Start the server.

Usage:

kc.sh start [OPTIONS]

Use this command to run the server in production.

Options:

-b, --auto-build     (Deprecated) Automatically detects whether the server configuration changed
                       and a new server image must be built prior to starting the server. This
                       option provides an alternative to manually running the 'build' prior to
                       starting the server. Use this configuration carefully in production as it
                       might impact the startup time.
-h, --help           This help message.
--help-all           This same help message but with additional options.
--import-realm       Import realms during startup by reading any realm configuration file from the
                       'data/import' directory.
--optimized          Use this option to achieve an optional startup time if you have previously
                       built a server image using the 'build' command.

Storage (Experimental):

--storage-deployment-state-version-seed <type>
                     Experimental: Secret that serves as a seed to mask the version number of
                       Keycloak in URLs. Need to be identical across all servers in the cluster.
                       Will default to a random number generated when starting the server which is
                       secure but will lead to problems when a loadbalancer without sticky sessions
                       is used or nodes are restarted.
--storage-hotrod-cache-configure <true|false>
                     Experimental: When set to true, Keycloak will create and configure Infinispan
                       caches on startup. Default: true.
--storage-hotrod-cache-reindex <[cache1,cache2,...]|all>
                     Experimental: List of cache names that should be indexed on Keycloak startup.
                       Defaulting to `all` which means all caches are reindexed. Default: all.
--storage-hotrod-host <host>
                     Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password>
                     Experimental: Sets the password of the Infinispan user.
--storage-hotrod-port <port>
                     Experimental: Sets the port of the Infinispan server.
--storage-hotrod-username <username>
                     Experimental: Sets the username of the Infinispan user.

Database:

--db-password <password>
                     The password of the database user.
--db-pool-initial-size <size>
                     The initial size of the connection pool.
--db-pool-max-size <size>
                     The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
                     The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url>  The full database JDBC URL. If not provided, a default URL is set based on the
                       selected database vendor. For instance, if using 'postgres', the default
                       JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
                     Sets the database name of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-host <hostname>
                     Sets the hostname of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
                       option is set, this option is ignored.
--db-url-properties <properties>
                     Sets the properties of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-username <username>
                     The username of the database user.

Hostname:

--hostname <hostname>
                     Hostname for the Keycloak server.
--hostname-admin <hostname>
                     The hostname for accessing the administration console. Use this option if you
                       are exposing the administration console using a hostname other than the
                       value set to the 'hostname' option.
--hostname-admin-url <url>
                     Set the base URL for accessing the administration console, including scheme,
                       host, port and path
--hostname-path <path>
                     This should be set if proxy uses a different context-path for Keycloak.
--hostname-port <port>
                     The port used by the proxy when exposing the hostname. Set this option if the
                       proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
--hostname-strict <true|false>
                     Disables dynamically resolving the hostname from request headers. Should
                       always be set to true in production, unless proxy verifies the Host header.
                       Default: true.
--hostname-strict-backchannel <true|false>
                     By default backchannel URLs are dynamically resolved from request headers to
                       allow internal and external applications. If all applications use the public
                       URL this option should be enabled. Default: false.
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.

HTTP/TLS:

--http-enabled <true|false>
                     Enables the HTTP listener. Default: false.
--http-host <host>   The used HTTP Host. Default: 0.0.0.0.
--http-port <port>   The used HTTP port. Default: 8080.
--https-certificate-file <file>
                     The file path to a server certificate or certificate chain in PEM format.
--https-certificate-key-file <file>
                     The file path to a private key in PEM format.
--https-cipher-suites <ciphers>
                     The cipher suites to use. If none is given, a reasonable default is selected.
--https-client-auth <auth>
                     Configures the server to require/request client authentication. Possible
                       Values: none, request, required. Default: none.
--https-key-store-file <file>
                     The key store which holds the certificate information instead of specifying
                       separate files.
--https-key-store-password <password>
                     The password of the key store file. Default: password.
--https-key-store-type <type>
                     The type of the key store file. If not given, the type is automatically
                       detected based on the file name.
--https-port <port>  The used HTTPS port. Default: 8443.
--https-protocols <protocols>
                     The list of protocols to explicitly enable. Default: TLSv1.3.
--https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.
--https-trust-store-password <password>
                     The password of the trust store file.
--https-trust-store-type <type>
                     The type of the trust store file. If not given, the type is automatically
                       detected based on the file name.

Proxy:

--proxy <mode>       The proxy address forwarding mode if the server is behind a reverse proxy.
                       Possible values are: edge,reencrypt,passthrough Default: none.

Vault:

--vault-dir <dir>    If set, secrets can be obtained by reading the content of files within the
                       given directory.

Logging:

--log <handler>      Enable one or more log handlers in a comma-separated list. Available log
                       handlers are: console,file,gelf Default: console.
--log-console-color <true|false>
                     Enable or disable colors when logging to console. Default: false.
--log-console-format <format>
                     The format of unstructured console log entries. If the format has spaces in
                       it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
                       -5p [%c] (%t) %s%e%n.
--log-console-output <default|json>
                     Set the log output to JSON or default (plain) unstructured logging. Default:
                       default.
--log-file <path>/<file-name>.log
                     Set the log file path and filename. Default: data/log/keycloak.log.
--log-file-format <format>
                     Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
                       SSS} %-5p [%c] (%t) %s%e%n.
--log-gelf-facility <name>
                     The facility (name of the process) that sends the message. Default: keycloak.
--log-gelf-host <hostname>
                     Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
                       host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
                       localhost.
--log-gelf-include-location <true|false>
                     Include source code location. Default: true.
--log-gelf-include-message-parameters <true|false>
                     Include message parameters from the log event. Default: true.
--log-gelf-include-stack-trace <true|false>
                     If set to true, occuring stack traces are included in the 'StackTrace' field
                       in the gelf output. Default: true.
--log-gelf-max-message-size <size>
                     Maximum message size (in bytes). If the message size is exceeded, gelf will
                       submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
                     The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
                     Set the format for the gelf timestamp field. Uses Java SimpleDateFormat
                       pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
                     The log level of the root category or a comma-separated list of individual
                       categories and their levels. For the root category, you don't need to
                       specify a category. Default: info.

By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:

      $ kc.sh start '--optimized'

By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.