​Outpost Configuration

Global configurations are provided through env variables or a YAML file. ConfigMap can be used if deploying with Kubernetes.

​Environment Variables

​YAML

# Outpost Configuration Example (Generated)
# This example shows all available keys with their default values where applicable.

# A 16, 24, or 32 byte secret key used for AES encryption of sensitive data at rest.
# Required: Y
aes_encryption_secret: ""

# Secret key for signing and verifying JWTs if JWT authentication is used for the API.
# Required: Y
api_jwt_secret: ""

# API key for authenticating requests to the Outpost API.
# Required: Y
api_key: ""

# Port number for the API server to listen on.
api_port: 3333

alert:
  # If true, automatically disables a destination after 'consecutive_failure_count' is reached.
  auto_disable_destination: true

  # URL to which Outpost will send a POST request when an alert is triggered (e.g., for destination failures).
  callback_url: ""

  # Number of consecutive delivery failures for a destination before triggering an alert and potentially disabling it.
  consecutive_failure_count: 20


# Enables or disables audit logging for significant events.
audit_log: true

# Time-to-live in seconds for delivery queue idempotency keys. Controls how long processed deliveries are remembered to prevent duplicate delivery attempts. Default: 3600 (1 hour).
delivery_idempotency_key_ttl: 3600

# Maximum number of delivery attempts to process concurrently.
delivery_max_concurrency: 1

# Timeout in seconds for HTTP requests made during event delivery to webhook destinations.
delivery_timeout_seconds: 5

# Optional deployment identifier for multi-tenancy. Enables multiple deployments to share the same infrastructure while maintaining data isolation.
deployment_id: ""

# Path to the directory containing custom destination type definitions. Overrides 'destinations.metadata_path' if set.
destination_metadata_path: ""

destinations:
  # Configuration specific to AWS Kinesis destinations.
  aws_kinesis:
    # If true, includes Outpost metadata (event ID, topic, etc.) within the Kinesis record payload.
    metadata_in_payload: true


  # If true, includes a 'timestamp-ms' field with millisecond precision in destination metadata. Useful for load testing and debugging.
  include_millisecond_timestamp: false

  # Path to the directory containing custom destination type definitions. This can be overridden by the root-level 'destination_metadata_path' if also set.
  metadata_path: "config/outpost/destinations"

  # Configuration specific to webhook destinations.
  webhook:
    # If true, disables adding the default 'X-Outpost-Event-Id' header to webhook requests. Only applies to 'default' mode.
    disable_default_event_id_header: false

    # If true, disables adding the default 'X-Outpost-Signature' header to webhook requests. Only applies to 'default' mode.
    disable_default_signature_header: false

    # If true, disables adding the default 'X-Outpost-Timestamp' header to webhook requests. Only applies to 'default' mode.
    disable_default_timestamp_header: false

    # If true, disables adding the default 'X-Outpost-Topic' header to webhook requests. Only applies to 'default' mode.
    disable_default_topic_header: false

    # Prefix for metadata headers added to webhook requests. Defaults to 'x-outpost-' in 'default' mode and 'webhook-' in 'standard' mode.
    header_prefix: "x-outpost-"

    # Webhook mode: 'default' for customizable webhooks or 'standard' for Standard Webhooks specification compliance. Defaults to 'default'.
    mode: ""

    # Proxy URL for routing webhook requests through a proxy server. Supports HTTP and HTTPS proxies. When configured, all outgoing webhook traffic will be routed through the specified proxy.
    proxy_url: ""

    # Algorithm used for signing webhook requests (e.g., 'hmac-sha256'). Only applies to 'default' mode.
    signature_algorithm: "hmac-sha256"

    # Go template for constructing the content to be signed for webhook requests. Only applies to 'default' mode.
    signature_content_template: "{{.Timestamp.Unix}}.{{.Body}}"

    # Encoding for the signature (e.g., 'hex', 'base64'). Only applies to 'default' mode.
    signature_encoding: "hex"

    # Go template for the value of the signature header. Only applies to 'default' mode.
    signature_header_template: "t={{.Timestamp.Unix}},v0={{.Signatures | join \",\"}}"



# Global flag to disable all telemetry (anonymous usage statistics to Hookdeck and error reporting to Sentry). If true, overrides 'telemetry.disabled'.
disable_telemetry: false

# Sets the Gin framework mode (e.g., 'debug', 'release', 'test'). See Gin documentation for details.
gin_mode: "release"

# Custom HTTP User-Agent string for outgoing webhook deliveries. If unset, a default (OrganizationName/Version) is used.
http_user_agent: ""

idgen:
  # Prefix for delivery event IDs, prepended with underscore (e.g., 'dev_123'). Default: empty (no prefix)
  delivery_event_prefix: ""

  # Prefix for delivery IDs, prepended with underscore (e.g., 'dlv_123'). Default: empty (no prefix)
  delivery_prefix: ""

  # Prefix for destination IDs, prepended with underscore (e.g., 'dst_123'). Default: empty (no prefix)
  destination_prefix: ""

  # Prefix for event IDs, prepended with underscore (e.g., 'evt_123'). Default: empty (no prefix)
  event_prefix: ""

  # ID generation type for all entities: uuidv4, uuidv7, nanoid. Default: uuidv4
  type: "uuidv4"


# Maximum number of log entries to batch together before writing to storage.
log_batch_size: 1000

# Maximum time in seconds to buffer logs before flushing them to storage, if batch size is not reached.
log_batch_threshold_seconds: 10

# Defines the verbosity of application logs. Common values: 'trace', 'debug', 'info', 'warn', 'error'.
log_level: "info"

# Maximum number of log writing operations to process concurrently.
log_max_concurrency: 1

mqs:
  # Configuration for using AWS SQS as the message queue. Only one MQ provider should be configured.
  aws_sqs:
    # AWS Access Key ID for SQS. Required if AWS SQS is the chosen MQ provider.
    # Required: Conditional
    access_key_id: ""

    # Name of the SQS queue for delivery events.
    delivery_queue: "outpost-delivery"

    # Custom AWS SQS endpoint URL. Optional, typically used for local testing (e.g., LocalStack).
    endpoint: ""

    # Name of the SQS queue for log events.
    log_queue: "outpost-log"

    # AWS Region for SQS. Required if AWS SQS is the chosen MQ provider.
    # Required: Conditional
    region: ""

    # AWS Secret Access Key for SQS. Required if AWS SQS is the chosen MQ provider.
    # Required: Conditional
    secret_access_key: ""


  # Whether Outpost should create and manage message queue infrastructure. Set to false if you manage infrastructure externally (e.g., via Terraform). Defaults to true for backward compatibility.
  auto_provision: # <*bool>

  # Configuration for using Azure Service Bus as the message queue. Only one MQ provider should be configured.
  azure_servicebus:
    # Service principal client ID
    # Required: Y
    client_id: ""

    # Service principal client secret
    # Required: Y
    client_secret: ""

    # Azure Service Bus connection string
    connection_string: ""

    # Subscription name for delivery queue
    delivery_subscription: "outpost-delivery-sub"

    # Topic name for delivery queue
    delivery_topic: "outpost-delivery"

    # Subscription name for log queue
    log_subscription: "outpost-log-sub"

    # Topic name for log queue
    log_topic: "outpost-log"

    # Azure Service Bus namespace
    # Required: Y
    namespace: ""

    # Azure resource group name
    # Required: Y
    resource_group: ""

    # Azure subscription ID
    # Required: Y
    subscription_id: ""

    # Azure Active Directory tenant ID
    # Required: Y
    tenant_id: ""


  # Configuration for using GCP Pub/Sub as the message queue. Only one MQ provider should be configured.
  gcp_pubsub:
    # Name of the GCP Pub/Sub subscription for delivery events.
    delivery_subscription: "outpost-delivery-sub"

    # Name of the GCP Pub/Sub topic for delivery events.
    delivery_topic: "outpost-delivery"

    # Name of the GCP Pub/Sub subscription for log events.
    log_subscription: "outpost-log-sub"

    # Name of the GCP Pub/Sub topic for log events.
    log_topic: "outpost-log"

    # GCP Project ID for Pub/Sub. Required if GCP Pub/Sub is the chosen MQ provider.
    # Required: Conditional
    project: ""

    # JSON string or path to a file containing GCP service account credentials for Pub/Sub. Required if GCP Pub/Sub is the chosen MQ provider and not running in an environment with implicit credentials (e.g., GCE, GKE).
    # Required: Conditional
    service_account_credentials: ""


  # Configuration for using RabbitMQ as the message queue. Only one MQ provider should be configured.
  rabbitmq:
    # Name of the RabbitMQ queue for delivery events.
    delivery_queue: "outpost-delivery"

    # Name of the RabbitMQ exchange to use.
    exchange: "outpost"

    # Name of the RabbitMQ queue for log events.
    log_queue: "outpost-log"

    # RabbitMQ server connection URL (e.g., 'amqp://user:pass@host:port/vhost'). Required if RabbitMQ is the chosen MQ provider.
    # Required: Conditional
    server_url: ""



# Maximum number of destinations allowed per tenant/organization.
max_destinations_per_tenant: 20

otel:
  # OpenTelemetry configuration specific to logs.
  logs:
    # Specifies the OTLP exporter to use for this telemetry type (e.g., 'otlp'). Typically used with environment variables like OTEL_EXPORTER_OTLP_TRACES_ENDPOINT.
    # Required: Conditional
    exporter: ""

    # Specifies the OTLP protocol ('grpc' or 'http') for this telemetry type. Typically used with environment variables like OTEL_EXPORTER_OTLP_TRACES_PROTOCOL.
    # Required: Conditional
    protocol: ""


  # OpenTelemetry configuration specific to metrics.
  metrics:
    # Specifies the OTLP exporter to use for this telemetry type (e.g., 'otlp'). Typically used with environment variables like OTEL_EXPORTER_OTLP_TRACES_ENDPOINT.
    # Required: Conditional
    exporter: ""

    # Specifies the OTLP protocol ('grpc' or 'http') for this telemetry type. Typically used with environment variables like OTEL_EXPORTER_OTLP_TRACES_PROTOCOL.
    # Required: Conditional
    protocol: ""


  # The service name reported to OpenTelemetry. If set, OpenTelemetry will be enabled.
  service_name: ""

  # OpenTelemetry configuration specific to traces.
  traces:
    # Specifies the OTLP exporter to use for this telemetry type (e.g., 'otlp'). Typically used with environment variables like OTEL_EXPORTER_OTLP_TRACES_ENDPOINT.
    # Required: Conditional
    exporter: ""

    # Specifies the OTLP protocol ('grpc' or 'http') for this telemetry type. Typically used with environment variables like OTEL_EXPORTER_OTLP_TRACES_PROTOCOL.
    # Required: Conditional
    protocol: ""



# Name of the organization, used for display purposes and potentially in user agent strings.
organization_name: ""

portal:
  # Primary brand color (hex code) for theming the Outpost Portal (e.g., '#6122E7'). Also referred to as Accent Color in some contexts.
  brand_color: ""

  # If true, disables Outpost branding in the portal.
  disable_outpost_branding: false

  # URL for the favicon to be used in the Outpost Portal.
  favicon_url: ""

  # Force a specific theme for the Outpost Portal (e.g., 'light', 'dark').
  force_theme: ""

  # URL for the light-mode logo to be displayed in the Outpost Portal.
  logo: ""

  # URL for the dark-mode logo to be displayed in the Outpost Portal.
  logo_dark: ""

  # Organization name displayed in the Outpost Portal.
  org_name: ""

  # URL to proxy the Outpost Portal through. If set, Outpost serves the portal assets, and this URL is used as the base. Must be a valid URL.
  proxy_url: ""

  # The expected Referer URL for accessing the portal. This is a security measure. Required if the Outpost Portal is enabled/used. Example: 'https://admin.example.com'.
  # Required: Conditional
  referer_url: ""


# Connection URL for PostgreSQL, used for log storage. Example: 'postgres://user:pass@host:port/dbname?sslmode=disable'.
# Required: Y
postgres: ""

# Time-to-live in seconds for publish queue idempotency keys. Controls how long processed events are remembered to prevent duplicate processing. Default: 3600 (1 hour).
publish_idempotency_key_ttl: 3600

publishmq:
  # Configuration for using AWS SQS as the publish message queue. Only one publish MQ provider should be configured.
  aws_sqs:
    # AWS Access Key ID for the SQS publish queue. Required if AWS SQS is the chosen publish MQ provider.
    # Required: Conditional
    access_key_id: ""

    # Custom AWS SQS endpoint URL for the publish queue. Optional.
    endpoint: ""

    # Name of the SQS queue for publishing events. Required if AWS SQS is the chosen publish MQ provider.
    # Required: Conditional
    queue: ""

    # AWS Region for the SQS publish queue. Required if AWS SQS is the chosen publish MQ provider.
    # Required: Conditional
    region: ""

    # AWS Secret Access Key for the SQS publish queue. Required if AWS SQS is the chosen publish MQ provider.
    # Required: Conditional
    secret_access_key: ""


  # Configuration for using Azure Service Bus as the publish message queue. Only one publish MQ provider should be configured.
  azure_servicebus:
    # Azure Service Bus connection string for the publish queue. Required if Azure Service Bus is the chosen publish MQ provider.
    # Required: Conditional
    connection_string: ""

    # Name of the Azure Service Bus subscription to read published events from. Required if Azure Service Bus is the chosen publish MQ provider.
    # Required: Conditional
    subscription: ""

    # Name of the Azure Service Bus topic for publishing events. Required if Azure Service Bus is the chosen publish MQ provider.
    # Required: Conditional
    topic: ""


  # Configuration for using GCP Pub/Sub as the publish message queue. Only one publish MQ provider should be configured.
  gcp_pubsub:
    # GCP Project ID for the Pub/Sub publish topic. Required if GCP Pub/Sub is the chosen publish MQ provider.
    # Required: Conditional
    project: ""

    # JSON string or path to a file containing GCP service account credentials for the Pub/Sub publish topic. Required if GCP Pub/Sub is chosen and not using implicit credentials.
    # Required: Conditional
    service_account_credentials: ""

    # Name of the GCP Pub/Sub subscription to read published events from. Required if GCP Pub/Sub is the chosen publish MQ provider.
    # Required: Conditional
    subscription: ""

    # Name of the GCP Pub/Sub topic for publishing events. Required if GCP Pub/Sub is the chosen publish MQ provider.
    # Required: Conditional
    topic: ""


  # Configuration for using RabbitMQ as the publish message queue. Only one publish MQ provider should be configured.
  rabbitmq:
    # Name of the RabbitMQ exchange for the publish queue.
    exchange: ""

    # Name of the RabbitMQ queue for publishing events. Required if RabbitMQ is the chosen publish MQ provider.
    # Required: Conditional
    queue: ""

    # RabbitMQ server connection URL for the publish queue. Required if RabbitMQ is the chosen publish MQ provider.
    # Required: Conditional
    server_url: ""



# Maximum number of messages to process concurrently from the publish queue.
publish_max_concurrency: 1

redis:
  # Enable Redis cluster mode for distributed Redis deployments.
  cluster_enabled: false

  # Redis database number to select after connecting (ignored in cluster mode).
  # Required: Y
  database: 0

  # Development only: Force cluster to use original host for discovered nodes. DO NOT use in production.
  dev_cluster_host_override: false

  # Hostname or IP address of the Redis server.
  # Required: Y
  host: "127.0.0.1"

  # Password for Redis authentication, if required by the server.
  # Required: Y
  password: ""

  # Port number for the Redis server.
  # Required: Y
  port: 6379

  # Enable TLS encryption for Redis connection.
  tls_enabled: false


# Interval in seconds for exponential backoff retry strategy (base 2). Ignored if retry_schedule is provided.
retry_interval_seconds: 30

# Maximum number of retry attempts for a single event delivery before giving up. Ignored if retry_schedule is provided.
retry_max_limit: 10

# Backoff time in milliseconds when the retry monitor finds no messages to process. When a retry message is found, the monitor immediately polls for the next message without delay. Lower values provide faster retry processing but increase Redis load. For serverless Redis providers (Upstash, ElastiCache Serverless), consider increasing to 5000-10000ms to reduce costs. Default: 100
retry_poll_backoff_ms: 100

# Comma-separated list of retry delays in seconds. If provided, overrides retry_interval_seconds and retry_max_limit. Schedule length defines the max number of retries. Example: '5,60,600,3600,7200' for 5 retries at 5s, 1m, 10m, 1h, 2h.
retry_schedule: []

# Specifies the service type to run. Valid values: 'api', 'log', 'delivery', or empty/all for singular mode (runs all services).
service: ""

telemetry:
  # Maximum time in seconds to wait before sending a batch of telemetry events if batch size is not reached.
  batch_interval: 5

  # Maximum number of telemetry events to batch before sending.
  batch_size: 100

  # Disables telemetry within the 'telemetry' block (Hookdeck usage stats and Sentry). Can be overridden by the global 'disable_telemetry' flag at the root of the configuration.
  disabled: false

  # The Hookdeck Source URL to send anonymous usage telemetry data to. Set to empty to disable sending to Hookdeck.
  hookdeck_source_url: "https://hkdk.events/yhk665ljz3rn6l"

  # Sentry DSN for error reporting. If provided and telemetry is not disabled, Sentry integration will be enabled.
  sentry_dsn: "https://examplePublicKey@o0.ingest.sentry.io/0"


# Comma-separated list of topics that this Outpost instance should subscribe to for event processing.
topics: [item1, item2]
yaml