Configure the Deploy CLI

Configuring the Deploy’s CLI is essential for establishing Auth0 credentials as well as generally modifying the behavior of the tool to your specific needs. There are two ways the Deploy CLI can be configured:

1. Use the configuration file (config.json).

2. Set environment variables.

A standalone JSON file can be used to configure Deploy CLI. This file will usually reside in the root directory of your project and should be named config.json.

{
  "AUTH0_DOMAIN": "<YOUR_TENANT_DOMAIN>",
  "AUTH0_CLIENT_ID": "<YOUR_CLIENT_ID>",
  "AUTH0_ALLOW_DELETE": false
}

By default, the Deploy CLI ingests environment variables, providing the ability to pass credentials and other configurations to the tool without needing to publish to the config.json file. Environment variables can either be used to augment the config.json file or replace it altogether depending on the project needs.

Non-primitive configuration values like AUTH0_KEYWORD_REPLACE_MAPPINGS and AUTH0_EXCLUDED can also be passed in through environment variables so long as these values are properly serialized JSON.

To disable the consumption of environment variables for either the import or export commands, pass the --env=false argument.

$ export AUTH0_DOMAIN=<YOUR_AUTH0_DOMAIN>
$ export AUTH0_CLIENT_ID=<YOUR_CLIENT_ID>
$ export AUTH0_CLIENT_SECRET=<YOUR_CLIENT_SECRET>
$ a0deploy import --input_file=local/tenant.yaml

$ a0deploy export -c=config.json --format=yaml --output_folder=local --env=false

$ export AUTH0_EXCLUDED='["actions","organizations"]'
$ export AUTH0_KEYWORD_REPLACE_MAPPINGS='{"ENVIRONMENT":"dev"}'
$ a0deploy export -c=config.json --format=yaml --output_folder=local

String. The domain of the target Auth0 tenant.

String. The ID of the designated Auth0 application used to make API requests.

String. The secret of the designated Auth0 application used to make API requests.

String. Short-lived access token for Management API from designated Auth0 application. Can be used in replacement to client ID and client secret combination.

String. The path to the private key used by the client when facilitating Private Key JWT authentication. Path relative to the working directory. Also note AUTH0_CLIENT_SIGNING_ALGORITHM for specifying signing algorithm.

String. Specifies the JWT signing algorithms used by the client when facilitating Private Key JWT authentication. Only used in combination with AUTH0_CLIENT_SIGNING_KEY_PATH.

Accepted values: RS256, RS384, PS256.

Boolean. When enabled, will allow the tool to delete resources. Default: false.

Array of strings. Excludes entire resource types from being managed, bi-directionally. To learn more, read Exclude Resources from Management.

Cannot be used simultaneously with AUTH0_INCLUDED_ONLY.

Possible values: actions, attackProtection, branding, clientGrants, clients, connections, customDomains, databases, emailProvider, emailTemplates, guardianFactorProviders, guardianFactorTemplates, guardianFactors, guardianPhoneFactorMessageTypes, guardianPhoneFactorSelectedProvider, guardianPolicies, logStreams, migrations, organizations, pages, prompts, resourceServers, roles, tenant, triggers.

{
  "AUTH0_EXCLUDED": ["organizations", "connections", "hooks"]
}

Array of strings. Specifies which resource types to manage bi-directionally. To learn more, read Exclude Resources from Management.

Cannot be used simultaneously with AUTH0_EXCLUDED.

Possible values: actions, attackProtection, branding, clientGrants, clients, connections, customDomains, databases, emailProvider, emailTemplates, guardianFactorProviders, guardianFactorTemplates, guardianFactors, guardianPhoneFactorMessageTypes, guardianPhoneFactorSelectedProvider, guardianPolicies, logStreams, migrations, organizations, pages, prompts, resourceServers, roles, tenant, triggers.

{
  "AUTH0_INCLUDED_ONLY": ["clients", "connections", "tenant", "branding"]
}

Mapping of specific keywords to facilities dynamic replacement. To learn more, read Keyword Replacement.

{
  "ENVIRONMENT": "DEV",
  "ALLOWED_ORIGINS": ["https://dev.test-site.com", "localhost"]
}

Boolean. When enabled, will attempt to preserve keyword replacement markers in local resource files during export. Otherwise, the remote values will overwrite those manually-placed keyword markers.

This configuration requires the presence of local configuration files and defined keyword replace mappings via the AUTH0_KEYWORD_REPLACE_MAPPINGS configuration property.

See also: Preserve Keywords on Export.

Boolean. When enabled, will return identifiers of all resources. May be useful for certain debugging or record-keeping scenarios within a single-tenant context. Default: false.

Provides ability to exclude any unwanted properties from management.

{
  "connections": ["options.twilio_token"]
}

String. Separate value from audience value while retrieving an access token for the Management API. Useful when default Management API endpoints are not publicly exposed.

Array of strings. Excludes the management of specific rules by ID. Note: This configuration may be subject to deprecation in the future. To learn more, read Exclude Resources from Management.

Array of strings. Excludes the management of specific clients by ID. Note: This configuration may be subject to deprecation in the future. To learn more, read Exclude Resources from Management.

Array of strings. Excludes the management of specific databases by ID. Note: This configuration may be subject to deprecation in the future. To learn more, read Exclude Resources from Management.

Array of strings. Excludes the management of specific connections by ID. Note: This configuration may be subject to deprecation in the future. To learn more, read Exclude Resources from Management.

Array of strings. Excludes the management of specific resource servers by ID. Note: This configuration may be subject to deprecation in the future. To learn more, read Exclude Resources from Management.