Configuration Keys

Caracal has three configuration domains:

| Domain | Used by | Choose it when |
| --- | --- | --- |
| Runtime workload config | `caracal run` and SDK clients. | A workload needs Caracal-issued resource credentials. |
| Service environment config | API, STS, Gateway, Audit, Coordinator, and Control. | A service needs URLs, secrets, limits, or readiness settings. |
| Deployment values | Helm, Compose, Postgres, and Redis. | Operators size, schedule, expose, or secure infrastructure. |

```mermaid
flowchart TD
  Need{What are you configuring?}
  Need -->|workload credentials| Runtime[Runtime profile and CARACAL_CONFIG]
  Need -->|service behavior| Env[Service environment variables]
  Need -->|deployment shape| Deploy[Helm values or Compose files]
  Runtime --> Precedence[Config precedence reference]
  Env --> Ops[Environment variables reference]
  Deploy --> Platform[Operations deployment pages]
```

| Field | Meaning |
| --- | --- |
| `zone_url` | Cloud/custom STS URL override for token exchange. |
| `sts_url` | Cloud/custom SDK-readable STS alias/fallback. |
| `coordinator_url` | Cloud/custom SDK/Console Coordinator URL override. |
| `gateway_url` | Cloud/custom Gateway URL override for SDK transports. |
| `zone_id` | Zone identifier. |
| `application_id` | Confidential application ID. |
| `app_client_secret_file` | Cloud/custom secret-file path override. |
| `app_client_secret` | Inline local-development secret. |
| `ttl_seconds` | `caracal run` exchange TTL, capped at 900 seconds. |
| `continue_on_failure` | Required credential failure behavior. |
| `credentials[]` | Required resource credentials. |
| `optional_credentials[]` | Optional resource credentials with `on_failure`. |
| `mcp_governance.mode` | `block` or `log` for likely MCP subprocesses. |

Credential entries use `env`, `resource`, optional `upstream_prefix`, and optional `credential_type`. Use `provider_token` for direct `caracal run` provider-key injection and `caracal_mandate` for mandate-aware workloads.

Local dev and stable runtime launches auto-detect the client secret and credential manifest from the OS Caracal config directory. Use explicit secret-file paths and service URLs only for cloud deployments, containers, or custom infrastructure.
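
A pre-deployment lint for the runtime fields above, as an added example that is not part of Caracal or its documentation. It assumes the config has already been parsed into a dict with `mcp_governance.mode` nested under `mcp_governance`; the function name, finding format, duplicate-`env` rule, and all sample values are constructed for illustration.

```python
# Added example (not Caracal code): lint a runtime workload config, assumed already parsed into a dict.
TTL_CAP = 900  # ttl_seconds is capped at 900 seconds
CRED_TYPES = {"provider_token", "caracal_mandate"}
MCP_MODES = {"block", "log"}
CLOUD_ONLY = ("zone_url", "sts_url", "coordinator_url", "gateway_url", "app_client_secret_file")

def lint_runtime_config(cfg, local_dev=False):
    """Return sorted (severity, field, message) findings for one config dict."""
    out = []
    if cfg.get("app_client_secret") and not local_dev:
        out.append(("error", "app_client_secret", "inline secret outside local development"))
    if local_dev:  # local launches auto-detect these, so an override is suspicious
        out += [("warn", k, "cloud/custom override set in local dev") for k in CLOUD_ONLY if k in cfg]
    ttl = cfg.get("ttl_seconds")
    if ttl is not None:
        if type(ttl) is not int or ttl <= 0:  # assumption: a positive integer is expected
            out.append(("error", "ttl_seconds", "not a positive integer"))
        elif ttl > TTL_CAP:
            out.append(("warn", "ttl_seconds", f"{ttl} exceeds the {TTL_CAP}s cap"))
    mode = cfg.get("mcp_governance", {}).get("mode")
    if mode is not None and mode not in MCP_MODES:
        out.append(("error", "mcp_governance.mode", f"unknown mode {mode!r}"))
    seen = {}  # env name -> first entry that sets it (duplicate check is an added sanity rule)
    for section in ("credentials", "optional_credentials"):
        for i, entry in enumerate(cfg.get(section, [])):
            where = f"{section}[{i}]"
            out += [("error", where, f"missing {k}") for k in ("env", "resource") if not entry.get(k)]
            ctype = entry.get("credential_type")
            if ctype is not None and ctype not in CRED_TYPES:
                out.append(("error", where, f"unknown credential_type {ctype!r}"))
            env = entry.get("env")
            if env and env in seen:
                out.append(("error", where, f"env {env} already set by {seen[env]}"))
            elif env:
                seen[env] = where
    return sorted(out)

SAMPLE = {  # constructed sample; every value is a placeholder
    "zone_id": "zone-example", "application_id": "app-example",
    "app_client_secret": "dev-only-placeholder", "ttl_seconds": 3600,
    "mcp_governance": {"mode": "audit"},
    "credentials": [
        {"env": "EXAMPLE_API_KEY", "resource": "resource-a", "credential_type": "provider_token"},
        {"env": "EXAMPLE_API_KEY", "resource": "resource-b", "credential_type": "mandate"},
    ],
    "optional_credentials": [{"resource": "resource-c", "on_failure": "placeholder"}],
}
if __name__ == "__main__":
    print(*lint_runtime_config(SAMPLE), sep="\n")
```

Running it in CI with `local_dev=False` catches an inline `app_client_secret` before a cloud or container rollout.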

| Key | Services |
| --- | --- |
| `CARACAL_MODE` | All services. |
| `DATABASE_URL` / `DATABASE_URL_FILE` | API, STS, Gateway, Audit, Coordinator. |
| `REDIS_URL` / `REDIS_URL_FILE` | API, STS, Gateway, Audit, Coordinator. |
| `STREAMS_HMAC_KEY` / `STREAMS_HMAC_KEY_FILE` | Stream producers and consumers. |
| `AUDIT_HMAC_KEY` / `AUDIT_HMAC_KEY_FILE` | Audit producers and Audit service. |
| `GATEWAY_STS_HMAC_KEY` / `GATEWAY_STS_HMAC_KEY_FILE` | API, STS, Gateway. |
| `ZONE_KEK` / `ZONE_KEK_FILE` | API and STS. |
| `CARACAL_ADMIN_TOKEN` / `CARACAL_ADMIN_TOKEN_FILE` | API and management clients. |
| `CARACAL_COORDINATOR_TOKEN` / `CARACAL_COORDINATOR_TOKEN_FILE` | Coordinator and Console agent/delegation views. |

Helm values live under `infra/helm/caracal/values.yaml`. Compose environment and secrets are defined by `infra/docker/docker-compose.yml` and `infra/docker/runtime-compose.yml`.

Use Configuration Order to understand which file, environment variable, or deployment value wins.