This controls whether users that are created can have an empty password or not.

The Couchbase Server backing bucket for the database.

This is the amount of milliseconds should pass before a bucket operation times out. An error will be returned if the bucket operation times out saying: operation timed out.

The root CA cert path for X.509 bucket authentication.

The channel cache config settings.

The trigger value for starting the channel cache eviction process.

Specify this as a percentage which will be the percentage used on `max_number).

When the cache size, determined by max_number, reaches the high watermark, the eviction process iterates through the cache, removing inactive channels.

The trigger value for stopping the channel cache eviction process.

Specify this as a percentage which will be the percentage used on `max_number).

When the cache size, determined by max_number returns to a value lower than the percentage of it set here, the cache eviction process is stopped.

The amount of time (in seconds) to keep entries in the cache beyond the minimum retained.

The maximum number of entries to maintain in the cache per channel.

The maximum number of pending sequences before skipping sequences.

The maximum number of channel caches which can exist at any one point.

The maximum time (in milliseconds) for waiting for a pending sequence before skipping it.

The maximum amount of time (in milliseconds) to wait for a skipped sequence before abandoning it.

The minimum number of entries to maintain in the cache per channel.

The revision cache config settings.

The maximum amount of memory the revision cache should take up in MB, setting to 0 will disable any eviction based on memory at rev cache. There is a minimum value of 50 (50MB) for this config option. When set this memory limit will work in in hand with revision cache size parameter. So you will potentially get eviction at revision cache both based off memory footprint and number of items in the cache. This is an Enterprise Edition feature only

The number of shards the revision cache should be split into.

The maximum number of revisions that can be stored in the revision cache. Note when running with greater than 1 shard count we add 10% capacity overall to avoid early eviction when some shards fill up before others, so you may find that the capacity stat (revision_cache_num_items) will climb to the defined rev cache size + 10%.

The cert path (public key) for X.509 bucket auth.

Sets the default value of request_plus for one-shot/non-continuous changes feeds, which when true, ensures all valid documents written prior to the request being issued are included in the response. Setting this option at the database level is required to ensure Couchbase Lite utilizes this changes feed mode.

This also sets the default value of query param request_plus for GET /{keyspace}/_changes or request_plus for POST /{keyspace}/_changes.

How long (in seconds) clients can remain offline for without losing replication metadata.

Defaults to 30 days (in seconds)

The interval between scheduled tombstone compaction runs (in days). This can be a floating point number.

If set to 0, compaction will not run automatically.

List of allowed headers. These headers will be added the Access-Control-Allow-Headers response to a valid CORS request.

A recommended minimum set of values should be ["Accept-Encoding", "Authorization", "Content-Type", "If-Match"].

List of allowed origins to apply to public /{db}/_session API.

To use cors on /{db}/_session, the domain must be present in both login_origin and origin.

If configured, Authorization must be included in headers.

Value for Access-Control-Maximum-Age. Uses 0 by default.

List of allowed origins for the public API. The request Origin header is checked against these values. If successful the Origin header is returned in the HTTP response header as Access-Control-Allow-Origin.

Delta sync configuration settings.

This is an Enterprise Edition feature only

Whether delta sync is enabled.

This is an Enterprise Edition feature only

The number of seconds deltas for old revisions are available for.

This defaults to 24 hours (in seconds).

Whether to disable username/password authentication and only allow OIDC and guest access.

This controls whether the GET /{keyspace}/_all_docs REST API endpoint is publicly accessible or not. Disabling this endpoint is recommended for larger datasets or production workloads. GET /{keyspace}/_changes or POST /{keyspace}/_bulk_get have more efficient implementations and should be used instead.

If set to true, the endpoint will not be publicly accessible, and will only be available on the Admin API. Setting this to false, or leaving it as the default value is deprecated, and may default to true in a future release.

These are the settings for webhooks.

The Javascript function to use to filter the webhook events.

The handler type.

The amount of time (in seconds) to attempt connect to the webhook before giving up.

The URL of the webhook.

The Javascript function to use to filter the webhook events.

The handler type.

Options for the document changed event.

If true, only the winning revision of the document will be sent to the webhook.

The amount of time (in seconds) to attempt connect to the webhook before giving up.

The URL of the webhook.

The maximum amount of concurrent event handling independent functions that can be running at the same time.

The maximum amount of time (in milliseconds) to wait when the even queue is full.

Properties associated with a user

A list of channels to explicitly grant to the user for the default collection. See collection_access for channels in named collections.

A list of roles to explicitly grant to the user.

All the channels that the user has been granted access to for the default collection. See collection_access for channels in named collections.

Access could have been granted through the sync function, roles, or explicitly on the user under the admin_channels property.

A set of access grants by scope and collection for a specific collection.

An object keyed by scope, containing a set of collections.

An object keyed by collection name, defines access collections in this scope.

A list of channels to explicitly grant to the user in this collection.

All the channels that the user has been granted access to in this collection.

Access could have been granted through the sync function, roles, or explicitly on the user under the admin_channels property.

The channels that the user has been granted access to through channels_claim for this collection.

The last time that the user's JWT channels were updated for this collection.

If true, the user will not be able to login to the account as it is disabled.

The email address of the user.

The channels that the user has been granted access to through channels_claim for the default collection.

The issuer of the last JSON Web Token that the user last used to sign in.

The last time that the user's JWT roles/channels were updated.

The roles that the user has been added to through roles_claim.

The name of the user.

User names can only have alphanumeric ASCII characters and underscores.

The password of the user.

Mandatory. unless allow_empty_password is true in the database configs.

All the roles that the user has been granted access to.

Access could have been granted through the sync function, roles_claim, or explicitly on the user under the admin_roles property.

This controls whether import should attempt to create a temporary backup of the previous revision body (if available) when the document is modified in the bucket.

If true, documents will be imported in to Sync Gateway from the bucket in the background. Documents will be ran through the set import_filter if any is set.

The default value depends on the edition of Sync Gateway being used. If the edition is the Community Edition, then this will default to false or else in the Enterprise Edition, it will default to true. This value requires enable_shared_bucket_access=true.

This can also be set to the string continuous which maps to true.

This is the function that all imported documents in the default scope and collection are ran through in order to filter out what to import and what not to import. This allows you to control what is made available to Couchbase Mobile clients. If it is not set, then no documents are filtered when imported.

import_docs must be true to make this field applicable.

If scopes parameter is set, this is ignored.

** This is an Enterprise Edition feature only**

This is how many import partitions should be used for import sharding.

Partitions are distributed among all Sync Gateway nodes participating in import processing (import_docs=true), and each process a subset of the server's vbuckets.

Each partition is processed by an independent function that runs simultaneously to others, so import_partitions can be used to tune concurrency based on the number of Sync Gateway nodes, and the number of cores per node.

Global Secondary Index Settings

The number of partitions to use for the large indexes created by Sync Gateway. It is not recommended to set this unless you require additional horizontal scalability for individual indexes and have appropriately scaled your Query nodes to handle the increased query parallelism. If set, the recommended number is 8 and does not need to be directly related to the number of your Query nodes. Ensure documentation is read to understand the performance tradeoffs and instructions for migration if you have previously run with only one partition. See /{db}/_index_init for more information.

If not specified or 1, all indexes will be non partitioned.

This is the number of Global Secondary Indexes (GSI) to use for core indexes.

The maximum number of seconds the sync, import filter, and custom conflict resolver JavaScript functions are allowed to run for before timing out. Set to 0 to allow the JS functions to run uncapped.

The key path (private key) for X.509 bucket auth

The Memcached TLS port.

The number of seconds before a _local document should expire.

Configuration for Local JWT authentication.

The providers name.

The JWT signing algorithms to accept for authentication.

If set, the value(s) of the given JSON Web Token claim will be added to the user's channels.

The value of this claim must be either a string or an array of strings, any other type will result in an error.

The value to match against the "aud" claim of JWTs. Set to an empty string to disable audience validation.

Disable Sync Gateway session creation on successful JWT authentication.

The value to match against the "iss" claim of JWTs.

The JSON Web Keys to use to validate JWTs.

The algorithm intended for use with the key.

For Elliptic Curve keys, the name of the curve to use.

For RSA keys, the exponent of the public key, as a Base64urlUInt-encoded value.

The Key ID, used to identify the key to use.

The cryptographic algorithm family used with the key, such as "RSA" or "EC"

For RSA keys, the modulus value of the key, as a Base64urlUInt-encoded value.

The intended use of the public key. Only 'sig' is accepted.

For Elliptic Curve keys, the X coordinate of the point, as a base64url string.

For Elliptic Curve keys, the Y coordinate of the point, as a base64url string.

If to register a new Sync Gateway user account when a user logs in with a JWT.

If set, the value(s) of the given JSON Web Token claim will be added to the user's roles.

The value of this claim must be either a string or an array of strings, any other type will result in an error.

This is the username prefix for all users created through this provider.

Allows a different OpenID Connect field to be specified instead of the Subject (sub).

The field name to use can be specified here.

Per-database logging configuration.

Audit logging configuration.

List of roles for which audit logging is disabled. Either cbs or sgw.

The domain of the role for which audit logging is disabled.

The name of the role for which audit logging is disabled.

List of users for which audit logging is disabled.

The domain of the user for which audit logging is disabled.

The name of the user for which audit logging is disabled.

Whether audit logging is enabled.

List of enabled audit events for this database.

Console logging configuration.

Log Keys for the console output

Log Level for the console output

The maximum amount of query operations that can be running at any one point.

The name of the database.

Start the database in an offline state.

Configuration for OpenID Connect authentication.

The default provider to use when the provider is not specified in the client.

List of OpenID Connect issuers.

The providers name.

Determines whether the TLS certificate verification should be disabled for this provider.

Indicates if this is the default OpenID Connect provider.

The name of the OpenID Connect Provider.

Allows users accept unsigned tokens from providers.

The URL that the OpenID Connect will redirect to after authentication.

If not provided, a callback URL will be generated.

If set, the value(s) of the given OpenID Connect authentication token claim will be added to the user's channels.

The value of this claim must be either a string or an array of strings, any other type will result in an error.

The OpenID Connect provider client ID.

Controls whether to maintain state between the auth request and callback endpoints (/_oidc and /_oidc_callback).

This is not recommended as it would cause OpenID Connect authentication to be vulnerable to Cross-Site Request Forgery (CSRF, XSRF).

This bypasses the configuration validation based on the OpenID Connect specifications. This may be required for some OpenID providers that don't strictly adhere to the specifications.

Disable Sync Gateway session creation on successful OpenID Connect authentication.

The non-standard discovery endpoint.

This is whether the _oidc_callback response should include the OpenID Connect access token and associated fields (such as token_type, and expires_in).

The URL for the OpenID Connect issuer.

If to register a new Sync Gateway user account when a user logs in with OpenID Connect.

If set, the value(s) of the given OpenID Connect authentication token claim will be added to the user's roles.

The value of this claim must be either a string or an array of strings, any other type will result in an error.

The scope sent for the OpenID Connect request.

This is the username prefix for all users created through this provider.

Allows a different OpenID Connect field to be specified instead of the Subject (sub).

The field name to use can be specified here.

The OpenID Connect provider client secret.

The number of seconds before old revisions are removed from the Couchbase Server bucket.

The password for authenticating to the server.

The query limit to be used during pagination of large queries.

Properties of a replication

Set to true to run the replication as an adhoc replication instead of a persistent one.

This means that the replication will only last the period of the replication until the status is changed to stopped and then it will be removed automatically. It will also be removed if Sync Gateway restarts or if removed due to user action.

The amount of changes to be sent in one batch of replications. Changing this is an Enterprise Edition only feature.

If true, the replicator will run with collections, and will replicate all collections, unless otherwise limited by collections_local.

If false, the replicator will only replicate the default collection.

Limits the set of collections replicated to those listed in this array.

The replication will use all collections defined on the database if this list is empty.

Remaps the local collection name to the one specified in this array when replicating with the remote.

If only a subset of collections need remapping, elements in this array can be specified as null to preserve the local collection name.

The same index is used for both collections_remote and collections_local, and both arrays must be the same length.

This defines what conflict resolution policy Sync Gateway should use to apply when resolving conflicting revisions.

Changing this is an Enterprise Edition only feature.

If true, changes will be immediately synced when they happen. This is known as a continuous replication.

If false, all changes will be synced until they have been processed. The replication will then cease and not process any future changes (unless started again by the user). This is known as a one-shot replication.

This specifies the Javascript function to use to resolve conflicts between conflicting revisions.

This must be used when conflict_resolution_type=custom. This property will be ignored when conflict_resolution_type is not custom.

The Javascript function to provide this property should be in backticks (like the sync function). The function takes 1 parameter which is a struct that represents the conflict. This struct has 2 properties:

• LocalDocument - The local document. This contains the document ID under the _id key.
• RemoteDocument - The remote document The function should return the new document's body. This can be the winning revision (for example, return conflict.LocalDocument), a new body, or nil to resolve as a delete.

Example:

function(conflict) {
  console.log("Doc ID: "+conflict.LocalDocument._id);
  console.log("Full remote doc: "+JSON.stringify(conflict.RemoteDocument));
  return conflict.RemoteDocument;
}

Using complex custom_conflict_resolver functions can noticeably degrade performance. Use a built-in resolver whenever possible.

If a document merge is being done, the _rev and _cv properties should not be included in the returned document body as Sync Gateway will generate new values for these.

This is an Enterprise Edition only feature.

This specifies which direction the replication will be replicating with the remote replicator.

This will turn on delta-sync for the replication. In order to enable delta-sync for a replication, the database level setting delta_sync.enabled must also be set to true.

Using delta-sync is an Enterprise Edition only feature.

This defines whether to filter documents.

This is what state to start the replication in when creating a new replication.

This allows you to control if the replication starts in a stopped start or running state.

Replications prior to Sync Gateway 2.8 will run in the default state running.

Specifies the maximum time-period (in minutes) that Sync Gateway will attempt to reconnect to a lost or unreachable remote.

When a disconnection happens, Sync Gateway will do an exponential backoff up to this specified value. When this value is met, it will attempt to reconnect indefinitely every max_backoff_time minutes.

If this is set to 0, Sync Gateway will do the normal exponential backoff after the disconnect happens but then attempting 10 minutes and stop the replication.

Note: this defaults to 5 minutes for replications created prior to Sync Gateway 2.8.

Specifies whether to purge a document if the remote user loses access to all of the channels on the document when attempting to pull it from the remote.

If false, documents will not be replicated and not be purged when the user loses access.

This is a set of key/value pairs used in the query string of the replication.

If filters=sync_gateway/bychannel then this can be used to set the channels to filter by in a pull replication. To do this, set the channels key to a string array of the channels to filter by. For example:

"filter":"sync_gateway/bychannel",
"query_params": {
  "channels":["chanUser1"]
},

This is the endpoint of the database for the remote Sync Gateway that is the subject of this replication's push, pull, or pushAndPull action. Typically this would include the URI, port, and database name. For example, https://localhost:4985/db.

The password to use to authenticate with the remote. This password will be redacted in the replication config.

The username to use to authenticate with the remote.

This is the ID of the replication.

When creating a new replication using a POST request, this will be set to a random UUID if not explicitly set.

When the replication ID is specified in the URL, this must be set to the same replication ID if specifying it at all.

This is used if you want to specify a user to run the replication as. This means that the replication will only be able to replicate what the user access to what the user has access to.

The maximum depth a document's revision tree can grow to.

Properties associated with a role

A list of channels to explicitly grant to the role for the default collection. See collection_access for channels in named collections.

All the channels that the role has been granted access to for the default collection.

These channels could have been assigned by the Sync function or using the admin_channels property.

A set of access grants by scope and collection for a specific collection.

An object keyed by scope, containing a set of collections.

An object keyed by collection name, defines access collections in this scope.

A list of channels to explicitly grant to the user in this collection.

All the channels that the user has been granted access to in this collection.

Access could have been granted through the sync function, roles, or explicitly on the user under the admin_channels property.

The channels that the user has been granted access to through channels_claim for this collection.

The last time that the user's JWT channels were updated for this collection.

The name of the role.

Role names can only have alphanumeric ASCII characters and underscores.

An object keyed by scope name containing config for the specific collection.

Scope-specific configuration.

An object keyed by collection name containing config for the specific collection.

Collection-specific configuration.

This is the function that all imported documents in this collection are ran through in order to filter out what to import and what not to import. This allows you to control what is made available to Couchbase Mobile clients. If it is not set, then no documents are filtered when imported.

import_docs in the database config must be true to make this field applicable.

The Javascript function that newly created documents in this collection are ran through.

Controls whether to send a WWW-Authenticate header in 401 Unauthorized HTTP responses.

If set, always serve attachments with the Content-Type header set to the type of the attachment.

When serving an attachment, usually the Content-Type header is set to the type of the attachment but the Content-Disposition response header will be set instead if the content type is vulnerable to a phishing attack, causing the browser to download the file instead of display it. This option will override that behaviour and always set the Content-Type header.

This is the Couchbase Server address or addresses that the database connect to.

Make all session cookies for the database set the HttpOnly flag so they are inaccessible to JavaScript.

This can be used to define a custom per-database session cookie name.

Override the session cookie secure flag. If set, the cookie will have the secure flag.

This will default to true if startup config api.https.tls_cert_path is set otherwise it will default to false.

Whether the node should accept assign replications (true) or not (false).

Use a custom heartbeat interval (in seconds) for websocket ping frames.

The amount of milliseconds a N1QL query should run before logging a warning.

Controls whether Sync Gateway stores additional legacy revision tree pointer data to support 3.x/early 4.x clients that still use RevTree IDs (for example when used as delta sources).

Disable this when you are confident all clients use newer CV-based revisions and no longer require legacy RevTree ID lookups.

Set to true to allow the database to be suspended.

Defaults to true when running in serverless mode otherwise defaults to false.

The Javascript function that newly created documents are ran through for the default scope and collection.

If scopes parameter is set, this is ignored.

These are unsupported options and therefore it is not recommended to use them.

Setting for test purposes only

Whether Couchbase buckets can be flushed via Admin REST API.

Set the dcp feed to use a different read buffer size.

Force REST API errors to return forbidden

Restrict GUEST document access to read-only.

Set the kv pool to use a different buffer size.

Whether the oidc_test_provider endpoints should be exposed on the public API.

Enable self-signed certificates for OIDC testing.

Enable self-signed certificates for external JavaScript load.

Override the session cookie SameSite behavior. By default, a session cookie will have SameSite:None if CORS is enabled, and will have no SameSite attribute if CORS is not enabled. Setting this property toDefault will omit the SameSite attribute from the cookie.

Enable self-signed certificates for SG-replicate testing.

Whether pass-through view query is supported through public API.

The number of access and role grants per document to be used as a threshold for grant count warnings.

The number of channel name characters to be used as a threshold for channel name warnings.

The number of channels per document to be used as a threshold for the channel count warnings.

The number of channels per user to be used as a threshold for channel count warnings.

The number of bytes to be used as a threshold for xattr size limit warnings.

Force the use of views instead of GSI.

The key to use for the user xattr that will be accessible from the sync function. If empty, the feature will be disabled.

This is an Enterprise Edition feature only.

The username for authenticating to the server.

Properties associated with a user

A list of channels to explicitly grant to the user for the default collection. See collection_access for channels in named collections.

A list of roles to explicitly grant to the user.

All the channels that the user has been granted access to for the default collection. See collection_access for channels in named collections.

Access could have been granted through the sync function, roles, or explicitly on the user under the admin_channels property.

A set of access grants by scope and collection for a specific collection.

An object keyed by scope, containing a set of collections.

An object keyed by collection name, defines access collections in this scope.

A list of channels to explicitly grant to the user in this collection.

All the channels that the user has been granted access to in this collection.

Access could have been granted through the sync function, roles, or explicitly on the user under the admin_channels property.

The channels that the user has been granted access to through channels_claim for this collection.

The last time that the user's JWT channels were updated for this collection.

If true, the user will not be able to login to the account as it is disabled.

The email address of the user.

The channels that the user has been granted access to through channels_claim for the default collection.

The issuer of the last JSON Web Token that the user last used to sign in.

The last time that the user's JWT roles/channels were updated.

The roles that the user has been added to through roles_claim.

The name of the user.

User names can only have alphanumeric ASCII characters and underscores.

The password of the user.

Mandatory. unless allow_empty_password is true in the database configs.

All the roles that the user has been granted access to.

Access could have been granted through the sync function, roles_claim, or explicitly on the user under the admin_roles property.

The number of seconds before a view query should timeout.