ParseServerOptions

The account lockout policy for failed login attempts.

Enable (or disable) client class creation, defaults to false

Enable (or disable) custom objectId

Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to false, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the _User.authData field. Defaults to false.

Add headers to Access-Control-Allow-Headers

Sets origins for Access-Control-Allow-Origin. This can be a string for a single origin or an array of strings for multiple origins.

Adapter module for the analytics

Your Parse Application ID

Sets the app name

Configuration for your authentication providers, as stringified JSON. See http://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication

Adapter module for the cache

Sets the maximum size for the in memory cache, defaults to 10000

Sets the TTL for the in memory cache (in ms), defaults to 5000 (5 seconds)

Key for iOS, MacOS, tvOS clients

Full path to your cloud code main.js

Run with cluster, optionally set the number of processes default to os.cpus().length

A collection prefix for the classes

Optional. If set to true, the email property of a user is automatically converted to lowercase before being stored in the database. Consequently, queries must match the case as stored in the database, which would be lowercase in this scenario. If false, the email property is stored as set, without any case modifications. Default is false.

Optional. If set to true, the username property of a user is automatically converted to lowercase before being stored in the database. Consequently, queries must match the case as stored in the database, which would be lowercase in this scenario. If false, the username property is stored as set, without any case modifications. Default is false.

custom pages for password validation and reset

Adapter module for the database; any options that are not explicitly described here are passed directly to the database client.

Options to pass to the database client

The full URI to your database. Supported databases are mongodb or postgres.

Default value for limit option on queries, defaults to 100.

Set to true if Parse requests within the same Node.js environment as Parse Server should be routed to Parse Server directly instead of via the HTTP interface. Default is false.

If set to false then Parse requests within the same Node.js environment as Parse Server are executed as HTTP requests sent to Parse Server via the serverURL. For example, a Parse.Query in Cloud Code is calling Parse Server via a HTTP request. The server is essentially making a HTTP request to itself, unnecessarily using network resources such as network ports.

⚠️ In environments where multiple Parse Server instances run behind a load balancer and Parse requests within the current Node.js environment should be routed via the load balancer and distributed as HTTP requests among all instances via the serverURL, this should be set to false.

Key for Unity and .Net SDK

Adapter module for email sending

Set to true if a email verification token should be reused in case another token is requested but there is a token that is still valid, i.e. has not expired. This avoids the often observed issue that a user requests multiple emails and does not know which link contains a valid token because each newly generated token would invalidate the previous token.

Default is false.
Requires option verifyUserEmails: true.

Set the validity duration of the email verification token in seconds after which the token expires. The token is used in the link that is set in the email. After the token expires, the link becomes invalid and a new link has to be sent. If the option is not set or set to undefined, then the token never expires.

For example, to expire the token after 2 hours, set a value of 7200 seconds (= 60 seconds * 60 minutes * 2 hours).

Default is undefined.
Requires option verifyUserEmails: true.

Enable (or disable) anonymous users, defaults to true

Optional. If set to true, the collation rule of case comparison for queries and indexes is enabled. Enable this option to run Parse Server with MongoDB Atlas Serverless or AWS Amazon DocumentDB. If false, the collation rule of case comparison is disabled. Default is false.

Enables the default express error handler for all errors

Optional. Enables insecure authentication adapters. Insecure auth adapters are deprecated and will be removed in a future version. Defaults to false.

If set to true, error details are removed from error messages in responses to client requests, and instead a generic error message is sent. Default is true.

Key for encrypting your files

Set to true if new users should be created without public read and write access.

Sets whether we should expire the inactive sessions, defaults to true. If false, all new sessions are created with no expiration date.

Whether Parse Server should automatically extend a valid session by the sessionLength. In order to reduce the number of session updates in the database, a session will only be extended when a request is received after at least half of the current session's lifetime has passed.

Key for your files

Adapter module for the files sub-system

Options for file uploads

The mount path for the GraphQL endpoint

⚠️ File upload inside the GraphQL mutation system requires Parse Server to be able to call itself by making requests to the URL set in serverURL.

Defaults is /graphql.

Enable public introspection for the GraphQL endpoint, defaults to false

Full path to your GraphQL custom schema.graphql file

The host to serve ParseServer on, defaults to 0.0.0.0

Options for request idempotency to deduplicate identical requests that may be caused by network issues. Caution, this is an experimental feature that may not be appropriate for production.

Key for the Javascript SDK

Log as structured JSON objects

parse-server's LiveQuery configuration object

Live query server configuration options (will start the liveQuery server)

Adapter module for the logging sub-system

Sets the level for logs

(Optional) Overrides the log levels used internally by Parse Server to log events.

Folder for the logs (defaults to './logs'); set to null to disable file based logging

(Optional) The maintenance key is used for modifying internal and read-only fields of Parse Server.

⚠️ This key is not intended to be used as part of a regular operation of Parse Server. This key is intended to conduct out-of-band changes such as one-time migrations or data correction tasks. Internal fields are not officially documented and may change at any time without publication in release changelogs. We strongly advice not to rely on internal fields as part of your regular operation and to investigate the implications of any planned changes directly in the source code of your current version of Parse Server.

(Optional) Restricts the use of maintenance key permissions to a list of IP addresses or ranges.

This option accepts a list of single IP addresses, for example ['10.0.0.1', '10.0.0.2']. You can also use CIDR notation to specify an IP address range, for example ['10.0.1.0/24'].

Special scenarios:
- Setting an empty array [] means that the maintenance key cannot be used even in Parse Server Cloud Code. This value cannot be set via an environment variable as there is no way to pass an empty array to Parse Server via an environment variable.
- Setting ['0.0.0.0/0', '::0'] means to allow any IPv4 and IPv6 address to use the maintenance key and effectively disables the IP filter.

Considerations:
- IPv4 and IPv6 addresses are not compared against each other. Each IP version (IPv4 and IPv6) needs to be considered separately. For example, ['0.0.0.0/0'] allows any IPv4 address and blocks every IPv6 address. Conversely, ['::0'] allows any IPv6 address and blocks every IPv4 address.
- Keep in mind that the IP version in use depends on the network stack of the environment in which Parse Server runs. A local environment may use a different IP version than a remote environment. For example, it's possible that locally the value ['0.0.0.0/0'] allows the request IP because the environment is using IPv4, but when Parse Server is deployed remotely the request IP is blocked because the remote environment is using IPv6.
- When setting the option via an environment variable the notation is a comma-separated string, for example "0.0.0.0/0,::0".
- IPv6 zone indices (% suffix) are not supported, for example fe80::1%eth0, fe80::1%1 or ::1%lo.

Defaults to ['127.0.0.1', '::1'] which means that only localhost, the server instance on which Parse Server runs, is allowed to use the maintenance key.

Your Parse Master Key

(Optional) Restricts the use of master key permissions to a list of IP addresses or ranges.

This option accepts a list of single IP addresses, for example ['10.0.0.1', '10.0.0.2']. You can also use CIDR notation to specify an IP address range, for example ['10.0.1.0/24'].

Special scenarios:
- Setting an empty array [] means that the master key cannot be used even in Parse Server Cloud Code. This value cannot be set via an environment variable as there is no way to pass an empty array to Parse Server via an environment variable.
- Setting ['0.0.0.0/0', '::0'] means to allow any IPv4 and IPv6 address to use the master key and effectively disables the IP filter.

Considerations:
- IPv4 and IPv6 addresses are not compared against each other. Each IP version (IPv4 and IPv6) needs to be considered separately. For example, ['0.0.0.0/0'] allows any IPv4 address and blocks every IPv6 address. Conversely, ['::0'] allows any IPv6 address and blocks every IPv4 address.
- Keep in mind that the IP version in use depends on the network stack of the environment in which Parse Server runs. A local environment may use a different IP version than a remote environment. For example, it's possible that locally the value ['0.0.0.0/0'] allows the request IP because the environment is using IPv4, but when Parse Server is deployed remotely the request IP is blocked because the remote environment is using IPv6.
- When setting the option via an environment variable the notation is a comma-separated string, for example "0.0.0.0/0,::0".
- IPv6 zone indices (% suffix) are not supported, for example fe80::1%eth0, fe80::1%1 or ::1%lo.

Defaults to ['127.0.0.1', '::1'] which means that only localhost, the server instance on which Parse Server runs, is allowed to use the master key.

(Optional) The duration in seconds for which the current masterKey is being used before it is requested again if masterKey is set to a function. If masterKey is not set to a function, this option has no effect. Default is 0, which means the master key is requested by invoking the masterKey function every time the master key is used internally by Parse Server.

Max value for limit option on queries, defaults to unlimited

Maximum number of logs to keep. If not set, no logs will be removed. This can be a number of files or number of days. If using days, add 'd' as the suffix. (default: null)

Max file size for uploads, defaults to 20mb

middleware for express server, can be string or function

Mounts the GraphQL endpoint

Mount path for the server, defaults to /parse

Deprecated. Mounts the GraphQL Playground which is deprecated and will be removed in a future version. The playground exposes the master key in the browser. Use Parse Dashboard as GraphQL IDE or configure a third-party GraphQL client with custom request headers.

Sets the number of characters in generated object id's, default 10

The options for pages such as password reset and email verification.

The password policy for enforcing password related rules.

Deprecated. Mount path for the GraphQL Playground. The playground is deprecated and will be removed in a future version.

The port to run the ParseServer, defaults to 1337.

Enable (or disable) the addition of a unique hash to the file names

Set to true to prevent a user from logging in if the email has not yet been verified and email verification is required. Supports a function with a return value of true or false for conditional prevention. The function receives a request object that includes createdWith to indicate whether the invocation is for signup or login and the used auth provider.

The createdWith values per scenario:

• Password signup: { action: 'signup', authProvider: 'password' }
• Auth provider signup: { action: 'signup', authProvider: '<provider>' }
• Password login: { action: 'login', authProvider: 'password' }
• Auth provider login: function not invoked; auth provider login bypasses email verification

If set to true it prevents a user from signing up if the email has not yet been verified and email verification is required. In that case the server responds to the sign-up with HTTP status 400 and a Parse Error 205 EMAIL_NOT_FOUND. If set to false the server responds with HTTP status 200, and client SDKs return an unauthenticated Parse User without session token. In that case subsequent requests fail until the user's email address is verified.

Default is false.
Requires option verifyUserEmails: true.

Protected fields that should be treated with extra security when fetching details.

Optional. The public URL to Parse Server. This URL will be used to reach Parse Server publicly for features like password reset and email verification links. The option can be set to a string or a function that can be asynchronously resolved. The returned URL string must start with http:// or https://.

Configuration for push, as stringified JSON. See http://docs.parseplatform.org/parse-server/guide/#push-notifications

Options to limit repeated requests to Parse Server APIs. This can be used to protect sensitive endpoints such as /requestPasswordReset from brute-force attacks or Parse Server as a whole from denial-of-service (DoS) attacks.

ℹ️ Mind the following limitations:
- rate limits applied per IP address; this limits protection against distributed denial-of-service (DDoS) attacks where many requests are coming from various IP addresses
- if multiple Parse Server instances are behind a load balancer or ran in a cluster, each instance will calculate it's own request rates, independent from other instances; this limits the applicability of this feature when using a load balancer and another rate limiting solution that takes requests across all instances into account may be more suitable
- this feature provides basic protection against denial-of-service attacks, but a more sophisticated solution works earlier in the request flow and prevents a malicious requests to even reach a server instance; it's therefore recommended to implement a solution according to architecture and user case.

Read-only key, which has the same capabilities as MasterKey without writes

(Optional) Restricts the use of read-only master key permissions to a list of IP addresses or ranges.

This option accepts a list of single IP addresses, for example ['10.0.0.1', '10.0.0.2']. You can also use CIDR notation to specify an IP address range, for example ['10.0.1.0/24'].

Special scenarios:
- Setting an empty array [] means that the read-only master key cannot be used even in Parse Server Cloud Code. This value cannot be set via an environment variable as there is no way to pass an empty array to Parse Server via an environment variable.
- Setting ['0.0.0.0/0', '::0'] means to allow any IPv4 and IPv6 address to use the read-only master key and effectively disables the IP filter.

Considerations:
- IPv4 and IPv6 addresses are not compared against each other. Each IP version (IPv4 and IPv6) needs to be considered separately. For example, ['0.0.0.0/0'] allows any IPv4 address and blocks every IPv6 address. Conversely, ['::0'] allows any IPv6 address and blocks every IPv4 address.
- Keep in mind that the IP version in use depends on the network stack of the environment in which Parse Server runs. A local environment may use a different IP version than a remote environment. For example, it's possible that locally the value ['0.0.0.0/0'] allows the request IP because the environment is using IPv4, but when Parse Server is deployed remotely the request IP is blocked because the remote environment is using IPv6.
- When setting the option via an environment variable the notation is a comma-separated string, for example "0.0.0.0/0,::0".
- IPv6 zone indices (% suffix) are not supported, for example fe80::1%eth0, fe80::1%1 or ::1%lo.

Defaults to ['0.0.0.0/0', '::0'] which means that any IP address is allowed to use the read-only master key. It is recommended to set this option to ['127.0.0.1', '::1'] to restrict access to localhost.

Options to customize the request context using inversion of control/dependency injection.

An array of keys and values that are prohibited in database read and write requests to prevent potential security vulnerabilities. It is possible to specify only a key ({"key":"..."}), only a value ({"value":"..."}) or a key-value pair ({"key":"...","value":"..."}). The specification can use the following types: boolean, numeric or string, where string will be interpreted as a regex notation. Request data is deep-scanned for matching definitions to detect also any nested occurrences. Defaults are patterns that are likely to be used in malicious requests. Setting this option will override the default patterns.

Key for REST calls

When a user changes their password, either through the reset password email or while logged in, all sessions are revoked if this is true. Set to false if you don't want to revoke sessions.

Configuration for push scheduling, defaults to false.

Defined schema

The security options to identify and report weak security settings.

Set to false to prevent sending of verification email. Supports a function with a return value of true or false for conditional email sending.

Default is true.

Callback when server has closed

The URL to Parse Server.

⚠️ Certain server features or adapters may require Parse Server to be able to call itself by making requests to the URL set in serverURL. If a feature requires this, it is mentioned in the documentation. In that case ensure that the URL is accessible from the server itself.

Session duration, in seconds, defaults to 1 year

Disables console output

Starts the liveQuery server

The trust proxy settings. It is important to understand the exact setup of the reverse proxy, since this setting will trust values provided in the Parse Server API request. See the express trust proxy settings documentation. Defaults to false.

Personally identifiable information fields in the user table the should be removed for non-authorized users. Deprecated @see protectedFields

Set the logging to verbose

Parse Server makes a HTTP request to the URL set in serverURL at the end of its launch routine to verify that the launch succeeded. If this option is set to false, the verification will be skipped. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall or in certain containerized environments.

⚠️ Server URL verification requires Parse Server to be able to call itself by making requests to the URL set in serverURL.

Default is true.

Set to true to require users to verify their email address to complete the sign-up process. Supports a function with a return value of true or false for conditional verification. The function receives a request object that includes createdWith to indicate whether the invocation is for signup or login and the used auth provider.

The createdWith values per scenario:

• Password signup: { action: 'signup', authProvider: 'password' }
• Auth provider signup: { action: 'signup', authProvider: '<provider>' }
• Password login: { action: 'login', authProvider: 'password' }
• Auth provider login: function not invoked; auth provider login bypasses email verification
• Resend verification email: createdWith is undefined; use the resendRequest property to identify those

Key sent with outgoing webhook calls