Start the server.

Usage:

kc.bat start [OPTIONS]

Use this command to run the server in production.

Options:

-h, --help           This help message.
--help-all           This same help message but with additional options.
--import-realm       Import realms during startup by reading any realm configuration file from the
                       'data/import' directory.
--optimized          Use this option to achieve an optimal startup time if you have previously
                       built a server image using the 'build' command.

Database:

--db-password <password>
                     The password of the database user.
--db-pool-initial-size <size>
                     The initial size of the connection pool.
--db-pool-max-size <size>
                     The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
                     The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url>  The full database JDBC URL. If not provided, a default URL is set based on the
                       selected database vendor. For instance, if using 'postgres', the default
                       JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
                     Sets the database name of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-host <hostname>
                     Sets the hostname of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
                       option is set, this option is ignored.
--db-url-properties <properties>
                     Sets the properties of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-username <username>
                     The username of the database user.

Hostname:

--hostname <hostname>
                     Hostname for the Keycloak server.
--hostname-admin <hostname>
                     The hostname for accessing the administration console. Use this option if you
                       are exposing the administration console using a hostname other than the
                       value set to the 'hostname' option.
--hostname-admin-url <url>
                     Set the base URL for accessing the administration console, including scheme,
                       host, port and path
--hostname-path <path>
                     This should be set if proxy uses a different context-path for Keycloak.
--hostname-port <port>
                     The port used by the proxy when exposing the hostname. Set this option if the
                       proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
--hostname-strict <true|false>
                     Disables dynamically resolving the hostname from request headers. Should
                       always be set to true in production, unless proxy verifies the Host header.
                       Default: true.
--hostname-strict-backchannel <true|false>
                     By default backchannel URLs are dynamically resolved from request headers to
                       allow internal and external applications. If all applications use the public
                       URL this option should be enabled. Default: false.
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.

HTTP/TLS:

--http-enabled <true|false>
                     Enables the HTTP listener. Default: false.
--http-host <host>   The used HTTP Host. Default: 0.0.0.0.
--http-max-queued-requests <requests>
                     Maximum number of queued HTTP requests. Use this to shed load in an overload
                       situation. Excess requests will return a "503 Server not Available" response.
--http-port <port>   The used HTTP port. Default: 8080.
--https-certificate-file <file>
                     The file path to a server certificate or certificate chain in PEM format.
--https-certificate-key-file <file>
                     The file path to a private key in PEM format.
--https-cipher-suites <ciphers>
                     The cipher suites to use. If none is given, a reasonable default is selected.
--https-client-auth <auth>
                     Configures the server to require/request client authentication. Possible
                       values are: none, request, required. Default: none.
--https-key-store-file <file>
                     The key store which holds the certificate information instead of specifying
                       separate files.
--https-key-store-password <password>
                     The password of the key store file. Default: password.
--https-key-store-type <type>
                     The type of the key store file. If not given, the type is automatically
                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
                       value is set, it defaults to 'BCFKS'.
--https-port <port>  The used HTTPS port. Default: 8443.
--https-protocols <protocols>
                     The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
--https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.
--https-trust-store-password <password>
                     The password of the trust store file.
--https-trust-store-type <type>
                     The type of the trust store file. If not given, the type is automatically
                       detected based on the file name. If 'fips-mode' is set to 'strict' and no
                       value is set, it defaults to 'BCFKS'.

Proxy:

--proxy <mode>       The proxy address forwarding mode if the server is behind a reverse proxy.
                       Possible values are: none, edge, reencrypt, passthrough. Default: none.

Vault:

--vault-dir <dir>    If set, secrets can be obtained by reading the content of files within the
                       given directory.

Logging:

--log <handler>      Enable one or more log handlers in a comma-separated list. Possible values
                       are: console, file, gelf. Default: console.
--log-console-color <true|false>
                     Enable or disable colors when logging to console. Default: false.
--log-console-format <format>
                     The format of unstructured console log entries. If the format has spaces in
                       it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
                       -5p [%c] (%t) %s%e%n.
--log-console-output <output>
                     Set the log output to JSON or default (plain) unstructured logging. Possible
                       values are: default, json. Default: default.
--log-file <file>    Set the log file path and filename. Default: data/log/keycloak.log.
--log-file-format <format>
                     Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
                       SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output>
                     Set the log output to JSON or default (plain) unstructured logging. Possible
                       values are: default, json. Default: default.
--log-gelf-facility <name>
                     The facility (name of the process) that sends the message. Default: keycloak.
--log-gelf-host <hostname>
                     Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
                       host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
                       localhost.
--log-gelf-include-location <true|false>
                     Include source code location. Default: true.
--log-gelf-include-message-parameters <true|false>
                     Include message parameters from the log event. Default: true.
--log-gelf-include-stack-trace <true|false>
                     If set to true, occuring stack traces are included in the 'StackTrace' field
                       in the GELF output. Default: true.
--log-gelf-level <level>
                     The log level specifying which message levels will be logged by the GELF
                       logger. Message levels lower than this value will be discarded. Default:
                       INFO.
--log-gelf-max-message-size <size>
                     Maximum message size (in bytes). If the message size is exceeded, GELF will
                       submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
                     The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
                     Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
                       pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
                     The log level of the root category or a comma-separated list of individual
                       categories and their levels. For the root category, you don't need to
                       specify a category. Default: info.

By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:

      $ kc.bat start '--optimized'

By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.
