Start the server in development mode.

Usage:

kc.bat start-dev [OPTIONS]

Use this command if you want to run the server locally for development or
testing purposes.

Options:

-h, --help           This help message.
--help-all           This same help message but with additional options.
--import-realm       Import realms during startup by reading any realm configuration file from the
                       'data/import' directory.

Cache:

--cache <type>       Defines the cache mechanism for high-availability. By default in production
                       mode, a 'ispn' cache is used to create a cluster between multiple server
                       nodes. By default in development mode, a 'local' cache disables clustering
                       and is intended for development and testing purposes. Possible values are:
                       ispn, local. Default: ispn.
--cache-config-file <file>
                     Defines the file from which cache configuration should be loaded from. The
                       configuration file is relative to the 'conf/' directory.
--cache-stack <stack>
                     Define the default stack to use for cluster communication and node discovery.
                       This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
                       Possible values are: tcp, udp, kubernetes, ec2, azure, google.

Database:

--db <vendor>        The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
                       mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
                       driver is set accordingly to the chosen database.
--db-password <password>
                     The password of the database user.
--db-pool-initial-size <size>
                     The initial size of the connection pool.
--db-pool-max-size <size>
                     The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
                     The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url>  The full database JDBC URL. If not provided, a default URL is set based on the
                       selected database vendor. For instance, if using 'postgres', the default
                       JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
                     Sets the database name of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-host <hostname>
                     Sets the hostname of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
                       option is set, this option is ignored.
--db-url-properties <properties>
                     Sets the properties of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-username <username>
                     The username of the database user.

Transaction:

--transaction-xa-enabled <true|false>
                     If set to false, Keycloak uses a non-XA datasource in case the database does
                       not support XA transactions. Default: true.

Feature:

--features <feature> Enables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
                       authorization, ciba, client-policies, client-secret-rotation,
                       declarative-user-profile, device-flow, docker, dpop, dynamic-scopes, fips,
                       impersonation, js-adapter, kerberos, linkedin-oauth, map-storage, par,
                       preview, recovery-codes, scripts, step-up-authentication, token-exchange,
                       transient-users, update-email, web-authn.
--features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
                       authorization, ciba, client-policies, client-secret-rotation,
                       declarative-user-profile, device-flow, docker, dpop, dynamic-scopes, fips,
                       impersonation, js-adapter, kerberos, linkedin-oauth, map-storage, par,
                       preview, recovery-codes, scripts, step-up-authentication, token-exchange,
                       transient-users, update-email, web-authn.

Hostname:

--hostname <hostname>
                     Hostname for the Keycloak server.
--hostname-admin <hostname>
                     The hostname for accessing the administration console. Use this option if you
                       are exposing the administration console using a hostname other than the
                       value set to the 'hostname' option.
--hostname-admin-url <url>
                     Set the base URL for accessing the administration console, including scheme,
                       host, port and path
--hostname-path <path>
                     This should be set if proxy uses a different context-path for Keycloak.
--hostname-port <port>
                     The port used by the proxy when exposing the hostname. Set this option if the
                       proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
--hostname-strict <true|false>
                     Disables dynamically resolving the hostname from request headers. Should
                       always be set to true in production, unless proxy verifies the Host header.
                       Default: true.
--hostname-strict-backchannel <true|false>
                     By default backchannel URLs are dynamically resolved from request headers to
                       allow internal and external applications. If all applications use the public
                       URL this option should be enabled. Default: false.
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.

HTTP/TLS:

--http-enabled <true|false>
                     Enables the HTTP listener. Default: false.
--http-host <host>   The used HTTP Host. Default: 0.0.0.0.
--http-max-queued-requests <requests>
                     Maximum number of queued HTTP requests. Use this to shed load in an overload
                       situation. Excess requests will return a "503 Server not Available" response.
--http-port <port>   The used HTTP port. Default: 8080.
--http-relative-path <path>
                     Set the path relative to '/' for serving resources. The path must start with a
                       '/'. Default: /.
--https-certificate-file <file>
                     The file path to a server certificate or certificate chain in PEM format.
--https-certificate-key-file <file>
                     The file path to a private key in PEM format.
--https-cipher-suites <ciphers>
                     The cipher suites to use. If none is given, a reasonable default is selected.
--https-client-auth <auth>
                     Configures the server to require/request client authentication. Possible
                       values are: none, request, required. Default: none.
--https-key-store-file <file>
                     The key store which holds the certificate information instead of specifying
                       separate files.
--https-key-store-password <password>
                     The password of the key store file. Default: password.
--https-key-store-type <type>
                     The type of the key store file. If not given, the type is automatically
                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
                       value is set, it defaults to 'BCFKS'.
--https-port <port>  The used HTTPS port. Default: 8443.
--https-protocols <protocols>
                     The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
--https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.
--https-trust-store-password <password>
                     The password of the trust store file.
--https-trust-store-type <type>
                     The type of the trust store file. If not given, the type is automatically
                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
                       value is set, it defaults to 'BCFKS'.

Health:

--health-enabled <true|false>
                     If the server should expose health check endpoints. If enabled, health checks
                       are available at the '/health', '/health/ready' and '/health/live'
                       endpoints. Default: false.

Metrics:

--metrics-enabled <true|false>
                     If the server should expose metrics. If enabled, metrics are available at the
                       '/metrics' endpoint. Default: false.

Proxy:

--proxy <mode>       The proxy address forwarding mode if the server is behind a reverse proxy.
                       Possible values are: none, edge, reencrypt, passthrough. Default: none.

Vault:

--vault <provider>   Enables a vault provider. Possible values are: file.
--vault-dir <dir>    If set, secrets can be obtained by reading the content of files within the
                       given directory.

Logging:

--log <handler>      Enable one or more log handlers in a comma-separated list. Possible values
                       are: console, file, gelf. Default: console.
--log-console-color <true|false>
                     Enable or disable colors when logging to console. Default: false.
--log-console-format <format>
                     The format of unstructured console log entries. If the format has spaces in
                       it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
                       -5p [%c] (%t) %s%e%n.
--log-console-output <output>
                     Set the log output to JSON or default (plain) unstructured logging. Possible
                       values are: default, json. Default: default.
--log-file <file>    Set the log file path and filename. Default: data/log/keycloak.log.
--log-file-format <format>
                     Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
                       SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output>
                     Set the log output to JSON or default (plain) unstructured logging. Possible
                       values are: default, json. Default: default.
--log-gelf-facility <name>
                     The facility (name of the process) that sends the message. Default: keycloak.
--log-gelf-host <hostname>
                     Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
                       host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
                       localhost.
--log-gelf-include-location <true|false>
                     Include source code location. Default: true.
--log-gelf-include-message-parameters <true|false>
                     Include message parameters from the log event. Default: true.
--log-gelf-include-stack-trace <true|false>
                     If set to true, occuring stack traces are included in the 'StackTrace' field
                       in the GELF output. Default: true.
--log-gelf-level <level>
                     The log level specifying which message levels will be logged by the GELF
                       logger. Message levels lower than this value will be discarded. Default:
                       INFO.
--log-gelf-max-message-size <size>
                     Maximum message size (in bytes). If the message size is exceeded, GELF will
                       submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
                     The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
                     Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
                       pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
                     The log level of the root category or a comma-separated list of individual
                       categories and their levels. For the root category, you don't need to
                       specify a category. Default: info.

Security:

--fips-mode <mode>   Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
                       non-approved mode. For full FIPS compliance, set 'strict' to run on approved
                       mode. This option defaults to 'disabled' when 'fips' feature is disabled,
                       which is by default. This option defaults to 'non-strict' when 'fips'
                       feature is enabled. Possible values are: non-strict, strict. Default:
                       disabled.

Do NOT start the server using this command when deploying to production.

Use 'kc.bat start-dev --help-all' to list all available options, including
build options.
