API Configuration

This page documents all configuration options available for the API service. Configuration is loaded from a TOML file. Environment variables are expanded using ${VAR} or ${VAR:-default} syntax before parsing.

General

`instance_id`string

InstanceID identifies this particular API server instance. Used in log attribution, Kafka consumer group membership, and cache invalidation messages so that a node can ignore its own broadcasts.

`platform`string

Platform identifies the cloud platform where this node runs (e.g. "aws", "gcp", "hetzner", "kubernetes"). Appears in structured logs and metrics labels for filtering by infrastructure.

`image`string

Image is the container image identifier (e.g. "unkey/api:v1.2.3"). Logged at startup for correlating deployments with behavior changes.

`http_port`integer

HttpPort is the TCP port the API server binds to. Ignored when Listener is set, which is the case in test harnesses that use ephemeral ports.

Constraints: min: 1, max: 65535

`region`string

Region is the geographic region identifier (e.g. "us-east-1", "eu-west-1"). Included in structured logs and used by the key service when recording which region served a verification request.

`redis_url`string

RedisURL is the connection string for the Redis instance backing distributed rate limiting counters and usage tracking. Example: "redis://redis:6379"

`test_mode`boolean

TestMode relaxes certain security checks and trusts client-supplied headers that would normally be rejected. This exists for integration tests that need to inject specific request metadata. Do not enable in production.

`prometheus_port`integer

PrometheusPort starts a Prometheus /metrics HTTP endpoint on the specified port. Set to 0 (the default) to disable the endpoint entirely.

`max_request_body_size`integer

MaxRequestBodySize caps incoming request bodies at this many bytes. The zen server rejects requests exceeding this limit with a 413 status. Set to 0 or negative to disable the limit. Defaults to 10 MiB.

Database

DatabaseConfig holds connection strings for the primary MySQL database and an optional read-replica. The primary is required for all deployments; the replica reduces read load on the primary when set.

`database.primary`
Required
string

Primary is the MySQL DSN for the read-write database. This is the only required field in the entire configuration because the API server cannot function without a database. Example: "user:pass@tcp(host:3306)/unkey?parseTime=true&interpolateParams=true"

`database.readonly_replica`string

ReadonlyReplica is an optional MySQL DSN for a read-replica. When set, read queries are routed here to reduce load on the primary. The connection string format is identical to Primary.

ClickHouse

ClickHouseConfig configures connections to ClickHouse for analytics storage. All fields are optional; when URL is empty, a no-op analytics backend is used.

`clickhouse.url`string

URL is the ClickHouse connection string for the shared analytics cluster. When empty, analytics writes are silently discarded. Example: "clickhouse://default:password@clickhouse:9000?secure=false&skip_verify=true"

`clickhouse.analytics_url`string

AnalyticsURL is the base URL for workspace-specific analytics connections. Unlike URL, this endpoint receives per-workspace credentials injected at connection time by the analytics service. Only used when both this field and a [VaultConfig] are configured. Example: "http://clickhouse:8123/default"

`clickhouse.proxy_token`string

ProxyToken is the bearer token for authenticating against ClickHouse proxy endpoints exposed by the API server itself.

Otel

OtelConfig controls OpenTelemetry tracing and metrics export. When disabled, no collector connection is established and no spans are recorded.

`otel.enabled`boolean

Enabled activates OpenTelemetry tracing and metrics export to the collector endpoint. Defaults to false.

`otel.trace_sampling_rate`number

TraceSamplingRate is the probability (0.0–1.0) that any given trace is sampled. Lower values reduce overhead in high-throughput deployments. Only meaningful when Enabled is true.

Constraints: min: 0, max: 1

TLS Files

TLSFiles holds filesystem paths to a TLS certificate and private key. Both fields must be set together to enable HTTPS; setting only one is a validation error. The certificate and key are loaded at startup and used to construct a [tls.Config] stored in [Config.TLSConfig].

`tls.cert_file`string

CertFile is the filesystem path to a PEM-encoded TLS certificate.

`tls.key_file`string

KeyFile is the filesystem path to a PEM-encoded TLS private key.

Vault

VaultConfig configures the connection to the remote vault service used for encrypting and decrypting sensitive data like API key hashes. When URL is empty, vault-dependent features (like workspace analytics credentials) are disabled.

`vault.url`string

URL is the vault service endpoint. Example: "http://vault:8060"

`vault.token`string

Token is the bearer token used to authenticate with the vault service.

Kafka

KafkaConfig configures the Kafka connection used for distributed cache invalidation across API server instances. When Brokers is empty, cache invalidation is local-only and a no-op topic is used.

`kafka.brokers`string[]

Brokers is the list of Kafka broker addresses. When empty, distributed cache invalidation is disabled and each node operates independently. Example: ["kafka-0:9092", "kafka-1:9092"]

`kafka.cache_invalidation_topic`string

CacheInvalidationTopic is the Kafka topic name for broadcasting cache invalidation events between API nodes.

Ctrl

CtrlConfig configures the connection to the CTRL service, which manages deployments and rolling updates across the cluster.

`ctrl.url`string

URL is the CTRL service endpoint. Example: "http://ctrl-api:7091"

`ctrl.token`string

Token is the bearer token used to authenticate with the CTRL service.

Pprof

PprofConfig controls the Go pprof profiling endpoints served at /debug/pprof/*. When disabled, the endpoints are not registered on the server mux.

`pprof.enabled`boolean

Enabled activates pprof profiling endpoints. Defaults to false.

`pprof.username`string

Username is the Basic Auth username for pprof endpoints. When both Username and Password are empty, pprof endpoints are served without authentication — only appropriate in development environments.

`pprof.password`string

Password is the Basic Auth password for pprof endpoints.

Logging

LoggingConfig controls log sampling behavior. The sampler reduces log volume in production while ensuring slow requests are always captured. Events faster than SlowThreshold are emitted with probability SampleRate; events at or above the threshold are always emitted.

`logging.sample_rate`number

SampleRate is the baseline probability (0.0–1.0) of emitting a log event that completes faster than SlowThreshold. Set to 1.0 to log everything.

Constraints: min: 0, max: 1

`logging.slow_threshold`duration

SlowThreshold is the duration above which a request is considered slow and always logged regardless of SampleRate. Uses Go duration syntax (e.g. "1s", "500ms", "2m30s").

API Configuration

instance_idstring

platformstring

imagestring

http_portinteger

regionstring

redis_urlstring

test_modeboolean

prometheus_portinteger

max_request_body_sizeinteger

database.primaryRequiredstring

database.readonly_replicastring

clickhouse.urlstring

clickhouse.analytics_urlstring

clickhouse.proxy_tokenstring

otel.enabledboolean

otel.trace_sampling_ratenumber

tls.cert_filestring

tls.key_filestring

vault.urlstring

vault.tokenstring

kafka.brokersstring[]

kafka.cache_invalidation_topicstring

ctrl.urlstring

ctrl.tokenstring

pprof.enabledboolean

pprof.usernamestring

pprof.passwordstring

logging.sample_ratenumber

logging.slow_thresholdduration

On this page