All configuration for authentication your Keel application is done in the keelconfig.yaml file.

Configuring Tokens

You can configure your tokens like so:

    # Lifespan of the access token in seconds. Default is 24 hours.
    accessTokenExpiry: 3600
    # Lifespan of the refresh token in seconds. Default is 3 months.
    refreshTokenExpiry: 604800
    # Enable refresh token rotation. Default is true.
    refreshTokenRotationEnabled: true

It's recommended to keep the lifespan of an access token extremely short, since if they're stolen they can be used to access your application as a specific user. Refresh tokens are used to acquire new access tokens, and can live longer.

Redirect URL

For Single Sign-On, make sure to configure the redirectUrl. Users will be sent here after the auth/authorize/{provider} flow has successfully completed. An auth code will be provided in the query parameter code, which can then be used at the token endpoint to acquire an access and refresh token. We go into more detail about this on the Single Sign-On page.


Various providers can be configured. Depending on the type various other fields may be required.

Parameter NameDescription
typeThe type of provider
nameThe unique name you give to this provider
clientIdThe client ID given to you by your provider

Types of Providers

We support google, facebook, and gitlab out-of-the-box. See the providers page for more.

You can also configure your own custom OpenId Connect (oidc) provider type. Read on for more.

Out of the Box Providers

No additional fields need to be provided.

    - type: google
      name: google_client
      clientId: hfjuwaa3a2983h1hfsdf

Custom OpenID Connect Provider

Parameter NameDescription
issuerUrlThe provider's issuer URL used for discovery purposes
    # Custom OIDC
    - type: oidc
      name: Baidu
      clientId: kasj28fnq09ak

Client Secret Configuration

This is only necessary for the Single Sign-On flow.

The name of the secret has the format AUTH_PROVIDER_SECRET_{name} where {name} is the UPPER_SNAKE_CASED name of the provider as configured in your keelconfig.yaml file. See the Single Sign-On page for more.