Skip to main content

Flowable Hub Properties

2026.1.0+

Flowable Hub is a Spring Boot application. This means that it is configured as a Spring Boot application and all available properties for a Spring Boot application are also applicable for Flowable Hub.

Flowable Hub uses two property namespaces:

  • flowable.hub.* for the Hub engine and its security, and
  • application.hub.* for the out-of-the-box Hub application (security type, access restrictions and clustering).

See the Flowable Hub Installation Instructions for a step-by-step configuration guide.

info

Unlike Flowable Control, Flowable Hub is not configured with a fixed runtime connection through properties. There are no cluster-config bootstrap properties. Instead, the runtime environments (called clusters) that Hub monitors and manages are registered at runtime in the UI under Hub Configuration → Clusters. See the Clusters documentation for details.

Hub specific properties

The following list displays the properties which are specific for Flowable Hub.

General properties

Properties with the prefix flowable.hub

PropertyDescriptionDefault value
license-locationThe location of the license file.file:${user.home}/.flowable/flowable.license
db-store-enabledWhether the license should be fetched from the database.false
database-schema-updateThe strategy that should be used for the database schema update (possible values: true, false, ignore).true
database-schemaThe database schema to be used for table checks / generation (needed in case the database metadata doesn't return that correctly).
database-table-prefixA database table prefix which is used for all runtime operations of Flowable.
use-lock-for-database-schema-updateWhether to use a lock when performing the database schema create or update operations.false
modeThe mode in which the Hub application is running. Possible values: self-hosted, cloud-shared.self-hosted
token-signing-secretThe token signing secret used for token based request authentication. Must be at least 32 characters if set.

Security properties

Properties with the prefix application.hub.security

PropertyDescriptionDefault value
typeThe type of the security that should be used. Possible values: basic, oauth2.basic
access-groupsA comma separated allow list of groups that are allowed to access the application. The GROUP_ prefix is not required.-
access-authoritiesA comma separated allow list of authorities that are allowed to access the application.-

Security OAuth2 application properties

Properties with the prefix application.hub.security.oauth2

PropertyDescriptionDefault value
authorized-client-repository-typeThe type of the OAuth2 Authorized Client Repository. Needed when oauth2CurrentUser is used to communicate with a runtime environment and a refresh token is configured. Possible values: session, default. When running a single node this can be set to default (in-memory).session

Security Token properties

Properties with the prefix flowable.hub.security.token

PropertyDescriptionDefault value
max-user-sizeThe maximum number of users that the token cache should contain.2048
max-ageThe max age after which a token entry should be invalidated.1d

Security Remember Me properties

Properties with the prefix flowable.hub.security.remember-me

PropertyDescriptionDefault value
keyThe hash key used by Spring Security for the remember me cookie.testKey
cookie-nameThe name of the remember me cookie.flowable-hub-remember-me
cookie-domainThe domain for the remember me cookie.
cookie-max-ageThe max age of the remember me cookie.31d
token-refresh-durationThe duration it takes to refresh the token in the database.1d
store-user-detailsWhether user details (like the remote address and the user agent) should be stored with the token.false
max-user-cache-sizeThe maximum number of users that the user details cache should contain.2048
max-user-cache-ageThe max age after which the user detail entries should be invalidated.30m

Security CSRF properties

Properties with the prefix flowable.hub.security.rest.csrf

PropertyDescriptionDefault value
enabledFlag indicating the CSRF protection for Flowable Hub should be enabled.true
cookie-nameThe name of the cookie in which the CSRF token will be stored.FLOWABLE_HUB_CSRF_TOKEN
header-nameThe name of the header in which the CSRF token will be stored.X-FLOWABLE-HUB-CSRF-TOKEN
cookie-domainThe name of the domain where the CSRF token cookie will be saved and read from.
cookie-pathThe name of the path where the CSRF token cookie will be saved and read from.

Security Content Security Policy properties

Properties with the prefix flowable.hub.security.rest.content-security-policy

PropertyDescriptionDefault value
policy-directivesThe Content Security Policy directives.
report-onlyFlag indicating whether to use Content-Security-Policy-Report-Only instead of Content-Security-Policy.false

Security OAuth2 properties

Properties with the prefix flowable.hub.security.oauth2

PropertyDescriptionDefault value
post-logout-redirect-urlThe post logout redirect URL. When set, the OIDC logout success handler is configured with this URL.
post-logout-redirect-url-query-parameterThe post logout redirect URL query parameter used when building the end session endpoint URL.post_logout_redirect_uri
end-session-endpoint-urlThe end session endpoint URL. Use this when the OpenID Connect well-known configuration cannot be used and the endpoint needs to be set manually.-

Security OAuth2 Client Mapper properties

Properties with the prefix flowable.hub.security.oauth2.client.mapper

PropertyDescriptionDefault value
admin-authoritiesA comma separated list of all the authorities which should make the user an admin.-
authorities-attributesA comma separated list of the names of the attributes from which authorities should be extracted without any changes.-
idm-user-id-attributesA comma separated list of the names of the token attributes that hold the user id corresponding to the Flowable IDM user id.-

Security OAuth2 Resource Server Mapper properties

Properties with the prefix flowable.hub.security.oauth2.resourceserver.mapper

PropertyDescriptionDefault value
admin-authoritiesA comma separated list of all the authorities which should make the user an admin.-
authorities-attributesA comma separated list of the names of the attributes from which authorities should be extracted without any changes.-
idm-user-id-attributesA comma separated list of the names of the token attributes that hold the user id corresponding to the Flowable IDM user id.-

Security OAuth2 Resource Server JWT properties

Properties with the prefix flowable.hub.security.oauth2.resourceserver.jwt

PropertyDescriptionDefault value
principal-claim-nameThe claim that holds the id of the user.-

Security Encryption properties

Properties with the prefix flowable.hub.encryption

Some values, such as the OAuth2 SSO client secrets, are stored encrypted in the database using AES/CBC/PKCS5PADDING. This needs a 128-bit initialization vector and a 128-bit secret key, each represented as 16 ASCII characters.

PropertyDescriptionDefault value
secretA 16 character string used to create the secret key spec from its bytes.
initialization-vectorA 16 character string used to create the initialization vector parameter from its bytes.
caution

Do not change the encryption secret or initialization-vector after client secrets have been saved. Existing secrets can no longer be decrypted and would need to be reconfigured in the UI.

Bootstrap properties

Properties with the prefix flowable.hub.bootstrap

PropertyDescriptionDefault value
use-lockWhether to use a lock when bootstrapping.false
lock-wait-timeThe time to wait for the lock.5m

Default admin properties

Properties with the prefix flowable.hub.bootstrap.default-admin

The default admin user (username admin, in the default tenant, placed in the flowableAdministrator group and granted the Hub Admin role) is only created on an empty database.

PropertyDescriptionDefault value
enabledWhether the default admin user should be created.true
passwordThe password for the default admin user (only applied during the first startup).test
caution

Make sure to change the default password before exposing Flowable Hub outside of a local development environment.

Tenant bootstrap properties

Properties with the prefix flowable.hub.bootstrap.tenants

PropertyDescriptionDefault value
enabledWhether the tenants bootstrap is enabled.true
default-passwordThe default password used for the users created in the tenants.test
resource-locationsThe locations used for the tenants bootstrap.classpath*:/bootstrap/tenants/*.json

Template tenant properties

Properties with the prefix flowable.hub.bootstrap.template-tenant

PropertyDescriptionDefault value
enabledWhether the template tenant bootstrap is enabled.true
resourceThe resource to use for the template tenant bootstrap.classpath:bootstrap/template-tenant.json

Audit log properties

Properties with the prefix flowable.hub.audit-log

The local audit log covers mutating Hub operations (tenants, users, groups, apps, SSO, tokens, environments).

PropertyDescriptionDefault value
enabledWhether the local Hub audit log is enabled.false

Properties with the prefix flowable.hub.remote-audit-log

The remote audit log covers operations that are proxied to a connected runtime environment (Work cluster).

PropertyDescriptionDefault value
enabledWhether the remote (proxied operations) Hub audit log is enabled.false

App provider properties

Properties with the prefix flowable.hub.app-provider

PropertyDescriptionDefault value
typeWhich AppProviderService implementation to use. database reads apps from the Hub database; properties reads them from flowable.hub.apps.*.database

Current user properties

Properties with the prefix flowable.hub.current-user

PropertyDescriptionDefault value
lookup-by-external-idWhether the current user should be looked up in the identity store by external id instead of the internal user id.false

REST properties

Properties with the prefix flowable.hub.rest

PropertyDescriptionDefault value
content-disposition-charsetThe charset for the content disposition file names.UTF-8
inline-mime-typesThe mime types that can be automatically inlined (rather than served as an attachment which triggers a download).image/gif, image/jpeg, image/png, application/pdf, audio/*, video/*
send-full-error-exceptionWhether to send the full error exception message for unknown exceptions. If false, the exception message is logged with a unique error identifier which is included in the response instead.true

Frontend properties

Properties with the prefix flowable.hub.frontend

PropertyDescriptionDefault value
titleThe title for the application. Used if there is no home.title in the messages.
home-pathThe base location for the Hub frontend.
inline-cssWhether to inline the custom css into the main index.html.false
inline-jsWhether to inline the custom js into the main index.html.false

Clustering properties

Flowable Hub can run with more than one node behind a load balancer. When doing so — and especially when using OAuth2 without sticky sessions — the HTTP session needs to be shared between the nodes over Redis using Spring Session.

PropertyDescriptionDefault value
application.hub.redis-enabledWhether Spring Session over Redis is enabled. Required to run clustered together with OAuth2 without sticky sessions.false
spring.data.redis.hostThe Redis host.localhost
spring.data.redis.portThe Redis port.6379
spring.data.redis.passwordThe Redis password.
spring.data.redis.ssl.enabledWhether SSL should be used for the Redis connection.false
spring.session.redis.configure-actionSet to none to skip the CONFIG command that Spring Session issues at startup. Required on managed Redis services (such as Azure Cache for Redis or AWS ElastiCache) that deny the CONFIG command.
spring.session.redis.namespaceThe key prefix for Spring Session entries. Use a different value per app to isolate sessions, or the same value across apps to share them.spring:session
note

Managed Redis services (such as Azure Cache for Redis or AWS ElastiCache) deny the CONFIG command that Spring Session issues at startup. On those services add spring.session.redis.configure-action=none.

The Lettuce client can be tuned with the application.hub.redis.lettuce.* properties.

PropertyDescriptionDefault value
application.hub.redis.lettuce.keepalive.idleThe idle time before keep alive probes are sent.60s
application.hub.redis.lettuce.keepalive.intervalThe interval between keep alive probes.30s
application.hub.redis.lettuce.keepalive.countThe number of keep alive probes.3
application.hub.redis.lettuce.disconnected-behaviorThe behavior when the client is disconnected. Possible values: DEFAULT, ACCEPT_COMMANDS, REJECT_COMMANDS.REJECT_COMMANDS
application.hub.redis.lettuce.publish-on-schedulerWhether to use a dedicated scheduler for publishing events.true