Configuration Reference

January 28, 2026 · View on GitHub

By default, Dekaf reads the config.yaml file in the current working directory.

You can use DEKAF_ environment variable prefix, following by the configuration field name in the screaming snake case:

DEKAF_PULSAR_WEB_URL="http://my-pulsar:8080"
DEKAF_PULSAR_BROKER_URL="pulsar://my-pulsar:6650`"

The config.yaml have priority over environment variables.

Basic configuration

FieldExampleDescription
port8090The port the server listens on. ⚠️ In some cases, you also need to set publicBaseUrl. See #323
dataDir./dataPath to the persistent data directory.

Pulsar Instance

FieldExampleDescription
pulsarNamedefaultPulsar instance name.
pulsarColor#ff0000Optional accent color to visually distinguish this instance.
pulsarWebUrlhttp://localhost:8080Pulsar web service URL.
pulsarBrokerUrlpulsar://localhost:6650Pulsar service URL.
pulsarListenerNameexternalAdvertised listener name.
defaultPulsarAuthDefault authentication credentials for all users serialized as JSON. Not recommended to use it in multi-user production environments. See more details in the section below

Dekaf <-> Pulsar Instance TLS

FieldDescription
pulsarTlsKeyFilePathPath to the TLS key file.
pulsarTlsCertificateFilePathPath to the TLS certificate file.
pulsarTlsTrustCertsFilePathPath to the trusted TLS certificate file.
pulsarAllowTlsInsecureConnectionConfigure whether the Pulsar client accept untrusted TLS certificate from broker
pulsarEnableTlsHostnameVerificationIt allows to validate hostname verification when client connects to broker over tls. It validates incoming x509 certificate and matches provided hostname(CN/SAN) with expected broker's host name. It follows RFC 2818, 3.1. Server Identity hostname verification. See https://tools.ietf.org/html/rfc2818
pulsarUseKeyStoreTlsIf Tls is enabled, whether use KeyStore type as tls configuration parameter.False means use default pem type configuration.
pulsarSslProviderThe name of the security provider used for SSL connections. Default value is the default security provider of the JVM.
pulsarTlsKeyStoreTypeThe file format of the key store file.
pulsarTlsKeyStorePathThe location of the key store file.
pulsarTlsKeyStorePasswordThe store password for the key store file.
pulsarTlsTrustStoreTypeThe file format of the trust store file.
pulsarTlsTrustStorePathThe location of the trust store file.
pulsarTlsTrustStorePasswordThe store password for the trust store file.
pulsarTlsCiphersA list of cipher suites. This is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol. By default all the available cipher suites are supported.
pulsarTlsProtocolsThe SSL protocol used to generate the SSLContext. Default setting is TLS, which is fine for most cases. Allowed values in recent JVMs are TLS, TLSv1.3, TLSv1.2 and TLSv1.1.

Running Dekaf behind reverse-proxy

FieldExampleDescription
basePath/dekafWhen running the application behind a reverse-proxy, it may be useful to specify a base path.
publicBaseUrlhttps://dev.my.org/dekafWhen running the application behind a reverse-proxy, you need to provide a public URL to let the application know how to render links and making redirects correctly.

Dekaf <-> Web TLS

:::warning

Don't forget to set the publicBaseUrl to the public URL of the application, otherwise, the application won't work properly.

Also set the appropriate cookie settings.

:::

FieldDescription
protocolhttp or https
tlsKeyFilePathPath to the TLS key file.
tlsCertificateFilePathPath to the TLS certificate file.

Cookies

FieldDescription
cookieSecuretrue or false. Set it to true if you use the https protocol.
cookieSameSitetrue or false. Set it to true if you use the https protocol.

Default Pulsar Auth

You can specify default Dekaf <---> Pulsar authentication. It will be stored as a browser cookie for all Dekaf users.

Example of specifying default Pulsar auth using environment variable:

DEKAF_DEFAULT_PULSAR_AUTH: '{"type":"jwt","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30"}'

Supported authentication methods:

The type field values for each authentication method can be found here: https://github.com/visortelle/dekaf/blob/31723122e2c4221fe7d67d52015253980846c169/server/src/main/scala/pulsar_auth/PulsarAuth.scala#L20