Skip to content

Environment variables

Environment variables are used to configure the Keycloak cluster or your custom extensions.

They can be used to adjust the Keycloak settings (see Note that some configuration variables are under the responsibility of Cloud-IAM and won't be overridable.

Environment variables
Environment variables

Types of Keycloak variables

We propose two types of variables:

  • Clear: the value is displayed in clear in the console
  • Masked: the value is masked and can no longer be read once saved.

To make a variable "masked", simply click on the padlock and validate:

Environment variables masked
Environment variables masked

The value is then no longer displayed, but you can modify it if you wish to update it.

If you wish to make a masked variable clear again, you can do so by clicking on the open padlock:

Environment variables clear
Environment variables clear


However, this will reset the current value, so you'll need to enter it again:

Environment variables blank
Environment variables blank

Keycloak variables


This variable can be used to configure the log level of Keycloak. The default value is INFO.

You can use this value for instance WARN,com.acme.extension:DEBUG to log at the DEBUG level for the classes from package com.acme.extension, and at the WARN level for everything else.


Changing the value of variable KC_HTTP_RELATIVE_PATH will change the url of your deployment. This might impact the availability of your deployment.

The deployment url is generated by this formula:${KC_HTTP_RELATIVE_PATH}/admin/master/console/

For backward compatibility between Wildfly and Quarkus, you might need to set this value to /auth. In this case, all the urls are prefixed with /auth as before in Wildfly.

Be careful when changing / removing this value, because it affects the login url for your end-users