1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# assay-engine PostgreSQL 18 example config — workflow + dashboard
# with JWT pass-through auth from an upstream OIDC provider (Hydra,
# Keycloak, Auth0, …). Pass-through means: the upstream IdP mints the
# JWT, your edge forwards it as `Authorization: Bearer ...`, and the
# engine validates the signature against the upstream's JWKS without
# managing users itself. See `site/pages/auth-pass-through.html`.
[]
= "0.0.0.0:3000"
# Env-var substitution (0.3.1+): `${VAR}` and `${VAR:-default}`.
= "${PUBLIC_URL:-http://localhost:3000}"
[]
= "postgres"
# PG18 minimum. Inject DATABASE_URL via environment (K8s Secret env,
# systemd EnvironmentFile, etc.) to keep credentials out of the config.
= "${DATABASE_URL:-postgres://postgres:postgres@localhost:5432/assay}"
[]
= true
[]
= true
# Pass-through JWT validation against an upstream OIDC provider
# (added in 0.3.2). Configure one block per trusted issuer. Tokens
# whose `iss` matches a configured `issuer_url` are verified against
# that issuer's JWKS; everything else falls through to the engine's
# internal JWT path. When this list is non-empty the engine no longer
# requires operator users / admin_api_keys — the upstream IdP is the
# source of truth.
#
# [[auth.external_issuers]]
# issuer_url = "${HYDRA_ISSUER:-https://hydra.example.com/}"
# audience = ["my-app"]
# jwks_refresh_secs = 3600 # default; minimum 60
[]
= "info"
= "json"