Concourse is configured through a YAML file mounted at /etc/concourse/config.yaml. All values can also be set via environment variables or CLI arguments.
Configuration values are resolved in this order (highest priority first):
CLI arguments
Environment variables
YAML config file
Built-in defaults
The config file supports environment variable substitution:
${VAR} — substitutes the value of VAR. Fails if unset.${VAR:-default} — substitutes the value of VAR, or default if unset.
host : 0.0.0.0 # Bind address
jwt_secret : ${CONCOURSE_JWT_SECRET} # Required. Min 32 bytes.
public_url : ${CONCOURSE_PUBLIC_URL:-} # For client autodiscovery
name : ${CONCOURSE_NAME:-My Company} # Organization display name
extensions_url : ${CONCOURSE_EXTENSIONS_URL:-} # Extension registry URL
url : ${DATABASE_URL:-sqlite:///data/concourse.db}
issuer : https://accounts.google.com
client_id : ${OIDC_CLIENT_ID}
client_secret : ${OIDC_CLIENT_SECRET}
redirect_uri : ${OIDC_REDIRECT_URI:-http://localhost:8080/api/v1/auth/oidc/callback}
metadata_url : ${SAML_METADATA_URL}
entity_id : ${SAML_ENTITY_ID:-https://concourse.example.com}
acs_url : ${SAML_ACS_URL:-http://localhost:8080/api/v1/auth/saml/acs}
admin_email : ${CONCOURSE_ADMIN_EMAIL}
admin_password : ${CONCOURSE_ADMIN_PASSWORD}
admin_name : ${CONCOURSE_ADMIN_NAME:-}
url : ${AUDIT_DATABASE_URL:-file:///data/audit.db}
url : ${AUDIT_WEBHOOK_URL:-}
Authorization : Bearer ${AUDIT_WEBHOOK_TOKEN:-}
Field Type Default Description server.hoststring 0.0.0.0Bind address for the HTTP server. server.portinteger 8080Listen port for HTTP and WebSocket. server.jwt_secretstring — Required. Secret used to sign JWT tokens. Must be at least 32 bytes.server.public_urlstring — Public URL of this Concourse instance. Used for client autodiscovery and SSO callback URLs. server.namestring My CompanyOrganization name displayed in the inboard app. server.extensions_urlstring — URL of the extension registry. Defaults to the inboard-hosted registry if unset.
Field Type Default Description database.urlstring sqlite:///data/concourse.dbPrimary database URL. Supports sqlite://, file://, libsql://, and :memory:.
Field Type Default Description auth.password_enabledboolean trueEnable email/password authentication. auth.oidc.enabledboolean falseEnable OpenID Connect authentication. auth.oidc.issuerstring — OIDC issuer URL (e.g., https://accounts.google.com). auth.oidc.client_idstring — OIDC client ID from your identity provider. auth.oidc.client_secretstring — OIDC client secret. auth.oidc.redirect_uristring http://localhost:8080/api/v1/auth/oidc/callbackOIDC callback URL. Must match your IdP configuration. auth.saml.enabledboolean falseEnable SAML 2.0 authentication. auth.saml.metadata_urlstring — URL to your IdP’s SAML metadata XML. auth.saml.entity_idstring https://concourse.example.comSAML Service Provider entity ID. auth.saml.acs_urlstring http://localhost:8080/api/v1/auth/saml/acsSAML Assertion Consumer Service URL.
Field Type Default Description bootstrap.admin_emailstring — Email for the initial admin user. Used only on first startup. bootstrap.admin_passwordstring — Password for the initial admin user. bootstrap.admin_namestring — Display name for the initial admin user.
Field Type Default Description audit.enabledboolean trueEnable audit logging. audit.database.urlstring file:///data/audit.dbAudit database URL. Separate from the primary database for tamper resistance. audit.webhook.enabledboolean falseEnable webhook forwarding of audit events. audit.webhook.urlstring — SIEM or log collector webhook URL. audit.webhook.headersmap — HTTP headers to include in webhook requests. audit.webhook.batch_sizeinteger 100Number of events to batch before sending. audit.webhook.flush_interval_secsinteger 5Maximum seconds between webhook flushes. audit.webhook.timeout_secsinteger 30HTTP timeout for webhook requests.
