Start the server.

Usage:

kc.sh start [OPTIONS]

Use this command to run the server in production.

Options:

-b, --auto-build     (Deprecated) Automatically detects whether the server configuration changed
                       and a new server image must be built prior to starting the server. This
                       option provides an alternative to manually running the 'build' prior to
                       starting the server. Use this configuration carefully in production as it
                       might impact the startup time.
-h, --help           This help message.
--help-all           This same help message but with additional options.
--import-realm       Import realms during startup by reading any realm configuration file from the
                       'data/import' directory.
--optimized          Use this option to achieve an optional startup time if you have previously
                       built a server image using the 'build' command.

Cache:

--cache <type>       Defines the cache mechanism for high-availability. By default, a 'ispn' cache
                       is used to create a cluster between multiple server nodes. A 'local' cache
                       disables clustering and is intended for development and testing purposes.
                       Possible values are: ispn, local. Default: ispn.
--cache-config-file <file>
                     Defines the file from which cache configuration should be loaded from. The
                       configuration file is relative to the 'conf/' directory.
--cache-stack <stack>
                     Define the default stack to use for cluster communication and node discovery.
                       This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
                       Possible values are: tcp, udp, kubernetes, ec2, azure, google.

Storage (Experimental):

--storage <type>     Experimental: Sets the default storage mechanism for all areas. Possible
                       values are: jpa, chm, hotrod.
--storage-area-auth-session <type>
                     Experimental: Sets a storage mechanism for authentication sessions. Possible
                       values are: jpa, chm, hotrod.
--storage-area-authorization <type>
                     Experimental: Sets a storage mechanism for authorizations. Possible values
                       are: jpa, chm, hotrod.
--storage-area-client <type>
                     Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
                       chm, hotrod.
--storage-area-client-scope <type>
                     Experimental: Sets a storage mechanism for client scopes. Possible values are:
                       jpa, chm, hotrod.
--storage-area-event-admin <type>
                     Experimental: Sets a storage mechanism for admin events. Possible values are:
                       jpa, chm, hotrod.
--storage-area-event-auth <type>
                     Experimental: Sets a storage mechanism for authentication and authorization
                       events. Possible values are: jpa, chm, hotrod.
--storage-area-group <type>
                     Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
                       chm, hotrod.
--storage-area-login-failure <type>
                     Experimental: Sets a storage mechanism for login failures. Possible values
                       are: jpa, chm, hotrod.
--storage-area-realm <type>
                     Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
                       chm, hotrod.
--storage-area-role <type>
                     Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
                       chm, hotrod.
--storage-area-single-use-object <type>
                     Experimental: Sets a storage mechanism for single use objects. Possible values
                       are: jpa, chm, hotrod.
--storage-area-user <type>
                     Experimental: Sets a storage mechanism for users. Possible values are: jpa,
                       chm, hotrod.
--storage-area-user-session <type>
                     Experimental: Sets a storage mechanism for user and client sessions. Possible
                       values are: jpa, chm, hotrod.
--storage-deployment-state-version-seed <type>
                     Experimental: Secret that serves as a seed to mask the version number of
                       Keycloak in URLs. Need to be identical across all servers in the cluster.
                       Will default to a random number generated when starting the server which is
                       secure but will lead to problems when a loadbalancer without sticky sessions
                       is used or nodes are restarted.
--storage-hotrod-host <host>
                     Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password>
                     Experimental: Sets the password of the Infinispan user.
--storage-hotrod-port <port>
                     Experimental: Sets the port of the Infinispan server.
--storage-hotrod-username <username>
                     Experimental: Sets the username of the Infinispan user.

Database:

--db <vendor>        The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
                       mysql, oracle, postgres. Default: dev-file.
--db-password <password>
                     The password of the database user.
--db-pool-initial-size <size>
                     The initial size of the connection pool.
--db-pool-max-size <size>
                     The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
                     The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url>  The full database JDBC URL. If not provided, a default URL is set based on the
                       selected database vendor. For instance, if using 'postgres', the default
                       JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
                     Sets the database name of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-host <hostname>
                     Sets the hostname of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
                       option is set, this option is ignored.
--db-url-properties <properties>
                     Sets the properties of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-username <username>
                     The username of the database user.

Transaction:

--transaction-xa-enabled <true|false>
                     If set to false, Keycloak uses a non-XA datasource in case the database does
                       not support XA transactions. Default: true.

Feature:

--features <feature> Enables a set of one or more features. Possible values are: authorization,
                       account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2,
                       docker, impersonation, openshift-integration, scripts, token-exchange,
                       web-authn, client-policies, ciba, map-storage, par,
                       declarative-user-profile, dynamic-scopes, client-secret-rotation,
                       step-up-authentication, recovery-codes, update-email, js-adapter, preview.
--features-disabled <feature>
                     Disables a set of one or more features. Possible values are: authorization,
                       account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2,
                       docker, impersonation, openshift-integration, scripts, token-exchange,
                       web-authn, client-policies, ciba, map-storage, par,
                       declarative-user-profile, dynamic-scopes, client-secret-rotation,
                       step-up-authentication, recovery-codes, update-email, js-adapter, preview.

Hostname:

--hostname <hostname>
                     Hostname for the Keycloak server.
--hostname-admin <hostname>
                     The hostname for accessing the administration console. Use this option if you
                       are exposing the administration console using a hostname other than the
                       value set to the 'hostname' option.
--hostname-admin-url <url>
                     Set the base URL for accessing the administration console, including scheme,
                       host, port and path
--hostname-path <path>
                     This should be set if proxy uses a different context-path for Keycloak.
--hostname-port <port>
                     The port used by the proxy when exposing the hostname. Set this option if the
                       proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
--hostname-strict <true|false>
                     Disables dynamically resolving the hostname from request headers. Should
                       always be set to true in production, unless proxy verifies the Host header.
                       Default: true.
--hostname-strict-backchannel <true|false>
                     By default backchannel URLs are dynamically resolved from request headers to
                       allow internal and external applications. If all applications use the public
                       URL this option should be enabled. Default: false.
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.

HTTP/TLS:

--http-enabled <true|false>
                     Enables the HTTP listener. Default: false.
--http-host <host>   The used HTTP Host. Default: 0.0.0.0.
--http-port <port>   The used HTTP port. Default: 8080.
--http-relative-path <path>
                     Set the path relative to '/' for serving resources. The path must start with a
                       '/'. Default: /.
--https-certificate-file <file>
                     The file path to a server certificate or certificate chain in PEM format.
--https-certificate-key-file <file>
                     The file path to a private key in PEM format.
--https-cipher-suites <ciphers>
                     The cipher suites to use. If none is given, a reasonable default is selected.
--https-client-auth <auth>
                     Configures the server to require/request client authentication. Possible
                       values are: none, request, required. Default: none.
--https-key-store-file <file>
                     The key store which holds the certificate information instead of specifying
                       separate files.
--https-key-store-password <password>
                     The password of the key store file. Default: password.
--https-key-store-type <type>
                     The type of the key store file. If not given, the type is automatically
                       detected based on the file name.
--https-port <port>  The used HTTPS port. Default: 8443.
--https-protocols <protocols>
                     The list of protocols to explicitly enable. Default: TLSv1.3.
--https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.
--https-trust-store-password <password>
                     The password of the trust store file.
--https-trust-store-type <type>
                     The type of the trust store file. If not given, the type is automatically
                       detected based on the file name.

Health:

--health-enabled <true|false>
                     If the server should expose health check endpoints. If enabled, health checks
                       are available at the '/health', '/health/ready' and '/health/live'
                       endpoints. Default: false.

Metrics:

--metrics-enabled <true|false>
                     If the server should expose metrics. If enabled, metrics are available at the
                       '/metrics' endpoint. Default: false.

Proxy:

--proxy <mode>       The proxy address forwarding mode if the server is behind a reverse proxy.
                       Possible values are: none, edge, reencrypt, passthrough. Default: none.

Vault:

--vault <provider>   Enables a vault provider. Possible values are: file, hashicorp.
--vault-dir <dir>    If set, secrets can be obtained by reading the content of files within the
                       given directory.

Logging:

--log <handler>      Enable one or more log handlers in a comma-separated list. Possible values
                       are: console, file, gelf. Default: console.
--log-console-color <true|false>
                     Enable or disable colors when logging to console. Default: false.
--log-console-format <format>
                     The format of unstructured console log entries. If the format has spaces in
                       it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
                       -5p [%c] (%t) %s%e%n.
--log-console-output <output>
                     Set the log output to JSON or default (plain) unstructured logging. Possible
                       values are: default, json. Default: default.
--log-file <file>    Set the log file path and filename. Default: data/log/keycloak.log.
--log-file-format <format>
                     Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
                       SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output>
                     Set the log output to JSON or default (plain) unstructured logging. Possible
                       values are: default, json. Default: default.
--log-gelf-facility <name>
                     The facility (name of the process) that sends the message. Default: keycloak.
--log-gelf-host <hostname>
                     Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
                       host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
                       localhost.
--log-gelf-include-location <true|false>
                     Include source code location. Default: true.
--log-gelf-include-message-parameters <true|false>
                     Include message parameters from the log event. Default: true.
--log-gelf-include-stack-trace <true|false>
                     If set to true, occuring stack traces are included in the 'StackTrace' field
                       in the GELF output. Default: true.
--log-gelf-level <level>
                     The log level specifying which message levels will be logged by the GELF
                       logger. Message levels lower than this value will be discarded. Default:
                       INFO.
--log-gelf-max-message-size <size>
                     Maximum message size (in bytes). If the message size is exceeded, GELF will
                       submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
                     The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
                     Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
                       pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
                     The log level of the root category or a comma-separated list of individual
                       categories and their levels. For the root category, you don't need to
                       specify a category. Default: info.

Security (Experimental):

--fips-mode <mode>   Experimental: Sets the FIPS mode. If 'enabled' is set, FIPS is enabled but on
                       non-approved mode. For full FIPS compliance, set 'strict' to run on approved
                       mode. Possible values are: enabled, strict, disabled. Default: disabled.

By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:

      $ kc.sh start '--optimized'

By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.