Skip to main content
Unkey services read configuration from a TOML file passed at startup. Environment variables can be referenced with ${VAR} and are expanded before parsing. Defaults and validation run after parsing. The config schema maps to svc/ctrl/api/config.go. The control plane API is configured via a TOML file: unkey run ctrl api --config=unkey.toml.
instance_id
string
Instance identifier for logs and tracing.
region
string
required
Region label for routing and observability.
http_port
int
default:"8080"
HTTP server port.
prometheus_port
int
Prometheus metrics port. Set to 0 to disable.
auth_token
string
required
Bearer token for control API clients.
Known consumers:
  • API service
  • Krane service
Rotation is manual today. There is no built-in rotation mechanism. TODO: Replace with JWT-based auth once auth.unkey.cloud is in place.
default_domain
string
Base domain for wildcard certificates.
regional_domain
string
Base domain for regional routing.
cname_domain
string
Base domain for custom CNAME targets.
database
object
required
MySQL configuration.
restate
object
Restate integration.
github
object
GitHub webhook configuration.
observability
object
Tracing configuration. Logging settings are parsed but not applied by the control API runtime.

Example configuration

Control API: 
http_port = 8080
prometheus_port = 9090
region = "${UNKEY_REGION}"
instance_id = "${POD_NAME}"
auth_token = "${UNKEY_AUTH_TOKEN}"
default_domain = "${UNKEY_DEFAULT_DOMAIN}"
regional_domain = "${UNKEY_REGIONAL_DOMAIN}"
cname_domain = "${UNKEY_CNAME_DOMAIN}"

[database]
primary = "${UNKEY_DATABASE_PRIMARY}"

[restate]
url = "${UNKEY_RESTATE_URL}"
admin_url = "${UNKEY_RESTATE_ADMIN_URL}"
api_key = "${UNKEY_RESTATE_API_KEY}"

[github]
webhook_secret = "${UNKEY_GITHUB_APP_WEBHOOK_SECRET}"

[observability.tracing]
sample_rate = 0.1

[observability.logging]
sample_rate = 0.01
slow_threshold = "2s"