Link Search Menu Expand Document
Early Access
Bugs expected



  • security.json (doesn’t exist by default)
  • Environment parameters


Here is a JSON representation of the resource:

    "LocalMode: : false,
	"GodMode": true,
	"JwtSecret": "This gets overwritten by an ENV parameter",
	"JwtPublicKey": "The public key of JWT issuer if JwtUseCert = true",
	"JwtIssuer": "The Demo Wizzard",
	"JwtDuration": 60,
	"maxJwtDuration": 360,
	"JwtUseCert": false,
	"TLSFile": "null",
	"TLSPassword": "null",
	"PEMCert": "Path to PEM Cert file",
	"TLSType": "pfx",
	"cipher": {
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": true,
		"TLS_RSA_WITH_AES_256_GCM_SHA384": true
	"enabledProtocols": {
		"TLSv1.3": false,
		"TLSv1.2": true
	"removeInsecureProtocols": {
		"TLSv1": true,
		"TLSv1.1": true,
		"SSLv2Hello": true
	"jwt": {
		"SomeQualifier1": {
			"active": false,
			"algorithm": "RS256",
			"key": "Somekey"
		"SomeQualifier2": {
			"active": false,
			"algorithm": "ES512",
			"key": "Somekey"


These properties are case-sensitive.

Property Type Description
ADMINPORT int (0 to 65353) HTTP Port for the Admin listener, should not be reachable from outside.
cipher Boolean Parameter for TLS ciphers and whether or not they are allowed.
CORS String Parameter for sites or subsites from which CORS requests will be accepted.
DEBUG Boolean To true if debug level logging is enabled. Creates more console output.
DisableEventBusSocket Boolean When true disables the websocket interface that allows for watching the eventBus.
disableDominoLogin Boolean (default false) When true, Domino does not issue JWT tokens in exchange for user credentials. Authentication then requires a configured external JWT provider.
disableJwtExpiryCheck Boolean When true disables checks against expired JWT tokens. Good for testing. Do not use in production. Defaults to false.
enabledProtocols Boolean Parameter for TLS protocols and whether they are enabled. There are problems using TLSv1.3 with Java8.
GodMode Boolean true to allow Local Users defined in the KeepConfig database.
jwt jwtParameters Parameter for JWT providers. Algorithm format to be used (e.g. “RS256”) and key or keyfile.
JwtIssuer String Parameter for the issuer name for the JWT tokens generated by KEEP.
JwtDuration int Lifetime in minutes for the internal JWT provider - default 60min.
JwtMaxDuration int Maximum lifetime in minutes JWT tokens are accepted.
JwtPublicKey String TODO
LocalMode Boolean true to use “localhost” as the server name.
TLSFile String Parameter for TLS file with key for jks, pem or pfx. This is hashed out in the “/config” endpoint.
TLSPassword String Parameter for password for jks and pfx key file. This is hashed out in the “/config” endpoint.
TLSType String Parameter for format for the TLSFile - “jks”, “pem” or “pfx”.
PEMCert String If your TLS is PEM format (e.g. LetsEncrypt) path to certificate file.
PORT int (0 to 65353) HTTP(S) port for the KEEP service.
removeInsecureProtocols Boolean Whether insecure protocols should be removed.

jwt Parameters

Here is a JSON representation of the resource:

	"jwt": {
		"SomeQualifier1": {
			"active": false,
			"algorithm": "RS256",
			"key": "Somekey"

The jwt (in lowercase) parameters include one ore more named entries with three properties:

Property Type Description
active Boolean true if this jwt qualifier is active
algorithm String JWT algorithm
key String JWT key


Overwriting the values

All values can be over written by entries in the config.d directory. The structure needs to be the same as in the default file, but only needs the entries you want to change.


  • Authentication & JWT
  • CORS
  • Proxy Configuration