Quick reference for every top-level key in the Orchestrator’s YAML configuration file. Keys that have dedicated reference pages link out to avoid duplication — keys documented only here include their full field tables. For a conceptual overview of how configuration works, see the Configuration overview.

version

Required. Specifies the configuration format version.
| Key | Type | Required | Description |
|---|---|---|---|
| version | string | Yes | Configuration version — currently accepts "1" |

```yaml
version: "1"
```

features

Optional. Enables experimental or gated behavior via feature flags.
| Key | Type | Required | Description |
|---|---|---|---|
| features | map[string]string | No | Feature flag map — values "true" or "enabled" (case-insensitive) turn a feature on; any other value turns it off |

```yaml
features:
  experimental.clusters: "true"
```

Parsing rules: Only "true" and "enabled" (case-insensitive) are recognized as enabled. Any other value, or a missing flag, is treated as disabled. Known flags:

| Flag | Purpose | Stability |
|---|---|---|
| experimental.clusters | Enable Orchestrator clustering for high availability with gossip-based membership, shared sessions, caches, and routing | Alpha |

Feature flags with the experimental. prefix indicate alpha-level features that may change without notice. See the Changelog for additions and removals.

http

Optional. Controls the HTTP server — bind address, TLS, timeouts, and access logging.
| Key | Type | Default | Description |
|---|---|---|---|
| http.address | string | "0.0.0.0:9443" | Network address and port to bind to |
| http.tls | string | | Name of a TLS profile defined under the top-level tls key (mutually exclusive with http.hosts) |
| http.readTimeoutSeconds | integer | 20 | Maximum seconds to read the full request |
| http.readHeaderTimeoutSeconds | integer | 5 | Maximum seconds to read request headers |
| http.writeTimeoutSeconds | integer | 20 | Maximum seconds to write the response |
| http.idleTimeoutSeconds | integer | 60 | Maximum seconds to keep idle connections open |
| http.endpointTimeoutSeconds | integer | 15 | Maximum seconds for an endpoint handler to complete |
| http.accessLog.disabled | boolean | false | Disable HTTP access logging |
| http.accessLog.level | string | "info" | Access log level — "debug", "info", or "error" |

```yaml
http:
  address: "0.0.0.0:9443"
  tls: "default"
  readTimeoutSeconds: 20
  writeTimeoutSeconds: 20
```

SNI-based virtual hosts: The http.hosts array binds different TLS profiles to different server names via SNI. It is mutually exclusive with http.tls. Each host entry requires a serverName (or default: true for the fallback) and a tls profile reference. Only one default: true entry is allowed.

Cluster-based routing: The http.routing object enables routing requests across an Orchestrator cluster. Set http.routing.enabled: true with type: "cluster" and a cluster.name reference. Requires experimental.clusters to be enabled.
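The flag-parsing rule above and the http cross-key rules (tls/hosts exclusivity, a single default host, routing gated on experimental.clusters, profile references that must exist under tls) can be checked before a file is deployed. The validator below is an added example, not part of the Orchestrator or its documentation; it works on the already-parsed form of a config (the dict a YAML loader would return) and uses a constructed sample that deliberately breaks two of the rules.

```python
# Added example (not from the Orchestrator docs or product): checks the
# cross-key rules this reference states against an already-parsed config.
# The dict below stands in for yaml.safe_load() output of a config file.

TRUTHY = {"true", "enabled"}  # documented rule; any other value or missing flag is off

def feature_enabled(cfg, flag):
    """Apply the documented feature-flag parsing rule (case-insensitive match)."""
    value = (cfg.get("features") or {}).get(flag)
    return isinstance(value, str) and value.lower() in TRUTHY

def validate(cfg):
    """Return the list of rule violations; an empty list means the config passes."""
    errors = []
    # YAML `version: 1` parses as an int, so the unquoted form is rejected here.
    if cfg.get("version") != "1":
        errors.append('version must be the string "1"')
    http = cfg.get("http") or {}
    profiles = cfg.get("tls") or {}
    if "tls" in http and "hosts" in http:
        errors.append("http.tls and http.hosts are mutually exclusive")
    if "tls" in http and http["tls"] not in profiles:
        errors.append('http.tls references unknown TLS profile "%s"' % http["tls"])
    hosts = http.get("hosts") or []
    if sum(1 for h in hosts if h.get("default") is True) > 1:
        errors.append("only one http.hosts entry may set default: true")
    for h in hosts:
        if not h.get("serverName") and h.get("default") is not True:
            errors.append("http.hosts entry needs serverName or default: true")
        if h.get("tls") not in profiles:
            errors.append('http.hosts entry references unknown TLS profile "%s"' % h.get("tls"))
    routing = http.get("routing") or {}
    if routing.get("enabled") is True and not feature_enabled(cfg, "experimental.clusters"):
        errors.append("http.routing requires the experimental.clusters feature flag")
    return errors

# Constructed sample mixing valid and invalid settings (not a real deployment).
SAMPLE = {
    "version": "1",
    "features": {"experimental.clusters": "Enabled"},  # mixed case still counts as on
    "tls": {"default": {"certFile": "/path/to/server.pem"}},
    "http": {
        "hosts": [
            {"default": True, "tls": "default"},
            {"serverName": "app.example.com", "tls": "missing-profile"},
            {"default": True, "tls": "default"},  # second fallback host: invalid
        ],
        "routing": {"enabled": True, "type": "cluster", "cluster": {"name": "main"}},
    },
}
```

Running `validate(SAMPLE)` reports the duplicate default host and the unresolved TLS profile while accepting the routing block, because the mixed-case "Enabled" flag value counts as enabled.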

tls

Optional. Named TLS profiles for server certificates, cipher suites, mTLS, and certificate revocation checking. See the TLS Security reference for the full field table, mTLS configuration, OCSP/CRL settings, and Windows Certificate Store support.
```yaml
tls:
  "default":
    certFile: /etc/maverics/certs/server.pem
    keyFile: /etc/maverics/certs/server-key.pem
    minVersion: "1.2"
    maxVersion: "1.3"
```

connectors

Optional. Identity provider connections — OIDC, SAML, LDAP, and attribute providers. See the Identity Fabric reference for all supported connector types, protocol details, and per-provider configuration.
```yaml
connectors:
  - name: azure
    type: azure
    oauthClientID: "{{ env.AZURE_CLIENT_ID }}"
    oauthClientSecret: <vault.azure_client_secret>
    oidcWellKnownURL: "https://login.microsoftonline.com/{{ env.TENANT_ID }}/v2.0/.well-known/openid-configuration"
```

apps

Optional. Application definitions with routes, authentication policies, and upstream targets. See the Applications reference for app types (Proxy, OIDC, SAML, MCP Bridge, MCP Proxy) and route configuration.
```yaml
apps:
  - name: my-app
    type: proxy
    upstream: "https://internal-app.example.com"
    routePatterns:
      - "app.example.com/"
```

oidcProvider

Optional. OIDC Provider mode settings — token signing, claim mapping, and client registration. See the OIDC Provider reference for the full configuration.

samlProvider

Optional. SAML Provider mode settings — assertion signing, attribute mapping, and metadata. See the SAML Provider reference for the full configuration.

ldapProvider

Optional. LDAP Provider mode settings — virtual directory, attribute mapping, and backend routing. See the LDAP Provider reference for the full configuration.

mcpProvider

Optional. AI Identity Gateway mode settings — MCP Bridge and MCP Proxy configuration. See the AI Identity Gateway reference for the full configuration.

session

Optional. Session cookie, lifetime, and store configuration. See the Sessions reference for session types (local, cluster), cookie settings, and lifetime configuration.
```yaml
session:
  cookie:
    name: "__Host-maverics"
    secure: true
  lifetime: "8h"
```

caches

Optional. Named cache stores for session data, tokens, and IdP metadata. See the Caches reference for Redis configuration, cluster caching, and connection settings.
```yaml
caches:
  - name: shared-redis
    type: redis
    redis:
      addresses:
        - "redis.example.com:6379"
```

logger

Optional. Structured logging configuration. See the Logging reference for verbosity levels, JSON output, and filtering.
```yaml
logger:
  level: "info"
  jsonOutput: true
```

health

Optional. Health check endpoint and heartbeat monitoring. See the Telemetry reference for health endpoint configuration.
```yaml
health:
  location: "/status"
  heartbeat:
    interval: "60s"
```

telemetry

Optional. OpenTelemetry metrics and traces via OTLP. See the Telemetry reference for metrics, traces, and OTLP exporter configuration.

singleLogout

Optional. Single logout endpoint and post-logout redirect behavior. See the Single Logout guide for configuration and flow details.

clusters

Optional. Multi-node Orchestrator cluster configuration for high availability. See the Clusters reference for gossip protocol, shared state, and cluster routing. Requires the experimental.clusters feature flag.

apis

Optional. Custom API endpoints powered by Service Extensions. See the Custom APIs reference for custom API configuration.