Configuration
Setting configuration values
Fides can be configured in two different ways: either via a toml file or via environment variables.
Both methods can be used simultaneously, with environment variables taking precedence over the toml file values.
Using a configuration file
Fides will use the first config file it can read from the following locations. Listed in order of precedence they are:
- At the path specified using the config file argument passed through the CLI, i.e.
fides -f <config_path> - At the path specified by the
FIDES__CONFIG_PATHenvironment variable - In the current working directory it will check for a subdir
.fidesand a file within namedfides.toml, i.e../.fides/fides.toml
Generating a config file
If you'd like to generate a new config file automatically using default values, run fides init.
This will create the file at the default location of ./.fides/fides.toml
Setting values via environment variables
Fides follows a set pattern for configuration via environment variables.
It looks for environment variables that start with FIDES followed by the config subsection name, followed by the key name, all separated with double underscores.
In practice this would look like FIDES__<SUBSECTION>__<KEY>
As a toml configuration value:
[database]
host = config_exampleAs an environment variable:
EXPORT FIDES__DATABASE__HOST=config_exampleViewing your configuration
You can view the current configuration of your application via either the CLI or API.
CLI
To view your application configuration via the CLI, run:
fides view configThis will show all configuration variables, including sensitive ones.
It is printed to the console as valid toml, so this can be copy/pasted as needed.
API
To view your application configuration in the API, run:
GET /api/v1/configFor security reasons, sensitive configuration values will not be shown here.
Fides configuration variable reference
Application database
Environment variable prefix: FIDES__DATABASE__
| Name | Type | Default | Description |
|---|---|---|---|
api_async_engine_max_overflow | integer | 10 | The same as api_engine_max_overflow but used for asynchronous database sessions. |
api_async_engine_pool_pre_ping | boolean | True | The same as api_engine_pool_pre_ping but used for asynchronous database sessions. |
api_async_engine_pool_size | integer | 5 | The same as api_engine_pool_size but used for asynchronous database sessions. |
api_engine_keepalives_count | integer | 5 | Maximum number of TCP keepalive retries before the client considers the connection dead and closes it. |
api_engine_keepalives_idle | integer | 30 | Number of seconds of inactivity before the client sends a TCP keepalive packet to verify the database connection is still alive. |
api_engine_keepalives_interval | integer | 10 | Number of seconds between TCP keepalive retries if the initial keepalive packet receives no response. |
api_engine_max_overflow | integer | 50 | The max_overflow for the API database Engine. |
api_engine_pool_size | integer | 50 | The pool_size for the API database Engine. |
automigrate | boolean | True | Automatically runs migrations on webserver startup. If set to False, will require the user to run migrations manually via the CLI or API. WARNING: Must be set to True for first-time startup. |
db | string | "default_db" | Required for deployment. The name of the Postgres database. |
load_samples | boolean | False | When set to True, initializes the database with sample data for testing. |
params | boolean | False | Additional connection parameters used when connecting to the application database. |
password | string | "defaultpassword" | Required for deployment. The password with which to login to the application database. |
port | string | "5432" | Required for deployment. The port at which the Postgres database will be accessible. |
readonly_db | string | None | The database name for read-only database connections. If not provided and readonly_server is set, falls back to db. |
readonly_params | dict | {} | Additional connection parameters for read-only database connections. If not provided and readonly_server is set, falls back to params. |
readonly_password | string | None | The password for read-only database connections. If not provided and readonly_server is set, falls back to password. |
readonly_port | string | None | The port for read-only database connections. If not provided and readonly_server is set, falls back to port. |
readonly_server | string | None | The hostname of the application read-only database server. When set, Fides will use this server for read-only database operations. |
readonly_user | string | None | The database user for read-only database connections. If not provided and readonly_server is set, falls back to user. |
server | string | "default-db" | Required for deployment. The hostname of the Postgres database server. |
task_engine_keepalives_count | integer | 5 | Maximum number of TCP keepalive retries before the client considers the connection dead and closes it. |
task_engine_keepalives_idle | integer | 30 | Number of seconds of inactivity before the client sends a TCP keepalive packet to verify the database connection is still alive. |
task_engine_keepalives_interval | integer | 10 | Number of seconds between TCP keepalive retries if the initial keepalive packet receives no response. |
task_engine_max_overflow | integer | 50 | The max_overflow for the celery task database Engine. |
task_engine_pool_size | integer | 50 | The pool_size for the celery task database Engine. |
test_db | string | "default_test_db" | Used instead of the db config when the FIDES_TEST_MODE environment variable is set to True, to avoid overwriting production data. |
user | string | "defaultuser" | Required for deployment. The database user with which to login to the application database. |
Read-Only Database Configuration
Configure a read-only database connection to improve performance by offloading read-heavy operations to a replica and scale your deployment to support higher request volumes.
All readonly-specific fields are optional. When readonly_server is configured but specific readonly fields are not provided, Fides automatically falls back to the corresponding primary database connection values. This simplifies configuration when the read-only replica uses the same credentials as the primary database.
Simple Configuration Example (same credentials as primary):
[database]
server = "primary-db.example.com"
user = "fides_user"
password = "fides_password"
port = "5432"
db = "fides"
# Read-only replica using same credentials
readonly_server = "readonly-replica.example.com"Advanced Configuration Example (different credentials):
[database]
# Primary database
server = "primary-db.example.com"
user = "fides_user"
password = "primary_password"
port = "5432"
db = "fides"
# Read-only replica with different credentials
readonly_server = "readonly-replica.example.com"
readonly_user = "readonly_user"
readonly_password = "readonly_password"
# Port and db will fall back to primary valuesRedis cache
Environment variable prefix: FIDES__REDIS__
| Name | Type | Default | Description |
|---|---|---|---|
charset | string | "utf8" | The character set to use for encoding data in the Redis cache. Not recommended to change. |
connection_url | string | None | A full connection URL to the Redis cache. If not specified, this URL is automatically assembled from the host, port, password and db_index specified above. |
db_index | integer | 0 | The application will use this index in the Redis cache to cache data. |
decode_responses | boolean | True | Whether or not to automatically decode the values fetched from Redis. Decodes using the charset configuration value. |
default_ttl_seconds | integer | 604800 | The number of seconds for which data will live in Redis before automatically expiring. |
enabled | boolean | True | Whether the application's Redis cache should be enabled. Only set to False for certain narrow uses of the application. |
host | string | "redis" | Required for deployment. The network address for the application Redis cache. |
identity_verification_code_ttl_seconds | integer | 600 | Sets TTL for cached identity verification code as part of subject requests. |
password | string | "testpassword" | Required for deployment. The password with which to login to the Redis cache. |
port | integer | 6379 | Required for deployment. The port at which the application cache will be accessible. |
read_only_connection_url | string | None | A full connection URL to the read-only Redis cache. If not specified, this URL is automatically assembled from the read-only connection parameters with fallbacks to main parameters. |
read_only_db_index | integer | None | The database index for the read-only Redis cache. If not specified, falls back to the main db_index value. |
read_only_enabled | boolean | False | Whether to enable a read-only Redis connection. When enabled, certain parts of the application will attempt to use the read-only connection instead of the writer connection. If the read-only connection is not available, the writer connection will be used. |
read_only_host | string | "" | The network address for the read-only Redis cache. |
read_only_password | string | None | The password for the read-only Redis cache. If not specified, falls back to the main password value. |
read_only_port | integer | None | The port for the read-only Redis cache. If not specified, falls back to the main port value. |
read_only_ssl | boolean | None | Whether the read-only Redis connection should be encrypted using TLS. If not specified, falls back to the main ssl value. |
read_only_ssl_ca_certs | string | None | Path to the CA certificate for TLS encryption on the read-only Redis connection. If not specified, falls back to the main ssl_ca_certs value. |
read_only_ssl_cert_reqs | string | None | SSL certificate requirements for the read-only Redis connection. If not specified, falls back to the main ssl_cert_reqs value. |
read_only_user | string | None | The user for the read-only Redis cache. If not specified, falls back to the main user value. |
ssl | boolean | False | Whether the application's connections to the cache should be encrypted using TLS. |
ssl_ca_certs | string | "" | If using TLS encryption, rooted with a custom Certificate Authority, set this to the path of the CA certificate |
ssl_cert_reqs | string | "required" | If using TLS encryption, set this to "required" if you wish to enforce the Redis cache to provide a certificate. Note that not all cache providers support this without setting ssl_ca_certs e.g. AWS Elasticache. |
user | string | "" | The user with which to login to the Redis cache. |
Logging
Environment variable prefix: FIDES__LOGGING__
| Name | Type | Default | Description |
|---|---|---|---|
colorize | boolean | False | Force colored logs. Any value set via environment variables is considered True. |
destination | string | "" | The output location for log files. Accepts any valid file path. If left unset, log entries are printed to stdout and log files are not produced. |
level | string | "INFO" | The minimum log entry level to produce. Also accepts "TRACE", "DEBUG", "WARNING", "ERROR", or "CRITICAL" (case insensitive). |
log_pii | boolean | False | If True, PII values will display unmasked in log output. This variable should always be set to False in production systems. |
serialization | string | "" | The format with which to produce log entries. If left unset, produces log entries formatted using the internal custom formatter. Also accepts "JSON" (case insensitive). |
CLI
Environment variable prefix: FIDES__CLI__
| Name | Type | Default | Description |
|---|---|---|---|
analytics_id | string | (auto-generated) | A fully anonymized unique identifier that is automatically generated by the application and stored in the toml file. |
local_mode | boolean | False | When set to True, forbids the Fides CLI from making calls to the Fides webserver. |
server_host | string | "localhost" | The hostname of the Fides webserver. |
server_path | string | "/" | The path of the Fides webserver. |
server_port | integer | 8080 | The optional port of the Fides webserver. |
server_protocol | string | "http" | The protocol used by the Fides webserver. |
server_url | string | None | The full server url generated from the other server configuration values. |
Security
Environment variable prefix: FIDES__SECURITY__
| Name | Type | Default | Description |
|---|---|---|---|
aes_encryption_key_length | integer | 16 | Length of desired encryption key when using Fides to generate a random secure string used for AES encryption. Length of desired random byte str for the AES GCM encryption used throughout Fides. |
aes_gcm_nonce_length | integer | 12 | Length of desired random byte str for the AES GCM encryption used throughout Fides. |
app_encryption_key | string | "" | Required. The key used to sign Fides API access tokens. Must be exactly 32 characters. |
auth_rate_limit | string | "10/minute" | The number of authentication requests from a single IP address allowed to hit authentication endpoints (login, OAuth token) within a rolling 60 second period. |
bastion_server_host | string | None | An optional field to store the bastion server host. |
bastion_server_ssh_private_key | string | None | An optional field to store the key used to SSH into the bastion server. |
bastion_server_ssh_timeout | float | 0.1 | The timeout in seconds for the transport socket (socket.settimeout). |
bastion_server_ssh_tunnel_timeout | float | 10 | The timeout in seconds for tunnel connection (open_channel timeout). |
bastion_server_ssh_username | string | None | An optional field to store the username used to access the bastion server. |
cors_origin_regex | string | None | A regex string to match against origins that should be permitted to make cross-origin requests. eg. 'https://.*\.example\.org'. To allow any origin, set this variable to '.*'. |
cors_origins | list | [] | A list of origins that should be permitted to make cross-origin requests. eg. ['https://example.org', 'https://www.example.org']. Adding a wildcard CORS origin i.e. * to this variable is not supported, but see cors_origin_regex variable below for allowing any origin. |
drp_jwt_secret | string | None | JWT secret by which passed-in identity is decrypted according to the HS256 algorithm. |
dsr_testing_tools_enabled | boolean | False | If set to True, contributor and owner roles will be able to run test privacy requests. |
enable_audit_log_resource_middleware | boolean | False | Either enables the collection of audit log resource data or bypasses the middleware. |
encoding | string | "UTF-8" | Text encoding to use for the application. |
env | string | "prod" | This determines which API endpoints require authentication. The default, "prod", requires authentication for all endpoints that may contain sensitive information. The other option, "dev", does not apply authentication to endpoints typically used by the CLI. |
identity_verification_attempt_limit | integer | 3 | The number of identity verification attempts to allow. |
oauth_access_token_expire_minutes | integer | 11520 | The time for which Fides API tokens will be valid. |
oauth_client_id_length_bytes | integer | 16 | Sets desired length in bytes of generated client id used for oauth. |
oauth_client_secret_length_bytes | integer | 16 | Sets desired length in bytes of generated client secret used for oauth. |
oauth_root_client_id | string | "" | Required. The value used to identify the Fides application root API client. |
oauth_root_client_secret | string | "" | Required. The secret value used to authenticate the Fides application root API client. |
oauth_root_client_secret_hash | string | None | Automatically generated by Fides, and represents a hashed value of the oauth_root_client_secret. |
parent_server_password | string | None | When using a parent/child Fides deployment, this password will be used by the child server to access the parent server. |
parent_server_username | string | None | When using a parent/child Fides deployment, this username will be used by the child server to access the parent server. |
rate_limit_prefix | string | "rate-limit" | The prefix given to keys in the Redis cache used by the rate limiter. |
request_rate_limit | string | "2000/minute" | The number of requests from a single IP address allowed to hit an endpoint within a rolling 60 second period. |
root_password | string | None | If set, this can be used in conjunction with root_username to log in without first creating a user in the database. |
root_user_roles | list | ["Owner"] | The list of roles that are given to the root user. |
root_user_scopes | list | All available scopes | The scopes granted to the root user when logging in with root_username and root_password. |
root_username | string | None | If set, this can be used in conjunction with root_password to log in without first creating a user in the database. |
subject_request_download_link_ttl_seconds | integer | 432000 | The number of seconds that a pre-signed download URL when using S3 storage will be valid. |
subject_request_download_ui_enabled | boolean | False | If set to True, the user interface will display a download button for subject requests. |
Execution
Environment variable prefix: FIDES__EXECUTION__
| Name | Type | Default | Description |
|---|---|---|---|
allow_custom_privacy_request_field_collection | boolean | False | Allows the collection of custom privacy request fields from incoming privacy requests. |
allow_custom_privacy_request_fields_in_request_execution | boolean | False | When set to True, allows the use of custom fields during the execution of privacy requests. |
disable_consent_identity_verification | boolean | None | Allows selective disabling of identity verification specifically for consent request. Identity verification for consent requests will be enabled if subject_identity_verification_required is set to true and this setting is empty or false. |
email_send_cron_expression | string | "0 12 * * mon" | The cron expression to send batch emails for DSR email integration. Defaults to weekly on Mondays at 12pm (noon). |
email_send_timezone | string | "US/Eastern" | The timezone to send batch emails for DSR email integration. |
fuzzy_search_enabled | boolean | True | Whether fuzzy search is enabled for privacy request lookups. |
interrupted_task_requeue_interval | integer | 300 | Seconds between polling for interrupted tasks to requeue. |
memory_watchdog_enabled | boolean | False | When set to True, enables memory management on Celery workers. Tasks consuming greater than 90% of available memory will be automatically shut down. |
privacy_request_delay_timeout | integer | 3600 | The amount of time to wait for actions which delay privacy requests (e.g., pre- and post-processing webhooks). |
request_task_ttl | integer | 604800 | For DSR 3.0, the number of seconds a Request Task should live (Privacy Request subtasks). Older request tasks will be cleaned up from completed Privacy Requests periodically. |
require_manual_request_approval | boolean | False | Whether privacy requests require explicit approval to execute. |
sql_dry_run | string | "none" | Enables dry run mode where SQL queries are logged instead of executed. Valid values are "none" (normal execution), "access" (dry run for access requests only), or "erasure" (dry run for erasure requests only). Access and erasure dry runs cannot run simultaneously because erasure operations require actual access request execution. |
state_polling_interval | integer | 30 | For DSR 3.0, the number of seconds between a scheduled process that checks to see if a Privacy Request's subtasks have "completed" and the overall Privacy Request needs to be placed in an errored state so it can be reprocessed. |
subject_identity_verification_required | boolean | False | Whether privacy requests require user identity verification. |
task_retry_backoff | integer | 1 | The backoff factor for retries, to space out repeated retries. |
task_retry_count | integer | 0 | The number of times a failed request will be retried. |
task_retry_delay | integer | 1 | The delays between retries in seconds. |
use_dsr_3_0 | boolean | True | If set to False, DSR 2.0 execution will be applied which processes tasks sequentially and in-memory. If set to True, privacy requests will be processed using DSR 3.0 which supports parallelization, asynchronous tasks, and task persistence. |
User
Environment variable prefix: FIDES__USER__
| Name | Type | Default | Description |
|---|---|---|---|
analytics_opt_out | boolean | True | When set to True, prevents sending anonymous analytics data to Ethyca. |
encryption_key | string | "test_encryption_key" | An arbitrary string used to encrypt the user data stored in the database. Encryption is implemented using PGP. |
password | string | "" | The password used to log into the Fides webserver. |
username | string | "" | The username used to log into the Fides webserver. |
Credentials
Environment variable prefix: FIDES__CREDENTIALS__
The credentials section uses custom keys which can be referenced in specific commands that take the --credentials-id option.
For example, a command that uses a credential might look like fides scan dataset db --credentials-id app_postgres.
The credential object itself will be validated at the time of use depending on what type of credential is required.
For instance if fides scan system okta is used, it will expect the object to contain orgUrl and token key/value pairs.
In the case of a typical database like postgres, it will only expect a connection_string.
The following is an example of what a credentials section might look like in a given deployment with various applications:
| Name | Type | Description |
|---|---|---|
my_aws.aws_access_key_id | string | Sets the aws_access_key_id for my_aws credentials. |
my_aws.aws_secret_access_key | string | Sets the aws_secret_access_key for my_aws credentials. |
my_aws.aws_session_token | string | Sets the aws_session_token for my_aws credentials. |
my_aws.region_name | string | Sets the region_name for my_aws credentials. |
my_bigquery.dataset | string | Sets the dataset for my_bigquery credentials. |
my_bigquery_creds.auth_provider_x509_cert_url | string | Sets the auth_provider_x509_cert_url for my_bigquery credentials keyfile. |
my_bigquery_creds.auth_uri | string | Sets the auth_uri for my_bigquery credentials keyfile. |
my_bigquery_creds.client_email | string | Sets the client_email for my_bigquery credentials keyfile. |
my_bigquery_creds.client_id | string | Sets the client_id for my_bigquery credentials keyfile. |
my_bigquery_creds.client_x509_cert_url | string | Sets the client_x509_cert_url for my_bigquery credentials keyfile. |
my_bigquery_creds.private_key | string | Sets the private_key for my_bigquery credentials keyfile. |
my_bigquery_creds.private_key_id | string | Sets the private_key_id for my_bigquery credentials keyfile. |
my_bigquery_creds.project_id | string | Sets the project_id for my_bigquery credentials keyfile. |
my_bigquery_creds.token_uri | string | Sets the token_uri for my_bigquery credentials keyfile. |
my_bigquery_creds.type | string | Sets the type for my_bigquery credential keyfile. |
my_okta.orgUrl | string | Sets the orgUrl for my_okta credentials. |
my_okta.token | string | Sets the token for my_okta credentials. |
my_postgres.connection_string | string | Sets the connection_string for my_postgres database credentials. |
Admin UI
Environment variable prefix: FIDES__ADMIN_UI__
| Name | Type | Default | Description |
|---|---|---|---|
enabled | boolean | True | Toggle whether the Admin UI is served from /. |
max_privacy_request_download_rows | integer | 100000 | The maximum number of rows permitted to be returned in a privacy request report download. |
url | string | None | The base URL for the Admin UI. |
Notifications
Environment variable prefix: FIDES__NOTIFICATIONS__
| Name | Type | Default | Description |
|---|---|---|---|
enable_property_specific_messaging | boolean | False | When set to True, enables property specific messaging feature, otherwise fall back on the messaging template type env flags set above. |
notification_service_type | string | None | Sets the notification service type used to send notifications. Accepts "aws_ses", "mailchimp_transactional", "mailgun", "twilio_sms", or "twilio_email". |
send_request_completion_notification | boolean | False | When set to True, enables subject notifications upon privacy request completion. |
send_request_receipt_notification | boolean | False | When set to True, enables subject notifications upon privacy request receipt. |
send_request_review_notification | boolean | False | When set to True, enables subject notifications upon privacy request review. |
Consent
Environment variable prefix: FIDES__CONSENT__
| Name | Type | Default | Description |
|---|---|---|---|
ac_enabled | boolean | False | When set to True, enables the Google Ads additional consent string. Requires TCF and a Fides Enterprise license. |
override_vendor_purposes | boolean | False | When set to True, allows for overriding the flexible legal basis of some TCF purposes. |
tcf_enabled | boolean | False | When set to True, enables the IAB Transparency and Consent Framework. This feature requires additional configuration in the privacy center as well as a Fides Enterprise license. |
Additional environment variables
The following environment variables are not included in the default fides.toml configuration, but may be set in your environment:
| ENV Variable | Default | Description |
|---|---|---|
FIDES__HOT_RELOAD | False | If True, the Fides server will reload code changes without needing to restart the server. This variable should always be set to False in production systems. |
FIDES__DEV_MODE | False | If True, the Fides server will log error tracebacks, and log details of third party requests. This variable should always be set to False in production systems. |
FIDES__CONFIG_PATH | None | If this is set to a path, that path will be used to load .toml files first. Any .toml files on this path will override any installed .toml files. |
Fidesplus configuration variable reference
Fidesplus supports all the Fides configuration variables above. Additionally, it also supports several Fidesplus-specific configuration sections, listed below.
Detection and discovery
Environment variable prefix: FIDESPLUS__DETECTION_DISCOVERY__
| Name | Type | Default | Description |
|---|---|---|---|
monitor_celery_tasks_enabled | boolean | True | Configures Web Monitor, detection, classification, and promotion to be run on worker instances instead of the API Server. |
website_monitor_enabled | boolean | False | Enables the website monitor service. |
website_monitor_polling_timeout_seconds | integer | 14400 | The maximum number of seconds to wait for website monitor jobs to finish. |
website_monitor_results_page_size | integer | 100 | The number of results to fetch per page when retrieving website monitor results. |
website_monitor_service_api_key | string | "sample_api_key" | The API key to use for authenticating with the website monitor service. |
website_monitor_service_url | string | "https://website-monitor.fides-staging.ethyca.com" | The hostname (including protocol prefix and port) to use for the website monitor service. |
Dictionary
Environment variable prefix: FIDESPLUS__DICTIONARY__
| Name | Type | Default | Description |
|---|---|---|---|
dictionary_service_api_key | string | "sample_api_key" | The API key to use for authenticating with the dictionary service. |
dictionary_service_url | string | "http://sample-dictionary-service:8081" | The hostname (including protocol prefix and port) to use for the dictionary service. |
enabled | boolean | False | Enables the Privacy Dictionary service. |
Endpoint cache settings
Environment variable prefix: FIDESPLUS__ENDPOINT_CACHE__
| Name | Type | Default | Description |
|---|---|---|---|
get_property_by_path_cache_ttl | float | 3600 | The TTL (time-to-live), in seconds, for entries in the GET /property?path endpoint cache. If set to a value <= 0, the cache is disabled. |
privacy_experience_cache_ttl | float | 3600 | The TTL (time-to-live), in seconds, for entries in the GET /privacy-experience endpoint cache. If set to a value <= 0, the cache is disabled. |
privacy_experience_gvl_translations_cache_ttl | float | 86400 | The TTL (time-to-live), in seconds, for entries in the GET /privacy-experience/gvl/translations cache. If set to a value <= 0, the cache is disabled. |
privacy_experience_meta_cache_ttl | float | 3600 | The TTL (time-to-live), in seconds, for entries in the GET /privacy-experience-meta endpoint cache. If set to a value <= 0, the cache is disabled. |
GVL settings
Environment variable prefix: FIDESPLUS__GVL__
| Name | Type | Default | Description |
|---|---|---|---|
gvl_source_url | string | "https://vendor-list.consensu.org/v3/vendor-list.json" | The URL from which to fetch the official GVL vendor list. |
Job settings
Environment variable prefix: FIDESPLUS__JOBS__
| Name | Type | Default | Description |
|---|---|---|---|
system_change_webhook_url | string | None | The URL to send the system change digest to. |
Consent extension
These are Fidesplus Extensions from the core Fides Consent Settings
Environment variable prefix: FIDES__CONSENT__
| Name | Type | Default | Description |
|---|---|---|---|
enable_auto_tcf_translation | boolean | False | Enables automatic (server-side) translations of the minimal TCF experience response to the user's preferred language based on the Accept-Language header. WARNING: this can significantly decrease cache hit ratios and reduce performance. |
enable_oob_translations | boolean | False | Enables translations on out-of-the-box Experiences and Notices. |
enable_translations | boolean | False | Enables a customer to set their own content in various languages. |
max_rapid_consent_rows | integer | 100000 | The maximum number of rows permitted to be returned in a rapid consent report response. |
privacy_experiences_cache_enabled | boolean | True | If True, privacy experience responses will be pre-calculated and stored in the cache, instead of being calculated on the fly. See privacy_experiences_error_on_cache_miss setting to configure behavior when a cache miss occurs. |
privacy_experiences_cache_frequency_seconds | integer | 3600 | Specifies how often the privacy experiences in the cache are refreshed (in seconds). Default is 3600s which is 1 hour. |
privacy_experiences_cache_ttl_seconds | integer | 259200 | Specifies how long the cached privacy experience responses will be stored in the cache (in seconds). Default is 259200s which is 3 days. We recommend setting this to a value that is significantly greater than the privacy_experiences_cache_frequency_seconds value. |
privacy_experiences_error_on_cache_miss | boolean | False | If True, an error will be returned for privacy experiences that are not found in the cache instead of calculating the experience response on the fly. |
privacy_experiences_tcf_db_cache_enabled | boolean | True | Deprecated: This setting will be removed in a future version, please use privacy_experiences_cache_enabled instead. If True, TCF privacy experience responses will be pre-calculated and stored in the database. See the privacy_experiences_error_on_cache_miss setting to configure behavior when a cache miss occurs. |
rapid_consent_db_buffer_size | integer | 1000 | The number of rows in the rapid consent DB query buffer. |
tcf_publisher_country_code | string | None | The country code of the country that determines the legislation of reference. Commonly, this corresponds to the country in which the publisher's business entity is established. |
Security extension
These are Fidesplus Extensions from the core Fides Security settings
Environment variable prefix: FIDES__SECURITY__
| Name | Type | Default | Description |
|---|---|---|---|
allow_username_password_login | boolean | False | Allows specific users to authenticate with username and password even when SSO is the main authentication method. |
consent_webhook_access_token_expire_minutes | integer | 129600 | The time in minutes for which consent webhook access tokens will be valid. Default value is equal to 90 days. |
System scanner settings
Environment variable prefix: FIDESPLUS__SYSTEM_SCANNER__
| Name | Type | Default | Description |
|---|---|---|---|
cluster_id | string | "" | The cluster ID for the system scanner. Must be a valid UUID if the system scanner is enabled. |
enabled | boolean | False | Enables the system scanner. |
pixie_api_key | string | "" | The API key for the Pixie service. Must be provided if the system scanner is enabled. |
pixie_cloud_server_url | string | "work.getcosmic.ai" | The URL of the Pixie cloud server. |
use_encryption | boolean | False | Whether to use encryption for the system scanner. |
Privacy center settings
Environment variable prefix: FIDES__PRIVACY_CENTER__
| Name | Type | Default | Description |
|---|---|---|---|
url | string | None | This allows external users to receive links to the DSR External Task portal. |
Celery configuration
Fides uses Celery (opens in a new tab) for asynchronous task management.
Fides supports configuring some Celery values via environment variables. These settings are listed below. Environment variable prefix: FIDES__CELERY__
| Name | Type | Default | Description |
|---|---|---|---|
event_queue_prefix | string | "fides_worker" | The prefix to use for event receiver queue names. |
task_always_eager | boolean | True | If True, tasks are executed locally instead of being sent to the queue. If False, tasks are sent to the queue. |
task_default_queue | string | "fides" | The name of the default queue if a message has no route or no custom queue has been specified. |
Also, to simplify deployments and remove the need for two different toml configuration files, it is possible to configure celery via the Fides configuration file.
Any valid configuration key/value pair for celery can instead be added to the Fides toml configuration file and will automatically be passed through to the celery deployment.
Note that Fides will not validate any of these key/value pairs. See the above configuration file reference for an example of using celery configuration pass-through.
For a full list of possible variable overrides, see the Celery configuration (opens in a new tab) documentation.