Database Configuration

This controls whether users that are created can have an empty password or not.

The Couchbase Server backing bucket for the database.

This is the amount of milliseconds should pass before a bucket operation times out. An error will be returned if the bucket operation times out saying: operation timed out.

The root CA cert path for X.509 bucket authentication.

The channel cache config settings.

The trigger value for starting the channel cache eviction process.

Specify this as a percentage which will be the percentage used on `max_number).

When the cache size, determined by max_number, reaches the high watermark, the eviction process iterates through the cache, removing inactive channels.

The trigger value for stopping the channel cache eviction process.

Specify this as a percentage which will be the percentage used on `max_number).

When the cache size, determined by max_number returns to a value lower than the percentage of it set here, the cache eviction process is stopped.

Used to control whether Sync Gateway should use the all documents (*) channel.

The amount of time (in seconds) to keep entries in the cache beyond the minimum retained.

The maximum number of entries to maintain in the cache per channel.

The maximum number of pending sequences before skipping sequences.

The maximum number of channel caches which can exist at any one point.

The maximum time (in milliseconds) for waiting for a pending sequence before skipping it.

The maximum amount of time (in milliseconds) to wait for a skipped sequence before abandoning it.

The minimum number of entries to maintain in the cache per channel.

The revision cache config settings.

The number of shards the revision cache should be split into.

The maximum number of revisions that can be stored in the revision cache.

The cert path (public key) for X.509 bucket auth.

How long (in seconds) clients can remain offline for without losing replication metadata.

Defaults to 30 days (in seconds)

The interval between scheduled tombstone compaction runs (in days). This can be a floating point number.

If set to 0, compaction will not run automatically.

CORS configuration for this database; if present, overrides server's config.

List of allowed headers

List of allowed login origins

List of allowed origins, use ['*'] to allow access from everywhere

Delta sync configuration settings.

This is an enterprise-edition feature only

Whether delta sync is enabled.

This is an enterprise-edition feature only

The number of seconds deltas for old revisions are available for.

This defaults to 24 hours (in seconds).

Whether to disable username/password authentication and only allow OIDC and guest access.

Whether to use extended attributes to store Sync Gateway document (_sync) metadata.

These are the settings for webhooks.

The Javascript function to use to filter the webhook events.

The handler type.

The options for the event.

The option key and value.

The amount of time (in seconds) to attempt connect to the webhook before giving up.

The URL of the webhook.

The Javascript function to use to filter the webhook events.

The handler type.

The options for the event.

The option key and value.

The amount of time (in seconds) to attempt connect to the webhook before giving up.

The URL of the webhook.

The maximum amount of concurrent event handling independent functions that can be running at the same time.

The maximum amount of time (in milliseconds) to wait when the even queue is full.

Properties associated with a user

A list of channels to explicitly grant to the user for the default collection.

A list of roles to explicitly grant to the user.

All the channels that the user has been granted access to for the default collection.

Access could have been granted through the sync function, roles, or explicitly on the user under the admin_channels property.

A set of access grants by scope and collection.

An object keyed by scope, containing a set of collections.

An object keyed by collection name, defines access for the collection.

A list of channels to explicitly grant to the user.

All the channels that the user has been granted access to.

Access could have been granted through the sync function, roles, or explicitly on the user under the admin_channels property.

The channels that the user has been granted access to through channels_claim.

The last time that the user's JWT roles/channels were updated.

If true, the user will not be able to login to the account as it is disabled.

The email address of the user.

The channels that the user has been granted access to through channels_claim.

The issuer of the last JSON Web Token that the user last used to sign in.

The last time that the user's JWT roles/channels were updated.

The roles that the user has been added to through roles_claim.

The name of the user.

User names can only have alphanumeric ASCII characters and underscores.

The password of the user.

Mandatory. unless allow_empty_password is true in the database configs.

All the roles that the user has been granted access to.

Access could have been granted through the sync function, roles_claim, or explicitly on the user under the admin_roles property.

This controls whether import should attempt to create a temporary backup of the previous revision body (if available) when the document is modified in the bucket.

If true, documents will be imported in to Sync Gateway from the bucket when requested. Documents will be ran through the set import_filter if any is set.

The default value depends on the edition of Sync Gateway being used. If the edition is the community-edition, then this will default to false or else in the enterprise-edition, it will default to true.

This can also be set to the string continuous which maps to true.

This is the function that all imported documents in the default scope and collection are ran through in order to filter out what to import and what not to import. This allows you to control what is made available to Couchbase Mobile clients. If it is not set, then no documents are filtered when imported.

import_docs must be true to make this field applicable.

If scopes parameter is set, this is ignored.

** This is an enterprise-edition feature only**

This is how many import partitions should be used for import sharding.

Partitions are distributed among all Sync Gateway nodes participating in import processing (import_docs=true), and each process a subset of the server's vbuckets.

Each partition is processed by an independent function that runs simultaneously to others, so import_partitions can be used to tune concurrency based on the number of Sync Gateway nodes, and the number of cores per node.

The maximum number of seconds the sync, import filter, and custom conflict resolver JavaScript functions are allowed to run for before timing out. Set to 0 to allow the JS functions to run uncapped.

The key path (private key) for X.509 bucket auth

The Memcached TLS port.

The number of seconds before a _local document should expire.

Configuration for Local JWT authentication.

The providers name.

The JWT signing algorithms to accept for authentication.

If set, the value(s) of the given JSON Web Token claim will be added to the user's channels.

The value of this claim must be either a string or an array of strings, any other type will result in an error.

The value to match against the "aud" claim of JWTs. Set to an empty string to disable audience validation.

Disable Sync Gateway session creation on successful JWT authentication.

The value to match against the "iss" claim of JWTs.

The JSON Web Keys to use to validate JWTs.

If to register a new Sync Gateway user account when a user logs in with a JWT.

If set, the value(s) of the given JSON Web Token claim will be added to the user's roles.

The value of this claim must be either a string or an array of strings, any other type will result in an error.

This is the username prefix for all users created through this provider.

Allows a different OpenID Connect field to be specified instead of the Subject (sub).

The field name to use can be specified here.

Per-database logging configuration.

Console logging configuration.

Log Keys for the console output

Log Level for the console output

The maximum amount of query operations that can be running at any one point.

The name of the database.

This is the number of Global Secondary Indexes (GSI) to use for core indexes.

Start the database in an offline state.

Configuration for OpenID Connect authentication.

The default provider to use when the provider is not specified in the client.

List of OpenID Connect issuers.

The providers name.

Determines whether the TLS certificate verification should be disabled for this provider.

Indicates if this is the default OpenID Connect provider.

The name of the OpenID Connect Provider.

Allows users accept unsigned tokens from providers.

The URL that the OpenID Connect will redirect to after authentication.

If not provided, a callback URL will be generated.

If set, the value(s) of the given OpenID Connect authentication token claim will be added to the user's channels.

The value of this claim must be either a string or an array of strings, any other type will result in an error.

The OpenID Connect provider client ID.

Controls whether to maintain state between the auth request and callback endpoints (/_oidc and /_oidc_callback).

This is not recommended as it would cause OpenID Connect authentication to be vulnerable to Cross-Site Request Forgery (CSRF, XSRF).

This bypasses the configuration validation based on the OpenID Connect specifications. This may be required for some OpenID providers that don't strictly adhere to the specifications.

Disable Sync Gateway session creation on successful OpenID Connect authentication.

The non-standard discovery endpoint.

This is whether the _oidc_callback response should include the OpenID Connect access token and associated fields (such as token_type, and expires_in).

The URL for the OpenID Connect issuer.

If to register a new Sync Gateway user account when a user logs in with OpenID Connect.

If set, the value(s) of the given OpenID Connect authentication token claim will be added to the user's roles.

The value of this claim must be either a string or an array of strings, any other type will result in an error.

The scope sent for the OpenID Connect request.

This is the username prefix for all users created through this provider.

Allows a different OpenID Connect field to be specified instead of the Subject (sub).

The field name to use can be specified here.

The OpenID Connect provider client secret.

The number of seconds before old revisions are removed from the Couchbase Server bucket.

The password for authenticating to the server.

The query limit to be used during pagination of large queries.

Properties of a replication

Set to true to run the replication as an adhoc replication instead of a persistent one.

This means that the replication will only last the period of the replication until the status is changed to stopped and then it will be removed automatically. It will also be removed if Sync Gateway restarts or if removed due to user action.

The amount of changes to be sent in one batch of replications. Changing this is an enterprise-edition only feature.

If true, the replicator will run with collections, and will replicate all collections, unless otherwise limited by keyspace_map.

If false, the replicator will only replicate the default collection.

Limits the set of collections replicated to those listed in this array.

The replication will use all collections defined on the database if this list is empty.

Remaps the local collection name to the one specified in this array when replicating with the remote.

If only a subset of collections need remapping, elements in this array can be specified as null to preserve the local collection name.

The same index is used for both collections_remote and collections_local, and both arrays must be the same length.

This defines what conflict resolution policy Sync Gateway should use to apply when resolving conflicting revisions.

Changing this is an enterprise-edition only feature.

Behaviour

• default - In priority order, this will cause
  • Deletes to always win (the delete with the longest revision history wins if both revisions are deletes)
  • The revision with the longest revision history to win. This means the the revision with the most changes and therefore the highest revision ID will win.
• localWins - This will result in local revisions always being the winner in any conflict.
• remoteWins - This will result in remote revisions always being the winner in any conflict.
• custom - This will result in conflicts going through your own custom conflict resolver. You must provide this logic as a Javascript function in the custom_conflict_resolver parameter. This is an enterprise-edition only feature.

Note: replications created prior to Sync Gateway 2.8 will default to default.

If true, changes will be immediately synced when they happen. This is known as a continuous replication.

If false, all changes will be synced until they have been processed. The replication will then cease and not process any future changes (unless started again by the user). This is known as a one-shot replication.

This specifies the Javascript function to use to resolve conflicts between conflicting revisions.

This must be used when conflict_resolution_type=custom. This property will be ignored when conflict_resolution_type is not custom.

The Javascript function to provide this property should be in backticks (like the sync function). The function takes 1 parameter which is a struct that represents the conflict. This struct has 2 properties:

• LocalDocument - The local document. This contains the document ID under the _id key.
• RemoteDocument - The remote document The function should return the new documents body. This can be the winning revision (for example, return conflict.LocalDocument), a new body, or nil to resolve as a delete.

Example:

"custom_conflict_resolver":\`
	function(conflict) {
		console.log("Doc ID: "+conflict.LocalDocument._id);
		console.log("Full remote doc: "+JSON.stringify(conflict.RemoteDocument));
		return conflict.RemoteDocument;
	}
\`

Using complex custom_conflict_resolver functions can noticeably degrade performance. Use a built-in resolver whenever possible.

This is an enterprise-edition only feature.

This specifies which direction the replication will be replicating with the remote replicator.

The directions are:

• pull - changes are pulled from the remote database
• push - changes are pushed to the remote database
• pushAndPull - changes are both push-to and pulled-from the remote database

Replications created prior to Sync Gateway 2.8 derive their direction from the source/target URL of the replication.

This will turn on delta- sync for the replication. This works in conjunction with the database level setting delta_sync.enabled

If set to true, delta-sync will be used as long as both databases involved in the replication have delta-sync enabled. If a database does not have delta-sync enabled, then the replication will run without delta-sync.

Replications created prior to Sync Gateway 2.8 must have delta-sync disabled.

Enabling this is an enterprise-edition only feature.

This defines whether to filter documents by their channels or not.

If set to sync_gateway/bychannel then a pull replication will be limited to a specific set of channels specified by the query_params.channels property.

This only can be used with pull replications.

This is what state to start the replication in when creating a new replication.

This allows you to control if the replication starts in a stopped start or running state.

Replications prior to Sync Gateway 2.8 will run in the default state running.

Specifies the maximum time-period (in minutes) that Sync Gateway will attempt to reconnect to a lost or unreachable remote.

When a disconnection happens, Sync Gateway will do an exponential backoff up to this specified value. When this value is met, it will attempt to reconnect indefinitely every max_backoff_time minutes.

If this is set to 0, Sync Gateway will do the normal exponential backoff after the disconnect happens but then attempting 10 minutes and stop the replication.

Note: this defaults to 5 minutes for replications created prior to Sync Gateway 2.8.

Specifies whether to purge a document if the remote user loses access to all of the channels on the document when attempting to pull it from the remote.

If false, documents will not be replicated and not be purged when the user loses access.

This is a set of key/value pairs used in the query string of the replication.

If filters=sync_gateway/bychannel then this can be used to set the channels to filter by in a pull replication. To do this, set the channels key to a string array of the channels to filter by. For example:

"filter":"sync_gateway/bychannel",
"query_params": {
  "channels":["chanUser1"]
},

This is the endpoint of the database for the remote Sync Gateway that is the subject of this replication's push, pull, or pushAndPull action.

Typically this would include the URI, port, and database name. For example, http://localhost:4985/db.

How this remote is used depends on the direction of the replication:

• pull - this replicator pulls changes from the remote
• push - this replicator pushes changes to this remote
• pushAndPull - this replicator pushes changes to this remote, while also pulling receiving changes

The password to use to authenticate with the remote.

This password will be redacted in the replication config.

This can only be used for a pull replication.

The username to use to authenticate with the remote.

This can only be used for a pull replication.

This is the ID of the replication.

When creating a new replication using a POST request, this will be set to a random UUID if not explicitly set.

When the replication ID is specified in the URL, this must be set to the same replication ID if specifying it at all.

This is used if you want to specify a user to run the replication as. This means that the replication will only be able to replicate what the user access to what the user has access to.

The maximum depth a document's revision tree can grow too.

The minimum is 20 if conflicts are allowed and 0 if not. It is not recommended to go below 100 when conflicts are allowed.

An object keyed by scope name containing config for the specific collection.

Scope-specific configuration.

An object keyed by collection name containing config for the specific collection.

Collection-specific configuration.

This is the function that all imported documents in this collection are ran through in order to filter out what to import and what not to import. This allows you to control what is made available to Couchbase Mobile clients. If it is not set, then no documents are filtered when imported.

import_docs in the database config must be true to make this field applicable.

The Javascript function that newly created documents in this collection are ran through.

Controls whether to send a WWW-Authenticate header in 401 Unauthorized HTTP responses.

If set, always serve attachments with the Content-Type header set to the type of the attachment.

When serving an attachment, usually the Content-Type header is set to the type of the attachment but the Content-Disposition response header will be set instead if the content type is vulnerable to a phishing attack, causing the browser to download the file instead of display it. This option will override that behaviour and always set the Content-Type header.

This is the Couchbase Server address or addresses that the database connect to.

Make all session cookies for the database set the HttpOnly flag so they are inaccessible to JavaScript.

This can be used to define a custom per-database session cookie name.

Override the session cookie secure flag. If set, the cookie will have the secure flag.

This will default to true if startup config api.https.tls_cert_path is set otherwise it will default to false.

Whether the node should accept assign replications (true) or not (false).

Use a custom heartbeat interval (in seconds) for websocket ping frames.

The amount of milliseconds a N1QL query should run before logging a warning.

Set to true to allow the database to be suspended.

Defaults to true when running in serverless mode otherwise defaults to false.

The Javascript function that newly created documents are ran through for the default scope and collection. If scopes parameter is set, this is ignored.

These are unsupported options and therefore it is not recommended to use them.

Setting for test purposes only

Whether Couchbase buckets can be flushed via Admin REST API.

Set the dcp feed to use a different read buffer size.

Force REST API errors to return forbidden

Restrict GUEST document access to read-only.

Set the kv pool to use a different buffer size.

Whether the oidc_test_provider endpoints should be exposed on the public API.

Enable self-signed certificates for OIDC testing.

Enable self-signed certificates for external JavaScript load.

Enable self-signed certificates for SG-replicate testing.

Whether pass-through view query is supported through public API.

The number of access and role grants per document to be used as a threshold for grant count warnings.

The number of channel name characters to be used as a threshold for channel name warnings.

The number of channels per document to be used as a threshold for the channel count warnings.

The number of channels per user to be used as a threshold for channel count warnings.

The number of bytes to be used as a threshold for xattr size limit warnings.

Force the use of views instead of GSI.

The key to use for the user xattr that will be accessible from the sync function. IF empty, the feature will be disabled.

The username for authenticating to the server.

The number of seconds before a view query should timeout.