Skip to content

Configuration

FlagRequiredDescription
--client-idNoOAuth 2.0 client ID your application will use. Auto-generated (e.g. brave-falcon-3a9f12) when omitted.
--client-secretNoOAuth 2.0 client secret your application will use. Auto-generated (43-char random secret) when omitted.
--public-clientNoConfigure as public client (no client_secret, token_endpoint_auth_method=none). For SPAs and native apps.
--redirect-uriNo*Redirect URI registered for your client. Required unless STUBIDP_REDIRECT_URI is set.
--jwks-fileNoPath to a JWKS JSON file. A key pair is auto-generated when omitted.
--skip-promptNoSkip login and consent UI and auto-approve every interaction. Intended for E2E tests and automation.
--default-userNoJSON object of OIDC claims returned for every authenticated user (e.g. '{"sub":"alice","email":"alice@example.com"}').
--rate-limit-window-msNoRate limit time window in milliseconds. Default: 900000 (15 min).
--rate-limit-maxNoMax requests per IP per window. Default: 100.
--rate-limit-disabledNoDisable rate limiting entirely.
--enable-registrationNoEnable dynamic client registration (RFC 7591) and management (RFC 7592) via /register.
--registration-initial-access-tokenNoBearer token required to call POST /register. Omit for open registration.
--trust-proxyNoTrust reverse proxy headers (X-Forwarded-*). Enable when running behind a reverse proxy or load balancer.
--https-redirectNoRedirect HTTP requests to HTTPS and enable CSP upgrade-insecure-requests. Enable in production behind TLS termination.
--security-headersNoEnable security headers (CSP, HSTS, etc.) via helmet. Enable when deployed; omit for local development.
--scopesNoComma-separated list of supported OIDC scopes. Default: openid,offline_access,email,profile,phone,address.
--claimsNoJSON object mapping scope names to claim arrays. Overrides auto-derived claims (e.g. '{"openid":["sub"],"email":["email"]}').

When --client-id or --client-secret are omitted, the generated values are printed in the startup table so you can copy them into your application config.

Every CLI flag can also be set via an environment variable (see below). Environment variables take effect when the flag is not passed explicitly.

VariableDefaultDescription
STUBIDP_CLIENT_IDauto-generatedOAuth 2.0 client ID (equivalent to --client-id)
STUBIDP_CLIENT_SECRETauto-generatedOAuth 2.0 client secret (equivalent to --client-secret)
STUBIDP_PUBLIC_CLIENTfalseConfigure as public client (no client_secret, token_endpoint_auth_method=none). For SPAs and native apps (equivalent to --public-client)
STUBIDP_REDIRECT_URIRedirect URI (equivalent to --redirect-uri; required if flag is omitted)
STUBIDP_JWKS_FILEPath to a JWKS JSON file (equivalent to --jwks-file)
STUBIDP_ISSUERhttp://localhost:{STUBIDP_PORT}Issuer URL embedded in issued tokens
STUBIDP_ENABLE_REGISTRATIONfalseEnable dynamic client registration RFC 7591/7592 (POST /register, GET/PUT/DELETE /register/:id)
STUBIDP_REGISTRATION_INITIAL_ACCESS_TOKENBearer token required to call POST /register (open registration when omitted)
STUBIDP_SCOPESopenid,offline_access,email,profile,phone,addressComma-separated list of supported OIDC scopes (equivalent to --scopes)
STUBIDP_CLAIMSauto-derived from scopesJSON object mapping scope names to claim arrays. Overrides auto-derived claims (equivalent to --claims)
VariableDefaultDescription
STUBIDP_PORT8484HTTP server port
STUBIDP_LOG_LEVELinfoLogging verbosity (fatal, error, warn, info, debug, trace)
STUBIDP_DATABASE_DIALECTDatabase backend: postgresql or sqlite (in-memory when omitted)
STUBIDP_DATABASE_URLConnection string (PostgreSQL) or file path (SQLite)
STUBIDP_SKIP_PROMPTfalseSet to true to skip login/consent UI and auto-approve every interaction (equivalent to --skip-prompt)
STUBIDP_DEFAULT_USERJSON object of OIDC claims for the stub user (equivalent to --default-user)
STUBIDP_RATE_LIMIT_WINDOW_MS900000Rate limit time window in milliseconds (equivalent to --rate-limit-window-ms)
STUBIDP_RATE_LIMIT_MAX100Max requests per IP per window (equivalent to --rate-limit-max)
STUBIDP_RATE_LIMIT_DISABLEDfalseSet to true to disable rate limiting (equivalent to --rate-limit-disabled)
STUBIDP_TRUST_PROXYfalseSet to true to trust reverse proxy headers (X-Forwarded-*) (equivalent to --trust-proxy)
STUBIDP_HTTPS_REDIRECTfalseSet to true to redirect HTTP to HTTPS and enable CSP upgrade-insecure-requests (equivalent to --https-redirect)
STUBIDP_SECURITY_HEADERSfalseSet to true to enable security headers (CSP, HSTS, etc.) via helmet (equivalent to --security-headers)

stubIdP supports two database backends for persisting OIDC session state.

When no database is configured, an in-memory store is used. Sessions are lost on restart — suitable for most local development workflows.

Terminal window
STUBIDP_DATABASE_DIALECT=sqlite STUBIDP_DATABASE_URL=./stubidp.db stubidp \
--redirect-uri http://localhost:8080/callback
Terminal window
STUBIDP_DATABASE_DIALECT=postgresql \
STUBIDP_DATABASE_URL=postgresql://user:pass@localhost:5432/stubidp \
stubidp \
--redirect-uri http://localhost:8080/callback

The STUBIDP_ISSUER value is embedded in issued tokens as the iss claim and must match what your application validates.

  • Local dev — defaults to http://localhost:8484, no change needed.
  • Cloudflare Workers — derived automatically from the incoming request URL, no override required.
  • Custom domain — set STUBIDP_ISSUER=https://idp.example.com to match your deployed URL.

stubIdP has two mechanisms for running auth flows without any human interaction.

When this flag is set, every redirect to the login or consent screen is silently auto-approved. The browser (or test runner) follows the normal OIDC redirect chain and receives the authorization code at the redirect URI without any UI being rendered.

Terminal window
STUBIDP_SKIP_PROMPT=true stubidp --redirect-uri http://localhost:3000/callback

A headless endpoint that is always available regardless of --skip-prompt. Navigate the browser to this URL instead of /interaction/:uid to complete the current interaction step programmatically. Useful when you want UI available by default but need headless completion in specific test cases.

Provide a JSON object of standard OIDC claims that stubIdP will include in the ID token and UserInfo response for every authenticated session. The sub field controls the subject identifier used during --skip-prompt auto-login; all other fields are returned as-is.

Terminal window
STUBIDP_DEFAULT_USER='{"sub":"alice","name":"Alice Example","email":"alice@example.com","email_verified":true}' \
STUBIDP_SKIP_PROMPT=true \
stubidp --redirect-uri http://localhost:3000/callback

Supported fields: any standard OIDC claims (name, given_name, family_name, email, email_verified, picture, locale, phone_number, etc.) plus arbitrary custom claims.

When --skip-prompt is active and no --default-user is set, stubIdP requires a login_hint parameter in the authorization request. The value must be a valid email address or E.164 phone number. It is used as the subject identifier (sub) and automatically populates the email or phone_number claim to match.

Terminal window
# Authorization request includes: login_hint=alice@example.com
STUBIDP_SKIP_PROMPT=true stubidp --redirect-uri http://localhost:3000/callback
# Result: sub = "alice@example.com", email = "alice@example.com"