# OAuth server configuration

Use this page to understand the OAuth server configuration fields for Ripple Custody. The example shows one possible component configuration; token policy, client setup, resource values, private key storage, and ingress depend on your deployment.

This page applies to on-premise deployments only. For current defaults and the full supported schema, use the configuration packaged with your release.

## What this config controls

The OAuth server acts as an OIDC provider for Ripple Custody. It issues and validates tokens, exposes discovery metadata and JWKS, and supports OAuth clients used by the platform.

Supported grant types documented in this reference:

| Grant type | Description |
|  --- | --- |
| `authorization_code` | Authorization code flow for web applications. |
| `client_credentials` | Service-to-service authentication. Usually used for read-only API requests; system-signed intent proposals require the separate system-signed intent setup and matching policies. |
| `password` | Password grant for trusted applications. |
| `refresh_token` | Token refresh. |


## Environment variables

| Variable | Description | Example or source |
|  --- | --- | --- |
| `POSTGRES_URL` | PostgreSQL connection URL. | Secret |
| `DEBUG` | Debug logging namespace. | `oidc-provider:*` |


Additional OAuth server environment variables are managed by the deployment configuration unless explicitly exposed.

Token lifetime and session settings are configured in Keycloak realm settings, not directly in the OAuth server. See [Keycloak configuration](/products/custody/v1.36/deployment/reference/keycloak).

## Component fields

Location: `components.oauth`

| Field | Description |
|  --- | --- |
| `enabled` | Enables the OAuth component. |
| `replicas` | Number of OAuth server replicas. |
| `resources.requests` | CPU and memory requests. |
| `resources.limits` | CPU and memory limits. |
| `secrets.server` | Secret configuration for `OAUTH_SERVER_KEY`. |
| `secrets.psql` | Secret reference for database connection values. |
| `secrets.oidc-credentials` | Secret reference for OIDC credentials. |
| `secrets.clients` | Secret reference for OAuth client definitions. |
| `ingress.main` | Ingress settings for the OAuth endpoint. |


Resource and replica values are workload-dependent. Set them based on expected authentication load and observed runtime behavior.

## Private key

The OAuth server requires private key material for signing JWT tokens.

Expected secret key:

| Secret | Key | Description |
|  --- | --- | --- |
| `oauth-server` | `OAUTH_SERVER_KEY` | Private key used by the OAuth server. |


For the complete authentication secret map, see [Secret management for authentication](/products/custody/v1.36/deployment/reference/auth-secrets).

## Authentication flows

Internal OAuth clients are configured by the deployment. For how API authentication works, see:

- [Authentication](/products/custody/v1.36/identity-and-access/authentication/overview)
- [Authenticate API requests](/products/custody/v1.36/identity-and-access/authentication/authenticate-api-requests)


## Example

This example shows one possible OAuth component configuration:


```yaml
components:
  oauth:
    enabled: true
    replicas: 2
    resources:
      limits:
        cpu: 1000m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 128Mi
    secrets:
      server:
        secretRef: oauth-server
      psql:
        secretRef: oauth-psql
      oidc-credentials:
        secretRef: oauth-oidc-credentials
      clients:
        secretRef: oauth-clients
    ingress:
      main:
        enabled: true
        hosts:
          - host: "openid.example.com"
            paths:
              - path: /
                pathType: Prefix
        tls:
          - secretName: oauth-tls
            hosts:
              - openid.example.com
```

Example private key secret shape:


```yaml
apiVersion: v1
kind: Secret
metadata:
  name: oauth-server
type: Opaque
stringData:
  OAUTH_SERVER_KEY: |
    -----BEGIN PRIVATE KEY-----
    <private-key-material>
    -----END PRIVATE KEY-----
```

## Related topics

- [Keycloak configuration](/products/custody/v1.36/deployment/reference/keycloak)
- [Secret management for authentication](/products/custody/v1.36/deployment/reference/auth-secrets)
- [Networking configuration](/products/custody/v1.36/deployment/reference/networking)
- [PostgreSQL configuration](/products/custody/v1.36/deployment/reference/postgresql)
- [Genesis payload reference](/products/custody/v1.36/governance/genesis/payload-reference)