Start the server in development mode.

Usage:

kc.sh start-dev [OPTIONS]

Use this command if you want to run the server locally for development or
testing purposes.

Options:

-h, --help           This help message.
--help-all           This same help message but with additional options.
--import-realm       Import realms during startup by reading any realm configuration file from the
                       'data/import' directory.
-v, --verbose        Print out error details when running this command.

Cache:

--cache <type>       Defines the cache mechanism for high-availability. By default in production
                       mode, an 'ispn' cache is used to create a cluster between multiple server
                       nodes. By default in development mode, a 'local' cache disables clustering
                       and is intended for development and testing purposes. Possible values are:
                       ispn, local. Default: ispn.
--cache-config-file <file>
                     Defines the file from which the cache configuration should be loaded. The
                       configuration file is relative to the 'conf/' directory.
--cache-embedded-authorization-max-count <max-count>
                     The maximum number of entries that can be stored in-memory by the
                       authorization cache.
--cache-embedded-client-sessions-max-count <max-count>
                     The maximum number of entries that can be stored in-memory by the
                       clientSessions cache. Available only when embedded Infinispan clusters are
                       configured.
--cache-embedded-keys-max-count <max-count>
                     The maximum number of entries that can be stored in-memory by the keys cache.
--cache-embedded-mtls-enabled <true|false>
                     Encrypts the network communication between Keycloak servers. Default: false.
--cache-embedded-mtls-key-store-file <file>
                     The Keystore file path. The Keystore must contain the certificate to be used
                       by the TLS protocol. By default, it looks up 'cache-mtls-keystore.p12' under
                       the conf/ directory.
--cache-embedded-mtls-key-store-password <password>
                     The password to access the Keystore.
--cache-embedded-mtls-trust-store-file <file>
                     The Truststore file path. It should contain the trusted certificates or the
                       Certificate Authority that signed the certificates. By default, it looks up
                       'cache-mtls-truststore.p12' under the conf/ directory.
--cache-embedded-mtls-trust-store-password <password>
                     The password to access the Truststore.
--cache-embedded-offline-client-sessions-max-count <max-count>
                     The maximum number of entries that can be stored in-memory by the
                       offlineClientSessions cache. Available only when embedded Infinispan
                       clusters are configured.
--cache-embedded-offline-sessions-max-count <max-count>
                     The maximum number of entries that can be stored in-memory by the
                       offlineSessions cache. Available only when embedded Infinispan clusters are
                       configured.
--cache-embedded-realms-max-count <max-count>
                     The maximum number of entries that can be stored in-memory by the realms cache.
--cache-embedded-sessions-max-count <max-count>
                     The maximum number of entries that can be stored in-memory by the sessions
                       cache. Available only when embedded Infinispan clusters are configured.
--cache-embedded-users-max-count <max-count>
                     The maximum number of entries that can be stored in-memory by the users cache.
--cache-metrics-histograms-enabled <true|false>
                     Enable histograms for metrics for the embedded caches. Default: false.
                       Available only when metrics are enabled.
--cache-remote-host <hostname>
                     The hostname of the remote server for the remote store configuration. It
                       replaces the 'host' attribute of the 'remote-server' tag of the configuration
                       specified via XML file (see the 'cache-config-file' option). If the option is
                       specified, 'cache-remote-username' and 'cache-remote-password' are required
                       as well and the related configuration in the XML file should not be present.
--cache-remote-password <password>
                     The password for the authentication to the remote server for the remote store.
                       It replaces the 'password' attribute of the 'digest' tag of the configuration
                       specified via XML file (see the 'cache-config-file' option). If the option is
                       specified, 'cache-remote-username' is required as well and the related
                       configuration in the XML file should not be present. Available only when
                       remote host is set.
--cache-remote-port <port>
                     The port of the remote server for the remote store configuration. It replaces
                       the 'port' attribute of the 'remote-server' tag of the configuration specified
                       via XML file (see the 'cache-config-file' option). Default: 11222. Available
                       only when remote host is set.
--cache-remote-tls-enabled <true|false>
                     Enable TLS support to communicate with a secured remote Infinispan server.
                       Recommended to be enabled in production. Default: true. Available only when
                       remote host is set.
--cache-remote-username <username>
                     The username for the authentication to the remote server for the remote store.
                       It replaces the 'username' attribute of the 'digest' tag of the configuration
                       specified via XML file (see the 'cache-config-file' option). If the option is
                       specified, 'cache-remote-password' is required as well and the related
                       configuration in the XML file should not be present. Available only when
                       remote host is set.
--cache-stack <stack>
                     Define the default stack to use for cluster communication and node discovery.
                       This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
                       Possible values are: tcp, udp, kubernetes, ec2, azure, google, or a custom
                       one.

Config:

--config-keystore <config-keystore>
                     Specifies a path to the KeyStore Configuration Source.
--config-keystore-password <config-keystore-password>
                     Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type>
                     Specifies a type of the KeyStore Configuration Source. Default: PKCS12.

Database:

--db <vendor>        The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
                       mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
                       driver is set according to the chosen database.
--db-password <password>
                     The password of the database user.
--db-pool-initial-size <size>
                     The initial size of the connection pool.
--db-pool-max-size <size>
                     The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
                     The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url>  The full database JDBC URL. If not provided, a default URL is set based on the
                       selected database vendor. For instance, if using 'postgres', the default
                       JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
                     Sets the database name of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-host <hostname>
                     Sets the hostname of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
                       option is set, this option is ignored.
--db-url-properties <properties>
                     Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
                       set the properties according to the format expected by the database
                       vendor, as well as appending the right character at the beginning of this
                       property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
                     The username of the database user.

Transaction:

--transaction-xa-enabled <true|false>
                     If set to true, XA datasources will be used. Default: false.

Feature:

--features <feature> Enables a set of one or more features. Possible values are: <...>.
--features-disabled <feature>
                     Disables a set of one or more features. Possible values are: <...>.

Hostname v2:

--hostname <hostname|URL>
                     Address at which the server is exposed. Can be a full URL, or just a hostname.
                       When only a hostname is provided, scheme, port and context path are resolved
                       from the request. Available only when hostname:v2 feature is enabled.
--hostname-admin <URL>
                     Address for accessing the administration console. Use this option if you are
                       exposing the administration console using a reverse proxy on a different
                       address than specified in the 'hostname' option. Available only when
                       hostname:v2 feature is enabled.
--hostname-backchannel-dynamic <true|false>
                     Enables dynamic resolving of backchannel URLs, including hostname, scheme,
                       port and context path. Set to true if your application accesses Keycloak via
                       a private network. If set to true, 'hostname' option needs to be specified
                       as a full URL. Default: false. Available only when hostname:v2 feature is
                       enabled.
--hostname-debug <true|false>
                     Toggles the hostname debug page that is accessible at
                       /realms/master/hostname-debug. Default: false. Available only when hostname:
                       v2 feature is enabled.
--hostname-strict <true|false>
                     Disables dynamically resolving the hostname from request headers. Should
                       always be set to true in production, unless your reverse proxy overwrites
                       the Host header. If enabled, the 'hostname' option needs to be specified.
                       Default: true. Available only when hostname:v2 feature is enabled.

HTTP(S):

--http-enabled <true|false>
                     Enables the HTTP listener. Default: false.
--http-host <host>   The used HTTP Host. Default: 0.0.0.0.
--http-max-queued-requests <requests>
                     Maximum number of queued HTTP requests. Use this to shed load in an overload
                       situation. Excess requests will return a "503 Server not Available" response.
--http-metrics-histograms-enabled <true|false>
                     Enables a histogram with default buckets for the duration of HTTP server
                       requests. Default: false. Available only when metrics are enabled.
--http-metrics-slos <list of buckets>
                     Service level objectives for HTTP server requests. Use this instead of the
                       default histogram, or use it in combination to add additional buckets.
                       Specify a list of comma-separated values defined in milliseconds. Example
                       with buckets from 5ms to 10s: 5,10,25,50,250,500,1000,2500,5000,10000
                       Available only when metrics are enabled.
--http-pool-max-threads <threads>
                     The maximum number of threads. If this is not specified then it will be
                       automatically sized to the greater of 4 * the number of available processors
                       and 50. For example if there are 4 processors the max threads will be 50. If
                       there are 48 processors it will be 192.
--http-port <port>   The used HTTP port. Default: 8080.
--http-relative-path <path>
                     Set the path relative to '/' for serving resources. The path must start with a
                       '/'. Default: /.
--https-certificate-file <file>
                     The file path to a server certificate or certificate chain in PEM format.
--https-certificate-key-file <file>
                     The file path to a private key in PEM format.
--https-certificates-reload-period <reload period>
                     Interval on which to reload key store, trust store, and certificate files
                       referenced by https-* options. May be a java.time.Duration value, an integer
                       number of seconds, or an integer followed by one of [ms, h, m, s, d]. Must
                       be greater than 30 seconds. Use -1 to disable. Default: 1h.
--https-cipher-suites <ciphers>
                     The cipher suites to use. If none is given, a reasonable default is selected.
--https-client-auth <auth>
                     Configures the server to require/request client authentication. Possible
                       values are: none, request, required. Default: none.
--https-key-store-file <file>
                     The key store which holds the certificate information instead of specifying
                       separate files.
--https-key-store-password <password>
                     The password of the key store file. Default: password.
--https-key-store-type <type>
                     The type of the key store file. If not given, the type is automatically
                       detected based on the file extension. If 'fips-mode' is set to 'strict' and
                       no value is set, it defaults to 'BCFKS'.
--https-port <port>  The used HTTPS port. Default: 8443.
--https-protocols <protocols>
                     The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
--https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.
--https-trust-store-password <password>
                     The password of the trust store file.
--https-trust-store-type <type>
                     The type of the trust store file. If not given, the type is automatically
                       detected based on the file extension. If 'fips-mode' is set to 'strict' and
                       no value is set, it defaults to 'BCFKS'.

Health:

--health-enabled <true|false>
                     If the server should expose health check endpoints. If enabled, health checks
                       are available at the '/health', '/health/ready' and '/health/live'
                       endpoints. Default: false.

Management:

--http-management-port <port>
                     Port of the management interface. Relevant only when something is exposed on
                       the management interface - see the guide for details. Default: 9000.
--http-management-relative-path <path>
                     Set the path relative to '/' for serving resources from management interface.
                       The path must start with a '/'. If not given, the value is inherited from
                       HTTP options. Relevant only when something is exposed on the management
                       interface - see the guide for details. Default: /.
--https-management-certificate-file <file>
                     The file path to a server certificate or certificate chain in PEM format for
                       the management server. If not given, the value is inherited from HTTP
                       options. Relevant only when something is exposed on the management interface
                       - see the guide for details.
--https-management-certificate-key-file <file>
                     The file path to a private key in PEM format for the management server. If not
                       given, the value is inherited from HTTP options. Relevant only when
                       something is exposed on the management interface - see the guide for details.
--https-management-client-auth <auth>
                     Configures the management interface to require/request client authentication.
                       If not given, the value is inherited from HTTP options. Relevant only when
                       something is exposed on the management interface - see the guide for
                       details. Possible values are: none, request, required. Default: none.
--https-management-key-store-file <file>
                     The key store which holds the certificate information instead of specifying
                       separate files for the management server. If not given, the value is
                       inherited from HTTP options. Relevant only when something is exposed on the
                       management interface - see the guide for details.
--https-management-key-store-password <password>
                     The password of the key store file for the management server. If not given,
                       the value is inherited from HTTP options. Relevant only when something is
                       exposed on the management interface - see the guide for details. Default:
                       password.
--legacy-observability-interface <true|false>
                     DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP
                       server (not recommended). If set to true, the management interface is
                       disabled. Default: false.

Metrics:

--metrics-enabled <true|false>
                     If the server should expose metrics. If enabled, metrics are available at the
                       '/metrics' endpoint. Default: false.

Proxy:

--proxy-headers <headers>
                     The proxy headers that should be accepted by the server. Misconfiguration
                       might leave the server exposed to security vulnerabilities. Takes precedence
                       over the deprecated proxy option. Possible values are: forwarded, xforwarded.
--proxy-protocol-enabled <true|false>
                     Whether the server should use the HA PROXY protocol when serving requests from
                       behind a proxy. When set to true, the remote address returned will be the
                       one from the actual connecting client. Default: false.
--proxy-trusted-addresses <trusted proxies>
                     A comma separated list of trusted proxy addresses. If set, then proxy headers
                       from other addresses will be ignored. By default all addresses are trusted.
                       A trusted proxy address is specified as an IP address (IPv4 or IPv6) or
                       Classless Inter-Domain Routing (CIDR) notation. Available only when
                       proxy-headers is set.

Vault:

--vault <provider>   Enables a vault provider. Possible values are: file, keystore.
--vault-dir <dir>    If set, secrets can be obtained by reading the content of files within the
                       given directory.
--vault-file <file>  Path to the keystore file.
--vault-pass <pass>  Password for the vault keystore.
--vault-type <type>  Specifies the type of the keystore file. Default: PKCS12.

Logging:

--log <handler>      Enable one or more log handlers in a comma-separated list. Possible values
                       are: console, file, syslog. Default: console.
--log-console-color <true|false>
                     Enable or disable colors when logging to console. Default: false. Available
                       only when Console log handler is activated.
--log-console-format <format>
                     The format of unstructured console log entries. If the format has spaces in
                       it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
                       -5p [%c] (%t) %s%e%n. Available only when Console log handler is activated.
--log-console-include-trace <true|false>
                     Include tracing information in the console log. If the 'log-console-format'
                       option is specified, this option has no effect. Default: true. Available
                       only when Console log handler and Tracing are activated.
--log-console-level <level>
                     Set the log level for the console handler. It specifies the most verbose log
                       level for logs shown in the output. It respects levels specified in the
                       'log-level' option, which represents the maximal verbosity for the whole
                       logging system. For more information, check the Logging guide. Possible
                       values are: off, fatal, error, warn, info, debug, trace, all. Default: all.
                       Available only when Console log handler is activated.
--log-console-output <output>
                     Set the log output to JSON or default (plain) unstructured logging. Possible
                       values are: default, json. Default: default. Available only when Console log
                       handler is activated.
--log-file <file>    Set the log file path and filename. Default: data/log/keycloak.log. Available
                       only when File log handler is activated.
--log-file-format <format>
                     Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
                       SSS} %-5p [%c] (%t) %s%e%n. Available only when File log handler is
                       activated.
--log-file-include-trace <true|false>
                     Include tracing information in the file log. If the 'log-file-format' option
                       is specified, this option has no effect. Default: true. Available only when
                       File log handler and Tracing are activated.
--log-file-level <level>
                     Set the log level for the file handler. It specifies the most verbose log
                       level for logs shown in the output. It respects levels specified in the
                       'log-level' option, which represents the maximal verbosity for the whole
                       logging system. For more information, check the Logging guide. Possible
                       values are: off, fatal, error, warn, info, debug, trace, all. Default: all.
                       Available only when File log handler is activated.
--log-file-output <output>
                     Set the log output to JSON or default (plain) unstructured logging. Possible
                       values are: default, json. Default: default. Available only when File log
                       handler is activated.
--log-level <category:level>
                     The log level of the root category or a comma-separated list of individual
                       categories and their levels. For the root category, you don't need to
                       specify a category. Default: info.
--log-syslog-app-name <name>
                     Set the app name used when formatting the message in RFC5424 format. Default:
                       keycloak. Available only when Syslog is activated.
--log-syslog-endpoint <host:port>
                     Set the IP address and port of the Syslog server. Default: localhost:514.
                       Available only when Syslog is activated.
--log-syslog-format <format>
                     Set a format specific to Syslog entries. Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
                       -5p [%c] (%t) %s%e%n. Available only when Syslog is activated.
--log-syslog-include-trace <true|false>
                     Include tracing information in the Syslog. If the 'log-syslog-format' option
                       is specified, this option has no effect. Default: true. Available only when
                       Syslog handler and Tracing are activated.
--log-syslog-level <level>
                     Set the log level for the Syslog handler. It specifies the most verbose log
                       level for logs shown in the output. It respects levels specified in the
                       'log-level' option, which represents the maximal verbosity for the whole
                       logging system. For more information, check the Logging guide. Possible
                       values are: off, fatal, error, warn, info, debug, trace, all. Default: all.
                       Available only when Syslog is activated.
--log-syslog-max-length <max-length>
                     Set the maximum length, in bytes, of the message allowed to be sent. The
                       length includes the header and the message. If not set, the default value is
                       2048 when 'log-syslog-type' is rfc5424 (default) and 1024 when
                       'log-syslog-type' is rfc3164. Available only when Syslog is activated.
--log-syslog-output <output>
                     Set the Syslog output to JSON or default (plain) unstructured logging.
                       Possible values are: default, json. Default: default. Available only when
                       Syslog is activated.
--log-syslog-protocol <protocol>
                     Set the protocol used to connect to the Syslog server. Possible values are:
                       tcp, udp, ssl-tcp. Default: tcp. Available only when Syslog is activated.
--log-syslog-type <type>
                     Set the Syslog type used to format the sent message. Possible values are:
                       rfc5424, rfc3164. Default: rfc5424. Available only when Syslog is activated.

Tracing (Preview):

--tracing-compression <method>
                     Preview: OpenTelemetry compression method used to compress payloads. If unset,
                       compression is disabled. Possible values are: gzip, none. Default: none.
                       Available only when 'opentelemetry' feature and Tracing is enabled.
--tracing-enabled <true|false>
                     Preview: Enables the OpenTelemetry tracing. Default: false. Available only
                       when 'opentelemetry' feature is enabled.
--tracing-endpoint <url>
                     Preview: OpenTelemetry endpoint to connect to. Default: http://localhost:4317.
                       Available only when 'opentelemetry' feature and Tracing is enabled.
--tracing-jdbc-enabled <true|false>
                     Preview: Enables the OpenTelemetry JDBC tracing. Default: true. Available only
                       when 'opentelemetry' feature and Tracing is enabled.
--tracing-protocol <protocol>
                     Preview: OpenTelemetry protocol used for the telemetry data. Possible values
                       are: grpc, http/protobuf. Default: grpc. Available only when 'opentelemetry'
                       feature and Tracing is enabled.
--tracing-resource-attributes <attributes>
                     Preview: OpenTelemetry resource attributes present in the exported trace to
                       characterize the telemetry producer. Values in format 'key1=val1,key2=val2'.
                       For more information, check the Tracing guide. Available only when
                       'opentelemetry' feature and Tracing is enabled.
--tracing-sampler-ratio <ratio>
                     Preview: OpenTelemetry sampler ratio. Probability that a span will be sampled.
                       Expected double value in interval <0,1). Default: 1.0. Available only when
                       'opentelemetry' feature and Tracing is enabled.
--tracing-sampler-type <type>
                     Preview: OpenTelemetry sampler to use for tracing. Possible values are:
                       always_on, always_off, traceidratio, parentbased_always_on,
                       parentbased_always_off, parentbased_traceidratio. Default: traceidratio.
                       Available only when 'opentelemetry' feature and Tracing is enabled.
--tracing-service-name <name>
                     Preview: OpenTelemetry service name. Takes precedence over 'service.name'
                       defined in the 'tracing-resource-attributes' property. Default: keycloak.
                       Available only when 'opentelemetry' feature and Tracing is enabled.

Truststore:

--tls-hostname-verifier <tls-hostname-verifier>
                     The TLS hostname verification policy for outgoing HTTPS and SMTP requests.
                       Possible values are: ANY, WILDCARD (deprecated), STRICT (deprecated),
                       DEFAULT. Default: DEFAULT.
--truststore-paths <truststore-paths>
                     List of pkcs12 (p12 or pfx file extensions), PEM files, or directories
                       containing those files that will be used as a system truststore.

Security:

--fips-mode <mode>   Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but in
                       non-approved mode. For full FIPS compliance, set 'strict' to run in approved
                       mode. This option defaults to 'disabled' when the 'fips' feature is disabled,
                       which is the default. This option defaults to 'non-strict' when the 'fips'
                       feature is enabled. Possible values are: non-strict, strict. Default:
                       disabled.

Bootstrap Admin:

--bootstrap-admin-client-id <client id>
                     Client id for the temporary bootstrap admin service account. Used only when
                       the master realm is created. Available only when bootstrap admin client
                       secret is set. Default: temp-admin.
--bootstrap-admin-client-secret <client secret>
                     Client secret for the temporary bootstrap admin service account. Used only
                       when the master realm is created. Use a non-CLI configuration option for
                       this option if possible.
--bootstrap-admin-password <password>
                     Temporary bootstrap admin password. Used only when the master realm is
                       created. Use a non-CLI configuration option for this option if possible.
--bootstrap-admin-username <username>
                     Temporary bootstrap admin username. Used only when the master realm is
                       created. Available only when bootstrap admin password is set. Default:
                       temp-admin.

Do NOT start the server using this command when deploying to production.

Use 'kc.sh start-dev --help-all' to list all available options, including build
options.
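Several of the options above carry constraints that only show up at runtime (proxy headers trusted from every address unless 'proxy-trusted-addresses' is set, 'hostname-strict' requiring 'hostname', 'cache-remote-host' requiring credentials, the key store password defaulting to 'password', bootstrap admin secrets advised off the CLI). The following is an added example, not Keycloak's own code: a small Python linter that parses a 'kc.sh start-dev' argument list and reports violations of exactly those stated rules, plus the documented default for 'http-pool-max-threads'. All sample command lines in it are constructed.

```python
"""Added example: lint a `kc.sh start-dev` argument list against the constraints and
defaults stated in the help text. Not part of Keycloak; sample invocations are constructed."""
import shlex

# Options the help text lists without a value.
FLAGS = {"-h", "--help", "--help-all", "--import-realm", "-v", "--verbose"}


def parse_args(argv):
    """Map ['--db', 'postgres', '--http-enabled=true'] to {'db': 'postgres', ...}.
    Accepts both '--opt value' and '--opt=value'; a repeated option keeps its last value."""
    opts, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok in FLAGS:
            opts[tok.lstrip("-")] = "true"
        elif tok.startswith("--"):
            key, sep, val = tok[2:].partition("=")
            if not sep:
                if i + 1 >= len(argv) or argv[i + 1].startswith("-"):
                    raise ValueError(f"option {tok} requires a value")
                i += 1
                val = argv[i]
            opts[key] = val
        else:
            raise ValueError(f"unexpected token {tok!r}")
        i += 1
    return opts


def lint(opts):
    """Return (code, message) findings. Defaults used here are the ones the help text states."""
    out = []

    def get(key, default=""):
        return opts.get(key, default).lower()

    # Proxy headers are honoured from every address unless a trusted list is given.
    if "proxy-headers" in opts and "proxy-trusted-addresses" not in opts:
        out.append(("PROXY_UNTRUSTED", "proxy-headers set without proxy-trusted-addresses: "
                    "forwarded headers from any client address are accepted"))
    if "proxy-trusted-addresses" in opts and "proxy-headers" not in opts:
        out.append(("PROXY_NOOP", "proxy-trusted-addresses only applies when proxy-headers is set"))
    # Hostname v2: strict (default true) needs hostname; dynamic backchannel needs a full URL.
    if get("hostname-strict", "true") == "true" and "hostname" not in opts:
        out.append(("HOSTNAME_MISSING", "hostname-strict is true but hostname is not set"))
    if get("hostname-backchannel-dynamic") == "true" and \
            not get("hostname").startswith(("http://", "https://")):
        out.append(("HOSTNAME_NOT_URL", "hostname-backchannel-dynamic=true needs hostname as a full URL"))
    # Remote store: host requires both credentials; TLS defaults to true and is recommended.
    if "cache-remote-host" in opts:
        for req in ("cache-remote-username", "cache-remote-password"):
            if req not in opts:
                out.append(("REMOTE_CREDS", f"cache-remote-host set but {req} is missing"))
        if get("cache-remote-tls-enabled", "true") != "true":
            out.append(("REMOTE_PLAINTEXT", "cache-remote-tls-enabled=false: remote store unencrypted"))
    # Embedded cluster: start-dev defaults to 'local'; 'ispn' without mTLS is plaintext between nodes.
    if get("cache", "local") == "ispn" and get("cache-embedded-mtls-enabled", "false") != "true":
        out.append(("CLUSTER_PLAINTEXT", "cache=ispn without cache-embedded-mtls-enabled=true"))
    # The key store password defaults to the literal string 'password'.
    if "https-key-store-file" in opts and opts.get("https-key-store-password", "password") == "password":
        out.append(("KEYSTORE_DEFAULT_PW", "https-key-store-password is the default value 'password'"))
    # Bootstrap admin: secrets belong in a non-CLI source; username has no effect without a password.
    for key in ("bootstrap-admin-password", "bootstrap-admin-client-secret"):
        if key in opts:
            out.append(("SECRET_ON_CLI", f"{key} given on the command line; prefer a non-CLI source"))
    if "bootstrap-admin-username" in opts and "bootstrap-admin-password" not in opts:
        out.append(("BOOTSTRAP_NO_PW", "bootstrap-admin-username requires bootstrap-admin-password"))
    if get("legacy-observability-interface") == "true":
        out.append(("LEGACY_OBS", "metrics/health on the main HTTP server is deprecated and not recommended"))
    if get("tls-hostname-verifier") in ("wildcard", "strict"):
        out.append(("VERIFIER_DEPRECATED", "tls-hostname-verifier uses a deprecated policy"))
    return out


def default_http_pool_max_threads(processors):
    """Default for http-pool-max-threads as the help text states it: max(4 * processors, 50)."""
    return max(4 * processors, 50)


def lint_command_line(cmdline):
    """Lint a full 'kc.sh start-dev ...' string and return only the finding codes."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["kc.sh", "start-dev"]:
        raise ValueError("expected a 'kc.sh start-dev' command line")
    return [code for code, _ in lint(parse_args(argv[2:]))]


if __name__ == "__main__":
    # Constructed sample invocations: a weak one and the same intent with the findings addressed.
    weak = ("kc.sh start-dev --proxy-headers xforwarded --hostname-strict=false "
            "--cache ispn --https-key-store-file conf/server.keystore "
            "--bootstrap-admin-username admin --bootstrap-admin-password hunter2")
    fixed = ("kc.sh start-dev --proxy-headers xforwarded --proxy-trusted-addresses 10.0.0.0/8 "
             "--hostname https://idp.example.test --cache ispn --cache-embedded-mtls-enabled true "
             "--https-key-store-file conf/server.keystore --https-key-store-password 'k3yst0re!'")
    for name, cmd in (("weak", weak), ("fixed", fixed)):
        print(name, lint_command_line(cmd))
```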