Configuration Reference
Oriel loads oriel.toml by default and then applies environment overrides.
Defaults
| TOML key | Default |
|---|---|
| server.http_addr | :6743 |
| server.public_url | empty |
| server.insecure | false |
| server.tls.cert_file | empty |
| server.tls.key_file | empty |
| ingest.grpc_addr | :4317 |
| ingest.http_addr | :4318 |
| ingest.http_on_server | false |
| flags.stale_after | 720h |
| flags.unused_window | 336h |
| flags.unused_threshold | 0 |
| flags.unused_detection | true |
| flags.scan_interval | 15m |
| alert.allow_private_targets | false |
| clickhouse.dsn | clickhouse://localhost:9000/oriel |
| metadata.dsn | empty, required for serving and metadata commands |
| valkey.dsn | valkey://localhost:6379/0 |
| valkey.key_prefix | oriel |
| valkey.operation_timeout | 500ms |
| valkey.ruleset_ttl | 10m |
| valkey.session_cache_ttl | 30s |
| valkey.token_cache_ttl | 30s |
| auth.cookie_secret | empty; required when any OIDC provider is enabled |
| admin.allow_signup | false |
| admin.email_domain_allowlist | empty |
| admin.workspace_create_policy | instance_admins |
| admin.oidc_jit_provisioning | true |
| admin.invite_ttl_hours | 168 |
| admin.smtp.host | empty, disables invite email delivery |
| admin.smtp.port | 0; invite mailer uses 587 when unset |
| admin.smtp.username | empty |
| admin.smtp.password | empty |
| admin.smtp.from | empty |
| admin.smtp.starttls | unset |
| self_observability.enabled | true |
| self_observability.interval | 30s |
| self_observability.sample_ratio | 1.0 |
| log.level | info |
| log.format | auto |
Environment Overrides
| Environment variable | TOML key |
|---|---|
| ORIEL_SERVER_HTTP_ADDR | server.http_addr |
| ORIEL_SERVER_PUBLIC_URL | server.public_url |
| ORIEL_SERVER_INSECURE | server.insecure |
| ORIEL_SERVER_TLS_CERT_FILE | server.tls.cert_file |
| ORIEL_SERVER_TLS_KEY_FILE | server.tls.key_file |
| ORIEL_INGEST_GRPC_ADDR | ingest.grpc_addr |
| ORIEL_INGEST_HTTP_ADDR | ingest.http_addr |
| ORIEL_INGEST_HTTP_ON_SERVER | ingest.http_on_server |
| ORIEL_FLAGS_STALE_AFTER | flags.stale_after |
| ORIEL_FLAGS_UNUSED_WINDOW | flags.unused_window |
| ORIEL_FLAGS_UNUSED_THRESHOLD | flags.unused_threshold |
| ORIEL_FLAGS_UNUSED_DETECTION | flags.unused_detection |
| ORIEL_FLAGS_SCAN_INTERVAL | flags.scan_interval |
| ORIEL_ALERT_ALLOW_PRIVATE_TARGETS | alert.allow_private_targets |
| ORIEL_CLICKHOUSE_DSN | clickhouse.dsn |
| ORIEL_METADATA_DSN | metadata.dsn |
| ORIEL_VALKEY_DSN | valkey.dsn |
| ORIEL_VALKEY_KEY_PREFIX | valkey.key_prefix |
| ORIEL_VALKEY_OPERATION_TIMEOUT | valkey.operation_timeout |
| ORIEL_VALKEY_RULESET_TTL | valkey.ruleset_ttl |
| ORIEL_VALKEY_SESSION_CACHE_TTL | valkey.session_cache_ttl |
| ORIEL_VALKEY_TOKEN_CACHE_TTL | valkey.token_cache_ttl |
| ORIEL_AUTH_COOKIE_SECRET | auth.cookie_secret |
| ORIEL_ADMIN_ALLOW_SIGNUP | admin.allow_signup |
| ORIEL_ADMIN_WORKSPACE_CREATE_POLICY | admin.workspace_create_policy |
| ORIEL_ADMIN_OIDC_JIT_PROVISIONING | admin.oidc_jit_provisioning |
| ORIEL_ADMIN_INVITE_TTL_HOURS | admin.invite_ttl_hours |
| ORIEL_ADMIN_SMTP_HOST | admin.smtp.host |
| ORIEL_ADMIN_SMTP_PORT | admin.smtp.port |
| ORIEL_ADMIN_SMTP_USERNAME | admin.smtp.username |
| ORIEL_ADMIN_SMTP_PASSWORD | admin.smtp.password |
| ORIEL_ADMIN_SMTP_FROM | admin.smtp.from |
| ORIEL_ADMIN_SMTP_STARTTLS | admin.smtp.starttls |
| ORIEL_SELF_OBSERVABILITY_ENABLED | self_observability.enabled |
| ORIEL_SELF_OBSERVABILITY_INTERVAL | self_observability.interval |
| ORIEL_SELF_OBSERVABILITY_SAMPLE_RATIO | self_observability.sample_ratio |
| ORIEL_LOG_LEVEL | log.level |
| ORIEL_LOG_FORMAT | log.format |

OIDC provider client secrets can be overridden with:

```
ORIEL_AUTH_OIDC_<SLUG>_CLIENT_SECRET
```

The slug is uppercased and hyphens become underscores.
Server
```toml
[server]
http_addr = ":6743"
public_url = "https://oriel.example.com"
insecure = false

[server.tls]
cert_file = ""
key_file = ""
```

Native TLS is enabled only when both cert_file and key_file are set.
Ingest
```toml
[ingest]
grpc_addr = ":4317"
http_addr = ":4318"
http_on_server = false
```

Both ingest listeners use the same TLS configuration as the server when native TLS is configured.

Set http_on_server = true to also mount OTLP/HTTP on the API/UI listener
(server.http_addr) under /v1/traces, /v1/logs, and /v1/metrics. This
only applies to oriel serve --role=all; the dedicated ingest.http_addr
listener remains enabled by default.
Alerts
```toml
[alert]
allow_private_targets = false
```

By default, alert delivery refuses webhook, ntfy, and SMTP targets that resolve
to loopback, link-local, private, multicast, or unspecified addresses. Set
allow_private_targets = true only for trusted deployments that intentionally
deliver to internal endpoints.
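
The address categories listed above, as an added Go example of this kind of target check (not Oriel's own code). The function names and sample addresses are assumptions made for illustration, and DNS resolution is left to the caller so the example runs offline.

```go
package main

import (
	"fmt"
	"net/netip"
)

// blockedReason names the refused category addr falls in, or "" if none.
func blockedReason(addr netip.Addr) string {
	addr = addr.Unmap() // treat ::ffff:127.0.0.1 as 127.0.0.1
	switch {
	case addr.IsUnspecified():
		return "unspecified"
	case addr.IsLoopback():
		return "loopback"
	case addr.IsLinkLocalUnicast(), addr.IsLinkLocalMulticast():
		return "link-local"
	case addr.IsMulticast():
		return "multicast"
	case addr.IsPrivate():
		return "private"
	}
	return ""
}

// checkTarget refuses host if ANY resolved address is in a blocked category,
// so a name with one public and one internal record is still rejected.
// The caller resolves the name and must connect only to the checked addresses.
func checkTarget(host string, resolved []string, allowPrivate bool) error {
	if len(resolved) == 0 {
		return fmt.Errorf("%s: no addresses resolved", host) // fail closed
	}
	for _, s := range resolved {
		addr, err := netip.ParseAddr(s)
		if err != nil {
			return fmt.Errorf("%s: bad address %q: %w", host, s, err)
		}
		if reason := blockedReason(addr); reason != "" && !allowPrivate {
			return fmt.Errorf("%s resolves to %s address %s", host, reason, addr)
		}
	}
	return nil
}

func main() {
	// Constructed sample resolutions, not real lookups.
	fmt.Println(checkTarget("hooks.example.com", []string{"93.184.216.34"}, false))
	fmt.Println(checkTarget("mixed.example.net", []string{"93.184.216.34", "::ffff:10.0.0.5"}, false))
}
```

Checking the resolved addresses rather than the hostname string, and then dialing only those addresses, is what keeps a second DNS answer from bypassing the check.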
Feature Flags
```toml
[flags]
stale_after = "720h"
unused_window = "336h"
unused_threshold = 0
unused_detection = true
scan_interval = "15m"
```

The worker scans each project’s flags for staleness every scan_interval. A
temporary flag idle longer than stale_after, a flag settled to one variation in
every environment, an unmaintained flag, or a flag at or below unused_threshold
evaluations over unused_window is flagged for cleanup. Detection is advisory and
never archives or deletes a flag. The unused signal depends on evaluation
telemetry; set unused_detection = false on deployments that do not emit it, such
as query-only nodes or purely client-side SDKs, so live flags are not flagged for
lack of data.
Storage
```toml
[clickhouse]
dsn = "clickhouse://oriel:oriel@localhost:9000/oriel"

[metadata]
dsn = "postgres://oriel:oriel@localhost:5432/oriel"

[valkey]
dsn = "valkey://localhost:6379/0"
key_prefix = "oriel"
operation_timeout = "500ms"
ruleset_ttl = "10m"
session_cache_ttl = "30s"
token_cache_ttl = "30s"
```

The metadata DSN is required. ClickHouse is required for ingest, query, worker, and most doctor checks. Valkey is required for serving and readiness; Oriel uses it for versioned feature-flag ruleset cache entries and SDK stream fanout while PostgreSQL remains authoritative.

```toml
[auth]
cookie_secret = "replace-with-a-stable-secret"

[auth.oidc.company]
name = "Company SSO"
icon = "generic"
issuer = "https://id.example.com"
client_id = "oriel"
client_secret = "change-me"
redirect_url = ""
scopes = ["openid", "profile", "email"]
groups_claim = "groups"
```

If redirect_url is empty, Oriel derives it from server.public_url. When any
OIDC provider is enabled, auth.cookie_secret must be set to a stable shared
value; otherwise oriel serve refuses to start. Local password sessions do not
use this setting.

```toml
[admin]
allow_signup = false
email_domain_allowlist = []
workspace_create_policy = "instance_admins"
oidc_jit_provisioning = true
invite_ttl_hours = 168

[admin.smtp]
host = ""
port = 587
username = ""
password = ""
from = "oriel@example.com"
starttls = true
```

workspace_create_policy accepts instance_admins, any_user, or nobody.
An empty SMTP host disables invitation email delivery; invitation creation still
returns a one-time accept link. The SMTP password is best supplied through
ORIEL_ADMIN_SMTP_PASSWORD. The invite mailer uses Go’s SMTP delivery path,
which negotiates STARTTLS when the server advertises it.
Logging
```toml
[log]
level = "info"
format = "auto"
```

level accepts debug, info, warn, and error. format accepts auto,
json, and console.