Channels

Channels

GraphQL API channel configuration

The GraphQL channel exposes directory operations via GraphQL with:

• Collection queries: users(filter: …) { nodes { … } }
• Single lookup: user(id: ”…”) { … }
• Schema introspection: GET /graphql.sdl, GET /graphql.json
• GraphiQL UI: GET /graphql (Accept: text/html)

The base path is fixed at /graphql.

Automatic Persisted Queries (APQ)

APQ reduces bandwidth by allowing clients to send SHA256 hashes instead of full query strings after initial registration. Flow:

• Client sends POST with query + hash (registers query in cache)
• Subsequent requests send only the hash (GET or POST)
• On cache miss, client retries with full query

Enable APQ support

auto = enabled when GraphQL channel is enabled

true = always enabled, false = always disabled

Priority: SCRIBE_GRAPHQL_APQ_ENABLED > config

channels.graphql.apq.enabled = "auto"
channels.graphql.apq.enabled = ${?SCRIBE_GRAPHQL_APQ_ENABLED}

Maximum number of cached queries (LRU eviction when exceeded)

Priority: SCRIBE_GRAPHQL_APQ_MAX_SIZE > config

channels.graphql.apq.max-size = 1000
channels.graphql.apq.max-size = ${?SCRIBE_GRAPHQL_APQ_MAX_SIZE}

Cache entry TTL (expireAfterAccess, keeps hot queries longer)

Priority: SCRIBE_GRAPHQL_APQ_TTL > config

channels.graphql.apq.ttl = 10h
channels.graphql.apq.ttl = ${?SCRIBE_GRAPHQL_APQ_TTL}

Authentication settings for GraphQL API.

Inherits from root auth {} and can override settings.

channels.graphql.auth.enabled = ${?SCRIBE_GRAPHQL_AUTH_ENABLED}

Override global auth.methods with channel-specific list

Priority: SCRIBE_GRAPHQL_AUTH_METHODS > config > auth.methods

channels.graphql.auth.methods = ${?SCRIBE_GRAPHQL_AUTH_METHODS}

Query Parameter Defaults

Applied when the client omits the parameter. Client-provided values override these defaults except for max-limit which always caps. Default page size when no limit/first/last specified (configurable, default: 25)

Priority: SCRIBE_GRAPHQL_DEFAULT_LIMIT > config

channels.graphql.default-limit = 25
channels.graphql.default-limit = ${?SCRIBE_GRAPHQL_DEFAULT_LIMIT}

Enable the GraphQL channel

Priority: SCRIBE_GRAPHQL_ENABLED > config

channels.graphql.enabled = false
channels.graphql.enabled = ${?SCRIBE_GRAPHQL_ENABLED}

Schema Introspection

Controls access to schema introspection and SDL endpoints. Disable in production to reduce attack surface.

When disabled:

• Schema endpoints return 404: /graphql.json, /graphql.sdl
• Introspection queries are blocked: { __schema { … } }

Enable schema introspection

auto = enabled in dev/test, disabled in prod (security-safe default)

Affects: GET /graphql.json, GET /graphql.sdl, and introspection queries

Priority: SCRIBE_GRAPHQL_INTROSPECTION_ENABLED > config

channels.graphql.introspection.enabled = "auto"
channels.graphql.introspection.enabled = ${?SCRIBE_GRAPHQL_INTROSPECTION_ENABLED}

Query analysis limits (applied after parsing, before execution). These prevent queries that would consume excessive resources.

Maximum query complexity (prevents wide queries with many fields). Complexity is calculated as sum of fields selected. Set to 0 to disable. Tune based on staging logs (start with p95 + headroom).

Priority: SCRIBE_GRAPHQL_LIMITS_MAX_COMPLEXITY > config

channels.graphql.limits.max-complexity = 500
channels.graphql.limits.max-complexity = ${?SCRIBE_GRAPHQL_LIMITS_MAX_COMPLEXITY}

Maximum query depth (prevents deeply nested queries). Default 15 allows introspection queries (required by GraphiQL). Set to 0 to disable depth checking.

Priority: SCRIBE_GRAPHQL_LIMITS_MAX_DEPTH > config

channels.graphql.limits.max-depth = 15
channels.graphql.limits.max-depth = ${?SCRIBE_GRAPHQL_LIMITS_MAX_DEPTH}

Maximum entries per request (caps client-provided limit, configurable, default: 1000)

Priority: SCRIBE_GRAPHQL_MAX_LIMIT > config

channels.graphql.max-limit = 1000
channels.graphql.max-limit = ${?SCRIBE_GRAPHQL_MAX_LIMIT}

Query Security Limits

Protection against denial-of-service through excessive query complexity. These limits apply at different stages of query processing. Parser-level DoS limits (applied before query analysis). These are the first line of defense against malicious payloads.

Maximum query characters (prevents excessive parsing time/memory).

Priority: SCRIBE_GRAPHQL_PARSER_MAX_CHARACTERS > config

channels.graphql.parser.max-characters = 1048576
channels.graphql.parser.max-characters = ${?SCRIBE_GRAPHQL_PARSER_MAX_CHARACTERS}

Maximum query tokens (prevents parser CPU exhaustion).

Priority: SCRIBE_GRAPHQL_PARSER_MAX_TOKENS > config

channels.graphql.parser.max-tokens = 15000
channels.graphql.parser.max-tokens = ${?SCRIBE_GRAPHQL_PARSER_MAX_TOKENS}

Per-channel signal thresholds.

Inherits from: monitoring.signals

channels.graphql.signals = ${monitoring.signals} {}

Socket reference for GraphQL API.

Use a named socket from http.sockets.* or omit for @default.

Priority: SCRIBE_GRAPHQL_SOCKET > config

channels.graphql.socket = ${?SCRIBE_GRAPHQL_SOCKET}

GraphiQL UI configuration

GraphiQL v5 provides an interactive GraphQL query builder with Monaco Editor and optional plugins (Explorer, History). Assets are bundled with the app by default (offline-safe, no external network). Use asset {} block to override with CDN URLs.

External asset configuration (CDN override). By default, GraphiQL assets are bundled with the app. If configured, all fields are required. SRI (Subresource Integrity) hash prevents supply-chain attacks.

Subresource Integrity hash for the CSS stylesheet.

Example: "sha512-..."

channels.graphql.ui.asset.css-sri = null

CDN URL for GraphiQL CSS stylesheet.

Example: "https://cdn.example.com/graphiql/5.2.0/graphiql.css"

channels.graphql.ui.asset.css-url = null

Subresource Integrity hash for the JavaScript bundle.

Example: "sha512-..."

channels.graphql.ui.asset.js-sri = null

CDN URL for GraphiQL JavaScript bundle.

Example: "https://cdn.example.com/graphiql/5.2.0/graphiql.bundle.js"

channels.graphql.ui.asset.js-url = null

Dark mode (Monaco editor theme)

Priority: SCRIBE_GRAPHQL_UI_DARK_MODE > config

channels.graphql.ui.dark-mode = false
channels.graphql.ui.dark-mode = ${?SCRIBE_GRAPHQL_UI_DARK_MODE}

Show variables/headers panel by default

auto = show in dev, hide in prod

true = always show, false = always hide

Priority: SCRIBE_GRAPHQL_UI_EDITOR_TOOLS > config

channels.graphql.ui.default-editor-tools-visibility = "auto"
channels.graphql.ui.default-editor-tools-visibility = ${?SCRIBE_GRAPHQL_UI_EDITOR_TOOLS}

Enable GraphiQL UI

auto = enabled in dev/test, disabled in prod (prod-safe default)

Priority: SCRIBE_GRAPHQL_UI_ENABLED > config

channels.graphql.ui.enabled = "auto"
channels.graphql.ui.enabled = ${?SCRIBE_GRAPHQL_UI_ENABLED}

Plugins configuration

Enable Explorer plugin (visual query builder) Great for non-developers to explore schema visually

Priority: SCRIBE_GRAPHQL_UI_EXPLORER > config

channels.graphql.ui.plugins.explorer = true
channels.graphql.ui.plugins.explorer = ${?SCRIBE_GRAPHQL_UI_EXPLORER}

Enable History plugin (query history sidebar)

Priority: SCRIBE_GRAPHQL_UI_HISTORY > config

channels.graphql.ui.plugins.history = true
channels.graphql.ui.plugins.history = ${?SCRIBE_GRAPHQL_UI_HISTORY}

Show example queries and fragments When enabled, GraphiQL is pre-configured with:

• Per-type tabs with search, lookup, and changes queries
• Common fragments: {Type}Fields, ChangeDataFields, PageInfoFields
• FleX filter syntax examples

Priority: SCRIBE_GRAPHQL_UI_SHOW_EXAMPLES > config

channels.graphql.ui.show-examples = true
channels.graphql.ui.show-examples = ${?SCRIBE_GRAPHQL_UI_SHOW_EXAMPLES}

LDAP channel configuration

The LDAP channel exposes directory operations via LDAP v3 protocol with:

• Standard LDAP search, compare, and bind operations
• Simple Paged Results and VLV controls for pagination
• Server-Side Sorting (SSS) control
• LDAPS (TLS) for secure connections
• Client certificate authentication

Settings inherit from the shared ldap configuration block.

Authentication settings for LDAP channel.

Inherits from root auth {} and can override settings.

channels.ldap.auth.enabled = ${?SCRIBE_LDAP_AUTH_ENABLED}

Override global auth.methods with channel-specific list

Priority: SCRIBE_LDAP_AUTH_METHODS > config > auth.methods

channels.ldap.auth.methods = ${?SCRIBE_LDAP_AUTH_METHODS}

Connection Hints (channel-specific overrides)

Override database.connection-hints defaults for LDAP queries only. Values here are merged with database defaults (channel values win).

Lock acquisition timeout

Priority: SCRIBE_LDAP_LOCK_TIMEOUT > config > database.connection-hints

channels.ldap.connection-hints.lock-timeout = ${?SCRIBE_LDAP_LOCK_TIMEOUT}

Session flags (comma-separated): force-custom-plan, jit-off

Priority: SCRIBE_LDAP_SESSION_FLAGS > config > database.connection-hints

channels.ldap.connection-hints.session-flags = ${?SCRIBE_LDAP_SESSION_FLAGS}

Statement execution timeout (prevents runaway queries)

Priority: SCRIBE_LDAP_STATEMENT_TIMEOUT > config > database.connection-hints

channels.ldap.connection-hints.statement-timeout = ${?SCRIBE_LDAP_STATEMENT_TIMEOUT}

PostgreSQL work_mem per-query memory

Priority: SCRIBE_LDAP_WORK_MEM > config > database.connection-hints

channels.ldap.connection-hints.work-mem = ${?SCRIBE_LDAP_WORK_MEM}

Specifies the timeout in seconds that should be used if the SO_LINGER socket option is enabled. The value must be between 0 and 65535, inclusive.

Priority: SCRIBE_LDAP_LINGER_TIMEOUT_SECONDS > config

channels.ldap.linger-timeout-seconds = ${?SCRIBE_LDAP_LINGER_TIMEOUT_SECONDS}

Specifies the address on which to listen for client connections. The provided value must be a valid IP address or hostname. It may be null to indicate that it should listen on all available addresses on all interfaces.

channels.ldap.listen.item.host = null

Specifies the port number on which to listen for client connections. The provided value must be between 1 and 65535, or it may be 0 to indicate that the JVM should select a free port on the system.

channels.ldap.listen.item.port = 10389

Enable SSL/TLS for the listener. Presence of this block enables LDAPS. Inherits from the shared ssl configuration (ssl.ca, ssl.cert, ssl.key, ssl.password).

Specifies whether the server should request that the client present its own certificate chain during TLS negotiation. This will be ignored for non-TLS-based connections.

channels.ldap.listen.item.ssl.request-client-certificate = false

Indicates whether the server should require that the client present its own certificate chain during TLS negotiation and should fail negotiation if no certificate chain was provided. This will be ignored for non-TLS-based connections, and it will also be ignored if request-client-certificate is false.

channels.ldap.listen.item.ssl.require-client-certificate = false

Connection Limits

Configure limits on connections and message sizes. Specifies the maximum number of concurrent connections that the server will allow. If a client tries to establish a new connection while the server already has the maximum number of concurrent connections, then the new connection will be rejected. A value that is less than or equal to zero indicates no limit.

Priority: SCRIBE_LDAP_MAX_CONNECTIONS > config

channels.ldap.max-connections = ${?SCRIBE_LDAP_MAX_CONNECTIONS}

Specifies the maximum size in bytes for LDAP messages that will be accepted by this server. A value that is less than or equal to zero will use the maximum allowed message size.

Priority: SCRIBE_LDAP_MAX_MESSAGE_SIZE_BYTES > config

channels.ldap.max-message-size-bytes = ${?SCRIBE_LDAP_MAX_MESSAGE_SIZE_BYTES}

Prevent delegation to backend LDAP server When true, requests that cannot be satisfied locally will fail with UNWILLING_TO_PERFORM instead of delegating to the upstream LDAP server. Use for strict isolation only - enabling this may break schema queries, directory browser operations, and other features that require backend access.

Default: false (delegation allowed)

channels.ldap.prevent-delegation = false
channels.ldap.prevent-delegation = ${?SCRIBE_LDAP_PREVENT_DELEGATION}

Buffer Sizes

Configure socket buffer sizes for performance tuning. Specifies the receive buffer size that should be used for sockets accepted by the server. A value less than or equal to zero indicates that the default receive buffer size should be used.

Priority: SCRIBE_LDAP_RECEIVE_BUFFER_SIZE > config

channels.ldap.receive-buffer-size = ${?SCRIBE_LDAP_RECEIVE_BUFFER_SIZE}

Specifies the send buffer size that should be used for sockets accepted by the listener. A value less than or equal to zero indicates that the default send buffer size should be used.

Priority: SCRIBE_LDAP_SEND_BUFFER_SIZE > config

channels.ldap.send-buffer-size = ${?SCRIBE_LDAP_SEND_BUFFER_SIZE}

Per-channel signal thresholds.

LDAP typically has tighter latency requirements.

Example: Stricter LDAP latency thresholds

signals = ${monitoring.signals} { latency-p99 { degraded = 0.3, critical = 1.0 } }

Inherits from: monitoring.signals

channels.ldap.signals = ${monitoring.signals} {}

Indicates whether to use the TCP_NODELAY socket option for sockets accepted by the server. When enabled, disables Nagle’s algorithm for lower latency at the cost of more packets.

Priority: SCRIBE_LDAP_TCP_NO_DELAY > config

channels.ldap.tcp-no-delay = ${?SCRIBE_LDAP_TCP_NO_DELAY}

Socket Options

Fine-tune TCP connection behavior for LDAP connections. Specifies whether to use the SO_KEEPALIVE socket option for sockets accepted by the server. When enabled, the system will periodically probe idle connections to detect broken connections.

Priority: SCRIBE_LDAP_USE_KEEP_ALIVE > config

channels.ldap.use-keep-alive = ${?SCRIBE_LDAP_USE_KEEP_ALIVE}

Specifies whether to use the SO_LINGER socket option for sockets accepted by the server. When enabled, the socket will wait for pending data to be sent before closing.

Priority: SCRIBE_LDAP_USE_LINGER > config

channels.ldap.use-linger = ${?SCRIBE_LDAP_USE_LINGER}

Specifies whether to use the SO_REUSEADDR socket option for sockets accepted by the server. When enabled, allows the socket to bind to an address that is already in use.

Priority: SCRIBE_LDAP_USE_REUSE_ADDRESS > config

channels.ldap.use-reuse-address = ${?SCRIBE_LDAP_USE_REUSE_ADDRESS}

MCP (Model Context Protocol) channel configuration

The MCP channel exposes directory operations to AI coding assistants via:

• Tools: describe, search, help, ref
• Prompts: usage guide, filter syntax, troubleshooting
• Resources: OpenAPI spec, GraphQL schema, reference index

Works with Cursor, Claude Desktop, VS Code, Windsurf, and other MCP clients. The endpoint is fixed at /mcp. IMPORTANT: MCP requires HTTP/1.1 for Server-Sent Events (SSE) transport. HTTP/2-only sockets will not work. Ensure the bound socket has HTTP/1.1 enabled:

http.protocols.http-1-1.enabled = true  (default)

Authentication settings for MCP channel.

MCP clients discover auth via /.well-known/oauth-authorization-server (RFC 8414). Inherits from root auth {} and can override settings.

channels.mcp.auth.enabled = ${?SCRIBE_MCP_AUTH_ENABLED}

Override global auth.methods with channel-specific list

Priority: SCRIBE_MCP_AUTH_METHODS > config > auth.methods

channels.mcp.auth.methods = ${?SCRIBE_MCP_AUTH_METHODS}

Query Parameter Defaults

Applied when the client omits the parameter. Default page size for search results (configurable, default: 25)

Priority: SCRIBE_MCP_DEFAULT_LIMIT > config

channels.mcp.default-limit = 25
channels.mcp.default-limit = ${?SCRIBE_MCP_DEFAULT_LIMIT}

Enable the MCP channel

Priority: SCRIBE_MCP_ENABLED > config

channels.mcp.enabled = false
channels.mcp.enabled = ${?SCRIBE_MCP_ENABLED}

Maximum entries per search request (caps client-provided limit, default: 100)

Priority: SCRIBE_MCP_MAX_LIMIT > config

channels.mcp.max-limit = 100
channels.mcp.max-limit = ${?SCRIBE_MCP_MAX_LIMIT}

Socket reference(s) for MCP channel.

Can be a single name, comma-separated list, or HOCON list. Use named sockets from http.sockets.* or omit for @default.

Priority: SCRIBE_MCP_SOCKET > config

Examples:

socket = "admin"           # Single socket

socket = "admin, public"   # Comma-separated

socket = ["admin", "public"]  # HOCON list

channels.mcp.socket = ${?SCRIBE_MCP_SOCKET}

REST API channel configuration

The REST channel exposes directory operations via HTTP/JSON with:

• Collection search: GET /api/entries/{entry_type}
• Single lookup: GET /api/entries/{entry_type}/{id}
• OpenAPI UI/spec: GET /api

The base path is fixed at /api. Customers needing a different external path can use a reverse proxy for path rewriting.

Authentication settings for REST API.

Inherits from root auth {} and can override settings.

channels.rest.auth.enabled = ${?SCRIBE_REST_AUTH_ENABLED}

Override global auth.methods with channel-specific list

Priority: SCRIBE_REST_AUTH_METHODS > config > auth.methods

channels.rest.auth.methods = ${?SCRIBE_REST_AUTH_METHODS}

Connection Hints (channel-specific overrides)

Override database.connection-hints defaults for REST queries only. Values here are merged with database defaults (channel values win).

Lock acquisition timeout

Priority: SCRIBE_REST_LOCK_TIMEOUT > config > database.connection-hints

channels.rest.connection-hints.lock-timeout = ${?SCRIBE_REST_LOCK_TIMEOUT}

Session flags (comma-separated): force-custom-plan, jit-off

Priority: SCRIBE_REST_SESSION_FLAGS > config > database.connection-hints

channels.rest.connection-hints.session-flags = ${?SCRIBE_REST_SESSION_FLAGS}

Statement execution timeout (prevents runaway queries)

Priority: SCRIBE_REST_STATEMENT_TIMEOUT > config > database.connection-hints

channels.rest.connection-hints.statement-timeout = ${?SCRIBE_REST_STATEMENT_TIMEOUT}

PostgreSQL work_mem per-query memory

Priority: SCRIBE_REST_WORK_MEM > config > database.connection-hints

channels.rest.connection-hints.work-mem = ${?SCRIBE_REST_WORK_MEM}

Default count mode: exact, estimated, none (configurable, default: “estimated”)

Priority: SCRIBE_REST_DEFAULT_COUNT > config

channels.rest.default-count = "estimated"
channels.rest.default-count = ${?SCRIBE_REST_DEFAULT_COUNT}

Default attribute selection (configurable)

• null (default): return all user attributes (equivalent to LDAP ”*”)
• “cn,mail,sn”: return only specified attributes
• ”*,+”: return all user and operational attributes

Priority: SCRIBE_REST_DEFAULT_FIELDS > config

channels.rest.default-fields = ${?SCRIBE_REST_DEFAULT_FIELDS}

Default response shape: nodes, edges, pageInfo, count (comma-separated)

Configurable, default: “nodes,pageInfo,count”

Priority: SCRIBE_REST_DEFAULT_INCLUDE > config

channels.rest.default-include = "nodes,pageInfo,count"
channels.rest.default-include = ${?SCRIBE_REST_DEFAULT_INCLUDE}

Query Parameter Defaults

Applied when the client omits the parameter. Client-provided values override these defaults except for max-limit which always caps. Default page size when no limit/first/last specified (configurable, default: 25)

Priority: SCRIBE_REST_DEFAULT_LIMIT > config

channels.rest.default-limit = 25
channels.rest.default-limit = ${?SCRIBE_REST_DEFAULT_LIMIT}

Default sort order (configurable)

• null (default): database-native order (typically insertion order, not guaranteed stable)
• “cn”: sort by cn ascending
• “-modifyTimestamp,cn”: sort by modifyTimestamp descending, then cn ascending

Priority: SCRIBE_REST_DEFAULT_SORT > config

channels.rest.default-sort = ${?SCRIBE_REST_DEFAULT_SORT}

Enable the REST channel

Priority: SCRIBE_REST_ENABLED > config

channels.rest.enabled = false
channels.rest.enabled = ${?SCRIBE_REST_ENABLED}

Export Configuration

Streaming export for search results in various formats (CSV, TSV, LDIF, JSON, etc.) Triggered by filename or export query parameter on search endpoints.

Connection hints for export queries (read-replica routing, longer timeout)

channels.rest.export.connection-hints.read-only = true

channels.rest.export.connection-hints.statement-timeout = 5m

Default format when Accept is / and filename has no extension Options: csv, tsv, ldif, json, ndjson, json-seq, json-ld

Priority: SCRIBE_REST_EXPORT_DEFAULT_FORMAT > config

channels.rest.export.default-format = "ndjson"
channels.rest.export.default-format = ${?SCRIBE_REST_EXPORT_DEFAULT_FORMAT}

Enable export functionality

Priority: SCRIBE_REST_EXPORT_ENABLED > config

channels.rest.export.enabled = true
channels.rest.export.enabled = ${?SCRIBE_REST_EXPORT_ENABLED}

DB fetch size (rows per round-trip)

Priority: SCRIBE_REST_EXPORT_FETCH_SIZE > config

channels.rest.export.fetch-size = 2000
channels.rest.export.fetch-size = ${?SCRIBE_REST_EXPORT_FETCH_SIZE}

Rows per flush (batch flush for performance)

Priority: SCRIBE_REST_EXPORT_FLUSH_BATCH_SIZE > config

channels.rest.export.flush-batch-size = 500
channels.rest.export.flush-batch-size = ${?SCRIBE_REST_EXPORT_FLUSH_BATCH_SIZE}

LDIF Format Global Settings

These settings apply JVM-wide to all LDIF exports (UnboundID SDK limitation). Per-export options (wrapColumn, headerComment, version) are configured via the export query parameter JSON.

Base64 encoding strategy for LDIF output Options:

• minimal-compliant: Encode only when required by RFC 2849 (default, most readable)
• default: Library default encoding
• maximal: Encode everything that could be encoded
• user-friendly: Non-compliant but more readable for non-ASCII

Priority: SCRIBE_LDIF_BASE64_STRATEGY > config

channels.rest.export.ldif.base64-strategy = "minimal-compliant"
channels.rest.export.ldif.base64-strategy = ${?SCRIBE_LDIF_BASE64_STRATEGY}

Add comments explaining base64-encoded values Useful for debugging but makes output noisier and breaks clean diffs.

Priority: SCRIBE_LDIF_COMMENT_ABOUT_BASE64 > config

channels.rest.export.ldif.comment-about-base64 = false
channels.rest.export.ldif.comment-about-base64 = ${?SCRIBE_LDIF_COMMENT_ABOUT_BASE64}

Maximum export duration (abort if exceeded)

Priority: SCRIBE_REST_EXPORT_MAX_DURATION > config

channels.rest.export.max-duration = 5m
channels.rest.export.max-duration = ${?SCRIBE_REST_EXPORT_MAX_DURATION}

Maximum rows per export (hard cap, prevents runaway exports)

Priority: SCRIBE_REST_EXPORT_MAX_ROWS > config

channels.rest.export.max-rows = 100000
channels.rest.export.max-rows = ${?SCRIBE_REST_EXPORT_MAX_ROWS}

HTTP server settings for REST API.

This section inherits all settings from http. Override individual settings as needed.

Maximum entries per request (caps client-provided limit, configurable, default: 1000)

Priority: SCRIBE_REST_MAX_LIMIT > config

channels.rest.max-limit = 1000
channels.rest.max-limit = ${?SCRIBE_REST_MAX_LIMIT}

OpenAPI Schema Endpoints

Controls access to OpenAPI spec endpoints (JSON/YAML). Disable in production to reduce attack surface.

Enable OpenAPI schema endpoints

auto = enabled in dev/test, disabled in prod (security-safe default)

Affects: GET /api.json, GET /api.yaml, GET /openapi.json, GET /openapi.yaml

Priority: SCRIBE_REST_OPENAPI_ENABLED > config

channels.rest.openapi.enabled = "auto"
channels.rest.openapi.enabled = ${?SCRIBE_REST_OPENAPI_ENABLED}

Per-channel signal thresholds.

Inherits from monitoring.signals, override what differs.

Example: REST API tolerates higher latency

signals = ${monitoring.signals} { latency-p99 { degraded = 1.0, critical = 3.0 } }

Inherits from: monitoring.signals

channels.rest.signals = ${monitoring.signals} { }

Socket for REST API endpoints.

Use a named socket from http.sockets.* or omit for @default. If unset (no env var, key omitted, or value is null), defaults to @default.

Priority: SCRIBE_REST_SOCKET > config

channels.rest.socket = ${?SCRIBE_REST_SOCKET}

OpenAPI UI (Scalar API Reference) configuration

Inherits all defaults from openapi.ui. Channel-specific env vars can override individual settings. See openapi.ui in reference/openapi.conf for all available settings.

Inherits from: openapi.ui

channels.rest.ui = ${openapi.ui}

OpenAPI UI (Scalar API Reference) configuration

Inherits all defaults from openapi.ui. Channel-specific env vars can override individual settings. See openapi.ui in reference/openapi.conf for all available settings.

External asset (CDN override)

channels.rest.ui.asset.sri = ${?SCRIBE_REST_UI_ASSET_SRI}

channels.rest.ui.asset.url = ${?SCRIBE_REST_UI_ASSET_URL}

channels.rest.ui.dark-mode = ${?SCRIBE_REST_UI_DARK_MODE}

Channel-specific env var overrides

Priority: SCRIBE_REST_UI_* > openapi.ui.*

channels.rest.ui.enabled = ${?SCRIBE_REST_UI_ENABLED}

channels.rest.ui.force-dark-mode-state = ${?SCRIBE_REST_UI_FORCE_DARK_MODE_STATE}

channels.rest.ui.hide-dark-mode-toggle = ${?SCRIBE_REST_UI_HIDE_DARK_MODE_TOGGLE}

channels.rest.ui.hide-test-request-button = ${?SCRIBE_REST_UI_HIDE_TEST_REQUEST_BUTTON}

channels.rest.ui.layout = ${?SCRIBE_REST_UI_LAYOUT}

channels.rest.ui.search-hot-key = ${?SCRIBE_REST_UI_SEARCH_HOT_KEY}

channels.rest.ui.show-developer-tools = ${?SCRIBE_REST_UI_SHOW_DEVELOPER_TOOLS}

channels.rest.ui.show-sidebar = ${?SCRIBE_REST_UI_SHOW_SIDEBAR}

channels.rest.ui.theme = ${?SCRIBE_REST_UI_THEME}