Documentation
¶
Index ¶
- Variables
- func LoadFile(filePath *string, pa koanf.Parser) (*koanf.Koanf, error)
- type Account
- type AuditLog
- type AuditLogConsole
- type AuditLogStorage
- type Config
- type Cookie
- type Cors
- type CustomThirdPartyProvider
- type CustomThirdPartyProviders
- type Database
- type Email
- type EmailDelivery
- type Emails
- type JWTTemplate
- type LoggerConfig
- type MFA
- type OutputStream
- type Passcode
- type Passkey
- type Password
- type Privacy
- type RateLimiter
- type RateLimiterStoreType
- type RateLimits
- type RedisConfig
- type RelyingParty
- type SMTP
- type Secrets
- type SecurityKeys
- type Server
- type ServerSettings
- type ServerSide
- type Service
- type Session
- type TOTP
- type ThirdParty
- type ThirdPartyProvider
- type ThirdPartyProviders
- type Username
- type WebauthnSettings
- type WebauthnTimeouts
- type Webhook
- type WebhookSettings
- type Webhooks
Constants ¶
This section is empty.
Variables ¶
// DefaultConfigFilePath is the default location of the configuration file.
// It is a relative path, so it resolves against the working directory of the
// process rather than the location of the binary.
//
// NOTE(review): presumably the fallback used by LoadFile when no path is
// given; confirm against the caller.
var DefaultConfigFilePath = "./config/config.yaml"
Functions ¶
Types ¶
type Account ¶
// Account groups the account self-service settings: whether users may sign up
// and whether they may delete their own account.
type Account struct {
// `allow_deletion` determines whether users can delete their accounts.
// The JSON schema default is `false`.
AllowDeletion bool `yaml:"allow_deletion" json:"allow_deletion,omitempty" koanf:"allow_deletion" jsonschema:"default=false"`
// `allow_signup` determines whether users are able to create new accounts.
// The JSON schema default is `true`, i.e. self-registration is open unless this is switched off.
AllowSignup bool `yaml:"allow_signup" json:"allow_signup,omitempty" koanf:"allow_signup" jsonschema:"default=true"`
}
type AuditLog ¶
// AuditLog configures where audit log entries are written, whether sensitive
// values in them are masked, and how long persisted entries are kept.
type AuditLog struct {
// `console_output` controls audit log console output.
ConsoleOutput AuditLogConsole `` /* 129-byte string literal not displayed */
// `mask` determines whether sensitive information (usernames, emails) should be masked in the audit log output.
//
// This configuration applies to logs written to the console as well as persisted logs.
//
// The JSON schema default is `true`. With masking disabled, usernames and email addresses appear in clear text in
// every sink the audit log reaches, so those sinks must then be handled as stores of personal data.
Mask bool `yaml:"mask" json:"mask,omitempty" koanf:"mask" jsonschema:"default=true"`
// `storage` controls audit log retention.
Storage AuditLogStorage `yaml:"storage" json:"storage,omitempty" koanf:"storage"`
// `retention` specifies the time duration after which audit log entries may be deleted.
// The JSON schema default is `720h`.
//
// NOTE(review): the value is a plain string; presumably it is parsed as a Go duration, confirm where it is consumed.
Retention string `yaml:"retention" json:"retention,omitempty" koanf:"retention" jsonschema:"default=720h"`
}
type AuditLogConsole ¶
// AuditLogConsole configures audit log output on the console.
type AuditLogConsole struct {
// `enabled` controls whether audit log output on the console is enabled or disabled.
// The JSON schema default is `true`.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=true"`
// `output` determines the output stream audit logs are sent to.
// The schema allows `stdout` (default) and `stderr`.
OutputStream OutputStream `yaml:"output" json:"output,omitempty" koanf:"output" split_words:"true" jsonschema:"default=stdout,enum=stdout,enum=stderr"`
}
type AuditLogStorage ¶
// AuditLogStorage configures persistence of audit log entries.
type AuditLogStorage struct {
// `enabled` controls whether audit log should be retained (i.e. persisted).
//
// The JSON schema default is `false`: unless this is enabled, audit entries are not persisted, so the console stream
// (if enabled) is the only record and has to be collected into durable log storage when an audit trail is required.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=false"`
}
type Config ¶
// Config is the central configuration type. Each field maps to one top-level
// key of the configuration file; several fields (`emails`, `passcode`, `smtp`)
// are deprecated and kept only for older configurations.
type Config struct {
// `account` configures settings related to user accounts.
Account Account `yaml:"account" json:"account,omitempty" koanf:"account" jsonschema:"title=account"`
// `audit_log` configures output and storage modalities of audit logs.
AuditLog AuditLog `yaml:"audit_log" json:"audit_log,omitempty" koanf:"audit_log" split_words:"true" jsonschema:"title=audit_log"`
// `convert_legacy_config`, if set to `true`, automatically copies the set values of deprecated configuration
// options to the new ones. If set to `false`, these values have to be set manually if non-default values should be
// used.
ConvertLegacyConfig bool `` /* 143-byte string literal not displayed */
// `convert_legacy_session_config`, if set to `true`, automatically copies the set of deprecated server-side session
// configuration options to the new ones. If set to `false`, these values have to be set manually if non-default
// values should be used.
//
// NOTE(review): the struct tag is not displayed on this page; going by the field name the key is presumably
// `convert_legacy_server_side_session_config`. Confirm against the source before using it in a config file.
ConvertLegacyServerSideSessionConfig bool `` /* 202-byte string literal not displayed */
// `database` configures database connection settings.
Database Database `yaml:"database" json:"database,omitempty" koanf:"database" jsonschema:"title=database"`
// `debug`, if set to `true`, adds additional debugging information to flow API responses.
//
// The JSON schema default is `false`. Because the extra information is returned to API clients, keep this disabled
// outside of development environments.
Debug bool `yaml:"debug" json:"debug,omitempty" koanf:"debug" jsonschema:"default=false"`
// `email` configures how email addresses of user accounts are acquired and used.
Email Email `yaml:"email" json:"email,omitempty" koanf:"email" jsonschema:"title=email"`
// `email_delivery` configures how outgoing mails are delivered.
EmailDelivery EmailDelivery `` /* 129-byte string literal not displayed */
// Deprecated. See child properties for suggested replacements.
Emails Emails `yaml:"emails" json:"emails,omitempty" koanf:"emails" jsonschema:"title=emails"`
// `log` configures application logging.
Log LoggerConfig `yaml:"log" json:"log,omitempty" koanf:"log" jsonschema:"title=log"`
// `mfa` configures how multi-factor-authentication behaves.
MFA MFA `yaml:"mfa" json:"mfa,omitempty" koanf:"mfa" jsonschema:"title=mfa"`
// Deprecated. See child properties for suggested replacements.
Passcode Passcode `yaml:"passcode" json:"passcode,omitempty" koanf:"passcode" jsonschema:"title=passcode"`
// `passkey` configures how passkeys are acquired and used.
Passkey Passkey `yaml:"passkey" json:"passkey,omitempty" koanf:"passkey" jsonschema:"title=passkey"`
// `password` configures how passwords are acquired and used.
Password Password `yaml:"password" json:"password,omitempty" koanf:"password" jsonschema:"title=password"`
// `rate_limiter` configures rate limits for rate limited API operations and storage modalities for rate limit data.
RateLimiter RateLimiter `yaml:"rate_limiter" json:"rate_limiter,omitempty" koanf:"rate_limiter" split_words:"true" jsonschema:"title=rate_limiter"`
// `saml` configures modalities of SAML (Security Assertion Markup Language) SSO authentication and SAML identity
// providers.
Saml config.Saml `yaml:"saml" json:"saml,omitempty" koanf:"saml" jsonschema:"title=saml"`
// `secrets` configures the keys used for cryptographically signing tokens issued by the API.
Secrets Secrets `yaml:"secrets" json:"secrets,omitempty" koanf:"secrets" jsonschema:"title=secrets"`
// `server` configures address and CORS settings of the public and admin API.
Server Server `yaml:"server" json:"server,omitempty" koanf:"server" jsonschema:"title=server"`
// `service` configures general service information.
Service Service `yaml:"service" json:"service,omitempty" koanf:"service" jsonschema:"title=service"`
// `session` configures settings for session JWTs and Cookies issued by the API.
Session Session `yaml:"session" json:"session,omitempty" koanf:"session" jsonschema:"title=session"`
// Deprecated. Use `email_delivery.smtp` instead.
Smtp SMTP `yaml:"smtp" json:"smtp,omitempty" koanf:"smtp" jsonschema:"title=smtp"`
// `third_party` configures the modalities of third party OAuth/OIDC based authentication and available identity
// providers.
ThirdParty ThirdParty `yaml:"third_party" json:"third_party,omitempty" koanf:"third_party" split_words:"true" jsonschema:"title=third_party"`
// `username` configures how usernames of user accounts are acquired and used.
Username Username `yaml:"username" json:"username,omitempty" koanf:"username" jsonschema:"title=username"`
// `webauthn` configures general settings for communication with the WebAuthentication API.
Webauthn WebauthnSettings `yaml:"webauthn" json:"webauthn,omitempty" koanf:"webauthn" jsonschema:"title=webauthn"`
// `webhooks` configures HTTP-based callbacks for specific events occurring in the system.
Webhooks WebhookSettings `yaml:"webhooks" json:"webhooks,omitempty" koanf:"webhooks" jsonschema:"title=webhooks"`
// `privacy` configures privacy settings.
Privacy Privacy `yaml:"privacy" json:"privacy,omitempty" koanf:"privacy" jsonschema:"title=privacy"`
}
Config is the central configuration type
func DefaultConfig ¶
func DefaultConfig() *Config
func (*Config) PostProcess ¶
type Cookie ¶
// Cookie configures the attributes of the authentication cookie: its name and
// domain, its retention, and the `HttpOnly`, `SameSite` and `Secure` flags
// that decide where the browser exposes and sends it.
type Cookie struct {
// `domain` is the domain the cookie will be bound to. Works for subdomains, but not cross-domain.
// See the `session.enable_auth_token_header` configuration instead if the API and the client application run on
// different domains.
Domain string `yaml:"domain" json:"domain,omitempty" koanf:"domain" jsonschema:"default=hanko"`
// `http_only` determines whether cookies are HTTP only or accessible by JavaScript.
//
// The JSON schema default is `true`. An HTTP-only cookie cannot be read by scripts running in the page, which
// includes script injected through a cross-site scripting flaw; disable it only when client-side code must read
// the cookie.
HttpOnly bool `yaml:"http_only" json:"http_only,omitempty" koanf:"http_only" split_words:"true" jsonschema:"default=true"`
// `name` is the name of the cookie.
Name string `yaml:"name" json:"name,omitempty" koanf:"name" jsonschema:"default=hanko"`
// `retention` determines the retention behavior of authentication cookies.
Retention string `` /* 153-byte string literal not displayed */
// `same_site` controls whether a cookie is sent with cross-site requests.
// See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value) for
// more details.
SameSite string `` /* 139-byte string literal not displayed */
// `secure` indicates whether the cookie is sent to the server only when a request is made with the https: scheme
// (except on localhost).
//
// The JSON schema default is `true`. With `secure` disabled the browser also sends the cookie over plain HTTP, so
// the exception below is for local development only.
//
// NOTE: `secure` must be set to `false` when working on `localhost` and with the Safari browser because it does
// not store secure cookies on `localhost`.
Secure bool `yaml:"secure" json:"secure,omitempty" koanf:"secure" jsonschema:"default=true"`
}
func (Cookie) JSONSchemaExtend ¶
func (Cookie) JSONSchemaExtend(schema *jsonschema.Schema)
type Cors ¶
// Cors configures the cross-origin resource sharing policy: which origins are
// allowed and whether a wildcard origin may be combined with credentials.
type Cors struct {
// `allow_origins` determines the value of the Access-Control-Allow-Origin
// response header. This header defines a list of [origins](https://developer.mozilla.org/en-US/docs/Glossary/Origin)
// that may access the resource.
//
// The wildcard characters `*` and `?` are supported and are converted to regex fragments `.*` and `.` accordingly.
//
// Because `*` becomes `.*`, it matches any run of characters, dots included, so a wildcard pattern can admit more
// origins than the pattern suggests at first glance. Prefer listing exact origins where the set is known.
AllowOrigins []string `` /* 155-byte string literal not displayed */
// `unsafe_wildcard_origin_allowed` allows a wildcard `*` origin to be used with AllowCredentials
// flag. In that case we consider any origin allowed and send it back to the client in an `Access-Control-Allow-Origin` header.
//
// This is INSECURE and potentially leads to [cross-origin](https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
// attacks. See also https://github.com/labstack/echo/issues/2400 for discussion on the subject.
//
// Reflecting the request origin together with credentials lets any website make authenticated requests on behalf
// of a visiting user and read the responses, so this should stay `false` in any deployment that serves real users.
//
// Optional. Default value is `false`.
UnsafeWildcardOriginAllowed bool `` /* 207-byte string literal not displayed */
}
type CustomThirdPartyProvider ¶
// CustomThirdPartyProvider configures one custom OAuth/OIDC identity provider:
// its client credentials, its endpoints (given explicitly or obtained through
// OIDC discovery), the scopes requested, and how provider claims are mapped to
// standard OIDC claims.
type CustomThirdPartyProvider struct {
// `allow_linking` indicates whether existing accounts can be automatically linked with this provider.
//
// Linking is based on matching one of the email addresses of an existing user account with the (primary)
// email address of the third party provider account.
//
// The JSON schema default is `false`. Since the email address reported by the provider is the only link between the
// two accounts, enable this only for providers that verify ownership of that address.
// NOTE(review): whether an `email_verified` claim is checked before linking is not visible here; confirm.
AllowLinking bool `yaml:"allow_linking" json:"allow_linking,omitempty" koanf:"allow_linking" jsonschema:"default=false"`
// `attribute_mapping` defines a map that associates a set of known standard OIDC conformant end-user claims
// (the key of a map entry) at the Hanko backend to claims retrieved from a third party provider (the value of the
// map entry). This is primarily necessary if a non-OIDC provider is configured/used in which case it is probable
// that user data returned from the userinfo endpoint does not already conform to OIDC standard claims.
//
// Example: You configure an OAuth Provider (i.e. non-OIDC) and the provider's configured userinfo endpoint returns
// an end-user's user ID at the provider not under a `sub` key in its JSON response but rather under a `user_id`
// key. You would then configure an attribute mapping as follows:
//
// ```yaml
// attribute_mapping:
//   sub: user_id
// ```
//
// See https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims for a list of known standard claims
// that provider claims can be mapped into. Any other claims received from a provider are not discarded but are
// retained internally in a `custom_claims` claim.
//
// Mappings are one-to-one mappings, complex mappings (e.g. mapping concatenations of two claims) are not possible.
AttributeMapping map[string]string `yaml:"attribute_mapping" json:"attribute_mapping,omitempty" koanf:"attribute_mapping"`
// URL of the provider's authorization endpoint where the end-user is redirected to authenticate and grant consent for
// an application to access their resources.
//
// Required if `use_discovery` is false or omitted.
AuthorizationEndpoint string `yaml:"authorization_endpoint" json:"authorization_endpoint,omitempty" koanf:"authorization_endpoint"`
// `ID` is a unique identifier for the provider, derived from the key in the `custom_providers` map, by
// concatenating the prefix "custom_". This allows distinguishing between built-in and custom providers at runtime.
//
// It is excluded from every serialization format (all tags are `-`), so it cannot be set through configuration.
ID string `jsonschema:"-" yaml:"-" json:"-" koanf:"-"`
// `issuer` is the provider's issuer identifier. It should be a URL that uses the "https"
// scheme and has no query or fragment components.
//
// Required if `use_discovery` is true.
Issuer string `yaml:"issuer" json:"issuer,omitempty" koanf:"issuer"`
// `client_id` is the ID of the OAuth/OIDC client. Must be obtained from the provider.
//
// Required if the provider is `enabled`.
ClientID string `yaml:"client_id" json:"client_id,omitempty" koanf:"client_id" split_words:"true"`
// `display_name` is the name of the provider that is intended to be shown to an end-user.
//
// Required if the provider is `enabled`.
DisplayName string `yaml:"display_name" json:"display_name,omitempty" koanf:"display_name"`
// `enabled` indicates if the provider is enabled or disabled.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=false"`
// `scopes` is a list of scopes requested from the provider that specify the level of access an application has to
// a user's resources on a server, defining what actions the app can perform on behalf of the user.
//
// Required if the provider is `enabled`.
Scopes []string `yaml:"scopes" json:"scopes,omitempty" koanf:"scopes,omitempty"`
// `secret` is the client secret for the OAuth/OIDC client. Must be obtained from the provider.
//
// This is a credential: keep it out of configuration files that are committed or shared.
//
// Required if the provider is `enabled`.
Secret string `yaml:"secret" json:"secret,omitempty" koanf:"secret"`
// URL of the provider's token endpoint where an application exchanges an authorization code for an access
// token, which is used to authenticate API requests on behalf of the end-user.
//
// Required if `use_discovery` is false or omitted.
TokenEndpoint string `yaml:"token_endpoint" json:"token_endpoint,omitempty" koanf:"token_endpoint"`
// `use_discovery` determines if configuration information about an OpenID Connect (OIDC) provider, such as
// endpoint URLs and supported features, should be automatically retrieved from a well-known
// URL (typically /.well-known/openid-configuration).
UseDiscovery bool `yaml:"use_discovery" json:"use_discovery,omitempty" koanf:"use_discovery" jsonschema:"default=true"`
// URL of the provider's endpoint that returns claims about an authenticated end-user.
//
// Required if `use_discovery` is false or omitted.
UserinfoEndpoint string `yaml:"userinfo_endpoint" json:"userinfo_endpoint,omitempty" koanf:"userinfo_endpoint"`
}
func (CustomThirdPartyProvider) JSONSchemaExtend ¶
func (CustomThirdPartyProvider) JSONSchemaExtend(schema *jsonschema.Schema)
func (*CustomThirdPartyProvider) Validate ¶
func (p *CustomThirdPartyProvider) Validate() error
type CustomThirdPartyProviders ¶
// CustomThirdPartyProviders maps a provider key to the configuration of that
// custom provider.
type CustomThirdPartyProviders map[string]CustomThirdPartyProvider
func (*CustomThirdPartyProviders) GetEnabled ¶
func (p *CustomThirdPartyProviders) GetEnabled() []CustomThirdPartyProvider
func (*CustomThirdPartyProviders) HasEnabled ¶
func (p *CustomThirdPartyProviders) HasEnabled() bool
func (*CustomThirdPartyProviders) Validate ¶
func (p *CustomThirdPartyProviders) Validate() error
type Database ¶
// Database configures the database connection, either through the individual
// fields or through a single connection `url`, which takes priority when set.
//
// The JSON schema defaults for `user`, `password` and `database` are all
// `hanko`. These values are published in the schema, so they are suitable for
// local development only and should be replaced in any other deployment.
type Database struct {
// `database` determines the name of the database schema to use.
Database string `yaml:"database" json:"database,omitempty" koanf:"database" jsonschema:"default=hanko"`
// `dialect` is the name of the database system to use.
Dialect string `` /* 138-byte string literal not displayed */
// `host` is the host the database system is running on.
Host string `yaml:"host" json:"host,omitempty" koanf:"host" jsonschema:"default=localhost"`
// `password` is the password for the database user to use for connecting to the database.
Password string `yaml:"password" json:"password,omitempty" koanf:"password" jsonschema:"default=hanko"`
// `port` is the port the database system is running on.
Port string `yaml:"port" json:"port,omitempty" koanf:"port" jsonschema:"default=5432"`
// `url` is a datasource connection string. It can be used instead of the rest of the database configuration
// options. If this `url` is set then it is prioritized, i.e. the rest of the options, if set, have no effect.
//
// Schema: `dialect://username:password@host:port/database`
//
// The connection string embeds the database password, so it needs the same handling as `password` itself.
Url string `yaml:"url" json:"url,omitempty" koanf:"url" jsonschema:"example=postgres://hanko:hanko@localhost:5432/hanko"`
// `user` is the database user to use for connecting to the database.
User string `yaml:"user" json:"user,omitempty" koanf:"user" jsonschema:"default=hanko"`
}
type Email ¶
// Email configures how email addresses are collected from users, whether they
// must be verified, and whether they can be used to identify a user and to
// authenticate with a passcode.
type Email struct {
// `acquire_on_login` determines whether users, provided that they do not already have registered an email,
// are prompted to provide an email on login.
AcquireOnLogin bool `` /* 128-byte string literal not displayed */
// `acquire_on_registration` determines whether users are prompted to provide an email on registration.
AcquireOnRegistration bool `` /* 148-byte string literal not displayed */
// `enabled` determines whether emails are enabled.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=true"`
// `limit` determines the maximum number of emails a user can register.
Limit int `yaml:"limit" json:"limit,omitempty" koanf:"limit" jsonschema:"default=5"`
// `max_length` specifies the maximum allowed length of an email address.
MaxLength int `yaml:"max_length" json:"max_length,omitempty" koanf:"max_length" jsonschema:"default=100"`
// `optional` determines whether users must provide an email when prompted.
// There must always be at least one email address associated with an account. The primary email address cannot be
// deleted if emails are required (`optional: false`).
Optional bool `yaml:"optional" json:"optional,omitempty" koanf:"optional" jsonschema:"default=false"`
// `passcode_ttl` specifies, in seconds, how long a passcode is valid for.
// The JSON schema default is `300`.
PasscodeTtl int `yaml:"passcode_ttl" json:"passcode_ttl,omitempty" koanf:"passcode_ttl" jsonschema:"default=300"`
// `require_verification` determines whether newly created emails must be verified by providing a passcode sent
// to the respective address.
//
// Without verification nothing shown here ties an address to the person who entered it, which matters for any
// feature that trusts the address (login identifier, passcode delivery, third-party account linking).
RequireVerification bool `` /* 139-byte string literal not displayed */
// `use_as_login_identifier` determines whether emails can be used as an identifier on login.
UseAsLoginIdentifier bool `` /* 129-byte string literal not displayed */
// `use_for_authentication` determines whether users can log in by providing an email address and subsequently
// providing a passcode sent to the given email address.
UseForAuthentication bool `` /* 126-byte string literal not displayed */
}
type EmailDelivery ¶
// EmailDelivery configures whether the API sends emails itself and, if so,
// the sender identity and the SMTP server used.
type EmailDelivery struct {
// `enabled` determines whether the API delivers emails.
// Disable if you want to send the emails yourself. To do so you must subscribe to the `email.create` webhook event.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=true"`
// `from_address` configures the sender address of emails sent to users.
FromAddress string `` /* 127-byte string literal not displayed */
// `from_name` configures the sender name of emails sent to users.
FromName string `yaml:"from_name" json:"from_name,omitempty" koanf:"from_name" split_words:"true" jsonschema:"default=Hanko"`
// `SMTP` contains the SMTP server settings for sending mails. It is read from the `smtp` key.
SMTP SMTP `yaml:"smtp" json:"smtp,omitempty" koanf:"smtp" jsonschema:"title=smtp"`
}
type JWTTemplate ¶
// JWTTemplate holds a free-form set of claims read from the `claims` key.
//
// NOTE(review): the page does not document this type; presumably the claims
// are added to JWTs issued by the API. If so, remember that JWT payloads are
// readable by whoever holds the token, so the claims should not carry data
// that the token holder must not see. Confirm against the code that consumes it.
type JWTTemplate struct {
// `claims` maps a claim name to an arbitrary value.
Claims map[string]interface{} `yaml:"claims" json:"claims,omitempty" koanf:"claims"`
}
type LoggerConfig ¶
// LoggerConfig configures application logging.
type LoggerConfig struct {
// `log_health_and_metrics` determines whether requests of the `/health` and `/metrics` endpoints are logged.
LogHealthAndMetrics bool `` /* 126-byte string literal not displayed */
}
type MFA ¶
// MFA configures multi-factor authentication: when users are prompted to set
// up a second factor, whether doing so is mandatory, which methods are
// available (security keys, TOTP), and for how long a trusted device may skip
// the second factor.
type MFA struct {
// `acquire_on_login` configures if users are prompted to create an MFA credential on login.
AcquireOnLogin bool `yaml:"acquire_on_login" json:"acquire_on_login" koanf:"acquire_on_login" jsonschema:"default=false"`
// `acquire_on_registration` configures if users are prompted to create an MFA credential on registration.
AcquireOnRegistration bool `yaml:"acquire_on_registration" json:"acquire_on_registration" koanf:"acquire_on_registration" jsonschema:"default=true"`
// `device_trust_cookie_name` is the name of the cookie used to store the token of a trusted device.
DeviceTrustCookieName string `` /* 146-byte string literal not displayed */
// `device_trust_duration` configures the duration a device remains trusted after authentication; once expired, the
// user must reauthenticate with MFA.
//
// The JSON schema default is `720h`. For that whole period the device trust token stands in for the second factor,
// so a shorter duration narrows the window in which a copied token is useful.
DeviceTrustDuration time.Duration `yaml:"device_trust_duration" json:"device_trust_duration" koanf:"device_trust_duration" jsonschema:"default=720h,type=string"`
// `device_trust_policy` determines the conditions under which a device or browser is considered trusted, allowing
// MFA to be skipped for subsequent logins.
DeviceTrustPolicy string `` /* 173-byte string literal not displayed */
// `enabled` determines whether multi-factor-authentication is enabled.
Enabled bool `yaml:"enabled" json:"enabled" koanf:"enabled" jsonschema:"default=true"`
// `optional` determines whether users must create an MFA credential when prompted. The MFA credential cannot be
// deleted if multi-factor-authentication is required (`optional: false`).
//
// The JSON schema default is `true`, i.e. users may decline to set up a second factor unless this is set to `false`.
Optional bool `yaml:"optional" json:"optional" koanf:"optional" jsonschema:"default=true"`
// `security_keys` configures security key settings for multi-factor-authentication.
SecurityKeys SecurityKeys `yaml:"security_keys" json:"security_keys,omitempty" koanf:"security_keys" jsonschema:"title=security_keys"`
// `totp` configures the TOTP (Time-Based One-Time-Password) method for multi-factor-authentication.
TOTP TOTP `yaml:"totp" json:"totp,omitempty" koanf:"totp" jsonschema:"title=totp"`
}
func (MFA) JSONSchemaExtend ¶
func (MFA) JSONSchemaExtend(schema *jsonschema.Schema)
type OutputStream ¶
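// OutputStream names the console stream that audit log output is written to.
type OutputStream string

// Supported OutputStream values. They match the `enum` entries of the
// `output` option of AuditLogConsole.
var (
	// OutputStreamStdOut selects standard output.
	OutputStreamStdOut OutputStream = "stdout"
	// OutputStreamStdErr selects standard error.
	OutputStreamStdErr OutputStream = "stderr"
)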
type Passcode ¶
// Passcode holds the deprecated passcode settings. It is kept only for older
// configurations.
type Passcode struct {
// Deprecated. Use `email.passcode_ttl` instead.
TTL int `yaml:"ttl" json:"ttl,omitempty" koanf:"ttl" jsonschema:"default=300"`
}
type Passkey ¶
// Passkey configures passkey (WebAuthn) credentials: when users are prompted
// to create one, whether one is mandatory, how many a user may hold, and the
// attestation and user verification preferences sent to the authenticator.
type Passkey struct {
// `acquire_on_registration` configures how users are prompted to create a passkey on registration.
AcquireOnRegistration string `` /* 190-byte string literal not displayed */
// `acquire_on_login` configures how users are prompted to create a passkey on login.
AcquireOnLogin string `` /* 169-byte string literal not displayed */
// `attestation_preference` is used to specify the preference regarding attestation conveyance during
// credential generation.
AttestationPreference string `` /* 183-byte string literal not displayed */
// `enabled` determines whether users can create or authenticate with passkeys.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=true"`
// `limit` defines the maximum number of passkeys a user can have.
Limit int `yaml:"limit" json:"limit,omitempty" koanf:"limit" jsonschema:"default=10"`
// `optional` determines whether users must create a passkey when prompted. The last remaining passkey cannot be
// deleted if passkeys are required (`optional: false`).
//
// It also takes part in determining the order of password and passkey acquisition
// on login and registration (see also `acquire_on_login` and `acquire_on_registration`): if one credential type is
// required (`optional: false`) then that one takes precedence, i.e. is acquired first.
Optional bool `yaml:"optional" json:"optional,omitempty" koanf:"optional" jsonschema:"default=true"`
// `user_verification` specifies the requirements regarding local authorization with an authenticator through
// various authorization gesture modalities; for example, through a touch plus pin code,
// password entry, or biometric recognition.
//
// The setting applies to both WebAuthn registration and authentication ceremonies.
//
// NOTE(review): the allowed values and the default are in the struct tag, which is not displayed on this page.
UserVerification string `` /* 181-byte string literal not displayed */
}
func (Passkey) JSONSchemaExtend ¶
func (Passkey) JSONSchemaExtend(schema *jsonschema.Schema)
type Password ¶
// Password configures password credentials: when users are prompted to set
// one, whether one is mandatory, the minimum length, and whether password
// recovery is available.
type Password struct {
// `acquire_on_registration` configures how users are prompted to create a password on registration.
AcquireOnRegistration string `` /* 190-byte string literal not displayed */
// `acquire_on_login` configures how users are prompted to create a password on login.
AcquireOnLogin string `` /* 168-byte string literal not displayed */
// `enabled` determines whether passwords are enabled or disabled.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=true"`
// `min_length` determines the minimum password length.
// The JSON schema default is `8`; length is the only password requirement configurable in this struct.
MinLength int `yaml:"min_length" json:"min_length,omitempty" koanf:"min_length" split_words:"true" jsonschema:"default=8"`
// Deprecated. Use `min_length` instead.
MinPasswordLength int `` /* 133-byte string literal not displayed */
// `optional` determines whether users must set a password when prompted. The password cannot be deleted if
// passwords are required (`optional: false`).
//
// It also takes part in determining the order of password and passkey acquisition
// on login and registration (see also `acquire_on_login` and `acquire_on_registration`): if one credential type is
// required (`optional: false`) then that one takes precedence, i.e. is acquired first.
Optional bool `yaml:"optional" json:"optional,omitempty" koanf:"optional" jsonschema:"default=false"`
// `recovery` determines whether users can start a recovery process, e.g. in case of a forgotten password.
//
// The JSON schema default is `true`. A recovery process is an alternative way into the account, so its strength
// bounds the strength of password login as a whole.
Recovery bool `yaml:"recovery" json:"recovery,omitempty" koanf:"recovery" jsonschema:"default=true"`
}
func (Password) JSONSchemaExtend ¶
func (Password) JSONSchemaExtend(schema *jsonschema.Schema)
type Privacy ¶
// Privacy configures how much the API reveals about existing accounts and
// their login methods to a client that has not authenticated yet.
type Privacy struct {
// `show_account_existence_hints` determines whether the user should get a user-friendly response rather than a
// privacy protecting one. E.g. on sign-up, when enabled the user will get a "user already exists" response.
// It only has an effect when emails are enabled.
//
// When enabled, the response tells any client whether an account exists for a given identifier, which allows
// accounts to be enumerated. Enable it only where that disclosure is acceptable.
ShowAccountExistenceHints bool `` /* 164-byte string literal not displayed */
// `only_show_actual_login_methods` determines whether the user will only be prompted with their configured login methods.
// It only has an effect when emails are enabled, can be used for authentication and passwords are enabled.
//
// NOTE(review): showing only the methods an account has configured presumably also reveals, before authentication,
// which methods that account uses; confirm against the flow implementation.
OnlyShowActualLoginMethods bool `` /* 170-byte string literal not displayed */
}
type RateLimiter ¶
// RateLimiter configures rate limiting of passcode, OTP, password and token
// operations, and the store that holds the rate limit state.
type RateLimiter struct {
// `enabled` controls whether rate limiting is enabled or disabled.
//
// The JSON schema default is `true`. The limits below are what bounds repeated guessing of passcodes, OTPs and
// passwords, so disabling this removes that bound.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=true"`
// `store` sets the store for the rate limiter. When you have multiple instances of Hanko running, it is recommended to use
// the `redis` store because otherwise your instances each have their own states.
//
// With per-instance state a client whose requests are spread over N instances gets up to N times the configured
// number of attempts per interval.
Store RateLimiterStoreType `yaml:"store" json:"store,omitempty" koanf:"store" jsonschema:"default=in_memory,enum=in_memory,enum=redis"`
// `redis_config` configures connection to a redis instance.
// Required if `store` is set to `redis`.
Redis *RedisConfig `yaml:"redis_config" json:"redis_config,omitempty" koanf:"redis_config"`
// `passcode_limits` controls rate limits for passcode operations.
PasscodeLimits RateLimits `yaml:"passcode_limits" json:"passcode_limits,omitempty" koanf:"passcode_limits" split_words:"true"`
// `otp_limits` controls rate limits for OTP login attempts.
OTPLimits RateLimits `yaml:"otp_limits" json:"otp_limits,omitempty" koanf:"otp_limits" split_words:"true"`
// `password_limits` controls rate limits for password login operations.
PasswordLimits RateLimits `yaml:"password_limits" json:"password_limits,omitempty" koanf:"password_limits" split_words:"true"`
// `token_limits` controls rate limits for token exchange operations.
TokenLimits RateLimits `` /* 130-byte string literal not displayed */
}
func (*RateLimiter) Validate ¶
func (r *RateLimiter) Validate() error
type RateLimiterStoreType ¶
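// RateLimiterStoreType names the store that holds rate limiter state.
type RateLimiterStoreType string

// Supported rate limiter stores. They match the `enum` entries of the `store`
// option of RateLimiter.
const (
	// RATE_LIMITER_STORE_IN_MEMORY selects the in-memory store.
	RATE_LIMITER_STORE_IN_MEMORY RateLimiterStoreType = "in_memory"
	// RATE_LIMITER_STORE_REDIS selects the redis store. Unlike
	// RATE_LIMITER_STORE_IN_MEMORY it is declared without a type, so it is an
	// untyped string constant; that is kept as is because existing callers
	// may assign it to a plain string.
	RATE_LIMITER_STORE_REDIS = "redis"
)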
type RateLimits ¶
// RateLimits describes one rate limit as a number of allowed operations
// (`tokens`) per time window (`interval`).
type RateLimits struct {
// `tokens` determines how many operations/requests can occur in the given `interval`.
// The JSON schema default is `3`.
Tokens uint64 `yaml:"tokens" json:"tokens" koanf:"tokens" jsonschema:"default=3"`
// `interval` determines when to reset the token interval.
// It must be a (possibly signed) sequence of decimal
// numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
// The JSON schema default is `1m`.
//
// NOTE(review): the format above admits zero and negative durations; whether those are rejected during validation
// is not visible here. Confirm, since such a value would not describe a usable limit.
Interval time.Duration `yaml:"interval" json:"interval" koanf:"interval" jsonschema:"default=1m,type=string"`
}
type RedisConfig ¶
// RedisConfig configures the connection to the redis instance used as rate
// limiter store.
type RedisConfig struct {
// `address` is the address of the redis instance in the form of `host[:port][/database]`.
Address string `yaml:"address" json:"address" koanf:"address"`
// `password` is the password for the redis instance.
// It is optional in the schema (`omitempty`, no default).
//
// NOTE(review): no TLS option is part of this struct; whether the connection can be encrypted is not visible here.
Password string `yaml:"password" json:"password,omitempty" koanf:"password"`
}
type RelyingParty ¶
// RelyingParty holds the WebAuthn relying party settings: the name shown by
// authenticators, the domain credentials are bound to, and the origins from
// which credentials are accepted.
type RelyingParty struct {
// `display_name` is the service's name that some WebAuthn Authenticators will display to the user during registration
// and authentication ceremonies.
DisplayName string `` /* 139-byte string literal not displayed */
// `icon` is not documented on this page and is excluded from the JSON schema (`jsonschema:"-"`).
Icon string `yaml:"icon" json:"icon,omitempty" koanf:"icon" jsonschema:"-"`
// `id` is the [effective domain](https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-effective-domain)
// the passkey/WebAuthn credentials will be bound to.
//
// The JSON schema default is `localhost`, which only suits local development.
Id string `yaml:"id" json:"id,omitempty" koanf:"id" jsonschema:"default=localhost,examples=localhost,example.com,subdomain.example.com"`
// `origins` is a list of origins for which passkeys/WebAuthn credentials will be accepted by the server. Must
// include the protocol and can only be the effective domain, or a registrable domain suffix of the effective
// domain, as specified in the [`id`](#id). Except for `localhost`, the protocol **must** always be `https` for
// passkeys/WebAuthn to work. IP Addresses will not work.
//
// For an Android application the origin must be the base64 url encoded SHA256 fingerprint of the signing
// certificate.
//
// Every origin listed here can take part in WebAuthn ceremonies for this relying party, so list only origins
// that you control.
Origins []string `` /* 209-byte string literal not displayed */
}
RelyingParty holds the WebAuthn settings for your application using Hanko.
type SMTP ¶
// SMTP holds the connection settings of the SMTP server used for sending
// mails.
//
// NOTE(review): the struct has no option concerning transport encryption;
// whether TLS is used or required for the connection is not visible here.
type SMTP struct {
// `host` is the host name of the SMTP server. The JSON schema default is `localhost`.
Host string `yaml:"host" json:"host,omitempty" koanf:"host" jsonschema:"default=localhost"`
// `port` is the port of the SMTP server. The JSON schema default is `465`.
Port string `yaml:"port" json:"port,omitempty" koanf:"port" jsonschema:"default=465"`
// `user` is the user name used to authenticate against the SMTP server.
User string `yaml:"user" json:"user,omitempty" koanf:"user"`
// `password` is the password used to authenticate against the SMTP server. It is a credential and should be kept
// out of configuration files that are committed or shared.
Password string `yaml:"password" json:"password,omitempty" koanf:"password"`
}
SMTP holds the SMTP server settings used for sending passcodes.
type Secrets ¶
// Secrets holds the keys that protect the JWKs used to sign JWTs issued by
// the API.
type Secrets struct {
// `keys` are used to en- and decrypt the JWKs which get used to sign the JWTs issued by the API.
// For every key a JWK is generated, encrypted with the key and persisted in the database.
//
// You can use this list for key rotation: add a new key to the beginning of the list and the corresponding
// JWK will then be used for signing JWTs. All tokens signed with the previous JWK(s) will still
// be valid until they expire. Removing a key from the list does not remove the corresponding
// database record. If you remove a key, you also have to remove the database record, otherwise
// application startup will fail.
//
// A key from this list together with the persisted JWK record is enough to recover the signing key, so the keys
// should be stored and distributed with the same care as the signing key itself. Note that rotation as described
// above does not invalidate tokens that were already signed with an earlier JWK; they stay valid until they expire.
//
// At least one key is required (`minItems=1`).
Keys []string `yaml:"keys" json:"keys,omitempty" koanf:"keys" jsonschema:"minItems=1"`
}
func (Secrets) JSONSchemaExtend ¶
func (Secrets) JSONSchemaExtend(schema *jsonschema.Schema)
type SecurityKeys ¶
// SecurityKeys configures security keys as a multi-factor-authentication method: whether they are
// enabled, how many a user may register, and the WebAuthn preferences used for them.
type SecurityKeys struct {
// `attestation_preference` is used to specify the preference regarding attestation conveyance during
// credential generation.
AttestationPreference string `` /* 183-byte string literal not displayed */
// `authenticator_attachment` is used to specify the preference regarding authenticator attachment during credential registration.
AuthenticatorAttachment string `` /* 214-byte string literal not displayed */
// `enabled` determines whether security keys are eligible for multi-factor-authentication.
Enabled bool `yaml:"enabled" json:"enabled" koanf:"enabled" jsonschema:"default=true"`
// `limit` determines the maximum number of security keys a user can register.
Limit int `yaml:"limit" json:"limit,omitempty" koanf:"limit" jsonschema:"default=10"`
// `user_verification` specifies the requirements regarding local authorization with an authenticator through
// various authorization gesture modalities; for example, through a touch plus pin code,
// password entry, or biometric recognition.
//
// The setting applies to both WebAuthn registration and authentication ceremonies.
UserVerification string `` /* 183-byte string literal not displayed */
}
type Server ¶
// Server groups the listener settings of the two APIs: the public API and the admin API.
type Server struct {
// `public` contains the server configuration for the public API.
Public ServerSettings `yaml:"public" json:"public,omitempty" koanf:"public" jsonschema:"title=public"`
// `admin` contains the server configuration for the admin API.
//
// NOTE(review): whether the admin API authenticates its callers is not visible here; until that
// is confirmed, treat its address as one that must not be reachable from untrusted networks.
Admin ServerSettings `yaml:"admin" json:"admin,omitempty" koanf:"admin" jsonschema:"title=admin"`
}
type ServerSettings ¶
// ServerSettings holds the listen address and the CORS options of one API server.
type ServerSettings struct {
// `address` is the address of the server to listen on in the form of host:port.
//
// See [net.Dial](https://pkg.go.dev/net#Dial) for details of the address format.
//
// NOTE(review): with Go's usual listener semantics an empty host (for example `:8000`) binds all
// interfaces; name the host explicitly when the server should only be reachable locally — confirm
// against the listener the server actually uses.
Address string `yaml:"address" json:"address,omitempty" koanf:"address"`
// `cors` contains configuration options regarding Cross-Origin-Resource-Sharing.
Cors Cors `yaml:"cors" json:"cors,omitempty" koanf:"cors" jsonschema:"title=cors"`
}
func (*ServerSettings) Validate ¶
func (s *ServerSettings) Validate() error
type ServerSide ¶
// ServerSide holds the server-side session settings: an on/off switch and a per-user session limit.
// The Session struct marks its `server_side` field of this type as deprecated.
type ServerSide struct {
// `enabled` determines whether server-side sessions are enabled.
//
// NOTE: When enabled the session endpoint must be used in order to check if a session is still valid.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=false"`
// `limit` determines the maximum number of server-side sessions a user can have. When the limit is exceeded,
// older sessions are invalidated.
Limit int `yaml:"limit" json:"limit,omitempty" koanf:"limit" jsonschema:"default=100"`
}
type Service ¶
// Service holds general information about the service; currently only its name.
type Service struct {
// `name` determines the name of the service.
// This value is used, e.g. in the subject header of outgoing emails.
Name string `yaml:"name" json:"name,omitempty" koanf:"name"`
}
type Session ¶
// Session configures session handling: the JWT claims (`aud`, `iss`, custom claims), the token
// lifespan, the session cookie, per-user session limits, and which client metadata is stored.
type Session struct {
// `allow_revocation` allows users to revoke their own sessions.
AllowRevocation bool `yaml:"allow_revocation" json:"allow_revocation,omitempty" koanf:"allow_revocation" jsonschema:"default=true"`
// `audience` is a list of strings that identifies the recipients that the JWT is intended for.
// The audiences are placed in the `aud` claim of the JWT.
// If not set, it defaults to the value of the `webauthn.relying_party.id` configuration parameter.
Audience []string `yaml:"audience" json:"audience,omitempty" koanf:"audience"`
// `acquire_ip_address` stores the user's IP address in the database.
//
// Enabled by default. IP addresses are commonly treated as personal data; disable this if you
// have no need to retain them.
AcquireIPAddress bool `yaml:"acquire_ip_address" json:"acquire_ip_address,omitempty" koanf:"acquire_ip_address" jsonschema:"default=true"`
// `acquire_user_agent` stores the user's user agent in the database.
//
// Enabled by default; the same retention consideration as for `acquire_ip_address` applies.
AcquireUserAgent bool `yaml:"acquire_user_agent" json:"acquire_user_agent,omitempty" koanf:"acquire_user_agent" jsonschema:"default=true"`
// `cookie` contains configuration for the session cookie issued on successful registration or login.
Cookie Cookie `yaml:"cookie" json:"cookie,omitempty" koanf:"cookie"`
// `enable_auth_token_header` determines whether a session token (JWT) is returned in an `X-Auth-Token`
// header after a successful authentication. This option should be set to `true` if API and client applications
// run on different domains.
//
// NOTE(review): with this option the client application receives the raw JWT and has to store it
// itself, so the protections configured for the session cookie presumably do not cover that copy
// of the token — confirm how the client stores it.
EnableAuthTokenHeader bool `` /* 152-byte string literal not displayed */
// `issuer` is a string that identifies the principal (human user, an organization, or a service)
// that issued the JWT. Its value is set in the `iss` claim of a JWT.
Issuer string `yaml:"issuer" json:"issuer,omitempty" koanf:"issuer"`
// `lifespan` determines the maximum duration for which a session token (JWT) is valid. It must be a (possibly signed) sequence of decimal
// numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
//
// NOTE(review): the syntax above admits negative durations such as "-1.5h", which make no sense
// for a token lifetime; whether validation rejects them is not visible here — confirm. A shorter
// lifespan limits how long a leaked token remains usable.
Lifespan string `yaml:"lifespan" json:"lifespan,omitempty" koanf:"lifespan" jsonschema:"default=12h"`
// `limit` determines the maximum number of server-side sessions a user can have. When the limit is exceeded,
// older sessions are invalidated.
Limit int `yaml:"limit" json:"limit,omitempty" koanf:"limit" jsonschema:"default=5"`
// `show_on_profile` indicates that the sessions should be listed on the profile.
ShowOnProfile bool `yaml:"show_on_profile" json:"show_on_profile,omitempty" koanf:"show_on_profile" jsonschema:"default=true"`
// Deprecated: use the settings in the parent object.
// `server_side` contains configuration for server-side sessions.
ServerSide *ServerSide `yaml:"server_side" json:"server_side,omitempty" koanf:"server_side"`
// `jwt_template` defines a template for adding custom `claims` to session JWTs.
//
// These claims are processed at JWT generation time and can include static values,
// templated strings using Go's text/template syntax, or nested structures (maps and slices).
//
// The template has access to user data via the `.User` field, which includes:
//   - `.User.UserID`: The user's unique ID (string)
//   - `.User.Email`: Email details (optional, with `.Address`, `.IsPrimary`, `.IsVerified`)
//   - `.User.Username`: The user's username (string, optional)
//
// Claims that fail to process (e.g., due to invalid templates) are logged and skipped,
// ensuring JWT generation continues without interruption.
//
// Because a failing claim is skipped rather than rejected, a consumer that bases an access
// decision on a custom claim must treat a missing claim as "not granted".
//
// Example usage in YAML configuration:
// ```yaml
// session:
//   lifespan: 24h
//   jwt_template:
//     claims:
//       role: "user" # Static value
//       user_email: "{{.User.Email.Address}}" # Templated string
//       is_verified: "{{.User.Email.IsVerified}}" # Boolean from user data
//       metadata: # Nested map
//         source: "hanko"
//         greeting: "Hello {{.User.Username}}"
//       scopes: # Slice with templated value
//         - "read"
//         - "write"
//         - "{{if .User.Email.IsVerified}}admin{{else}}basic{{end}}"
// ```
//
// In this example:
//   - `role` is a static string ("user").
//   - `user_email` dynamically inserts the user's email address.
//   - `is_verified` inserts a boolean indicating email verification status.
//   - `metadata` is a nested map with a static `source` and a templated `greeting`.
//   - `scopes` is a slice combining static values and a conditional template.
//
// NOTE(review): the `scopes` entry illustrates conditional syntax only. Deriving a privileged
// value such as "admin" from email verification alone is not an authorization model; privileges
// should come from data the user cannot set for themselves.
//
// Notes:
//   - Claims with the following keys will be ignored because they are currently added to the JWT
//     by default:
//       - sub
//       - iat
//       - exp
//       - aud
//       - iss
//       - email
//       - username
//       - session_id
//   - Templates must be valid Go `text/template` syntax. Invalid templates are logged and ignored.
//   - Boolean strings ("true" or "false") from templates are automatically converted to actual booleans.
//   - Use conditionals (e.g., `{{if .User.Email}}`) to handle optional fields safely.
//   - `.User.Username` and `.User.Email.Address` are values chosen by the user; consumers should
//     treat claims built from them as untrusted text.
//
// For more details on template syntax, see: https://pkg.go.dev/text/template
JWTTemplate *JWTTemplate `yaml:"jwt_template" json:"jwt_template,omitempty" koanf:"jwt_template"`
}
type TOTP ¶
// TOTP configures TOTP as a multi-factor-authentication method; it only has an on/off switch.
type TOTP struct {
// `enabled` determines whether TOTP is eligible for multi-factor-authentication.
Enabled bool `yaml:"enabled" json:"enabled" koanf:"enabled" jsonschema:"default=true"`
}
type ThirdParty ¶
// ThirdParty configures sign-in through OAuth/OIDC identity providers: the built-in and custom
// providers, the callback URL, and the URLs the backend may redirect to after sign-in or on error.
type ThirdParty struct {
// `providers` contains the configurations for the available OAuth/OIDC identity providers.
Providers ThirdPartyProviders `yaml:"providers" json:"providers,omitempty" koanf:"providers" jsonschema:"title=providers,uniqueItems=true"`
// `custom_providers` contains the configurations for custom OAuth/OIDC identity providers.
CustomProviders CustomThirdPartyProviders `yaml:"custom_providers" json:"custom_providers,omitempty" koanf:"custom_providers" jsonschema:"title=custom_providers"`
// `redirect_url` is the URL the third party provider redirects to with an authorization code. Must consist of the base URL
// of your running Hanko backend instance and the `callback` endpoint of the API,
// i.e. `{YOUR_BACKEND_INSTANCE}/thirdparty/callback`.
//
// Required if any of the [`providers`](#providers) are `enabled`.
RedirectURL string `` /* 155-byte string literal not displayed */
// `error_redirect_url` is the URL the backend redirects to if an error occurs during third party sign-in.
// Errors are provided as 'error' and 'error_description' query params in the redirect location URL.
//
// When using the Hanko web components it should be the URL of the page that embeds the web component such that
// errors can be processed properly by the web component.
//
// You do not have to add this URL to the 'allowed_redirect_urls', it is automatically included when validating
// redirect URLs.
//
// Required if any of the [`providers`](#providers) are `enabled`. Must not have trailing slash.
ErrorRedirectURL string `yaml:"error_redirect_url" json:"error_redirect_url,omitempty" koanf:"error_redirect_url" split_words:"true"`
// `default_redirect_url` is the URL the backend redirects to after it successfully verified
// the response from any third party provider.
//
// Must not have trailing slash.
DefaultRedirectURL string `yaml:"default_redirect_url" json:"default_redirect_url,omitempty" koanf:"default_redirect_url" split_words:"true"`
// `allowed_redirect_urls` is a list of URLs the backend is allowed to redirect to after third party sign-in was
// successful.
//
// Supports wildcard matching through globbing. e.g. `https://*.example.com` will allow `https://foo.example.com`
// and `https://bar.example.com` to be accepted.
//
// Globbing is also supported for paths, e.g. `https://foo.example.com/*` will match `https://foo.example.com/page1`
// and `https://foo.example.com/page2`.
//
// A double asterisk (`**`) acts as a "super"-wildcard/match-all.
//
// See [here](https://pkg.go.dev/github.com/gobwas/glob#Compile) for more on globbing.
//
// Must not be empty if any of the [`providers`](#providers) are `enabled`. URLs in the list must not have a trailing slash.
//
// This list is the allow-list that keeps the post-sign-in redirect from becoming an open
// redirect. Prefer exact URLs; every wildcard widens the set of accepted targets, and a
// subdomain wildcard also accepts any subdomain that is not under your control. Avoid `**`
// outside of local development.
AllowedRedirectURLS []string `` /* 140-byte string literal not displayed */
// AllowedRedirectURLMap has no description on this page and is excluded from YAML, JSON, koanf
// and the JSON schema by its tags. Presumably it holds the compiled globs for
// `allowed_redirect_urls` — confirm in PostProcess.
AllowedRedirectURLMap map[string]glob.Glob `jsonschema:"-" yaml:"-" json:"-" koanf:"-"`
}
func (ThirdParty) JSONSchemaExtend ¶
func (t ThirdParty) JSONSchemaExtend(schema *jsonschema.Schema)
func (ThirdParty) JSONSchemaNoBuiltInProviderEnabled ¶
func (t ThirdParty) JSONSchemaNoBuiltInProviderEnabled() *jsonschema.Schema
func (ThirdParty) JSONSchemaNoCustomProviderEnabled ¶
func (t ThirdParty) JSONSchemaNoCustomProviderEnabled() *jsonschema.Schema
func (*ThirdParty) PostProcess ¶
func (t *ThirdParty) PostProcess() error
func (*ThirdParty) Validate ¶
func (t *ThirdParty) Validate() error
type ThirdPartyProvider ¶
// ThirdPartyProvider holds the settings of one built-in OAuth/OIDC identity provider: the client
// credentials, whether it is enabled, and whether accounts may be linked through it.
type ThirdPartyProvider struct {
// `allow_linking` indicates whether existing accounts can be automatically linked with this provider.
//
// Linking is based on matching one of the email addresses of an existing user account with the (primary)
// email address of the third party provider account.
//
// NOTE(review): linking relies on the email address reported by the provider. Enable it only for
// providers that verify ownership of that address; otherwise a provider account carrying someone
// else's address could be linked to that person's existing account. Whether the backend checks a
// verification flag from the provider is not visible here — confirm.
AllowLinking bool `yaml:"allow_linking" json:"allow_linking,omitempty" koanf:"allow_linking" split_words:"true"`
// `client_id` is the ID of the OAuth/OIDC client. Must be obtained from the provider.
//
// Required if the provider is `enabled`.
ClientID string `yaml:"client_id" json:"client_id,omitempty" koanf:"client_id" split_words:"true"`
// DisplayName has no description on this page; its tags exclude it from YAML, JSON, koanf and
// the JSON schema, so it is not read from configuration.
DisplayName string `jsonschema:"-" yaml:"-" json:"-" koanf:"-"`
// `enabled` determines whether this provider is enabled.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=false"`
// `secret` is the client secret for the OAuth/OIDC client. Must be obtained from the provider.
//
// Required if the provider is `enabled`.
//
// This is a credential: keep it out of committed configuration files and out of logs.
Secret string `yaml:"secret" json:"secret,omitempty" koanf:"secret"`
// `ID` is a unique name/slug/identifier for the provider. It is the lowercased key of the corresponding field
// in ThirdPartyProviders. See also: CustomThirdPartyProvider.ID.
ID string `jsonschema:"-" yaml:"-" json:"-" koanf:"-"`
}
func (ThirdPartyProvider) JSONSchemaExtend ¶
func (ThirdPartyProvider) JSONSchemaExtend(schema *jsonschema.Schema)
func (*ThirdPartyProvider) Validate ¶
func (p *ThirdPartyProvider) Validate() error
type ThirdPartyProviders ¶
// ThirdPartyProviders holds one ThirdPartyProvider configuration per built-in identity provider.
type ThirdPartyProviders struct {
// `apple` contains the provider configuration for Apple.
Apple ThirdPartyProvider `yaml:"apple" json:"apple,omitempty" koanf:"apple"`
// `discord` contains the provider configuration for Discord.
Discord ThirdPartyProvider `yaml:"discord" json:"discord,omitempty" koanf:"discord"`
// `github` contains the provider configuration for GitHub.
GitHub ThirdPartyProvider `yaml:"github" json:"github,omitempty" koanf:"github"`
// `google` contains the provider configuration for Google.
Google ThirdPartyProvider `yaml:"google" json:"google,omitempty" koanf:"google"`
// `linkedin` contains the provider configuration for LinkedIn.
LinkedIn ThirdPartyProvider `yaml:"linkedin" json:"linkedin,omitempty" koanf:"linkedin"`
// `microsoft` contains the provider configuration for Microsoft.
Microsoft ThirdPartyProvider `yaml:"microsoft" json:"microsoft,omitempty" koanf:"microsoft"`
// `facebook` contains the provider configuration for Facebook.
Facebook ThirdPartyProvider `yaml:"facebook" json:"facebook,omitempty" koanf:"facebook"`
}
func (*ThirdPartyProviders) Get ¶
func (p *ThirdPartyProviders) Get(provider string) *ThirdPartyProvider
func (*ThirdPartyProviders) GetEnabled ¶
func (p *ThirdPartyProviders) GetEnabled() []ThirdPartyProvider
func (*ThirdPartyProviders) HasEnabled ¶
func (p *ThirdPartyProviders) HasEnabled() bool
func (*ThirdPartyProviders) Validate ¶
func (p *ThirdPartyProviders) Validate() error
type Username ¶
// Username configures usernames: whether they are enabled, when users are prompted for one, the
// allowed length, whether one is required, and whether it can be used to log in.
type Username struct {
// `acquire_on_login` determines whether users, provided that they do not already have set a username,
// are prompted to provide a username on login.
AcquireOnLogin bool `` /* 127-byte string literal not displayed */
// `acquire_on_registration` determines whether users are prompted to provide a username on registration.
AcquireOnRegistration bool `` /* 148-byte string literal not displayed */
// `enabled` determines whether users can set a unique username.
//
// Usernames can contain letters (a-z,A-Z), numbers (0-9), and underscores.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=false"`
// `max_length` specifies the maximum allowed length of a username.
MaxLength int `yaml:"max_length" json:"max_length,omitempty" koanf:"max_length" jsonschema:"default=32"`
// `min_length` specifies the minimum length of a username.
MinLength int `yaml:"min_length" json:"min_length,omitempty" koanf:"min_length" split_words:"true" jsonschema:"default=3"`
// `optional` determines whether users must provide a username when prompted. The username can only be changed but
// not deleted if usernames are required (`optional: false`).
Optional bool `yaml:"optional" json:"optional,omitempty" koanf:"optional" jsonschema:"default=true"`
// `use_as_login_identifier` determines whether usernames, if enabled, can be used for logging in.
UseAsLoginIdentifier bool `` /* 129-byte string literal not displayed */
}
type WebauthnSettings ¶
// WebauthnSettings holds the WebAuthn settings: the relying party, the ceremony timeouts, and two
// deprecated fields kept alongside their replacements.
type WebauthnSettings struct {
// `relying_party` contains the relying party settings (see RelyingParty).
RelyingParty RelyingParty `yaml:"relying_party" json:"relying_party,omitempty" koanf:"relying_party" split_words:"true" jsonschema:"title=relying_party"`
// Deprecated: use `timeouts` instead.
//
// The schema default is 60000; presumably milliseconds, as for `timeouts` — confirm.
Timeout int `yaml:"timeout" json:"timeout,omitempty" koanf:"timeout" jsonschema:"default=60000"`
// `timeouts` specifies the timeouts for passkey/WebAuthn registration and login.
Timeouts WebauthnTimeouts `yaml:"timeouts" json:"timeouts,omitempty" koanf:"timeouts" split_words:"true" jsonschema:"title=timeouts"`
// Deprecated: use `passkey.user_verification` instead.
UserVerification string `` /* 181-byte string literal not displayed */
// Handler is excluded from the JSON schema and carries no configuration tags. Presumably it is
// the WebAuthn library instance built from these settings in PostProcess — confirm.
Handler *webauthnLib.WebAuthn `jsonschema:"-"`
}
WebauthnSettings defines the settings for the webauthn authentication mechanism
func (*WebauthnSettings) PostProcess ¶
func (r *WebauthnSettings) PostProcess() error
func (*WebauthnSettings) Validate ¶
func (r *WebauthnSettings) Validate() error
Validate performs no checks of its own, because the library already validates this configuration.
type WebauthnTimeouts ¶
// WebauthnTimeouts holds the timeouts, in milliseconds, for the WebAuthn registration and login
// ceremonies. Both default to 600000 in the schema.
type WebauthnTimeouts struct {
// `registration` determines the time, in milliseconds, that the client is willing to wait for the credential
// creation request to the WebAuthn API to complete.
Registration int `yaml:"registration" json:"registration,omitempty" koanf:"registration" jsonschema:"default=600000"`
// `login` determines the time, in milliseconds, that the client is willing to wait for the credential
// request to the WebAuthn API to complete.
Login int `yaml:"login" json:"login,omitempty" koanf:"login" jsonschema:"default=600000"`
}
type Webhook ¶
// Webhook describes one webhook: the callback URL and the events it listens for.
type Webhook struct {
// `callback` specifies the URL to which the change data will be sent.
//
// NOTE(review): change data leaves the backend through this URL, so use an `https` endpoint you
// control. Whether the payload is signed or the target is restricted (for example against
// internal addresses) is not visible here — confirm in the webhook sender.
Callback string `yaml:"callback" json:"callback,omitempty" koanf:"callback"`
// `events` is a list of events this hook listens for.
Events events.Events `yaml:"events" json:"events,omitempty" koanf:"events" jsonschema:"title=events"`
}
func (Webhook) JSONSchemaExtend ¶
func (Webhook) JSONSchemaExtend(schema *jsonschema.Schema)
type WebhookSettings ¶
// WebhookSettings configures the webhook feature: whether it is enabled, whether unused webhooks
// expire, and the list of configured hooks.
type WebhookSettings struct {
// `allow_time_expiration` determines whether webhooks are disabled when unused for 30 days
// (only for database webhooks).
AllowTimeExpiration bool `yaml:"allow_time_expiration" json:"allow_time_expiration,omitempty" koanf:"allow_time_expiration" jsonschema:"default=false"`
// `enabled` enables the webhook feature.
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=false"`
// `hooks` is a list of Webhook configurations.
//
// When using environment variables the value for the `WEBHOOKS_HOOKS` key must be specified in the following
// format:
// `{"callback":"http://app.com/usercb","events":["user"]};{"callback":"http://app.com/emailcb","events":["email.send"]}`
//
// The `http://` URLs above only illustrate the format; callbacks that carry user or email data
// should point at `https` endpoints.
Hooks Webhooks `yaml:"hooks" json:"hooks,omitempty" koanf:"hooks" jsonschema:"title=hooks"`
}
func (*WebhookSettings) Validate ¶
func (ws *WebhookSettings) Validate() error
type Webhooks ¶
// Webhooks is a list of Webhook configurations.
type Webhooks []Webhook
func (*Webhooks) Decode ¶
Decode is an implementation of the envconfig.Decoder interface. Assumes that environment variables (for the WEBHOOKS_HOOKS key) have the following format: {"callback":"http://app.com/usercb","events":["user"]};{"callback":"http://app.com/emailcb","events":["email.send"]}
Source Files
¶
- config.go
- config_account.go
- config_audit_log.go
- config_database.go
- config_default.go
- config_email.go
- config_email_delivery.go
- config_emails.go
- config_logger.go
- config_mfa.go
- config_passcode.go
- config_passkey.go
- config_password.go
- config_privacy.go
- config_rate_limiter.go
- config_secrets.go
- config_server.go
- config_service.go
- config_session.go
- config_third_party.go
- config_username.go
- config_webauthn.go
- config_webhook.go