secure k8s

Configuration

Summary: OpenBao server config is HCL or JSON. The file (or directory of files, loaded alphabetically) defines storage, listeners, seal, telemetry, UI, and a handful of top-level options.

Sources: raw/docs/configuration/index.md, raw/docs/configuration/listener/*, raw/docs/configuration/storage/*, raw/docs/configuration/seal/*, raw/docs/configuration/telemetry.md, raw/docs/configuration/ui.md.

Last updated: 2026-05-19


File format

The configuration is HCL or JSON. The path may be a directory, in which case every .hcl and .json file in it is loaded in alphabetical order. For top-level non-list keys, the last file loaded wins; list types (e.g. multiple listener blocks) append (source: raw/docs/configuration/index.md).

Example top-level shape:

ui = true
cluster_addr = "https://127.0.0.1:8201"
api_addr     = "https://127.0.0.1:8200"

storage "raft" {
  path    = "data"
  node_id = "raft_node_1"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  ...
}

seal "awskms" { ... }
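
The directory-loading rule above, modelled as an added example (not OpenBao's loader and not code from the source docs): it merges config files in alphabetical order and reports which non-list keys a later file overrides and every listener address in the merged result. Assumptions: only JSON files are parsed, only listener is treated as an append-type key, and the file names and addresses are constructed sample data.

```python
import json

# Assumption: only "listener" is modelled as an append-type key (the page's example).
APPEND_KEYS = {"listener"}

# Constructed sample directory: file name -> JSON config text.
SAMPLE_DIR = {
    "10-base.json": json.dumps({
        "api_addr": "https://127.0.0.1:8200",
        "cluster_addr": "https://127.0.0.1:8201",
        "listener": [{"tcp": {"address": "127.0.0.1:8200"}}]}),
    "90-override.json": json.dumps({
        "api_addr": "https://10.0.0.5:8200",
        "listener": [{"tcp": {"address": "0.0.0.0:8200"}}]}),
    "notes.txt": "ignored: not .hcl or .json",
}


def merge_config(files):
    """Return (effective config, {key: files that set it, in load order})."""
    effective, sources = {}, {}
    for name in sorted(files):                  # alphabetical load order
        if not name.endswith(".json"):          # .hcl would need an HCL parser
            continue
        for key, value in json.loads(files[name]).items():
            sources.setdefault(key, []).append(name)
            if key in APPEND_KEYS:              # list types append
                blocks = value if isinstance(value, list) else [value]
                effective.setdefault(key, []).extend(blocks)
            else:                               # non-list keys: last file wins
                effective[key] = value
    return effective, sources


def overridden_keys(sources):
    """Non-list keys set by more than one file; the last file listed wins."""
    return {k: v for k, v in sources.items() if k not in APPEND_KEYS and len(v) > 1}


def listener_addresses(effective):
    """Bind addresses across all appended listener blocks."""
    return [opts.get("address") for block in effective.get("listener", [])
            for opts in block.values()]


if __name__ == "__main__":
    cfg, src = merge_config(SAMPLE_DIR)
    print("overridden:", overridden_keys(src))
    print("listeners:", listener_addresses(cfg))
```

In the sample, the later file replaces api_addr and adds a second listener on 0.0.0.0 alongside the loopback one, which is the kind of drift a review of a config directory should surface.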

Top-level stanzas

  • storage — required. The data backend. See storage and raw/docs/configuration/storage/. Backends: raft, postgresql, filesystem, inmem.
  • ha_storage — optional. Separate backend for the HA lock when storage doesn’t support locking. See high-availability.
  • listener — required, repeatable. tcp (raw/docs/configuration/listener/tcp.md) or unix (raw/docs/configuration/listener/unix.md). Shared options in raw/docs/configuration/listener/shared.md.
  • seal — auto-unseal config. See seal-unseal. Backends: awskms, azurekeyvault, gcpckms, ocikms, alicloudkms, pkcs11, kmip, transit, static.
  • telemetry — metrics export (raw/docs/configuration/telemetry.md). See internals.
  • ui — boolean to enable the web UI on the listener (raw/docs/configuration/ui.md).
  • plugins — plugin directory and tuning (raw/docs/configuration/plugins.md).
  • service_registration — register OpenBao itself in a service registry, e.g. Kubernetes (raw/docs/configuration/service-registration/).
  • user_lockout — login-failure thresholds per auth method (raw/docs/configuration/user-lockout.md).
  • audit — file-permissions check for plugin/audit dirs (raw/docs/configuration/audit.md).
  • log_requests_level — debug logging knob (raw/docs/configuration/log-requests-level.md).
  • self_init — auto-initialize on first boot (raw/docs/configuration/self-init.md).

Address options

  • api_addr — what clients should reach this node at (used in redirects).
  • cluster_addr — node-to-node address for forwarded requests / Raft.

Both matter in HA — if standby nodes can’t reach the active node’s cluster_addr, request forwarding breaks.