Configuration Details
Ed-Fi API v8 is configurable through appsettings.json in each service. This
page documents the most common settings. Environment variables override
appsettings.json values using the double-underscore __ separator for
hierarchy — for example, AppSettings__Datastore=mssql. No special prefix is
required.
Ed-Fi API Settings
Required Settings
The Ed-Fi API requires a database connection, a reachable Configuration Service,
and JWT authentication settings to start. In the Docker Compose setup these are
provided via the .env file; in other deployments configure them directly in
appsettings.json or via environment variables. The JwtAuthentication section
points the Ed-Fi API at the token authority — see Identity
Provider for the required keys.
-
AppSettings:DatastoreExample postgresqlDescription Primary database engine for the DMS. Valid values: postgresql,mssql -
ConfigurationServiceSettings:BaseUrlExample http://ed-fi-api-config:8081Description Base URL of the Configuration Service. The Ed-Fi API contacts this URL at runtime to retrieve claim sets, data stores, and application context -
ConfigurationServiceSettings:EncryptionKeyExample MySecretKey1234567890123456789012Description Key used to decrypt data store connection strings stored in the Configuration Service. Must match DatabaseSettings:EncryptionKeyin the Configuration Service. Recommended: a 32-character ASCII string. Set viaDMS_CONFIG_DATABASE_ENCRYPTION_KEYenvironment variable -
AppSettings:AuthenticationServiceExample http://ed-fi-api-config:8081/connect/tokenDescription Token endpoint the Ed-Fi API forwards /oauth/tokenproxy requests to. Must use the container-network hostname in Docker deployments. Set viaSELF_CONTAINED_OAUTH_TOKEN_ENDPOINTorKEYCLOAK_OAUTH_TOKEN_ENDPOINT -
ConfigurationServiceSettings:ClientSecretExample (generated secret) Description Client secret the Ed-Fi API uses to authenticate to the Configuration Service as the CMSReadOnlyAccessclient. Must match the secret configured in the Configuration Service. Set viaCONFIG_SERVICE_CLIENT_SECRETenv var
Optional Settings
-
AppSettings:MultiTenancyDefault falseDescription When true, enables multi-tenancy mode. The tenant identifier is extracted from the URL route. See Single and Multi-Tenant Configuration -
AppSettings:RouteQualifierSegmentsDefault (empty) Description Comma-separated list of route qualifier segments extracted from the URL path. Example: districtId,schoolYear. Segments must matchdataStoreContextsconfigured in the Configuration Service. See Context-Based Routing for Year-Specific Data Store -
AppSettings:BypassTypeCoercionDefault falseDescription When true, disables automatic type coercion onPOSTandPUTrequest values. Submitted values must already match the JSON Schema type. Improves performance but requires clients to submit correctly typed values -
AppSettings:AllowIdentityUpdateOverridesDefault (empty) Description Comma-separated list of resource names that allow natural key (identity) updates. By default all resources reject identity updates with HTTP 400 -
AppSettings:MaskRequestBodyInLogsDefault trueDescription When true, masks request body content inDEBUG-level log statements by replacing all scalar values with"*". Whenfalse, the full unmasked body is logged. See Logging Configuration -
AppSettings:UseApiSchemaPathDefault false; Docker Compose env varUSE_API_SCHEMA_PATHdefaults totruein.env.exampleDescription When true, loads the API schema (core and extensions) from the directory specified byApiSchemaPath. Whenfalse, loads the bundled schema from the application output -
AppSettings:ApiSchemaPathDefault (empty); Docker Compose env var API_SCHEMA_PATHdefaults to/app/ApiSchemain.env.exampleDescription Directory containing bootstrap-api-schema-manifest.jsonand the declared schema files. Used whenUseApiSchemaPathistrue. ExtensionApiSchema.jsonfiles placed in this directory are automatically loaded. See Extending with MetaEd -
AppSettings:DomainsExcludedFromOpenApiDefault (empty) Description Comma-separated list of Ed-Fi domain names to exclude from the generated OpenAPI specification. Case-insensitive. Useful for reducing Swagger UI noise in focused deployments -
CacheSettings:ClaimSetsCacheExpirationSecondsDefault 600Description Seconds before cached claim sets (the claims taxonomy) expire and are re-fetched from the Configuration Service -
CacheSettings:ApplicationContextCacheExpirationSecondsDefault 600Description Seconds before cached application context expires and is re-fetched from the Configuration Service -
CacheSettings:TokenCacheExpirationSecondsDefault 1500Description Seconds before the cached Configuration Service access token expires and is renewed -
CacheSettings:ProfileCacheExpirationSecondsDefault 1800Description Seconds before cached profile definitions expire and are re-fetched from the Configuration Service -
CacheSettings:DataStoreCacheExpirationSecondsDefault 600Description Seconds before cached data store configuration expires and is re-fetched from the Configuration Service. Requires DataStoreCacheRefreshEnabledto betrue. Set to0or a negative value to keep the cache until the next explicit reload -
CacheSettings:DataStoreCacheRefreshEnabledDefault trueDescription Enables TTL-based automatic refresh of the cached data store configuration from the Configuration Service. When true, DMS re-fetches data store settings once a cache entry is older thanDataStoreCacheExpirationSeconds, so changes made in the Configuration Service propagate without a restart. Whenfalse, the cached configuration is kept until the next explicit reload -
AppSettings:PathBaseDefault (empty); Docker Compose env var PATH_BASEdefaults toapiin.env.exampleDescription URL path prefix for all Ed-Fi API endpoints. With PATH_BASE=api, resource endpoints are at/api/data/ed-fi/.... Leave empty to serve from the root path with no prefix -
DatabaseOptions:IsolationLevelDefault ReadCommittedDescription Transaction isolation level. Valid values from System.Data.IsolationLevel -
RateLimit:PermitLimit,RateLimit:Window,RateLimit:QueueLimitDefaults 5000,10,0Description Fixed-window rate limiting, partitioned by hostname. PermitLimitrequests are allowed perWindowseconds. Excess requests queue up toQueueLimit(0 = no queuing); requests beyond the queue receive HTTP 429. Remove theRateLimitsection entirely to disable rate limiting
Configuration Service Settings
Required Settings
-
AppSettings:DatastoreExample postgresqlDescription Primary database engine. Valid values: postgresql,mssql -
AppSettings:IdentityProviderDefault self-containedDescription Authentication provider. Valid values: self-contained(OpenIddict),keycloak. See Identity Provider -
DatabaseSettings:EncryptionKeyExample MySecretKey1234567890123456789012Description AES key used to encrypt data store connection strings at rest. Must match ConfigurationServiceSettings:EncryptionKeyin the Ed-Fi API. Set viaDMS_CONFIG_DATABASE_ENCRYPTION_KEYenvironment variable. Recommended: a 32-character ASCII string
Optional Settings
-
AppSettings:DeployDatabaseOnStartupDefault trueDescription When true, creates and initializes the Configuration Service database on startup -
AppSettings:MultiTenancyDefault falseDescription When true, enables multi-tenancy. The tenant identifier is extracted from theTenantrequest header -
AppSettings:PathBaseDefault (empty); Docker Compose env var DMS_CONFIG_PATH_BASEdefaults toconfigin.env.exampleDescription URL base segment for all Configuration Service endpoints. Example: with PathBase=config, the management API is at/config/v3/vendors -
AppSettings:TokenRequestTimeoutSecondsDefault 30Description Timeout in seconds for outbound token requests -
AppSettings:ReverseProxy:UseForwardedHeadersDefault falseDescription When true, respectsX-Forwarded-*headers for URL generation. Enable when deploying behind a reverse proxy or load balancer -
AppSettings:ReverseProxy:KnownProxiesDefault (empty) Description Comma-separated list of trusted proxy IP addresses (e.g. 10.0.0.1,10.0.0.2). Restricts which proxies may supply forwarded-header values -
AppSettings:ReverseProxy:KnownNetworksDefault (empty) Description Comma-separated list of trusted proxy CIDR networks (e.g. 192.168.1.0/24,10.0.0.0/8). ExtendsKnownProxiesto cover a range of addresses -
AppSettings:EnableApplicationResetEndpointDefault falseDescription When true, enablesPUT /v3/applications/{id}/reset-credentialfor resetting API client credentials via API. Disable when an application supports multiple API clients, as resetting credentials affects all clients for that application -
IdentitySettings:ClientSecretValidation:MinimumLengthDefault 32Description Minimum length for client secrets registered with the Configuration Service. Secrets must also contain at least one uppercase letter, one lowercase letter, one number, and one special character from !@#$%^&*()-_=+[]{}:;,.? -
IdentitySettings:ClientSecretValidation:MaximumLengthDefault 128Description Maximum length for client secrets