> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn how to configure the Auth0 Deploy CLI to modify the tool for your needs.

# Configure the Deploy CLI

Configuring the Deploy’s CLI is essential for establishing Auth0 credentials as well as generally modifying the behavior of the tool to your specific needs. There are two ways the Deploy CLI can be configured:

1. Use the configuration file (`config.json`).
2. Set environment variables.

## Configuration file

A standalone JSON file can be used to configure Deploy CLI. This file will usually reside in the root directory of your project and should be named `config.json`.

### Example

```json lines theme={null}
{
  "AUTH0_DOMAIN": "<YOUR_TENANT_DOMAIN>",
  "AUTH0_CLIENT_ID": "{yourClientId}",
  "AUTH0_ALLOW_DELETE": false
}
```

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Hard-coding credentials is not recommended, and risks secret leakage should this file ever be committed to a public version control system. To mitigate this risk, pass credentials as [environment variables](#environment-variables) as a best practice.
</Callout>

## Environment variables

By default, the Deploy CLI ingests environment variables, providing the ability to pass credentials and other configurations to the tool without needing to publish to the `config.json` file. Environment variables can either be used to augment the `config.json` file or replace it altogether depending on the project needs.

Non-primitive configuration values like `AUTH0_KEYWORD_REPLACE_MAPPINGS` and `AUTH0_EXCLUDED` can also be passed in through environment variables so long as these values are properly serialized JSON.

To disable the consumption of environment variables for either the `import` or `export` commands, pass the `--env=false` argument.

### Examples

#### Deploying configuration for YAML formats without a config.json file

```bash lines theme={null}
$ export AUTH0_DOMAIN={yourDomain}
$ export AUTH0_CLIENT_ID={yourClientId}
$ export AUTH0_CLIENT_SECRET={yourClientSecret}
$ a0deploy import --input_file=local/tenant.yaml
```

#### Disable environment variable ingestion

```bash wrap lines theme={null}
$ a0deploy export -c=config.json --format=yaml --output_folder=local --env=false
```

#### Non-primitive configuration values

```bash lines theme={null}
$ export AUTH0_EXCLUDED='["actions","organizations"]'
$ export AUTH0_KEYWORD_REPLACE_MAPPINGS='{"ENVIRONMENT":"dev"}'
$ a0deploy export -c=config.json --format=yaml --output_folder=local
```

## Available Configuration Properties

### AUTH0\_DOMAIN

String. The domain of the target Auth0 tenant.

### AUTH0\_CLIENT\_ID

String. The ID of the designated Auth0 application used to make API requests.

### AUTH0\_CLIENT\_SECRET

String. The secret of the designated Auth0 application used to make API requests.

### AUTH0\_ACCESS\_TOKEN

String. Short-lived <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip> for <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip> from designated Auth0 application. Can be used in replacement to <Tooltip tip="Client ID: Identification value given to your registered resource from Auth0." cta="View Glossary" href="/docs/glossary?term=client+ID">client ID</Tooltip> and <Tooltip tip="Client ID: Identification value given to your registered resource from Auth0." cta="View Glossary" href="/docs/glossary?term=client+secret">client secret</Tooltip> combination.

### AUTH0\_CLIENT\_SIGNING\_KEY\_PATH

String. The path to the private key used by the client when facilitating Private Key <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip> authentication. Path relative to the working directory. Also note `AUTH0_CLIENT_SIGNING_ALGORITHM` for specifying <Tooltip tip="Signing Algorithm: Algorithm used to digitally sign tokens to ensure the token has not been tampered with." cta="View Glossary" href="/docs/glossary?term=signing+algorithm">signing algorithm</Tooltip>.

### AUTH0\_CLIENT\_SIGNING\_ALGORITHM

String. Specifies the JWT signing algorithms used by the client when facilitating Private Key JWT authentication. Only used in combination with `AUTH0_CLIENT_SIGNING_KEY_PATH`.

Accepted values: `RS256`, `RS384`, `PS256`.

### AUTH0\_ALLOW\_DELETE

Boolean. When enabled, will allow the tool to delete resources. Default: `false`.

### AUTH0\_EXCLUDED

Array of strings. Excludes entire resource types from being managed, bi-directionally. To learn more, read [Exclude Resources from Management](/docs/deploy-monitor/deploy-cli-tool/exclude-resources-from-management).

Cannot be used simultaneously with [AUTH0\_INCLUDED\_ONLY](#auth0_included_only).

Possible values: `actions`, `attackProtection`, `branding`, `clientGrants`, `clients`, `connections`, `customDomains`, `databases`, `emailProvider`, `emailTemplates`, `guardianFactorProviders`, `guardianFactorTemplates`, `guardianFactors`, `guardianPhoneFactorMessageTypes`, `guardianPhoneFactorSelectedProvider`, `guardianPolicies`, `logStreams`, `migrations`, `organizations`, `pages`, `prompts`, `resourceServers`, `roles`, `tenant`, `triggers`.

#### Example

```json lines theme={null}
{
  "AUTH0_EXCLUDED": ["organizations", "connections", "hooks"]
}
```

### AUTH0\_INCLUDED\_ONLY

Array of strings. Specifies which resource types to manage bi-directionally. To learn more, read [Exclude Resources from Management](/docs/deploy-monitor/deploy-cli-tool/exclude-resources-from-management).

Cannot be used simultaneously with [AUTH0\_EXCLUDED](#auth0_excluded).

Possible values: `actions`, `attackProtection`, `branding`, `clientGrants`, `clients`, `connections`, `customDomains`, `databases`, `emailProvider`, `emailTemplates`, `guardianFactorProviders`, `guardianFactorTemplates`, `guardianFactors`, `guardianPhoneFactorMessageTypes`, `guardianPhoneFactorSelectedProvider`, `guardianPolicies`, `logStreams`, `migrations`, `organizations`, `pages`, `prompts`, `resourceServers`, `roles`, `tenant`, `triggers`.

#### Example

```json lines theme={null}
{
  "AUTH0_INCLUDED_ONLY": ["clients", "connections", "tenant", "branding"]
}
```

### AUTH0\_KEYWORD\_REPLACE\_MAPPINGS

Mapping of specific keywords to facilities dynamic replacement. To learn more, read [Keyword Replacement](/docs/deploy-monitor/deploy-cli-tool/keyword-replacement).

#### Example

```json lines theme={null}
{
  "ENVIRONMENT": "DEV",
  "ALLOWED_ORIGINS": ["https://dev.test-site.com", "localhost"]
}
```

### AUTH0\_PRESERVE\_KEYWORDS

Boolean. When enabled, will attempt to preserve keyword replacement markers in local resource files during export. Otherwise, the remote values will overwrite those manually-placed keyword markers.

This configuration requires the presence of local configuration files and defined keyword replace mappings via the `AUTH0_KEYWORD_REPLACE_MAPPINGS` configuration property.

See also: [Preserve Keywords on Export](/docs/deploy-monitor/deploy-cli-tool/keyword-replacement#preserve-keywords-on-export).

### AUTH0\_EXPORT\_IDENTIFIERS

Boolean. When enabled, will return identifiers of all resources. May be useful for certain debugging or record-keeping scenarios within a single-tenant context. Default: `false`.

### EXCLUDED\_PROPS

Provides ability to exclude any unwanted properties from management.

#### Example

```json lines theme={null}
{
  "connections": ["options.twilio_token"]
}
```

### AUTH0\_AUDIENCE

String. Separate value from <Tooltip tip="Audience: Unique identifier of the audience for an issued token. Named aud in a token, its value contains the ID of either an application (Client ID) for an ID Token or an API (API Identifier) for an Access Token." cta="View Glossary" href="/docs/glossary?term=audience">audience</Tooltip> value while retrieving an access token for the Management API. Useful when default Management API endpoints are not publicly exposed.

### AUTH0\_EXCLUDED\_RULES

Array of strings. Excludes the management of specific rules by ID. Note: This configuration may be subject to deprecation in the future. To learn more, read [Exclude Resources from Management](/docs/deploy-monitor/deploy-cli-tool/exclude-resources-from-management).

### AUTH0\_EXCLUDED\_CLIENTS

Array of strings. Excludes the management of specific clients by ID. Note: This configuration may be subject to deprecation in the future. To learn more, read [Exclude Resources from Management](/docs/deploy-monitor/deploy-cli-tool/exclude-resources-from-management).

### AUTH0\_EXCLUDED\_DATABASES

Array of strings. Excludes the management of specific databases by ID. Note: This configuration may be subject to deprecation in the future. To learn more, read [Exclude Resources from Management](/docs/deploy-monitor/deploy-cli-tool/exclude-resources-from-management).

### AUTH0\_EXCLUDED\_CONNECTIONS

Array of strings. Excludes the management of specific connections by ID. Note: This configuration may be subject to deprecation in the future. To learn more, read [Exclude Resources from Management](/docs/deploy-monitor/deploy-cli-tool/exclude-resources-from-management).

### AUTH0\_EXCLUDED\_RESOURCE\_SERVERS

Array of strings. Excludes the management of specific <Tooltip tip="Resource Server: Server hosting protected resources. Resource servers accept and respond to protected resource requests." cta="View Glossary" href="/docs/glossary?term=resource+servers">resource servers</Tooltip> by ID. Note: This configuration may be subject to deprecation in the future. To learn more, read [Exclude Resources from Management](/docs/deploy-monitor/deploy-cli-tool/exclude-resources-from-management).