance, not to one path.

Environment example

bash
PASSBEYOND_DOMAIN="myapp.example.com"
PASSBEYOND_IDP_METADATA_URL="https://sso.example.com/metadata.xml"
PASSBEYOND_CONFIG_PATH="/var/lib/passbeyond/myapp.json"

PASSBEYOND_PROXY_LISTEN_ADDRESS="127.0.0.1:8123"
PASSBEYOND_PROXY_TARGET_URL="http://127.0.0.1:8888"
PASSBEYOND_PROXY_TARGET_DISABLE_SSL_VERIFY="false"
PASSBEYOND_PROXY_STRIP_VERSION_HEADERS="true"
PASSBEYOND_PROXY_USE_BASIC_AUTH="false"
PASSBEYOND_PROXY_TRUSTED_PROXIES="127.0.0.1,::1"

PASSBEYOND_SESSION_TIMEOUT="1440"
PASSBEYOND_SAML_REQUEST_SIGNING="false"
PASSBEYOND_SUPPORT_URL="https://support.example.com/"
PASSBEYOND_FOOTER="Example Company — Identity Support"

PASSBEYOND_PASSTHROUGH_PATHS="/public/,/static/"
PASSBEYOND_PASSTHROUGH_TOKENS="first-secret,second-secret"

Boolean environment values are enabled only by the literal lowercase value true; all other non-empty values are treated as false.

Released under the MIT License.